Analysis
-
max time kernel
119s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 16:36
Static task
static1
Behavioral task
behavioral1
Sample
4c12e1d097a60dc74011e39a976ae8104916acbcce8d72b2910751edf26aa457.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
4c12e1d097a60dc74011e39a976ae8104916acbcce8d72b2910751edf26aa457.exe
Resource
win10v2004-20241007-en
General
-
Target
4c12e1d097a60dc74011e39a976ae8104916acbcce8d72b2910751edf26aa457.exe
-
Size
92KB
-
MD5
355648385f5f2f3d151b18552f747f92
-
SHA1
3d552ee5faec030171e576dec2aaffe9d8aa1b48
-
SHA256
4c12e1d097a60dc74011e39a976ae8104916acbcce8d72b2910751edf26aa457
-
SHA512
6b5053bc6c66ef01ce09a9a2166a628c8608d50b62319df6b39ac0c4d01be93a919a3cc10a9c46244131f5bffbb2d924f04eae9065bafa629a8ba639769f24c7
-
SSDEEP
1536:YkFQETSVdnNr1Zca0PkZFEGWOsT8l4110OlO7uXcNvvm5yw/Lb0OUrrQ35wNBUyu:aVMLHn10J7usluTXp6U9
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pejejkhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeahjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilfeidmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpdihedp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqkmgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adppdckh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpodmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blcokf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ickaaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eloimcca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmmcgilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbdjhnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlabjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqneaodd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lghigl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedmhlqf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iccqedfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aapkdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injlmcib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onelbfab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooiepnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjehlldb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pacqlcdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbodpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobfgcdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpbadcbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gobnljhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdkkkqlk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmmgbbeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bepmokco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phoeomjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chccfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fallil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnoqbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bojmogak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcihdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibjikk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igmppcpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbdljk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmjkhma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppmjkhma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfobjdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epjdbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljadqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfedobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbpioa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bigpdjpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgdcjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phcpdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eckopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faegda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohoqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obijpgcf.