Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 19:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2a697b1b71427e56963db709481377e85eeb1795b1aaa6bc774778060c77c94c.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2a697b1b71427e56963db709481377e85eeb1795b1aaa6bc774778060c77c94c.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
2a697b1b71427e56963db709481377e85eeb1795b1aaa6bc774778060c77c94c.exe
-
Size
125KB
-
MD5
e253d4ba09d8c0f0e7f6bd0da11cdeff
-
SHA1
d58d093e2ec265c7a7b965d15c71ff262ea8e253
-
SHA256
2a697b1b71427e56963db709481377e85eeb1795b1aaa6bc774778060c77c94c
-
SHA512
1bf8b5fdbed4967d36e4bd0d4e1572f97d0e50c6b8803242a5bf65b464acaed40ce67c0fcaa6e0a5f0a31e093cc69516699174379694d1cb6d99ad593ee74faa
-
SSDEEP
3072:zkpaQxWgn1PZX/xzph3kgEcM1WdTCn93OGey/ZhJakrPF:sn1xX/hScjTCndOGeKTaG
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjaoplho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkmldbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coladm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkogpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nohddd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igeddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jinfli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhqhmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejglo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clclhmin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cenmfbml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeokba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpmog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Celpqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iojopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Noagjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocfiif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeenapck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emgdmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igeddb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolhdbjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjhfjpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogdaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Famcbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgbfcjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjmmffgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hadfah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oapcfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccnddg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpdhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijfqfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Manjaldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbblkaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfbjdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjgcecja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnmjpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nedifo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlbaqfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmkjgfmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joebccpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfkclf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngjoif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohjkcile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anmbje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmkjgfmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbnam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbdipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqojhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbchkime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faijggao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghghnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lffmpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odqlhjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnofaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgqion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Golgon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kenjgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ailqfooi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbkdpnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmiolk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlgkbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aebakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bodhjdcc.exe -
