Analysis

max time kernel: 120s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 17/10/2024, 18:45
Static task: static1

Behavioral task: behavioral1
Sample: 1a830d6af7f0747c2e64e0058f4c41be0b31c23aed9a0cfd291bb3d1cf954849N.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 1a830d6af7f0747c2e64e0058f4c41be0b31c23aed9a0cfd291bb3d1cf954849N.exe
Resource: win10v2004-20241007-en
General

Target: 1a830d6af7f0747c2e64e0058f4c41be0b31c23aed9a0cfd291bb3d1cf954849N.exe
Size: 96KB
MD5: 3ffe496180e896c7fb529df51eaba660
SHA1: efcdd115596ec42efa6126a19e7f1c460a599d9c
SHA256: 1a830d6af7f0747c2e64e0058f4c41be0b31c23aed9a0cfd291bb3d1cf954849
SHA512: 025717a033289bf09b20017cf4cc6d1ba0d84b9cada007251df89e175618c45db0f361ced7323dfd16b4988f04e4f2ed2a981df8d9ec06798adda3755f077f99
SSDEEP: 1536:HcmevPFX7qRaAgCqr8oW2Sl06eyU02EreDmkduV9jojTIvjrH:8mevNXxp805l9Fykd69jc0vf
Malware Config

Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpgaohej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qhabfibb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ialbon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ppbhhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihopjl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiichkog.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfldopno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aidfacjf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ejldfh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adgihkmf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfbcheka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lhjfjhje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oqnfbo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aeajcf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egdnjlcg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccjpfmic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lokpcekn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fhmblljb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ianambhc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npbpjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jfbnmckp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bphhobmd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bndjei32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llhcad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fnppfjlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ddfllp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Holqbipe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebojbaga.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eiehilaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hepdml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cfjfal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hofodokn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahilhikb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Giljinne.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfmhla32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghhanbek.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmpemkkf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpkfng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dddodd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jaiknk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kdlmdi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfjipe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bainld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dkcqnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pgnhiaof.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjcimhab.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecklgdag.exe
Executes dropped EXE (64 IoCs)

pid | Process
2172 | Ifajif32.exe
1144 | Jchhhjjg.exe
2776 | Jkcllmhb.exe
2936 | Jncenh32.exe
2528 | Jnfbcg32.exe
2780 | Kceganoe.exe
2120 | Kjalch32.exe
2648 | Kleeqp32.exe
2092 | Klgbfo32.exe
1984 | Lhqpqp32.exe
1904 | Llnhgn32.exe
2128 | Lmbadfdl.exe
1676 | Lkfbmj32.exe
2464 | Mkhocj32.exe
3060 | Minldf32.exe
824 | Mojdlm32.exe
2112 | Medligko.exe
1732 | Nlcnaaog.exe
1584 | Nekbjf32.exe
2088 | Nocgbl32.exe