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2488 Afkccffq.exe 2964 Aocgll32.exe 2428 Adppdckh.exe 2136 Adeiobgc.exe 2900 Afhbljko.exe 2592 Bclcfnih.exe 288 Bkjdpp32.exe 2228 Bgqeea32.exe 2356 Bjanfl32.exe 1832 Cjdkllec.exe 2212 Cabldeik.exe 1848 Cfaaalep.exe 2352 Dibjcg32.exe 2120 Didgig32.exe 316 Dodlfmlb.exe 1796 Dmiihjak.exe 1980 Eibgbj32.exe 2296 Empphi32.exe 1676 Epqhjdhc.exe 932 Fofekp32.exe 1656 Fhnjdfcl.exe 908 Fdekigip.exe 2052 Fdggofgn.exe 2148 Fakhhk32.exe 1516 Fkdlaplh.exe 3008 Fnbhmlkk.exe 2216 Gohnpcmd.exe 2880 Gojkecka.exe 2852 Gkchpcoc.exe 828 Hqpahkmj.exe 2772 Hngngo32.exe 2756 Hgobpd32.exe 2704 Hpmdjf32.exe 2388 Ipameehe.exe 2348 Iljkofkg.exe 3068 Ihaldgak.exe 1012 Jdhlih32.exe 632 Jdjioh32.exe 2276 Jigagocd.exe 2280 Jpcfih32.exe 2524 Khcdijac.exe 616 Kegebn32.exe 1028 Kgknpfdi.exe 2700 Kdooij32.exe 592 Kdakoj32.exe 1252 Lllpclnk.exe 1048 Lfedlb32.exe 1700 Lomidgkl.exe 1040 Lhenmm32.exe 2616 Lckbkfbb.exe 2948 Llcfck32.exe 2056 Llfcik32.exe 2748 Mdahnmck.exe 2968 Mqhhbn32.exe 2896 Mgaqohql.exe 1724 Mqjehngm.exe 1760 Mkpieggc.exe 1264 Mdhnnl32.exe 888 Mfijfdca.exe 852 Mgigpgkd.exe 2080 Nmeohnil.exe 112 Njipabhe.exe 2292 Ncbdjhnf.exe 1716 Niombolm.exe -
Loads dropped DLL 64 IoCs
pid Process 1820 4c12e1d097a60dc74011e39a976ae8104916acbcce8d72b2910751edf26aa457.exe 1820 4c12e1d097a60dc74011e39a976ae8104916acbcce8d72b2910751edf26aa457.exe 2488 Afkccffq.exe 2488 Afkccffq.exe 2964 Aocgll32.exe 2964 Aocgll32.exe 2428 Adppdckh.exe 2428 Adppdckh.exe 2136 Adeiobgc.exe 2136 Adeiobgc.exe 2900 Afhbljko.exe 2900 Afhbljko.exe 2592 Bclcfnih.exe 2592 Bclcfnih.exe 288 Bkjdpp32.exe 288 Bkjdpp32.exe 2228 Bgqeea32.exe 2228 Bgqeea32.exe 2356 Bjanfl32.exe 2356 Bjanfl32.exe 1832 Cjdkllec.exe 1832 Cjdkllec.exe 2212 Cabldeik.exe 2212 Cabldeik.exe 1848 Cfaaalep.exe 1848 Cfaaalep.exe 2352 Dibjcg32.exe 2352 Dibjcg32.exe 2120 Didgig32.exe 2120 Didgig32.exe 316 Dodlfmlb.exe 316 Dodlfmlb.exe 1796 Dmiihjak.exe 1796 Dmiihjak.exe 1980 Eibgbj32.exe 1980 Eibgbj32.exe 2296 Empphi32.exe 2296 Empphi32.exe 1676 Epqhjdhc.exe 1676 Epqhjdhc.exe 932 Fofekp32.exe 932 Fofekp32.exe 1656 Fhnjdfcl.exe 1656 Fhnjdfcl.exe 908 Fdekigip.exe 908 Fdekigip.exe 2052 Fdggofgn.exe 2052 Fdggofgn.exe 2148 Fakhhk32.exe 2148 Fakhhk32.exe 1516 Fkdlaplh.exe 1516 Fkdlaplh.exe 3008 Fnbhmlkk.exe 3008 Fnbhmlkk.exe 2216 Gohnpcmd.exe 2216 Gohnpcmd.exe 2880 Gojkecka.exe 2880 Gojkecka.exe 2852 Gkchpcoc.exe 2852 Gkchpcoc.exe 828 Hqpahkmj.exe 828 Hqpahkmj.exe 2772 Hngngo32.exe 2772 Hngngo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nodnmb32.exe Nncaejie.exe File created C:\Windows\SysWOW64\Dihbqgdl.dll Paclje32.exe File created C:\Windows\SysWOW64\Nkfpmm32.dll Fmffhi32.exe File opened for modification C:\Windows\SysWOW64\Epqhjdhc.exe Empphi32.exe File opened for modification C:\Windows\SysWOW64\Gilhpe32.exe Gpccgppq.exe File opened for modification C:\Windows\SysWOW64\Lghigl32.exe Lmpdoffo.exe File created C:\Windows\SysWOW64\Gjgmhaim.exe Gmcmomjc.exe File opened for modification C:\Windows\SysWOW64\Jfgnbi32.exe Jfeamimh.exe File opened for modification C:\Windows\SysWOW64\Odaqikaa.exe Ojilqf32.exe File created C:\Windows\SysWOW64\Ahgdbk32.exe Qbkljd32.exe File opened for modification C:\Windows\SysWOW64\Cblniaii.exe Cjaieoko.exe File created C:\Windows\SysWOW64\Aapkdi32.exe Ahhgkdfo.exe File created C:\Windows\SysWOW64\Gajlcp32.exe Geckno32.exe File opened for modification C:\Windows\SysWOW64\Adeiobgc.exe Adppdckh.exe File created C:\Windows\SysWOW64\Fakeamcl.dll Hqpahkmj.exe File created C:\Windows\SysWOW64\Jnlfjjpl.exe Iaheqe32.exe File created C:\Windows\SysWOW64\Fjbfek32.exe Fefnmdfo.exe File created C:\Windows\SysWOW64\Nmlekj32.exe Nphdaeol.exe File created C:\Windows\SysWOW64\Bagaojbj.dll Process not Found File created C:\Windows\SysWOW64\Ponioeij.dll Fkjbpkag.exe File created C:\Windows\SysWOW64\Jbapjpfp.dll Gpccgppq.exe File opened for modification C:\Windows\SysWOW64\Qklfqm32.exe Pafacd32.exe File created C:\Windows\SysWOW64\Gadkmj32.exe Gboolneo.exe File created C:\Windows\SysWOW64\Fgkmkdcp.dll Agkfil32.exe File created C:\Windows\SysWOW64\Aefpfjne.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gojkecka.exe Gohnpcmd.exe File created C:\Windows\SysWOW64\Jiklpjeb.dll Nlkmeo32.exe File created C:\Windows\SysWOW64\Fdfpfm32.exe Fknlmggc.exe File opened for modification C:\Windows\SysWOW64\Didgig32.exe Dibjcg32.exe File created C:\Windows\SysWOW64\Aadlgk32.dll Lllpclnk.exe File created C:\Windows\SysWOW64\Jcaahofh.exe Jjimpj32.exe File created C:\Windows\SysWOW64\Klpdie32.dll Kbgnil32.exe File opened for modification C:\Windows\SysWOW64\Npbpjn32.exe Ndkoemji.exe File created C:\Windows\SysWOW64\Djokgk32.exe Dhnoocab.exe File opened for modification C:\Windows\SysWOW64\Efgnfi32.exe Eloimcca.exe File opened for modification C:\Windows\SysWOW64\Clgpckcb.exe Cenhfqle.exe File created C:\Windows\SysWOW64\Mqcnjnol.