Executes dropped EXE 64 IoCs
pid Process 2744 Ncnjeh32.exe 2888 Nflfad32.exe 2592 Oodjjign.exe 2604 Ofobgc32.exe 2676 Onjgkf32.exe 444 Oddphp32.exe 1144 Oknhdjko.exe 2912 Obhpad32.exe 1908 Oiahnnji.exe 2980 Ogdhik32.exe 264 Oqmmbqgd.exe 2344 Oggeokoq.exe 588 Oqojhp32.exe 2336 Pgibdjln.exe 1708 Pncjad32.exe 2640 Ppdfimji.exe 1560 Pfnoegaf.exe 1612 Pimkbbpi.exe 1788 Ppgcol32.exe 1828 Pbepkh32.exe 2200 Pmkdhq32.exe 2412 Ppipdl32.exe 304 Pfchqf32.exe 2700 Ppkmjlca.exe 2784 Pbjifgcd.exe 2900 Plbmom32.exe 2716 Qnqjkh32.exe 2568 Qekbgbpf.exe 2628 Qncfphff.exe 1304 Qaablcej.exe 2264 Qlggjlep.exe 2084 Anecfgdc.exe 2180 Aeokba32.exe 2944 Afqhjj32.exe 2232 Anhpkg32.exe 776 Apilcoho.exe 1740 Ahpddmia.exe 532 Aahimb32.exe 2088 Adgein32.exe 2056 Aicmadmm.exe 3040 Adiaommc.exe 1080 Afgnkilf.exe 540 Aldfcpjn.exe 2776 Bfjkphjd.exe 1936 Bihgmdih.exe 1472 Bpboinpd.exe 2880 Boeoek32.exe 2448 Beogaenl.exe 2760 Bhndnpnp.exe 2792 Bklpjlmc.exe 2668 Bbchkime.exe 2620 Bimphc32.exe 2252 Bhpqcpkm.exe 2896 Bojipjcj.exe 2368 Bceeqi32.exe 860 Bedamd32.exe 884 Bhbmip32.exe 2008 Boleejag.exe 2392 Bnofaf32.exe 1356 Befnbd32.exe 912 Bhdjno32.exe 988 Bkcfjk32.exe 644 Boobki32.exe 2504 Cppobaeb.exe -
Loads dropped DLL 64 IoCs
pid Process 3052 2a697b1b71427e56963db709481377e85eeb1795b1aaa6bc774778060c77c94c.exe 3052 2a697b1b71427e56963db709481377e85eeb1795b1aaa6bc774778060c77c94c.exe 2744 Ncnjeh32.exe 2744 Ncnjeh32.exe 2888 Nflfad32.exe 2888 Nflfad32.exe 2592 Oodjjign.exe 2592 Oodjjign.exe 2604 Ofobgc32.exe 2604 Ofobgc32.exe 2676 Onjgkf32.exe 2676 Onjgkf32.exe 444 Oddphp32.exe 444 Oddphp32.exe 1144 Oknhdjko.exe 1144 Oknhdjko.exe 2912 Obhpad32.exe 2912 Obhpad32.exe 1908 Oiahnnji.exe 1908 Oiahnnji.exe 2980 Ogdhik32.exe 2980 Ogdhik32.exe 264 Oqmmbqgd.exe 264 Oqmmbqgd.exe 2344 Oggeokoq.exe 2344 Oggeokoq.exe 588 Oqojhp32.exe 588 Oqojhp32.exe 2336 Pgibdjln.exe 2336 Pgibdjln.exe 1708 Pncjad32.exe 1708 Pncjad32.exe 2640 Ppdfimji.exe 2640 Ppdfimji.exe 1560 Pfnoegaf.exe 1560 Pfnoegaf.exe 1612 Pimkbbpi.exe 1612 Pimkbbpi.exe 1788 Ppgcol32.exe 1788 Ppgcol32.exe 1828 Pbepkh32.exe 1828 Pbepkh32.exe 2200 Pmkdhq32.exe 2200 Pmkdhq32.exe 2412 Ppipdl32.exe 2412 Ppipdl32.exe 304 Pfchqf32.exe 304 Pfchqf32.exe 2700 Ppkmjlca.exe 2700 Ppkmjlca.exe 2784 Pbjifgcd.exe 2784 Pbjifgcd.exe 2900 Plbmom32.exe 2900 Plbmom32.exe 2716 Qnqjkh32.exe 2716 Qnqjkh32.exe 2568 Qekbgbpf.exe 2568 Qekbgbpf.exe 2628 Qncfphff.exe 2628 Qncfphff.exe 1304 Qaablcej.exe 1304 Qaablcej.exe 2264 Qlggjlep.exe 2264 Qlggjlep.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cppobaeb.exe Boobki32.exe File opened for modification C:\Windows\SysWOW64\Gbffjmmp.exe Gpgjnbnl.exe File created C:\Windows\SysWOW64\Hnmcli32.exe Hkogpn32.exe File opened for modification C:\Windows\SysWOW64\Jipcbidn.exe Jfagemej.exe File created C:\Windows\SysWOW64\Ogdhik32.exe Oiahnnji.exe File opened for modification C:\Windows\SysWOW64\Adiaommc.exe Aicmadmm.exe File created C:\Windows\SysWOW64\Embkbdce.exe Eifobe32.exe File opened for modification C:\Windows\SysWOW64\Kglfcd32.exe Kenjgi32.exe File created C:\Windows\SysWOW64\Mheeif32.exe Mdjihgef.exe File created C:\Windows\SysWOW64\Llmhgcfd.dll Fpbqcb32.exe File created C:\Windows\SysWOW64\Mhalngad.exe Mdepmh32.exe File created C:\Windows\SysWOW64\Boleejag.exe Bhbmip32.exe File created C:\Windows\SysWOW64\Cenancce.dll Igcgnbim.exe File opened for modification C:\Windows\SysWOW64\Ollqllod.exe Onipqp32.exe File created C:\Windows\SysWOW64\Qaqlbmbn.exe Qijdqp32.exe File created C:\Windows\SysWOW64\Ggqbii32.dll Clfhml32.exe File created C:\Windows\SysWOW64\Dnfhqi32.exe Dkgldm32.exe File opened for modification C:\Windows\SysWOW64\Fabmmejd.exe Fikelhib.exe File opened for modification C:\Windows\SysWOW64\Jbfkeo32.exe Johoic32.exe File opened for modification C:\Windows\SysWOW64\Knfopnkk.exe Klhbdclg.exe File opened for modification C:\Windows\SysWOW64\Kpjhnfof.exe Kaggbihl.exe File created C:\Windows\SysWOW64\Mlaecdec.dll Pkjqcg32.exe File created C:\Windows\SysWOW64\Ecjgio32.exe Epnkip32.exe File