2216 | Nadpdg32.exe
2024 | Ndeifbfj.exe
1936 | Ocjfgo32.exe
844 | Ofkoijhc.exe
904 | Odpljf32.exe
2604 | Ofphdi32.exe
644 | Obfiijia.exe
1660 | Pnpfckmc.exe
2432 | Pghklq32.exe
2884 | Pcahga32.exe
2900 | Pinqoh32.exe
2756 | Qibjjgag.exe
2664 | Boakgapg.exe
1080 | Bhjppg32.exe
2904 | Baeanl32.exe
576 | Chafpfqp.exe
1416 | Cplkehnk.exe
2496 | Cpogjh32.exe
1832 | Clehoiam.exe
984 | Cfnmhnhm.exe
2476 | Cfpinnfj.exe
3056 | Dokjlcjh.exe
2532 | Dhcoei32.exe
2408 | Dfgpnm32.exe
1672 | Ddlloi32.exe
1960 | Dndahokk.exe
1212 | Dcaiqfib.exe
1028 | Engnno32.exe
2444 | Ejnnbpol.exe
1364 | Epkgkfmd.exe
2620 | Ejpkho32.exe
1668 | Echpaecj.exe
1644 | Eiehilaa.exe
2512 | Ecklgdag.exe
3032 | Elfakg32.exe
2696 | Fflehp32.exe
2256 | Flhnqf32.exe
1552 | Faefim32.exe
1560 | Fnifbaja.exe
1704 | Fcfojhhh.exe
3008 | Fjpggb32.exe
2080 | Feeldk32.exe
2416 | Fnnpma32.exe
1412 | Fhfdffll.exe
Loads dropped DLL (64 IoCs)

pid | Process
2376 | 1a830d6af7f0747c2e64e0058f4c41be0b31c23aed9a0cfd291bb3d1cf954849N.exe
2376 | 1a830d6af7f0747c2e64e0058f4c41be0b31c23aed9a0cfd291bb3d1cf954849N.exe
2172 | Ifajif32.exe
2172 | Ifajif32.exe
1144 | Jchhhjjg.exe
1144 | Jchhhjjg.exe
2776 | Jkcllmhb.exe
2776 | Jkcllmhb.exe
2936 | Jncenh32.exe
2936 | Jncenh32.exe
2528 | Jnfbcg32.exe
2528 | Jnfbcg32.exe
2780 | Kceganoe.exe
2780 | Kceganoe.exe
2120 | Kjalch32.exe
2120 | Kjalch32.exe
2648 | Kleeqp32.exe
2648 | Kleeqp32.exe
2092 | Klgbfo32.exe
2092 | Klgbfo32.exe
1984 | Lhqpqp32.exe
1984 | Lhqpqp32.exe
1904 | Llnhgn32.exe
1904 | Llnhgn32.exe
2128 | Lmbadfdl.exe
2128 | Lmbadfdl.exe
1676 | Lkfbmj32.exe
1676 | Lkfbmj32.exe
2464 | Mkhocj32.exe
2464 | Mkhocj32.exe
3060 | Minldf32.exe
3060 | Minldf32.exe
824 | Mojdlm32.exe
824 | Mojdlm32.exe
2112 | Medligko.exe
2112 | Medligko.exe
1732 | Nlcnaaog.exe
1732 | Nlcnaaog.exe
1584 | Nekbjf32.exe
1584 | Nekbjf32.exe
2088 | Nocgbl32.exe
2088 | Nocgbl32.exe
2216 | Nadpdg32.exe
2216 | Nadpdg32.exe
2024 | Ndeifbfj.exe
2024 | Ndeifbfj.exe
1936 | Ocjfgo32.exe
1936 | Ocjfgo32.exe
844 | Ofkoijhc.exe
844 | Ofkoijhc.exe
904 | Odpljf32.exe
904 | Odpljf32.exe
2604 | Ofphdi32.exe
2604 | Ofphdi32.exe
644 | Obfiijia.exe
644 | Obfiijia.exe
1660 | Pnpfckmc.exe
1660 | Pnpfckmc.exe
2432 | Pghklq32.exe
2432 | Pghklq32.exe
2884 | Pcahga32.exe
2884 | Pcahga32.exe
2900 | Pinqoh32.exe
2900 | Pinqoh32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Mafoal32.exe | Meonlkcm.exe
File created | C:\Windows\SysWOW64\Mfpldh32.dll | Igcnfhob.exe
File created | C:\Windows\SysWOW64\Hajogm32.exe | Hlnfof32.exe
File opened for modification | C:\Windows\SysWOW64\Bghcjk32.exe | Bpnkmadn.exe
File opened for modification | C:\Windows\SysWOW64\Annkjdgd.exe | Aefgao32.exe
File opened for modification | C:\Windows\SysWOW64\Apcjbeea.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Lpjhkkbc.exe | Process not Found
File created | C:\Windows\SysWOW64\Aaegha32.exe | Aaqnmbdd.exe
File created | C:\Windows\SysWOW64\Bkkfff32.dll | Jifjod32.exe
File created | C:\Windows\SysWOW64\Lgngjn32.dll | Oqhemjef.exe
File created | C:\Windows\SysWOW64\Efchog32.exe | Emkcfa32.exe
File opened for modification | C:\Windows\SysWOW64\Daibfa32.exe | Dafeaapg.exe
File created | C:\Windows\SysWOW64\Kaieoo32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Jnfdlpje.exe | Jkhhpeka.exe
File created | C:\Windows\SysWOW64\Bamdcf32.exe | Befcne32.exe
File created | C:\Windows\SysWOW64\Aliejq32.exe | Abaaakob.exe
File created | C:\Windows\SysWOW64\Aiohpk32.dll | Process not Found
File created | C:\Windows\SysWOW64\Fiomjp32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Mojdlm32.exe | Minldf32.exe
File opened for modification | C:\Windows\SysWOW64\Anbcio32.exe | Adjoqjfc.exe
File opened for modification | C:\Windows\SysWOW64\Kbchbi32.exe | Kikcjdfd.exe
File created | C:\Windows\SysWOW64\Ofohfeoo.exe | Oabonopg.exe
File created | C:\Windows\SysWOW64\Hnfkpf32.exe | Process not Found
File created | C:\Windows\SysWOW64\Lellfe32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Fqmobelc.exe | Fgdjipfc.exe
File opened for modification | C:\Windows\SysWOW64\Kpdjnefm.exe | Jfoeqmfg.exe
File created | C:\Windows\SysWOW64\Icjjilho.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gbglgcbc.exe | Glmckikf.exe
