Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 02/09/2024, 22:13
Static task: static1
Behavioral task: behavioral1
  Sample: de31ca84aa3b724b2043dbfacd273120N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: de31ca84aa3b724b2043dbfacd273120N.exe
  Resource: win10v2004-20240802-en
General
Target: de31ca84aa3b724b2043dbfacd273120N.exe
Size: 62KB
MD5: de31ca84aa3b724b2043dbfacd273120
SHA1: 56606533efdfef688e6d6741a12bcdc709e75aa8
SHA256: 6749e5b1d17161c6693bac81758006d1716048567388bd620f72dfd22938e809
SHA512: 44a61c18ec5a071f96e2254b574c41342d3efe9d6c8dbeedbf8e1185fb7f75a85c0adae4a43f35de147e23b7123cf8d422f374db71931cde9fd64f72fc1f2d29
SSDEEP: 1536:sgp5cg3+judBtBoDuGGyinrBHGuX66yvve8Cy:N5cm+ydaiLGuX66Gve8
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaqkcimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkelpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkibjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hocmpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpqjmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facdgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mecglbfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maiqfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baealp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eannmi32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eelgcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhglop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kelmbifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojkhjabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpokjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haemloni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjiljf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miocmq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngeljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pflbpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecgjdong.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kffqqm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llhocfnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdhbci32.exe Key 
created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhmbdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbqkeioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bojipjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhbbcail.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcleiclo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcokpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkmldbcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doabjbci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmficl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehmpeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boobki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqgmmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pilbocej.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emgkhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mldeik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlanhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Donojm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbdham32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eclcon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjljpnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afpogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbglpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbdagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baealp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nigldq32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gedbfimc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqbbhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnifaajh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmiolk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhhominh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ochenfdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpmned32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdlfngcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clfhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caenkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hekefkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liblfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cceapl32.exe Key 
created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphcppmo.exe
Executes dropped EXE (64 IoCs)
pid Process
2772 Nnahgh32.exe
2128 Nqpdcc32.exe
2824 Nigldq32.exe
2552 Ngjlpmnn.exe
2404 Ncamen32.exe
1060 Omiand32.exe
2192 Oepjoa32.exe
1320 Oninhgae.exe
568 Oqgjdbpi.exe
1032 Ochcem32.exe
1788 Ojblbgdg.exe
592 Ocjpkm32.exe
2120 Oighcd32.exe
2220 Pbomli32.exe
1376 Penihe32.exe
932 Padjmfdg.exe
3032 Pilbocej.exe
1932 Pebbcdkn.exe
1756 Pdecoa32.exe
1264 Pllkpn32.exe
2760 Paiche32.exe
1580 Pdjljpnc.exe
2848 Pfhhflmg.exe
2820 Qanmcdlm.exe
2728 Qdlipplq.exe
2136 Qboikm32.exe
2444 Qmenhe32.exe
1804 Afmbak32.exe
2648 Amgjnepn.exe
2828 Aljjjb32.exe
1244 Apefjqob.exe
2380 Afpogk32.exe
1784 Ainkcf32.exe
780 Ahqkocmm.exe
348 Aphcppmo.exe
2168 Abfoll32.exe
2364 Aedlhg32.exe
2140 Aipgifcp.exe
1600 Ahchdb32.exe
888 Alodeacc.exe
300 Aompambg.exe
1728 Aaklmhak.exe
680 Aeghng32.exe
2080 Adjhicpo.exe
1304 Akdafn32.exe
2408 Aanibhoh.exe
1716 Adleoc32.exe
2592 Ahhaobfe.exe
3060 Agkako32.exe
1260 Aoaill32.exe
408 Bpcfcddp.exe
2008 Bdobdc32.exe
1672 Bhjneadb.exe
2540 Bkhjamcf.exe
1956 Bikjmj32.exe
2452 Bngfmhbj.exe
1760 Bpebidam.exe
2368 Bccoeo32.exe
3008 Bkkgfm32.exe
1860 Bjngbihn.exe
3040 Bnicbh32.exe
1928 Bphooc32.exe
1736 Bphooc32.exe
2424 Bdckobhd.exe
Loads dropped DLL (64 IoCs)
pid Process
2012 de31ca84aa3b724b2043dbfacd273120N.exe
2012 de31ca84aa3b724b2043dbfacd273120N.exe
2772 Nnahgh32.exe
2772 Nnahgh32.exe
2128 Nqpdcc32.exe
2128 Nqpdcc32.exe
2824 Nigldq32.exe
2824 Nigldq32.exe
2552 Ngjlpmnn.exe
2552 Ngjlpmnn.exe
2404 Ncamen32.exe
2404 Ncamen32.exe
1060 Omiand32.exe
1060 Omiand32.exe
2192 Oepjoa32.exe
2192 Oepjoa32.exe
1320 Oninhgae.exe
1320 Oninhgae.exe
568 Oqgjdbpi.exe
568 Oqgjdbpi.exe
1032 Ochcem32.exe
1032 Ochcem32.exe
1788 Ojblbgdg.exe
1788 Ojblbgdg.exe
592 Ocjpkm32.exe
592 Ocjpkm32.exe
2120 Oighcd32.exe
2120 Oighcd32.exe
2220 Pbomli32.exe
2220 Pbomli32.exe
1376 Penihe32.exe
1376 Penihe32.exe
932 Padjmfdg.exe
932 Padjmfdg.exe
3032 Pilbocej.exe
3032 Pilbocej.exe
1932 Pebbcdkn.exe
1932 Pebbcdkn.exe
1756 Pdecoa32.exe
1756 Pdecoa32.exe
1264 Pllkpn32.exe
1264 Pllkpn32.exe
2760 Paiche32.exe
2760 Paiche32.exe
1580 Pdjljpnc.exe
1580 Pdjljpnc.exe
2848 Pfhhflmg.exe
2848 Pfhhflmg.exe
2820 Qanmcdlm.exe
2820 Qanmcdlm.exe
2728 Qdlipplq.exe
2728 Qdlipplq.exe
2136 Qboikm32.exe
2136 Qboikm32.exe
2444 Qmenhe32.exe
2444 Qmenhe32.exe
1804 Afmbak32.exe
1804 Afmbak32.exe
2648 Amgjnepn.exe
2648 Amgjnepn.exe
2828 Aljjjb32.exe
2828 Aljjjb32.exe
1244 Apefjqob.exe
1244 Apefjqob.exe
Drops file in System32 directory (64 IoCs)
description ioc Process File created C:\Windows\SysWOW64\Oighcd32.exe Ocjpkm32.exe File created C:\Windows\SysWOW64\Bcpaqn32.dll Kpbhjh32.exe File created C:\Windows\SysWOW64\Okpdjjil.exe Oiahnnji.exe File created C:\Windows\SysWOW64\Jhibakgh.dll Clilmbhd.exe File created C:\Windows\SysWOW64\Ipippm32.dll Abinjdad.exe File opened for modification C:\Windows\SysWOW64\Haemloni.exe Hcblqb32.exe File created C:\Windows\SysWOW64\Anhpkg32.exe Afqhjj32.exe File created C:\Windows\SysWOW64\Nldeka32.dll Fjaoplho.exe File created C:\Windows\SysWOW64\Gpgjnbnl.exe Gllnnc32.exe File created C:\Windows\SysWOW64\Jjfmem32.exe Jghqia32.exe File created C:\Windows\SysWOW64\Mpmmdhad.dll Lljkif32.exe File opened for modification C:\Windows\SysWOW64\Booiep32.exe Blqmid32.exe File created C:\Windows\SysWOW64\Hhoeii32.exe Hjlemlnk.exe File created C:\Windows\SysWOW64\Lpanne32.exe Ligfakaa.exe File opened for modification C:\Windows\SysWOW64\Qanolm32.exe Qmcclolh.exe File created C:\Windows\SysWOW64\Bdfjnkne.exe Blobmm32.exe File created C:\Windows\SysWOW64\Hgkinbcp.dll Ejioln32.exe File opened for modification C:\Windows\SysWOW64\Ofobgc32.exe Ocpfkh32.exe File created C:\Windows\SysWOW64\Offqpg32.dll Qhkkim32.exe File created C:\Windows\SysWOW64\Cjoilfek.exe Cfcmlg32.exe File created C:\Windows\SysWOW64\Fmncgk32.dll Gbffjmmp.exe File created C:\Windows\SysWOW64\Obckefai.dll Nopaoj32.exe File created C:\Windows\SysWOW64\Gipngg32.exe Gedbfimc.exe File created C:\Windows\SysWOW64\Pflbpg32.exe Pgibdjln.exe File opened for modification C:\Windows\SysWOW64\Lfdpjp32.exe Lcedne32.exe File created C:\Windows\SysWOW64\Gaocdi32.dll Acohnhab.exe File created C:\Windows\SysWOW64\Dgklibdj.dll Hgfooe32.exe File created C:\Windows\SysWOW64\Embkbdce.exe Eifobe32.exe File created C:\Windows\SysWOW64\Epkepakn.exe Eloipb32.exe File created C:\Windows\SysWOW64\Ifbaapfk.exe Igpaec32.exe File created C:\Windows\SysWOW64\Cabcdq32.dll Bklpjlmc.exe File created C:\Windows\SysWOW64\Kglenb32.dll Clkicbfa.exe File 
opened for modification C:\Windows\SysWOW64\Jcleiclo.exe Jdidmf32.exe File created C:\Windows\SysWOW64\Ebialmjb.exe Epkepakn.exe File created C:\Windows\SysWOW64\Lkgifd32.exe Ldmaijdc.exe File created C:\Windows\SysWOW64\Ofiopaap.exe Ockbdebl.exe File created C:\Windows\SysWOW64\Adleoc32.exe Aanibhoh.exe File opened for modification C:\Windows\SysWOW64\Gpmjcg32.exe Gajjhkgh.exe File created C:\Windows\SysWOW64\Ggiofa32.exe Gcmcebkc.exe File created C:\Windows\SysWOW64\Dgqion32.exe Ddbmcb32.exe File created C:\Windows\SysWOW64\Gbffjmmp.exe Gpgjnbnl.exe File opened for modification C:\Windows\SysWOW64\Idbnmgll.exe Ifpnaj32.exe File created C:\Windows\SysWOW64\Cbjhhiqm.dll Ligfakaa.exe File opened for modification C:\Windows\SysWOW64\Bdaabk32.exe Bacefpbg.exe File created C:\Windows\SysWOW64\Nnahgh32.exe de31ca84aa3b724b2043dbfacd273120N.exe File created C:\Windows\SysWOW64\Hhfdfc32.dll Mlmoilni.exe File created C:\Windows\SysWOW64\Plbmom32.exe Phgannal.exe File opened for modification C:\Windows\SysWOW64\Hkjnenbp.exe Hgoadp32.exe File opened for modification C:\Windows\SysWOW64\Penihe32.exe Pbomli32.exe File created C:\Windows\SysWOW64\Cfmlpf32.dll Decdmi32.exe File opened for modification C:\Windows\SysWOW64\Ejklan32.exe Ehmpeb32.exe File created C:\Windows\SysWOW64\Inipeafi.dll Fkkhpadq.exe File created C:\Windows\SysWOW64\Nflpan32.dll Nepokogo.exe File created C:\Windows\SysWOW64\Mokegi32.dll Capdpcge.exe File opened for modification C:\Windows\SysWOW64\Padjmfdg.exe Penihe32.exe File opened for modification C:\Windows\SysWOW64\Piadma32.exe Pefhlcdk.exe File created C:\Windows\SysWOW64\Eaflfbko.dll Amjpgdik.exe File opened for modification C:\Windows\SysWOW64\Ecgjdong.exe Eddjhb32.exe File created C:\Windows\SysWOW64\Ebmbnn32.dll Kpjhnfof.exe File created C:\Windows\SysWOW64\Fbjhhm32.dll Oqlfhjch.exe File created C:\Windows\SysWOW64\Ibddbplp.dll Ochcem32.exe File created C:\Windows\SysWOW64\Hqbdjfbm.dll Bjngbihn.exe File created C:\Windows\SysWOW64\Dcokpa32.exe 
Docopbaf.exe File opened for modification C:\Windows\SysWOW64\Hlhddh32.exe Hijhhl32.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjpceebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpqim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokfjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qanmcdlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjmnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhcad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofjem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afpogk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epkepakn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iianmlfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coafko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpokjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aljmbknm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoimecmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gefolhja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gampaipe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkmldbcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lilfgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpgjnbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioefdpne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malmllfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmned32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikagogco.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hganjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkopndcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lofkoamf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfkkeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedhgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ephdjeol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjkfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddjhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmbnam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagmbkik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghaeoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apnfno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkilka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfkihon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfeeff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdgmbhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmcclolh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahhchk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebbcdkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiofnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilemce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqgmmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qncfphff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Feipbefb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glnkcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgfooe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdngip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehebbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbffjmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Negeln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggcofkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfkjgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfggkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knaeeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehicoom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinfli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnnlboi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfmkjdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oomjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajipkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ailqfooi.exe
Modifies registry class (64 IoCs)
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bphaglgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gplcia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dggekf32.dll" Aiqjao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgqion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmmdhad.dll" Lljkif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onkmfofg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgfmep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnqjkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdojnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnhefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfbaa32.dll" Ijimli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lenffl32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcadpgeb.dll" Ncdpdcfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpkhoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mldeik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omfnnnhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocpfkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amhcad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kapaaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmomfda.dll" Endklmlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omfnnnhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalieb32.dll" Kabngjla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Palbgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikagogco.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omcngamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhdfmbjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piimanjg.dll" Idekbgji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpanne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohjkcile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfigi32.dll" Cbghhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcppkbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgkdigfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mehpga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqpmimbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bimphc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glnkcc32.exe Set value (str) 
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edoblfhf.dll"  Ghekhd32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"  Pbomli32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Bnicbh32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjgff32.dll"  Bdodmlcm.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"  Pbgefa32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Dnckki32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Jmgfgham.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"  Hnnjfo32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"  Lajkbp32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqnocncd.dll"  Kenjgi32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipdmjne.dll"  Bhjpnj32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjonoenh.dll"  Oighcd32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Chlgid32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"  Cgadja32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Ecadddjh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"  Jelhmlgm.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Keango32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Clilmbhd.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Cggcofkf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"  Ckhfpp32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"  Cdqkifmb.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omkicqkc.dll"  Kmficl32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogaceogh.dll"  Anhpkg32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Kpjhnfof.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"  Edcqjc32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32  Jijacjnc.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnllkimj.dll"  Dgfmep32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qojagi32.dll"  Geilah32.exe
-
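The registry records above describe one persistence mechanism from two sides: the ShellServiceObjectDelayLoad (SSODL) value "Web Event Logger" names CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and that CLSID's InProcServer32 default value is repeatedly rewritten to point at a freshly dropped DLL under C:\Windows\SysWow64. On Windows 7 Explorer loads every CLSID listed under SSODL at logon, so the DLL runs inside explorer.exe with no Run key involved. The script below is an added hunting check, not part of the tria.ge report or of the sample: it enumerates both registry views of the SSODL key, resolves each CLSID to its InProcServer32 path, and flags an entry when the CLSID matches the one recorded here, the DLL is unsigned or missing, or the DLL lives outside the Windows system directories. The CLSID is taken from the report and the key paths are the standard registry locations; the flagging rules and the output layout are this example's own choices.

```powershell
# Added hunting check for ShellServiceObjectDelayLoad (SSODL) persistence.
# Not part of the tria.ge report or of the sample. The CLSID below is the one
# recorded in the report; the key paths are the standard registry locations;
# the flagging rules are this example's own choices (assumptions).

$KnownBadClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'   # CLSID recorded in the report

# On 64-bit Windows the SSODL key exists in the native and the WOW64 view;
# the report shows writes to the WOW64 view because the sample is 32-bit.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

# CLSID roots to search for the in-process server registration.
$ClsidRoots = @(
    'HKCU:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Resolve-ClsidServer {
    param([Parameter(Mandatory)][string]$Clsid)
    # Return the first InProcServer32 default value registered for this CLSID,
    # with environment variables expanded, or $null if none is registered.
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

$findings = foreach ($key in $SsodlKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PSPath/PSParentPath/... metadata
        $clsid  = [string]$p.Value
        $dll    = Resolve-ClsidServer -Clsid $clsid
        $status = if ($dll -and (Test-Path -LiteralPath $dll)) {
                      (Get-AuthenticodeSignature -FilePath $dll).Status
                  } else { 'MissingFile' }
        $reasons = @()
        if ($clsid -eq $KnownBadClsid) { $reasons += 'CLSID matches report IOC' }
        if ("$status" -ne 'Valid')     { $reasons += "signature $status" }
        if ($dll -and $dll -notmatch '^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\[^\\]+$') {
            $reasons += 'DLL outside Windows system directories'
        }
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            CLSID   = $clsid
            DLL     = $dll
            Status  = $status
            Suspect = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
foreach ($f in ($findings | Where-Object { $_.Suspect })) {
    Write-Warning "SSODL suspect: '$($f.Name)' -> $($f.DLL) [$($f.Suspect)]"
}
```

Two caveats when using this against a host infected by this sample: the DLL name is not a stable indicator (the report shows the InProcServer32 value being pointed at Edoblfhf.dll, Hdjgff32.dll, Jqnocncd.dll and others by successive copies), so match on the CLSID and on the missing Authenticode signature rather than on a filename; and because the DLLs are dropped into SysWow64, the "outside system directories" rule will not fire for this family, which is exactly why the signature check is kept separate from the path check.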
Suspicious use of WriteProcessMemory 64 IoCs
description                          pid   Process                                  procid_target  count
PID 2012 wrote to memory of 2772     2012  de31ca84aa3b724b2043dbfacd273120N.exe    30             4
PID 2772 wrote to memory of 2128     2772  Nnahgh32.exe                             31             4
PID 2128 wrote to memory of 2824     2128  Nqpdcc32.exe                             32             4
PID 2824 wrote to memory of 2552     2824  Nigldq32.exe                             33             4
PID 2552 wrote to memory of 2404     2552  Ngjlpmnn.exe                             34             4
PID 2404 wrote to memory of 1060     2404  Ncamen32.exe                             35             4
PID 1060 wrote to memory of 2192     1060  Omiand32.exe                             36             4
PID 2192 wrote to memory of 1320     2192  Oepjoa32.exe                             37             4
PID 1320 wrote to memory of 568      1320  Oninhgae.exe                             38             4
PID 568 wrote to memory of 1032      568   Oqgjdbpi.exe                             39             4
PID 1032 wrote to memory of 1788     1032  Ochcem32.exe                             40             4
PID 1788 wrote to memory of 592      1788  Ojblbgdg.exe                             41             4
PID 592 wrote to memory of 2120      592   Ocjpkm32.exe                             42             4
PID 2120 wrote to memory of 2220     2120  Oighcd32.exe                             43             4
PID 2220 wrote to memory of 1376     2220  Pbomli32.exe                             44             4
PID 1376 wrote to memory of 932      1376  Penihe32.exe                             45             4
(count = number of identical WriteProcessMemory records for that parent/child pair; 16 pairs x 4 = the 64 IoCs above. Each process writes only into the child it spawns next, so the writes trace the same linear chain as the process tree below.)
Processes
(depth  image path  PID  command line; behaviour signatures listed beneath each process)

depth 1  C:\Users\Admin\AppData\Local\Temp\de31ca84aa3b724b2043dbfacd273120N.exe  PID 2012  cmdline: "C:\Users\Admin\AppData\Local\Temp\de31ca84aa3b724b2043dbfacd273120N.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
depth 2  C:\Windows\SysWOW64\Nnahgh32.exe  PID 2772  cmdline: C:\Windows\system32\Nnahgh32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 3  C:\Windows\SysWOW64\Nqpdcc32.exe  PID 2128  cmdline: C:\Windows\system32\Nqpdcc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 4  C:\Windows\SysWOW64\Nigldq32.exe  PID 2824  cmdline: C:\Windows\system32\Nigldq32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 5  C:\Windows\SysWOW64\Ngjlpmnn.exe  PID 2552  cmdline: C:\Windows\system32\Ngjlpmnn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 6  C:\Windows\SysWOW64\Ncamen32.exe  PID 2404  cmdline: C:\Windows\system32\Ncamen32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 7  C:\Windows\SysWOW64\Omiand32.exe  PID 1060  cmdline: C:\Windows\system32\Omiand32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 8  C:\Windows\SysWOW64\Oepjoa32.exe  PID 2192  cmdline: C:\Windows\system32\Oepjoa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 9  C:\Windows\SysWOW64\Oninhgae.exe  PID 1320  cmdline: C:\Windows\system32\Oninhgae.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 10  C:\Windows\SysWOW64\Oqgjdbpi.exe  PID 568  cmdline: C:\Windows\system32\Oqgjdbpi.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 11  C:\Windows\SysWOW64\Ochcem32.exe  PID 1032  cmdline: C:\Windows\system32\Ochcem32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
depth 12  C:\Windows\SysWOW64\Ojblbgdg.exe  PID 1788  cmdline: C:\Windows\system32\Ojblbgdg.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 13  C:\Windows\SysWOW64\Ocjpkm32.exe  PID 592  cmdline: C:\Windows\system32\Ocjpkm32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
depth 14  C:\Windows\SysWOW64\Oighcd32.exe  PID 2120  cmdline: C:\Windows\system32\Oighcd32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
depth 15  C:\Windows\SysWOW64\Pbomli32.exe  PID 2220  cmdline: C:\Windows\system32\Pbomli32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
depth 16  C:\Windows\SysWOW64\Penihe32.exe  PID 1376  cmdline: C:\Windows\system32\Penihe32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
depth 17  C:\Windows\SysWOW64\Padjmfdg.exe  PID 932  cmdline: C:\Windows\system32\Padjmfdg.exe
  - Executes dropped EXE
  - Loads dropped DLL
depth 18  C:\Windows\SysWOW64\Pilbocej.exe  PID 3032  cmdline: C:\Windows\system32\Pilbocej.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
depth 19  C:\Windows\SysWOW64\Pebbcdkn.exe  PID 1932  cmdline: C:\Windows\system32\Pebbcdkn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
depth 20  C:\Windows\SysWOW64\Pdecoa32.exe  PID 1756  cmdline: C:\Windows\system32\Pdecoa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
depth 21  C:\Windows\SysWOW64\Pllkpn32.exe  PID 1264  cmdline: C:\Windows\system32\Pllkpn32.exe
  - Executes dropped EXE
  - Loads dropped DLL
depth 22  C:\Windows\SysWOW64\Paiche32.exe  PID 2760  cmdline: C:\Windows\system32\Paiche32.exe
  - Executes dropped EXE
  - Loads dropped DLL
depth 23  C:\Windows\SysWOW64\Pdjljpnc.exe  PID 1580  cmdline: C:\Windows\system32\Pdjljpnc.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
depth 24  C:\Windows\SysWOW64\Pfhhflmg.exe  PID 2848  cmdline: C:\Windows\system32\Pfhhflmg.exe
  - Executes dropped EXE
  - Loads dropped DLL
depth 25  C:\Windows\SysWOW64\Qanmcdlm.exe  PID 2820  cmdline: C:\Windows\system32\Qanmcdlm.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
depth 26  C:\Windows\SysWOW64\Qdlipplq.exe  PID 2728  cmdline: C:\Windows\system32\Qdlipplq.exe
  - Executes dropped EXE
  - Loads dropped DLL
depth 27  C:\Windows\SysWOW64\Qboikm32.exe  PID 2136  cmdline: C:\Windows\system32\Qboikm32.exe
  - Executes dropped EXE
  - Loads dropped DLL
depth 28  C:\Windows\SysWOW64\Qmenhe32.exe  PID 2444  cmdline: C:\Windows\system32\Qmenhe32.exe
  - Executes dropped EXE
  - Loads dropped DLL
depth 29  C:\Windows\SysWOW64\Afmbak32.exe  PID 1804  cmdline: C:\Windows\system32\Afmbak32.exe
  - Executes dropped EXE
  - Loads dropped DLL
depth 30  C:\Windows\SysWOW64\Amgjnepn.exe  PID 2648  cmdline: C:\Windows\system32\Amgjnepn.exe
  - Executes dropped EXE
  - Loads dropped DLL
depth 31  C:\Windows\SysWOW64\Aljjjb32.exe  PID 2828  cmdline: C:\Windows\system32\Aljjjb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
depth 32  C:\Windows\SysWOW64\Apefjqob.exe  PID 1244  cmdline: C:\Windows\system32\Apefjqob.exe
  - Executes dropped EXE
  - Loads dropped DLL
depth 33  C:\Windows\SysWOW64\Afpogk32.exe  PID 2380  cmdline: C:\Windows\system32\Afpogk32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 34  C:\Windows\SysWOW64\Ainkcf32.exe  PID 1784  cmdline: C:\Windows\system32\Ainkcf32.exe
  - Executes dropped EXE
depth 35  C:\Windows\SysWOW64\Ahqkocmm.exe  PID 780  cmdline: C:\Windows\system32\Ahqkocmm.exe
  - Executes dropped EXE
depth 36  C:\Windows\SysWOW64\Aphcppmo.exe  PID 348  cmdline: C:\Windows\system32\Aphcppmo.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
depth 37  C:\Windows\SysWOW64\Abfoll32.exe  PID 2168  cmdline: C:\Windows\system32\Abfoll32.exe
  - Executes dropped EXE
depth 38  C:\Windows\SysWOW64\Aedlhg32.exe  PID 2364  cmdline: C:\Windows\system32\Aedlhg32.exe
  - Executes dropped EXE
depth 39  C:\Windows\SysWOW64\Aipgifcp.exe  PID 2140  cmdline: C:\Windows\system32\Aipgifcp.exe
  - Executes dropped EXE
depth 40  C:\Windows\SysWOW64\Ahchdb32.exe  PID 1600  cmdline: C:\Windows\system32\Ahchdb32.exe
  - Executes dropped EXE
depth 41  C:\Windows\SysWOW64\Alodeacc.exe  PID 888  cmdline: C:\Windows\system32\Alodeacc.exe
  - Executes dropped EXE
depth 42  C:\Windows\SysWOW64\Aompambg.exe  PID 300  cmdline: C:\Windows\system32\Aompambg.exe
  - Executes dropped EXE
depth 43  C:\Windows\SysWOW64\Aaklmhak.exe  PID 1728  cmdline: C:\Windows\system32\Aaklmhak.exe
  - Executes dropped EXE
depth 44  C:\Windows\SysWOW64\Aeghng32.exe  PID 680  cmdline: C:\Windows\system32\Aeghng32.exe
  - Executes dropped EXE
depth 45  C:\Windows\SysWOW64\Adjhicpo.exe  PID 2080  cmdline: C:\Windows\system32\Adjhicpo.exe
  - Executes dropped EXE
depth 46  C:\Windows\SysWOW64\Akdafn32.exe  PID 1304  cmdline: C:\Windows\system32\Akdafn32.exe
  - Executes dropped EXE
depth 47  C:\Windows\SysWOW64\Aoomflpd.exe  PID 2852  cmdline: C:\Windows\system32\Aoomflpd.exe
depth 48  C:\Windows\SysWOW64\Aanibhoh.exe  PID 2408  cmdline: C:\Windows\system32\Aanibhoh.exe
  - Executes dropped EXE
  - Drops file in System32 directory
depth 49  C:\Windows\SysWOW64\Adleoc32.exe  PID 1716  cmdline: C:\Windows\system32\Adleoc32.exe
  - Executes dropped EXE
depth 50  C:\Windows\SysWOW64\Ahhaobfe.exe  PID 2592  cmdline: C:\Windows\system32\Ahhaobfe.exe
  - Executes dropped EXE
depth 51  C:\Windows\SysWOW64\Agkako32.exe  PID 3060  cmdline: C:\Windows\system32\Agkako32.exe
  - Executes dropped EXE
depth 52  C:\Windows\SysWOW64\Aoaill32.exe  PID 1260  cmdline: C:\Windows\system32\Aoaill32.exe
  - Executes dropped EXE
depth 53  C:\Windows\SysWOW64\Bpcfcddp.exe  PID 408  cmdline: C:\Windows\system32\Bpcfcddp.exe
  - Executes dropped EXE
depth 54  C:\Windows\SysWOW64\Bdobdc32.exe  PID 2008  cmdline: C:\Windows\system32\Bdobdc32.exe
  - Executes dropped EXE
depth 55  C:\Windows\SysWOW64\Bhjneadb.exe  PID 1672  cmdline: C:\Windows\system32\Bhjneadb.exe
  - Executes dropped EXE
depth 56  C:\Windows\SysWOW64\Bkhjamcf.exe  PID 2540  cmdline: C:\Windows\system32\Bkhjamcf.exe
  - Executes dropped EXE
depth 57  C:\Windows\SysWOW64\Bikjmj32.exe  PID 1956  cmdline: C:\Windows\system32\Bikjmj32.exe
  - Executes dropped EXE
depth 58  C:\Windows\SysWOW64\Bngfmhbj.exe  PID 2452  cmdline: C:\Windows\system32\Bngfmhbj.exe
  - Executes dropped EXE
depth 59  C:\Windows\SysWOW64\Bpebidam.exe  PID 1760  cmdline: C:\Windows\system32\Bpebidam.exe
  - Executes dropped EXE
depth 60  C:\Windows\SysWOW64\Bccoeo32.exe  PID 2368  cmdline: C:\Windows\system32\Bccoeo32.exe
  - Executes dropped EXE
depth 61  C:\Windows\SysWOW64\Bkkgfm32.exe  PID 3008  cmdline: C:\Windows\system32\Bkkgfm32.exe
  - Executes dropped EXE
depth 62  C:\Windows\SysWOW64\Bjngbihn.exe  PID 1860  cmdline: C:\Windows\system32\Bjngbihn.exe
  - Executes dropped EXE
  - Drops file in System32 directory
depth 63  C:\Windows\SysWOW64\Bnicbh32.exe  PID 3040  cmdline: C:\Windows\system32\Bnicbh32.exe
  - Executes dropped EXE
  - Modifies registry class
depth 64  C:\Windows\SysWOW64\Bphooc32.exe  PID 1928  cmdline: C:\Windows\system32\Bphooc32.exe
  - Executes dropped EXE
depth 65  C:\Windows\SysWOW64\Bphooc32.exe  PID 1736  cmdline: C:\Windows\system32\Bphooc32.exe
  - Executes dropped EXE
depth 66  C:\Windows\SysWOW64\Bdckobhd.exe  PID 2424  cmdline: C:\Windows\system32\Bdckobhd.exe
  - Executes dropped EXE
depth 67  C:\Windows\SysWOW64\Bedhgj32.exe  PID 2516  cmdline: C:\Windows\system32\Bedhgj32.exe
  - System Location Discovery: System Language Discovery
depth 68  C:\Windows\SysWOW64\Bjpdhifk.exe  PID 2680  cmdline: C:\Windows\system32\Bjpdhifk.exe
depth 69  C:\Windows\SysWOW64\Bnlphh32.exe  PID 2560  cmdline: C:\Windows\system32\Bnlphh32.exe
depth 70  C:\Windows\SysWOW64\Bpjldc32.exe  PID 2812  cmdline: C:\Windows\system32\Bpjldc32.exe
depth 71  C:\Windows\SysWOW64\Bomlppdb.exe  PID 2736  cmdline: C:\Windows\system32\Bomlppdb.exe
depth 72  C:\Windows\SysWOW64\Bchhqo32.exe  PID 912  cmdline: C:\Windows\system32\Bchhqo32.exe
depth 73  C:\Windows\SysWOW64\Bgddam32.exe  PID 3000  cmdline: C:\Windows\system32\Bgddam32.exe
depth 74  C:\Windows\SysWOW64\Bjbqmi32.exe  PID 2088  cmdline: C:\Windows\system32\Bjbqmi32.exe
depth 75  C:\Windows\SysWOW64\Blqmid32.exe  PID 2988  cmdline: C:\Windows\system32\Blqmid32.exe
  - Drops file in System32 directory
depth 76  C:\Windows\SysWOW64\Booiep32.exe  PID 1988  cmdline: C:\Windows\system32\Booiep32.exe
depth 77  C:\Windows\SysWOW64\Baneak32.exe  PID 2000  cmdline: C:\Windows\system32\Baneak32.exe
depth 78  C:\Windows\SysWOW64\Bfiabjjm.exe  PID 2376  cmdline: C:\Windows\system32\Bfiabjjm.exe
depth 79  C:\Windows\SysWOW64\Bjembh32.exe  PID 3004  cmdline: C:\Windows\system32\Bjembh32.exe
depth 80  C:\Windows\SysWOW64\Clciod32.exe  PID 2520  cmdline: C:\Windows\system32\Clciod32.exe
depth 81  C:\Windows\SysWOW64\Coafko32.exe  PID 876  cmdline: C:\Windows\system32\Coafko32.exe
  - System Location Discovery: System Language Discovery
depth 82  C:\Windows\SysWOW64\Ccmblnif.exe  PID 1740  cmdline: C:\Windows\system32\Ccmblnif.exe
depth 83  C:\Windows\SysWOW64\Cfknhi32.exe  PID 844  cmdline: C:\Windows\system32\Cfknhi32.exe
depth 84  C:\Windows\SysWOW64\Chjjde32.exe  PID 1524  cmdline: C:\Windows\system32\Chjjde32.exe
depth 85  C:\Windows\SysWOW64\Ckhfpp32.exe  PID 1644  cmdline: C:\Windows\system32\Ckhfpp32.exe
  - Modifies registry class
depth 86  C:\Windows\SysWOW64\Cngcll32.exe  PID 2788  cmdline: C:\Windows\system32\Cngcll32.exe
depth 87  C:\Windows\SysWOW64\Cbbomjnn.exe  PID 2564  cmdline: C:\Windows\system32\Cbbomjnn.exe
depth 88  C:\Windows\SysWOW64\Cdqkifmb.exe  PID 2720  cmdline: C:\Windows\system32\Cdqkifmb.exe
  - Modifies registry class
depth 89  C:\Windows\SysWOW64\Chlgid32.exe  PID 2568  cmdline: C:\Windows\system32\Chlgid32.exe
  - Modifies registry class
depth 90  C:\Windows\SysWOW64\Ckkcep32.exe  PID 396  cmdline: C:\Windows\system32\Ckkcep32.exe
depth 91  C:\Windows\SysWOW64\Cgadja32.exe  PID 1944  cmdline: C:\Windows\system32\Cgadja32.exe
  - Modifies registry class
depth 92  C:\Windows\SysWOW64\Cjppfl32.exe  PID 2884  cmdline: C:\Windows\system32\Cjppfl32.exe
depth 93  C:\Windows\SysWOW64\Cbghhj32.exe  PID 332  cmdline: C:\Windows\system32\Cbghhj32.exe
  - Modifies registry class
depth 94  C:\Windows\SysWOW64\Cdedde32.exe  PID 2104  cmdline: C:\Windows\system32\Cdedde32.exe
depth 95  C:\Windows\SysWOW64\Cchdpbog.exe  PID 1668  cmdline: C:\Windows\system32\Cchdpbog.exe
depth 96  C:\Windows\SysWOW64\Cgdqpq32.exe  PID 1532  cmdline: C:\Windows\system32\Cgdqpq32.exe
depth 97  C:\Windows\SysWOW64\Cnnimkom.exe  PID 1308  cmdline: C:\Windows\system32\Cnnimkom.exe
depth 98  C:\Windows\SysWOW64\Cqleifna.exe  PID 1120  cmdline: C:\Windows\system32\Cqleifna.exe
depth 99  C:\Windows\SysWOW64\Ddhaie32.exe  PID 2416  cmdline: C:\Windows\system32\Ddhaie32.exe
depth 100  C:\Windows\SysWOW64\Dgfmep32.exe  PID 2748  cmdline: C:\Windows\system32\Dgfmep32.exe
  - Modifies registry class
depth 101  C:\Windows\SysWOW64\Dfinam32.exe  PID 2580  cmdline: C:\Windows\system32\Dfinam32.exe
depth 102  C:\Windows\SysWOW64\Dnpebj32.exe  PID 2968  cmdline: C:\Windows\system32\Dnpebj32.exe
depth 103  C:\Windows\SysWOW64\Dqobnf32.exe  PID 2992  cmdline: C:\Windows\system32\Dqobnf32.exe
depth 104  C:\Windows\SysWOW64\Doabjbci.exe  PID 1864  cmdline: C:\Windows\system32\Doabjbci.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 105  C:\Windows\SysWOW64\Dghjkpck.exe  PID 2060  cmdline: C:\Windows\system32\Dghjkpck.exe
depth 106  C:\Windows\SysWOW64\Dfkjgm32.exe  PID 692  cmdline: C:\Windows\system32\Dfkjgm32.exe
  - System Location Discovery: System Language Discovery
depth 107  C:\Windows\SysWOW64\Djgfgkbo.exe  PID 1140  cmdline: C:\Windows\system32\Djgfgkbo.exe
depth 108  C:\Windows\SysWOW64\Dmebcgbb.exe  PID 904  cmdline: C:\Windows\system32\Dmebcgbb.exe
depth 109  C:\Windows\SysWOW64\Docopbaf.exe  PID 2384  cmdline: C:\Windows\system32\Docopbaf.exe
  - Drops file in System32 directory
depth 110  C:\Windows\SysWOW64\Dcokpa32.exe  PID 2256  cmdline: C:\Windows\system32\Dcokpa32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 111  C:\Windows\SysWOW64\Djicmk32.exe  PID 1584  cmdline: C:\Windows\system32\Djicmk32.exe
depth 112  C:\Windows\SysWOW64\Dmgoif32.exe  PID 2548  cmdline: C:\Windows\system32\Dmgoif32.exe
depth 113  C:\Windows\SysWOW64\Dpfkeb32.exe  PID 1940  cmdline: C:\Windows\system32\Dpfkeb32.exe
depth 114  C:\Windows\SysWOW64\Dbdham32.exe  PID 656  cmdline: C:\Windows\system32\Dbdham32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 115  C:\Windows\SysWOW64\Decdmi32.exe  PID 2856  cmdline: C:\Windows\system32\Decdmi32.exe
  - Drops file in System32 directory
depth 116  C:\Windows\SysWOW64\Dinpnged.exe  PID 2864  cmdline: C:\Windows\system32\Dinpnged.exe
depth 117  C:\Windows\SysWOW64\Dmjlof32.exe  PID 2976  cmdline: C:\Windows\system32\Dmjlof32.exe
depth 118  C:\Windows\SysWOW64\Dphhka32.exe  PID 2072  cmdline: C:\Windows\system32\Dphhka32.exe
depth 119  C:\Windows\SysWOW64\Dbgdgm32.exe  PID 1036  cmdline: C:\Windows\system32\Dbgdgm32.exe
depth 120  C:\Windows\SysWOW64\Deeqch32.exe  PID 1560  cmdline: C:\Windows\system32\Deeqch32.exe
depth 121  C:\Windows\SysWOW64\Dgcmod32.exe  PID 2676  cmdline: C:\Windows\system32\Dgcmod32.exe
depth 122  C:\Windows\SysWOW64\Eloipb32.exe  PID 2604  cmdline: C:\Windows\system32\Eloipb32.exe
  - Drops file in System32 directory