created C:\Windows\SysWOW64\Eqngcc32.exe Embkbdce.exe File created C:\Windows\SysWOW64\Pnifdmnc.dll Nhcebj32.exe File opened for modification C:\Windows\SysWOW64\Pildgl32.exe Pfnhkq32.exe File created C:\Windows\SysWOW64\Jhibakgh.dll Cjjpag32.exe File created C:\Windows\SysWOW64\Dnhefh32.exe Djmiejji.exe File created C:\Windows\SysWOW64\Fhjhdp32.exe Fpbqcb32.exe File created C:\Windows\SysWOW64\Lakfjp32.dll Lpldcfmd.exe File created C:\Windows\SysWOW64\Llcehg32.exe Lidilk32.exe File created C:\Windows\SysWOW64\Chobpcbd.dll Llebnfpe.exe File created C:\Windows\SysWOW64\Ogmkne32.exe Ohjkcile.exe File opened for modification C:\Windows\SysWOW64\Beogaenl.exe Boeoek32.exe File created C:\Windows\SysWOW64\Bhdjno32.exe Befnbd32.exe File opened for modification C:\Windows\SysWOW64\Hgfheodo.exe Hdgkicek.exe File created C:\Windows\SysWOW64\Pcppbl32.dll Hoalia32.exe File created C:\Windows\SysWOW64\Lqeipj32.dll Jqeomfgc.exe File created C:\Windows\SysWOW64\Lpckce32.exe Lhlbbg32.exe File created C:\Windows\SysWOW64\Ikonfbfj.dll Ogdhik32.exe File opened for modification C:\Windows\SysWOW64\Aegkfpah.exe Abinjdad.exe File opened for modification C:\Windows\SysWOW64\Oknhdjko.exe Oddphp32.exe File created C:\Windows\SysWOW64\Mgnedp32.dll Eqngcc32.exe File created C:\Windows\SysWOW64\Dfhgggim.exe Dcjjkkji.exe File created C:\Windows\SysWOW64\Pdjlfgfl.dll Iemalkgd.exe File opened for modification C:\Windows\SysWOW64\Jmgfgham.exe Jjijkmbi.exe File created C:\Windows\SysWOW64\Aopnanlf.dll Hnmcli32.exe File created C:\Windows\SysWOW64\Lffmpp32.exe Lchqcd32.exe File created C:\Windows\SysWOW64\Pofldf32.exe Pkjqcg32.exe File created C:\Windows\SysWOW64\Pfekjn32.dll Qcjoci32.exe File opened for modification C:\Windows\SysWOW64\Alofnj32.exe Aiqjao32.exe File opened for modification C:\Windows\SysWOW64\Bdfjnkne.exe Blobmm32.exe File created C:\Windows\SysWOW64\Gnokee32.dll Ppipdl32.exe File created C:\Windows\SysWOW64\Eiilge32.exe Efjpkj32.exe File created C:\Windows\SysWOW64\Akomon32.dll Eepmlf32.exe File created C:\Windows\SysWOW64\Klhbdclg.exe Kglfcd32.exe File created C:\Windows\SysWOW64\Eebibf32.exe Enhaeldn.exe File created C:\Windows\SysWOW64\Ebooboeb.dll Hememgdi.exe File created C:\Windows\SysWOW64\Iocioq32.exe Ilemce32.exe File created C:\Windows\SysWOW64\Nkkndgbj.dll Ocfiif32.exe File created C:\Windows\SysWOW64\Oaonla32.dll Kolhdbjh.exe File opened for modification C:\Windows\SysWOW64\Negeln32.exe Nommodjj.exe File created C:\Windows\SysWOW64\Nnbjpqoa.exe Nkdndeon.exe File created C:\Windows\SysWOW64\Cmpbigma.dll Bodhjdcc.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfkclf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jipcbidn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onipqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmecbkgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bihgmdih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhbdclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naimepkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfikod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfabkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Magdam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmgifa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hganjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaablcej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflfad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnkip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnfhqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knaeeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdgmbhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpnngi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnmal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfpdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbdhepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffqqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kigibh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkaane32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpgfmeag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkaeob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbblkaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Admgglep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfacdqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdgkicek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceickb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eebibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmbgageq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gminbfoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qanolm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphehidc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bldpiifb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcofica.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjfhkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinfli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llcehg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odcimipf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgnoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qncfphff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnofaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qekbgbpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclcon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfjkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abgaeddg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befnbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbbinig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffjljmla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjqcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpgecq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkffi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lchqcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciepkajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iklfia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neblqoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qijdqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnmjpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nommodjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhpad32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chobmj32.dll" Gipngg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhnnnbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lchqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkndgbj.dll" Ocfiif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalmek32.dll" Bdodmlcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpfecckm.dll" Afndjdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afpapcnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdodmlcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcjjkkji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecjgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkmldbcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkdbea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbbaj32.dll" Odqlhjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmnofp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofobgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhpqcpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqhifni.dll" Mheeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhbop32.dll" Bdaabk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blobmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmddik32.dll" Mpnngi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eebibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbhhkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jibpghbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cblaaajo.dll" Knfopnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apkicpej.dll" Lhlbbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bphaglgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifpfl32.dll" Oqmmbqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fakglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fikelhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mafalppn.dll" Oomjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogdaod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbhhkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kffqqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmnofp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beogaenl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnqnoqah.dll" Fjckelfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mphajbdq.dll" Fnadkjlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hememgdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnkffi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chjmmnnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbilmqm.dll" Jjijkmbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ooofcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facqnfnm.dll" Pdnkanfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncnjeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bojipjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqmojc32.dll" Hhnnnbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqaiha32.dll" Hgfheodo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifbkgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aljmbknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohefjhb.dll" Pgaahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkojoghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfpmog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fedfgejh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Liblfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbikig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflpan32.dll" Nepokogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Einebddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjaoplho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnadkjlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hofjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpgfmeag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolgka32.dll" Oddphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbole32.dll" Adiaommc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmlmc32.dll" Boleejag.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3052 wrote to memory of 2744 3052 2a697b1b71427e56963db709481377e85eeb1795b1aaa6bc774778060c77c94c.exe 30 PID 3052 wrote to memory of 2744 3052 2a697b1b71427e56963db709481377e85eeb1795b1aaa6bc774778060c77c94c.exe 30 PID 3052 wrote to memory of 2744 3052 2a697b1b71427e56963db709481377e85eeb1795b1aaa6bc774778060c77c94c.exe 30 PID 3052 wrote to memory of 2744 3052 2a697b1b71427e56963db709481377e85eeb1795b1aaa6bc774778060c77c94c.exe 30 PID 2744 wrote to memory of 2888 2744 Ncnjeh32.exe 31 PID 2744 wrote to memory of 2888 2744 Ncnjeh32.exe 31 PID 2744 wrote to memory of 2888 2744 Ncnjeh32.exe 31 PID 2744 wrote to memory of 2888 2744 Ncnjeh32.exe 31 PID 2888 wrote to memory of 2592 2888 Nflfad32.exe 32 PID 2888 wrote to memory of 2592 2888 Nflfad32.exe 32 PID 2888 wrote to memory of 2592 2888 Nflfad32.exe 32 PID 2888 wrote to memory of 2592 2888 Nflfad32.exe 32 PID 2592 wrote to memory of 2604 2592 Oodjjign.exe 33 PID 2592 wrote to memory of 2604 2592 Oodjjign.exe 33 PID 2592 wrote to memory of 2604 2592 Oodjjign.exe 33 PID 2592 wrote to memory of 2604 2592 Oodjjign.exe 33 PID 2604 wrote to memory of 2676 2604 Ofobgc32.exe 34 PID 2604 wrote to memory of 2676 2604 Ofobgc32.exe 34 PID 2604 wrote to memory of 2676 2604 Ofobgc32.exe 34 PID 2604 wrote to memory of 2676 2604 Ofobgc32.exe 34 PID 2676 wrote to memory of 444 2676 Onjgkf32.exe 35 PID 2676 wrote to memory of 444 2676 Onjgkf32.exe 35 PID 2676 wrote to memory of 444 2676 Onjgkf32.exe 35 PID 2676 wrote to memory of 444 2676 Onjgkf32.exe 35 PID 444 wrote to memory of 1144 444 Oddphp32.exe 36 PID 444 wrote to memory of 1144 444 Oddphp32.exe 36 PID 444 wrote to memory of 1144 444 Oddphp32.exe 36 PID 444 wrote to memory of 1144 444 Oddphp32.exe 36 PID 1144 wrote to memory of 2912 1144 Oknhdjko.exe 37 PID 1144 wrote to memory of 2912 1144 Oknhdjko.exe 37 PID 1144 wrote to memory of 2912 1144 Oknhdjko.exe 37 PID 1144 wrote to memory of 2912 1144 Oknhdjko.exe 37 PID 2912 wrote to memory of 1908 2912 Obhpad32.exe 38 PID 2912 wrote to memory of 1908 2912 Obhpad32.exe 38 PID 2912 wrote to memory of 1908 2912 Obhpad32.exe 38 PID 2912 wrote to memory of 1908 2912 Obhpad32.exe 38 PID 1908 wrote to memory of 2980 1908 Oiahnnji.exe 39 PID 1908 wrote to memory of 2980 1908 Oiahnnji.exe 39 PID 1908 wrote to memory of 2980 1908 Oiahnnji.exe 39 PID 1908 