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hhmfhe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hqpahkmj.exe Gkchpcoc.exe File created C:\Windows\SysWOW64\Mhmfgdch.exe Lpodmb32.exe File created C:\Windows\SysWOW64\Olijen32.exe Process not Found File created C:\Windows\SysWOW64\Hndnokni.dll Dhmchljg.exe File opened for modification C:\Windows\SysWOW64\Cehlbihg.exe Cefpmiji.exe File created C:\Windows\SysWOW64\Dcfkgmcj.dll Cpccnp32.exe File opened for modification C:\Windows\SysWOW64\Lbdljk32.exe Lofono32.exe File created C:\Windows\SysWOW64\Kooklaek.dll Dflnkjhe.exe File opened for modification C:\Windows\SysWOW64\Hnlqemal.exe Hedllgjk.exe File created C:\Windows\SysWOW64\Kmjfae32.exe Jcaahofh.exe File created C:\Windows\SysWOW64\Dbighojl.exe Djnbdlla.exe File created C:\Windows\SysWOW64\Bfodod32.dll Edafjiqe.exe File created C:\Windows\SysWOW64\Dgfkoh32.exe Dibjec32.exe File created C:\Windows\SysWOW64\Ppmdmcpk.dll Hpcnmnnh.exe File created C:\Windows\SysWOW64\Blndhdgi.dll Edkahbmo.exe File opened for modification C:\Windows\SysWOW64\Alfflhpa.exe Adkbgf32.exe File opened for modification C:\Windows\SysWOW64\Pekffp32.exe Pkebig32.exe File created C:\Windows\SysWOW64\Qadhba32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oenmkngi.exe Olehbh32.exe File created C:\Windows\SysWOW64\Nocgbl32.exe Nndjhi32.exe File opened for modification C:\Windows\SysWOW64\Nodikecl.exe Ndoenlcf.exe File created C:\Windows\SysWOW64\Ilbnfmhd.exe Ibjing32.exe File created C:\Windows\SysWOW64\Fgcknc32.dll Process not Found File created C:\Windows\SysWOW64\Jlfhkenj.dll Alfflhpa.exe File created C:\Windows\SysWOW64\Gmllmn32.dll Bdpgai32.exe File opened for modification C:\Windows\SysWOW64\Aocloj32.exe Process not Found -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjcfjoil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deanooeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlfjjpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipipllec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmnloih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjeba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbkljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkpkepnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbkdkdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcdijac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjdonndl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaljk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahfkah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifelfni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgllof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbfidfem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdfpfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dclikp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aipebm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkebig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmnjgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadkdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfghagio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdggofgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiacg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieoiai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpbmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiieqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhicao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epqhjdhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mphfji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnkhfnea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppjfkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfcqkafl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnfbcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhdihlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmfnen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kglgnhgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