File opened for modification | C:\Windows\SysWOW64\Jicgoohq.exe | Jnmbafik.exe
File opened for modification | C:\Windows\SysWOW64\Qnedbh32.exe | Process not Found
File created | C:\Windows\SysWOW64\Coapim32.dll | Jjpehn32.exe
File created | C:\Windows\SysWOW64\Pjmfgl32.dll | Efchog32.exe
File opened for modification | C:\Windows\SysWOW64\Dfgpnm32.exe | Dhcoei32.exe
File created | C:\Windows\SysWOW64\Hegdkkje.exe | Hlopbe32.exe
File created | C:\Windows\SysWOW64\Lbnininb.exe | Process not Found
File created | C:\Windows\SysWOW64\Oeffak32.dll | Ephkak32.exe
File opened for modification | C:\Windows\SysWOW64\Ndofjq32.exe | Nkfaqkcq.exe
File opened for modification | C:\Windows\SysWOW64\Mbkladpj.exe | Megkgpaq.exe
File opened for modification | C:\Windows\SysWOW64\Dpfpco32.exe | Ccbojk32.exe
File created | C:\Windows\SysWOW64\Ajidnp32.exe | Anbcio32.exe
File opened for modification | C:\Windows\SysWOW64\Kolemj32.exe | Klniao32.exe
File created | C:\Windows\SysWOW64\Floccbai.exe | Fphbna32.exe
File opened for modification | C:\Windows\SysWOW64\Apinihbm.exe | Qbenoccc.exe
File opened for modification | C:\Windows\SysWOW64\Khinoo32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gigjch32.exe | Fpnekc32.exe
File opened for modification | C:\Windows\SysWOW64\Mahlgkgo.exe | Mhpgnfpn.exe
File created | C:\Windows\SysWOW64\Biaeccca.dll | Hpodbo32.exe
File opened for modification | C:\Windows\SysWOW64\Dogfnj32.exe | Dcqfih32.exe
File created | C:\Windows\SysWOW64\Kgpfcnfm.dll | Process not Found
File created | C:\Windows\SysWOW64\Knkngp32.exe | Kdcinjpo.exe
File created | C:\Windows\SysWOW64\Obiiacpe.exe | Okoqdi32.exe
File created | C:\Windows\SysWOW64\Okfimnqo.dll | Fpffianh.exe
File created | C:\Windows\SysWOW64\Demhhmfg.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Dhbjeg32.exe | Process not Found
File created | C:\Windows\SysWOW64\Fjacnn32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Mhgeckoc.exe | Mammfa32.exe
File opened for modification | C:\Windows\SysWOW64\Efchog32.exe | Emkcfa32.exe
File created | C:\Windows\SysWOW64\Glmgdfdh.dll | Pnphlc32.exe
File created | C:\Windows\SysWOW64\Mdoafi32.dll | Qbidffao.exe
File created | C:\Windows\SysWOW64\Dfigiloo.dll | Lelphbon.exe
File created | C:\Windows\SysWOW64\Ojompp32.exe | Nqfigjgi.exe
File created | C:\Windows\SysWOW64\Cjhajc32.dll | Aeajcf32.exe
File created | C:\Windows\SysWOW64\Biladdcf.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Eihini32.exe | Process not Found
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hddgkj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hfqlcg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Loldefjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmqmgedi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfnime32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oaaklmao.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eebnqcjl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icdllk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edjjph32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhjpekkf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngpokkgb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfiafk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkpckeek.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpeidjfo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmginaim.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cqhdnfpp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggldlpoc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajhkka32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbdegeei.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jciaki32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nldgdpjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpdjnefm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbghpjih.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bannajom.