wrote to memory of 2980 1908 Oiahnnji.exe 39 PID 2980 wrote to memory of 264 2980 Ogdhik32.exe 40 PID 2980 wrote to memory of 264 2980 Ogdhik32.exe 40 PID 2980 wrote to memory of 264 2980 Ogdhik32.exe 40 PID 2980 wrote to memory of 264 2980 Ogdhik32.exe 40 PID 264 wrote to memory of 2344 264 Oqmmbqgd.exe 41 PID 264 wrote to memory of 2344 264 Oqmmbqgd.exe 41 PID 264 wrote to memory of 2344 264 Oqmmbqgd.exe 41 PID 264 wrote to memory of 2344 264 Oqmmbqgd.exe 41 PID 2344 wrote to memory of 588 2344 Oggeokoq.exe 42 PID 2344 wrote to memory of 588 2344 Oggeokoq.exe 42 PID 2344 wrote to memory of 588 2344 Oggeokoq.exe 42 PID 2344 wrote to memory of 588 2344 Oggeokoq.exe 42 PID 588 wrote to memory of 2336 588 Oqojhp32.exe 43 PID 588 wrote to memory of 2336 588 Oqojhp32.exe 43 PID 588 wrote to memory of 2336 588 Oqojhp32.exe 43 PID 588 wrote to memory of 2336 588 Oqojhp32.exe 43 PID 2336 wrote to memory of 1708 2336 Pgibdjln.exe 44 PID 2336 wrote to memory of 1708 2336 Pgibdjln.exe 44 PID 2336 wrote to memory of 1708 2336 Pgibdjln.exe 44 PID 2336 wrote to memory of 1708 2336 Pgibdjln.exe 44 PID 1708 wrote to memory of 2640 1708 Pncjad32.exe 45 PID 1708 wrote to memory of 2640 1708 Pncjad32.exe 45 PID 1708 wrote to memory of 2640 1708 Pncjad32.exe 45 PID 1708 wrote to memory of 2640 1708 Pncjad32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a697b1b71427e56963db709481377e85eeb1795b1aaa6bc774778060c77c94c.exe"C:\Users\Admin\AppData\Local\Temp\2a697b1b71427e56963db709481377e85eeb1795b1aaa6bc774778060c77c94c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Ncnjeh32.exeC:\Windows\system32\Ncnjeh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Nflfad32.exeC:\Windows\system32\Nflfad32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Oodjjign.exeC:\Windows\system32\Oodjjign.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Ofobgc32.exeC:\Windows\system32\Ofobgc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Onjgkf32.exeC:\Windows\system32\Onjgkf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Oddphp32.exeC:\Windows\system32\Oddphp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\Oknhdjko.exeC:\Windows\system32\Oknhdjko.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Obhpad32.exeC:\Windows\system32\Obhpad32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Oiahnnji.exeC:\Windows\system32\Oiahnnji.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Ogdhik32.exeC:\Windows\system32\Ogdhik32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Oqmmbqgd.exeC:\Windows\system32\Oqmmbqgd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Oggeokoq.exeC:\Windows\system32\Oggeokoq.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Oqojhp32.exeC:\Windows\system32\Oqojhp32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Pgibdjln.exeC:\Windows\system32\Pgibdjln.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Pncjad32.exeC:\Windows\system32\Pncjad32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Ppdfimji.exeC:\Windows\system32\Ppdfimji.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Pfnoegaf.exeC:\Windows\system32\Pfnoegaf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Pimkbbpi.exeC:\Windows\system32\Pimkbbpi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Ppgcol32.exeC:\Windows\system32\Ppgcol32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Pbepkh32.exeC:\Windows\system32\Pbepkh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828 -
C:\Windows\SysWOW64\Pmkdhq32.exeC:\Windows\system32\Pmkdhq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Ppipdl32.exeC:\Windows\system32\Ppipdl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Pfchqf32.exeC:\Windows\system32\Pfchqf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304 -
C:\Windows\SysWOW64\Ppkmjlca.exeC:\Windows\system32\Ppkmjlca.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Pbjifgcd.exeC:\Windows\system32\Pbjifgcd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Plbmom32.exeC:\Windows\system32\Plbmom32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Qnqjkh32.exeC:\Windows\system32\Qnqjkh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Qekbgbpf.exeC:\Windows\system32\Qekbgbpf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Qncfphff.exeC:\Windows\system32\Qncfphff.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Qaablcej.exeC:\Windows\system32\Qaablcej.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1304 -