kimpocda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifloeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipefba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfgkdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmafocbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbmnla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eggajb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqfiqjgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohoqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bglghdbc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knlekjqk.dll" Dbneekan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdllnjpm.dll" Iobdopna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbhhbojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popppemc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmpod32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djlmoilf.dll" Hnbhpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljmmng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcgjlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dadkdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deceab32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfmcapna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggnqmhb.dll" Khonbhch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpmmdj32.dll" Bdmhcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpjgag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdhjfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adoili32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnhlgoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdoagge.dll" Kdhlmhgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doclijgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdhkn32.dll" Eegidknj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chibhf32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipameehe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifceemdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbodpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnghoc32.dll" Cqneaodd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfkjnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qohkdkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggfgoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opmnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oogolo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppmjkhma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqogiafk.dll" Cffqhmqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmhhkcdp.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnnoempk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqapek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfopoail.dll" Adoili32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaiehfo.dll" Gnenfjdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkjpncii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fblpnepn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdbloobc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neohbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbcimbp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgiim32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfein32.dll" Mdhnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhnoocab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgdcjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eloimcca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obniel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgjman32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcbgef32.dll" Llnepb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adldll32.dll" Dciekjhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnfhhicd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lecjaf32.dll" Ceanmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nadpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gghcnkek.dll" Lekeak32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1820 wrote to memory of 2488 1820 4c12e1d097a60dc74011e39a976ae8104916acbcce8d72b2910751edf26aa457.exe 29 PID 1820 wrote to memory of 2488 1820 4c12e1d097a60dc74011e39a976ae8104916acbcce8d72b2910751edf26aa457.exe 