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Plqjilia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Naooqndd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhqpqp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpogjh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbgdcapi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbglgcbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Deeeafii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Giiibqdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkjdkqcl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ccnici32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdcinjpo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kchfpf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmpckbci.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Olhhmele.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Faefim32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibehna32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnkpkdio.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obiiacpe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lgldmlil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjcimhab.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkmijk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bdemcpqm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecklgdag.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jkhhpeka.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afelbkca.dll" | Gfkagc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoggn32.dll" | Omaqoa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkenkgd.dll" | Gjeckk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dfambk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iiiapg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efdmni32.dll" | Ocilfljc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqliakm.dll" | Bamdcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Amjmpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lffjih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpchiebc.dll" | Qnlobhne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bajqcqli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmlfdqg.dll" | Ifhacfhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kdlmdi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alnmhici.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqpkqfal.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Feblho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dggbeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlbce32.dll" | Bgbqlm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Medligko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnkanl32.dll" | Pipnohdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icogicoo.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eakkkdnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hmbdlc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdddk32.dll" | Dnfoho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lhcpkmef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlhioiq.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gdchifik.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oaaklmao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polmom32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hingpo32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nocgbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihgikml.dll" | Meonlkcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhmib32.dll" | Gdlbdken.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nfljpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfkpa32.dll" | Bcfbbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidglg32.dll" | Bannajom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhckja32.dll" | Oqmohi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Amdhidqk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fbqkqj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mmebkg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Adhbkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idalfo32.dll" | Fpngec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kleeqp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkggdfqa.dll" | Kmjeca32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pkpboe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Emkcfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfajden.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kehcdieo.dll" | Pcahga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajceba32.dll" | Nliqoofa.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2376 wrote to memory of 2172 2376 1a830d6af7f0747c2e64e0058f4c41be0b31c23aed9a0cfd291bb3d1cf954849N.exe 29