C:\Windows\SysWOW64\Qlggjlep.exeC:\Windows\system32\Qlggjlep.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Anecfgdc.exeC:\Windows\system32\Anecfgdc.exe33⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Aeokba32.exeC:\Windows\system32\Aeokba32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Afqhjj32.exeC:\Windows\system32\Afqhjj32.exe35⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Anhpkg32.exeC:\Windows\system32\Anhpkg32.exe36⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Apilcoho.exeC:\Windows\system32\Apilcoho.exe37⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Ahpddmia.exeC:\Windows\system32\Ahpddmia.exe38⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Aahimb32.exeC:\Windows\system32\Aahimb32.exe39⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Adgein32.exeC:\Windows\system32\Adgein32.exe40⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Aicmadmm.exeC:\Windows\system32\Aicmadmm.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Adiaommc.exeC:\Windows\system32\Adiaommc.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Afgnkilf.exeC:\Windows\system32\Afgnkilf.exe43⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Aldfcpjn.exeC:\Windows\system32\Aldfcpjn.exe44⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Bfjkphjd.exeC:\Windows\system32\Bfjkphjd.exe45⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Bihgmdih.exeC:\Windows\system32\Bihgmdih.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\Bpboinpd.exeC:\Windows\system32\Bpboinpd.exe47⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Boeoek32.exeC:\Windows\system32\Boeoek32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Beogaenl.exeC:\Windows\system32\Beogaenl.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Bhndnpnp.exeC:\Windows\system32\Bhndnpnp.exe50⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Bklpjlmc.exeC:\Windows\system32\Bklpjlmc.exe51⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Bbchkime.exeC:\Windows\system32\Bbchkime.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Bimphc32.exeC:\Windows\system32\Bimphc32.exe53⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Bhpqcpkm.exeC:\Windows\system32\Bhpqcpkm.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Bojipjcj.exeC:\Windows\system32\Bojipjcj.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Bceeqi32.exeC:\Windows\system32\Bceeqi32.exe56⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Bedamd32.exeC:\Windows\system32\Bedamd32.exe57⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Bhbmip32.exeC:\Windows\system32\Bhbmip32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Boleejag.exeC:\Windows\system32\Boleejag.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Bnofaf32.exeC:\Windows\system32\Bnofaf32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Befnbd32.exeC:\Windows\system32\Befnbd32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\Bhdjno32.exeC:\Windows\system32\Bhdjno32.exe62⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Bkcfjk32.exeC:\Windows\system32\Bkcfjk32.exe63⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Boobki32.exeC:\Windows\system32\Boobki32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:644 -
C:\Windows\SysWOW64\Cppobaeb.exeC:\Windows\system32\Cppobaeb.exe65⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Cdkkcp32.exeC:\Windows\system32\Cdkkcp32.exe66⤵PID:1920
-
C:\Windows\SysWOW64\Cgjgol32.exeC:\Windows\system32\Cgjgol32.exe67⤵PID:2112
-
C:\Windows\SysWOW64\Cjhckg32.exeC:\Windows\system32\Cjhckg32.exe68⤵PID:2840
-
C:\Windows\SysWOW64\Caokmd32.exeC:\Windows\system32\Caokmd32.exe69⤵PID:2580
-
C:\Windows\SysWOW64\Cpbkhabp.exeC:\Windows\system32\Cpbkhabp.exe70⤵PID:2600
-
C:\Windows\SysWOW64\Ckhpejbf.exeC:\Windows\system32\Ckhpejbf.exe71⤵PID:2080
-
C:\Windows\SysWOW64\Cjjpag32.exeC:\Windows\system32\Cjjpag32.exe72⤵
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Cpdhna32.exeC:\Windows\system32\Cpdhna32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2364 -
C:\Windows\SysWOW64\Cdpdnpif.exeC:\Windows\system32\Cdpdnpif.exe74⤵PID:2796