PID 2376 wrote to memory of 2172 2376 1a830d6af7f0747c2e64e0058f4c41be0b31c23aed9a0cfd291bb3d1cf954849N.exe 29
PID 2376 wrote to memory of 2172 2376 1a830d6af7f0747c2e64e0058f4c41be0b31c23aed9a0cfd291bb3d1cf954849N.exe 29
PID 2376 wrote to memory of 2172 2376 1a830d6af7f0747c2e64e0058f4c41be0b31c23aed9a0cfd291bb3d1cf954849N.exe 29
PID 2172 wrote to memory of 1144 2172 Ifajif32.exe 30
PID 2172 wrote to memory of 1144 2172 Ifajif32.exe 30
PID 2172 wrote to memory of 1144 2172 Ifajif32.exe 30
PID 2172 wrote to memory of 1144 2172 Ifajif32.exe 30
PID 1144 wrote to memory of 2776 1144 Jchhhjjg.exe 31
PID 1144 wrote to memory of 2776 1144 Jchhhjjg.exe 31
PID 1144 wrote to memory of 2776 1144 Jchhhjjg.exe 31
PID 1144 wrote to memory of 2776 1144 Jchhhjjg.exe 31
PID 2776 wrote to memory of 2936 2776 Jkcllmhb.exe 32
PID 2776 wrote to memory of 2936 2776 Jkcllmhb.exe 32
PID 2776 wrote to memory of 2936 2776 Jkcllmhb.exe 32
PID 2776 wrote to memory of 2936 2776 Jkcllmhb.exe 32
PID 2936 wrote to memory of 2528 2936 Jncenh32.exe 33
PID 2936 wrote to memory of 2528 2936 Jncenh32.exe 33
PID 2936 wrote to memory of 2528 2936 Jncenh32.exe 33
PID 2936 wrote to memory of 2528 2936 Jncenh32.exe 33
PID 2528 wrote to memory of 2780 2528 Jnfbcg32.exe 34
PID 2528 wrote to memory of 2780 2528 Jnfbcg32.exe 34
PID 2528 wrote to memory of 2780 2528 Jnfbcg32.exe 34
PID 2528 wrote to memory of 2780 2528 Jnfbcg32.exe 34
PID 2780 wrote to memory of 2120 2780 Kceganoe.exe 35
PID 2780 wrote to memory of 2120 2780 Kceganoe.exe 35
PID 2780 wrote to memory of 2120 2780 Kceganoe.exe 35
PID 2780 wrote to memory of 2120 2780 Kceganoe.exe 35
PID 2120 wrote to memory of 2648 2120 Kjalch32.exe 36
PID 2120 wrote to memory of 2648 2120 Kjalch32.exe 36
PID 2120 wrote to memory of 2648 2120 Kjalch32.exe 36
PID 2120 wrote to memory of 2648 2120 Kjalch32.exe 36
PID 2648 wrote to memory of 2092 2648 Kleeqp32.exe 37
PID 2648 wrote to memory of 2092 2648 Kleeqp32.exe 37
PID 2648 wrote to memory of 2092 2648 Kleeqp32.exe 37
PID 2648 wrote to memory of 2092 2648 Kleeqp32.exe 37
PID 2092 wrote to memory of 1984 2092 Klgbfo32.exe 38
PID 2092 wrote to memory of 1984 2092 Klgbfo32.exe 38
PID 2092 wrote to memory of 1984 2092 Klgbfo32.exe 38
PID 2092 wrote to memory of 1984 2092 Klgbfo32.exe 38
PID 1984 wrote to memory of 1904 1984 Lhqpqp32.exe 39
PID 1984 wrote to memory of 1904 1984 Lhqpqp32.exe 39
PID 1984 wrote to memory of 1904 1984 Lhqpqp32.exe 39
PID 1984 wrote to memory of 1904 1984 Lhqpqp32.exe 39
PID 1904 wrote to memory of 2128 1904 Llnhgn32.exe 40
PID 1904 wrote to memory of 2128 1904 Llnhgn32.exe 40
PID 1904 wrote to memory of 2128 1904 Llnhgn32.exe 40
PID 1904 wrote to memory of 2128 1904 Llnhgn32.exe 40
PID 2128 wrote to memory of 1676 2128 Lmbadfdl.exe 41
PID 2128 wrote to memory of 1676 2128 Lmbadfdl.exe 41
PID 2128 wrote to memory of 1676 2128 Lmbadfdl.exe 41
PID 2128 wrote to memory of 1676 2128 Lmbadfdl.exe 41
PID 1676 wrote to memory of 2464 1676 Lkfbmj32.exe 42
PID 1676 wrote to memory of 2464 1676 Lkfbmj32.exe 42
PID 1676 wrote to memory of 2464 1676 Lkfbmj32.exe 42
PID 1676 wrote to memory of 2464 1676 Lkfbmj32.exe 42
PID 2464 wrote to memory of 3060 2464 Mkhocj32.exe 43
PID 2464 wrote to memory of 3060 2464 Mkhocj32.exe 43
PID 2464 wrote to memory of 3060 2464 Mkhocj32.exe 43
PID 2464 wrote to memory of 3060 2464 Mkhocj32.exe 43
PID 3060 wrote to memory of 824 3060 Minldf32.exe 44
PID 3060 wrote to memory of 824 3060 Minldf32.exe 44
PID 3060 wrote to memory of 824 3060 Minldf32.exe 44