-
C:\Windows\SysWOW64\Cjmmffgn.exeC:\Windows\system32\Cjmmffgn.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:784 -
C:\Windows\SysWOW64\Cnhhge32.exeC:\Windows\system32\Cnhhge32.exe76⤵PID:572
-
C:\Windows\SysWOW64\Cpgecq32.exeC:\Windows\system32\Cpgecq32.exe77⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Cojeomee.exeC:\Windows\system32\Cojeomee.exe78⤵PID:3016
-
C:\Windows\SysWOW64\Cfcmlg32.exeC:\Windows\system32\Cfcmlg32.exe79⤵PID:2380
-
C:\Windows\SysWOW64\Chbihc32.exeC:\Windows\system32\Chbihc32.exe80⤵PID:1820
-
C:\Windows\SysWOW64\Cpiaipmh.exeC:\Windows\system32\Cpiaipmh.exe81⤵PID:1664
-
C:\Windows\SysWOW64\Coladm32.exeC:\Windows\system32\Coladm32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:888 -
C:\Windows\SysWOW64\Cffjagko.exeC:\Windows\system32\Cffjagko.exe83⤵PID:1912
-
C:\Windows\SysWOW64\Dhdfmbjc.exeC:\Windows\system32\Dhdfmbjc.exe84⤵PID:2712
-
C:\Windows\SysWOW64\Dkbbinig.exeC:\Windows\system32\Dkbbinig.exe85⤵
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Dcjjkkji.exeC:\Windows\system32\Dcjjkkji.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Dfhgggim.exeC:\Windows\system32\Dfhgggim.exe87⤵PID:2540
-
C:\Windows\SysWOW64\Ddkgbc32.exeC:\Windows\system32\Ddkgbc32.exe88⤵PID:2544
-
C:\Windows\SysWOW64\Dlboca32.exeC:\Windows\system32\Dlboca32.exe89⤵PID:2388
-
C:\Windows\SysWOW64\Doqkpl32.exeC:\Windows\system32\Doqkpl32.exe90⤵PID:1652
-
C:\Windows\SysWOW64\Dboglhna.exeC:\Windows\system32\Dboglhna.exe91⤵PID:1944
-
C:\Windows\SysWOW64\Dfkclf32.exeC:\Windows\system32\Dfkclf32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\SysWOW64\Dglpdomh.exeC:\Windows\system32\Dglpdomh.exe93⤵PID:1400
-
C:\Windows\SysWOW64\Dkgldm32.exeC:\Windows\system32\Dkgldm32.exe94⤵
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Dnfhqi32.exeC:\Windows\system32\Dnfhqi32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Dbadagln.exeC:\Windows\system32\Dbadagln.exe96⤵PID:2708
-
C:\Windows\SysWOW64\Ddppmclb.exeC:\Windows\system32\Ddppmclb.exe97⤵PID:2672
-
C:\Windows\SysWOW64\Dhklna32.exeC:\Windows\system32\Dhklna32.exe98⤵PID:2588
-
C:\Windows\SysWOW64\Djmiejji.exeC:\Windows\system32\Djmiejji.exe99⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Dnhefh32.exeC:\Windows\system32\Dnhefh32.exe100⤵PID:108
-
C:\Windows\SysWOW64\Dqfabdaf.exeC:\Windows\system32\Dqfabdaf.exe101⤵PID:3068
-
C:\Windows\SysWOW64\Ddbmcb32.exeC:\Windows\system32\Ddbmcb32.exe102⤵PID:2652
-
C:\Windows\SysWOW64\Dgqion32.exeC:\Windows\system32\Dgqion32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1712 -
C:\Windows\SysWOW64\Djoeki32.exeC:\Windows\system32\Djoeki32.exe104⤵PID:2892
-
C:\Windows\SysWOW64\Dqinhcoc.exeC:\Windows\system32\Dqinhcoc.exe105⤵PID:924
-
C:\Windows\SysWOW64\Egcfdn32.exeC:\Windows\system32\Egcfdn32.exe106⤵PID:1628
-
C:\Windows\SysWOW64\Ejabqi32.exeC:\Windows\system32\Ejabqi32.exe107⤵PID:1792
-
C:\Windows\SysWOW64\Enmnahnm.exeC:\Windows\system32\Enmnahnm.exe108⤵PID:1748
-
C:\Windows\SysWOW64\Epnkip32.exeC:\Windows\system32\Epnkip32.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Ecjgio32.exeC:\Windows\system32\Ecjgio32.exe110⤵
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Ejcofica.exeC:\Windows\system32\Ejcofica.exe111⤵
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Eifobe32.exeC:\Windows\system32\Eifobe32.exe112⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Embkbdce.exeC:\Windows\system32\Embkbdce.exe113⤵
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Eqngcc32.exeC:\Windows\system32\Eqngcc32.exe114⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Eclcon32.exeC:\Windows\system32\Eclcon32.exe115⤵
- System Location Discovery: System Language Discovery
PID:804 -
C:\Windows\SysWOW64\Efjpkj32.exeC:\Windows\system32\Efjpkj32.exe116⤵
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Eiilge32.exeC:\Windows\system32\Eiilge32.exe117⤵PID:1548
-
C:\Windows\SysWOW64\Ekghcq32.exeC:\Windows\system32\Ekghcq32.exe118⤵PID:2596
-
C:\Windows\SysWOW64\Ecnpdnho.exeC:\Windows\system32\Ecnpdnho.exe119⤵PID:1040
-
C:\Windows\SysWOW64\Eepmlf32.exeC:\Windows\system32\Eepmlf32.exe120⤵
- Drops file in System32 directory
PID:1256 -
C:\Windows\SysWOW64\Emgdmc32.exeC:\Windows\system32\Emgdmc32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-