PID 3060 wrote to memory of 824 3060 Minldf32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a830d6af7f0747c2e64e0058f4c41be0b31c23aed9a0cfd291bb3d1cf954849N.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\1a830d6af7f0747c2e64e0058f4c41be0b31c23aed9a0cfd291bb3d1cf954849N.exe") 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Ifajif32.exe (cmd: C:\Windows\system32\Ifajif32.exe) 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Jchhhjjg.exe (cmd: C:\Windows\system32\Jchhhjjg.exe) 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Jkcllmhb.exe (cmd: C:\Windows\system32\Jkcllmhb.exe) 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Jncenh32.exe (cmd: C:\Windows\system32\Jncenh32.exe) 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Jnfbcg32.exe (cmd: C:\Windows\system32\Jnfbcg32.exe) 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Kceganoe.exe (cmd: C:\Windows\system32\Kceganoe.exe) 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Kjalch32.exe (cmd: C:\Windows\system32\Kjalch32.exe) 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Kleeqp32.exe (cmd: C:\Windows\system32\Kleeqp32.exe) 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Klgbfo32.exe (cmd: C:\Windows\system32\Klgbfo32.exe) 10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Lhqpqp32.exe (cmd: C:\Windows\system32\Lhqpqp32.exe) 11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Llnhgn32.exe (cmd: C:\Windows\system32\Llnhgn32.exe) 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Lmbadfdl.exe (cmd: C:\Windows\system32\Lmbadfdl.exe) 13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Lkfbmj32.exe (cmd: C:\Windows\system32\Lkfbmj32.exe) 14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Mkhocj32.exe (cmd: C:\Windows\system32\Mkhocj32.exe) 15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Minldf32.exe (cmd: C:\Windows\system32\Minldf32.exe) 16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Mojdlm32.exe (cmd: C:\Windows\system32\Mojdlm32.exe) 17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:824 -
C:\Windows\SysWOW64\Medligko.exe (cmd: C:\Windows\system32\Medligko.exe) 18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Nlcnaaog.exe (cmd: C:\Windows\system32\Nlcnaaog.exe) 19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Nekbjf32.exe (cmd: C:\Windows\system32\Nekbjf32.exe) 20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Nocgbl32.exe (cmd: C:\Windows\system32\Nocgbl32.exe) 21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Nadpdg32.exe (cmd: C:\Windows\system32\Nadpdg32.exe) 22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Ndeifbfj.exe (cmd: C:\Windows\system32\Ndeifbfj.exe) 23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Ocjfgo32.exe (cmd: C:\Windows\system32\Ocjfgo32.exe) 24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Ofkoijhc.exe (cmd: C:\Windows\system32\Ofkoijhc.exe) 25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Odpljf32.exe (cmd: C:\Windows\system32\Odpljf32.exe) 26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Ofphdi32.exe (cmd: C:\Windows\system32\Ofphdi32.exe) 27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Obfiijia.exe (cmd: C:\Windows\system32\Obfiijia.exe) 28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:644 -
C:\Windows\SysWOW64\Pnpfckmc.exe (cmd: C:\Windows\system32\Pnpfckmc.exe) 29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Pghklq32.exe (cmd: C:\Windows\system32\Pghklq32.exe) 30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Pcahga32.exe (cmd: C:\Windows\system32\Pcahga32.exe) 31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Pinqoh32.exe (cmd: C:\Windows\system32\Pinqoh32.exe) 32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Qibjjgag.exe (cmd: C:\Windows\system32\Qibjjgag.exe) 33⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Boakgapg.exe (cmd: C:\Windows\system32\Boakgapg.exe) 34⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Bhjppg32.exe (cmd: C:\Windows\system32\Bhjppg32.exe) 35⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Baeanl32.exe (cmd: C:\Windows\system32\Baeanl32.exe) 36⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Chafpfqp.exe (cmd: C:\Windows\system32\Chafpfqp.exe) 37⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Cplkehnk.exe (cmd: C:\Windows\system32\Cplkehnk.exe) 38⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Cpogjh32.exe (cmd: C:\Windows\system32\Cpogjh32.exe) 39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Windows\SysWOW64\Clehoiam.exe (cmd: C:\Windows\system32\Clehoiam.exe) 40⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Cfnmhnhm.exe (cmd: C:\Windows\system32\Cfnmhnhm.exe) 41⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Cfpinnfj.exe (cmd: C:\Windows\system32\Cfpinnfj.exe) 42⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Dokjlcjh.exe (cmd: C:\Windows\system32\Dokjlcjh.exe) 43⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Dhcoei32.exe (cmd: C:\Windows\system32\Dhcoei32.exe) 44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Dfgpnm32.exe (cmd: C:\Windows\system32\Dfgpnm32.exe) 45⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Ddlloi32.exe (cmd: C:\Windows\system32\Ddlloi32.exe) 46⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Dndahokk.exe (cmd: C:\Windows\system32\Dndahokk.exe) 47⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Dcaiqfib.exe (cmd: C:\Windows\system32\Dcaiqfib.exe) 48⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Engnno32.exe (cmd: C:\Windows\system32\Engnno32.exe) 49⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Ejnnbpol.exe (cmd: C:\Windows\system32\Ejnnbpol.exe) 50⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Epkgkfmd.exe (cmd: C:\Windows\system32\Epkgkfmd.exe) 51⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Ejpkho32.exe (cmd: C:\Windows\system32\Ejpkho32.exe) 52⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Echpaecj.exe (cmd: C:\Windows\system32\Echpaecj.exe) 53⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Eiehilaa.exe (cmd: C:\Windows\system32\Eiehilaa.exe) 54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ecklgdag.exe (cmd: C:\Windows\system32\Ecklgdag.exe) 55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Elfakg32.exe (cmd: C:\Windows\system32\Elfakg32.exe) 56⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Fflehp32.exe (cmd: C:\Windows\system32\Fflehp32.exe) 57⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Flhnqf32.exe (cmd: C:\Windows\system32\Flhnqf32.exe) 58⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Faefim32.exe (cmd: C:\Windows\system32\Faefim32.exe) 59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\Fnifbaja.exe (cmd: C:\Windows\system32\Fnifbaja.exe) 60⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Fcfojhhh.exe (cmd: C:\Windows\system32\Fcfojhhh.exe) 61⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Fjpggb32.exe (cmd: C:\Windows\system32\Fjpggb32.exe) 62⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Feeldk32.exe (cmd: C:\Windows\system32\Feeldk32.exe) 63⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Fnnpma32.exe (cmd: C:\Windows\system32\Fnnpma32.exe) 64⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Fhfdffll.exe (cmd: C:\Windows\system32\Fhfdffll.exe) 65⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Gaoiol32.exe (cmd: C:\Windows\system32\Gaoiol32.exe) 66⤵
PID:2136 -
C:\Windows\SysWOW64\Gfkagc32.exe (cmd: C:\Windows\system32\Gfkagc32.exe) 67⤵
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Glhjpjok.exe (cmd: C:\Windows\system32\Glhjpjok.exe) 68⤵
PID:2036 -
C:\Windows\SysWOW64\Giljinne.exe (cmd: C:\Windows\system32\Giljinne.exe) 69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Gbdobc32.exe (cmd: C:\Windows\system32\Gbdobc32.exe) 70⤵
PID:112 -
C:\Windows\SysWOW64\Glmckikf.exe (cmd: C:\Windows\system32\Glmckikf.exe) 71⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Gbglgcbc.exe (cmd: C:\Windows\system32\Gbglgcbc.exe) 72⤵
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Ghcdpjqj.exe (cmd: C:\Windows\system32\Ghcdpjqj.exe) 73⤵
PID:2540 -
C:\Windows\SysWOW64\Hdjedk32.exe (cmd: C:\Windows\system32\Hdjedk32.exe) 74⤵
PID:2876 -
C:\Windows\SysWOW64\Hkdmaenk.exe (cmd: C:\Windows\system32\Hkdmaenk.exe) 75⤵
PID:2944 -
C:\Windows\SysWOW64\Hgknffcp.exe (cmd: C:\Windows\system32\Hgknffcp.exe) 76⤵
PID:2688 -
C:\Windows\SysWOW64\Hmefcp32.exe (cmd: C:\Windows\system32\Hmefcp32.exe) 77⤵
PID:2992 -
C:\Windows\SysWOW64\Hkifld32.exe (cmd: C:\Windows\system32\Hkifld32.exe) 78⤵
PID:1176 -
C:\Windows\SysWOW64\Hgpgae32.exe (cmd: C:\Windows\system32\Hgpgae32.exe) 79⤵
PID:2916 -
C:\Windows\SysWOW64\Hddgkj32.exe (cmd: C:\Windows\system32\Hddgkj32.exe) 80⤵
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Ilolol32.exe (cmd: C:\Windows\system32\Ilolol32.exe) 81⤵
PID:2360 -
C:\Windows\SysWOW64\Igdqmeke.exe (cmd: C:\Windows\system32\Igdqmeke.exe) 82⤵
PID:2160 -
C:\Windows\SysWOW64\Ilaieljl.exe (cmd: C:\Windows\system32\Ilaieljl.exe) 83⤵
PID:460 -
C:\Windows\SysWOW64\Ianambhc.exe (cmd: C:\Windows\system32\Ianambhc.exe) 84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2224 -
C:\Windows\SysWOW64\Ilcfjkgj.exe (cmd: C:\Windows\system32\Ilcfjkgj.exe) 85⤵
PID:1104 -
C:\Windows\SysWOW64\Iaqnbb32.exe (cmd: C:\Windows\system32\Iaqnbb32.exe) 86⤵
PID:2276 -
C:\Windows\SysWOW64\Ihjfolmn.exe (cmd: C:\Windows\system32\Ihjfolmn.exe) 87⤵
PID:2472 -
C:\Windows\SysWOW64\Ifngiqlg.exe (cmd: C:\Windows\system32\Ifngiqlg.exe) 88⤵
PID:1292 -
C:\Windows\SysWOW64\Ikkoagjo.exe (cmd: C:\Windows\system32\Ikkoagjo.exe) 89⤵
PID:804 -
C:\Windows\SysWOW64\Ibehna32.exe (cmd: C:\Windows\system32\Ibehna32.exe) 90⤵
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Ihopjl32.exe (cmd: C:\Windows\system32\Ihopjl32.exe) 91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Jbgdcapi.exe (cmd: C:\Windows\system32\Jbgdcapi.exe) 92⤵
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Jciaki32.exe (cmd: C:\Windows\system32\Jciaki32.exe) 93⤵
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Jmaedolh.exe (cmd: C:\Windows\system32\Jmaedolh.exe) 94⤵
PID:1736 -
C:\Windows\SysWOW64\Jfijmdbh.exe (cmd: C:\Windows\system32\Jfijmdbh.exe) 95⤵
PID:2984 -
C:\Windows\SysWOW64\Jqonjmbn.exe (cmd: C:\Windows\system32\Jqonjmbn.exe) 96⤵
PID:2096 -
C:\Windows\SysWOW64\Jgiffg32.exe (cmd: C:\Windows\system32\Jgiffg32.exe) 97⤵
PID:1908 -
C:\Windows\SysWOW64\Kbjmhd32.exe (cmd: C:\Windows\system32\Kbjmhd32.exe) 98⤵
PID:2192 -
C:\Windows\SysWOW64\Lafpipoa.exe (cmd: C:\Windows\system32\Lafpipoa.exe) 99⤵
PID:2516 -
C:\Windows\SysWOW64\Lcdmekne.exe (cmd: C:\Windows\system32\Lcdmekne.exe) 100⤵
PID:1816 -
C:\Windows\SysWOW64\Memonbnl.exe (cmd: C:\Windows\system32\Memonbnl.exe) 101⤵
PID:2272 -
C:\Windows\SysWOW64\Moecghdl.exe (cmd: C:\Windows\system32\Moecghdl.exe) 102⤵
PID:2012 -
C:\Windows\SysWOW64\Mkqnghfk.exe (cmd: C:\Windows\system32\Mkqnghfk.exe) 103⤵
PID:1952 -
C:\Windows\SysWOW64\Mpmfoodb.exe (cmd: C:\Windows\system32\Mpmfoodb.exe) 104⤵
PID:2288 -
C:\Windows\SysWOW64\Mkcjlhdh.exe (cmd: C:\Windows\system32\Mkcjlhdh.exe) 105⤵
PID:2672 -
C:\Windows\SysWOW64\Nldgdpjf.exe (cmd: C:\Windows\system32\Nldgdpjf.exe) 106⤵
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Windows\SysWOW64\Ngikaijm.exe (cmd: C:\Windows\system32\Ngikaijm.exe) 107⤵
PID:2412 -
C:\Windows\SysWOW64\Npbpjn32.exe (cmd: C:\Windows\system32\Npbpjn32.exe) 108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:540 -
C:\Windows\SysWOW64\Ncplfj32.exe (cmd: C:\Windows\system32\Ncplfj32.exe) 109⤵
PID:2028 -
C:\Windows\SysWOW64\Nijdcdgn.exe (cmd: C:\Windows\system32\Nijdcdgn.exe) 110⤵
PID:2548 -
C:\Windows\SysWOW64\Nliqoofa.exe (cmd: C:\Windows\system32\Nliqoofa.exe) 111⤵
- Modifies registry class
PID:648 -
C:\Windows\SysWOW64\Nogmkk32.exe (cmd: C:\Windows\system32\Nogmkk32.exe) 112⤵
PID:884 -
C:\Windows\SysWOW64\Neaehelb.exe (cmd: C:\Windows\system32\Neaehelb.exe) 113⤵
PID:2576 -
C:\Windows\SysWOW64\Nknmplji.exe (cmd: C:\Windows\system32\Nknmplji.exe) 114⤵
PID:2596 -
C:\Windows\SysWOW64\Necandjo.exe (cmd: C:\Windows\system32\Necandjo.exe) 115⤵
PID:2072 -
C:\Windows\SysWOW64\Nolffjap.exe (cmd: C:\Windows\system32\Nolffjap.exe) 116⤵
PID:2176 -
C:\Windows\SysWOW64\Ndhooaog.exe (cmd: C:\Windows\system32\Ndhooaog.exe) 117⤵
PID:2892 -
C:\Windows\SysWOW64\Ooncljom.exe (cmd: C:\Windows\system32\Ooncljom.exe) 118⤵
PID:2676 -
C:\Windows\SysWOW64\Odkkdqmd.exe (cmd: C:\Windows\system32\Odkkdqmd.exe) 119⤵
PID:2960 -
C:\Windows\SysWOW64\Oncpmf32.exe (cmd: C:\Windows\system32\Oncpmf32.exe) 120⤵
PID:2116 -
C:\Windows\SysWOW64\Ogldfl32.exe (cmd: C:\Windows\system32\Ogldfl32.exe) 121⤵
PID:780 -
C:\Windows\SysWOW64\Olhmnb32.exe (cmd: C:\Windows\system32\Olhmnb32.exe) 122⤵
PID:2552