29 PID 1820 wrote to memory of 2488 1820 4c12e1d097a60dc74011e39a976ae8104916acbcce8d72b2910751edf26aa457.exe 29 PID 1820 wrote to memory of 2488 1820 4c12e1d097a60dc74011e39a976ae8104916acbcce8d72b2910751edf26aa457.exe 29 PID 2488 wrote to memory of 2964 2488 Afkccffq.exe 30 PID 2488 wrote to memory of 2964 2488 Afkccffq.exe 30 PID 2488 wrote to memory of 2964 2488 Afkccffq.exe 30 PID 2488 wrote to memory of 2964 2488 Afkccffq.exe 30 PID 2964 wrote to memory of 2428 2964 Aocgll32.exe 31 PID 2964 wrote to memory of 2428 2964 Aocgll32.exe 31 PID 2964 wrote to memory of 2428 2964 Aocgll32.exe 31 PID 2964 wrote to memory of 2428 2964 Aocgll32.exe 31 PID 2428 wrote to memory of 2136 2428 Adppdckh.exe 32 PID 2428 wrote to memory of 2136 2428 Adppdckh.exe 32 PID 2428 wrote to memory of 2136 2428 Adppdckh.exe 32 PID 2428 wrote to memory of 2136 2428 Adppdckh.exe 32 PID 2136 wrote to memory of 2900 2136 Adeiobgc.exe 33 PID 2136 wrote to memory of 2900 2136 Adeiobgc.exe 33 PID 2136 wrote to memory of 2900 2136 Adeiobgc.exe 33 PID 2136 wrote to memory of 2900 2136 Adeiobgc.exe 33 PID 2900 wrote to memory of 2592 2900 Afhbljko.exe 34 PID 2900 wrote to memory of 2592 2900 Afhbljko.exe 34 PID 2900 wrote to memory of 2592 2900 Afhbljko.exe 34 PID 2900 wrote to memory of 2592 2900 Afhbljko.exe 34 PID 2592 wrote to memory of 288 2592 Bclcfnih.exe 35 PID 2592 wrote to memory of 288 2592 Bclcfnih.exe 35 PID 2592 wrote to memory of 288 2592 Bclcfnih.exe 35 PID 2592 wrote to memory of 288 2592 Bclcfnih.exe 35 PID 288 wrote to memory of 2228 288 Bkjdpp32.exe 36 PID 288 wrote to memory of 2228 288 Bkjdpp32.exe 36 PID 288 wrote to memory of 2228 288 Bkjdpp32.exe 36 PID 288 wrote to memory of 2228 288 Bkjdpp32.exe 36 PID 2228 wrote to memory of 2356 2228 Bgqeea32.exe 37 PID 2228 wrote to memory of 2356 2228 Bgqeea32.exe 37 PID 2228 wrote to memory of 2356 2228 Bgqeea32.exe 37 PID 2228 wrote to memory of 2356 2228 Bgqeea32.exe 37 PID 2356 wrote to memory of 1832 2356 Bjanfl32.exe 38 PID 2356 wrote to memory of 1832 2356 Bjanfl32.exe 38 PID 2356 wrote to memory of 1832 2356 Bjanfl32.exe 38 PID 2356 wrote to memory of 1832 2356 Bjanfl32.exe 38 PID 1832 wrote to memory of 2212 1832 Cjdkllec.exe 39 PID 1832 wrote to memory of 2212 1832 Cjdkllec.exe 39 PID 1832 wrote to memory of 2212 1832 Cjdkllec.exe 39 PID 1832 wrote to memory of 2212 1832 Cjdkllec.exe 39 PID 2212 wrote to memory of 1848 2212 Cabldeik.exe 40 PID 2212 wrote to memory of 1848 2212 Cabldeik.exe 40 PID 2212 wrote to memory of 1848 2212 Cabldeik.exe 40 PID 2212 wrote to memory of 1848 2212 Cabldeik.exe 40 PID 1848 wrote to memory of 2352 1848 Cfaaalep.exe 41 PID 1848 wrote to memory of 2352 1848 Cfaaalep.exe 41 PID 1848 wrote to memory of 2352 1848 Cfaaalep.exe 41 PID 1848 wrote to memory of 2352 1848 Cfaaalep.exe 41 PID 2352 wrote to memory of 2120 2352 Dibjcg32.exe 42 PID 2352 wrote to memory of 2120 2352 Dibjcg32.exe 42 PID 2352 wrote to memory of 2120 2352 Dibjcg32.exe 42 PID 2352 wrote to memory of 2120 2352 Dibjcg32.exe 42 PID 2120 wrote to memory of 316 2120 Didgig32.exe 43 PID 2120 wrote to memory of 316 2120 Didgig32.exe 43 PID 2120 wrote to memory of 316 2120 Didgig32.exe 43 PID 2120 wrote to memory of 316 2120 Didgig32.exe 43 PID 316 wrote to memory of 1796 316 Dodlfmlb.exe 44 PID 316 wrote to memory of 1796 316 Dodlfmlb.exe 44 PID 316 wrote to memory of 1796 316 Dodlfmlb.exe 44 PID 316 wrote to memory of 1796 316 Dodlfmlb.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c12e1d097a60dc74011e39a976ae8104916acbcce8d72b2910751edf26aa457.exe"C:\Users\Admin\AppData\Local\Temp\4c12e1d097a60dc74011e39a976ae8104916acbcce8d72b2910751edf26aa457.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Afkccffq.exeC:\Windows\system32\Afkccffq.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Aocgll32.exeC:\Windows\system32\Aocgll32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Adppdckh.exeC:\Windows\system32\Adppdckh.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Adeiobgc.exeC:\Windows\system32\Adeiobgc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Afhbljko.exeC:\Windows\system32\Afhbljko.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Bclcfnih.exeC:\Windows\system32\Bclcfnih.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Bkjdpp32.exeC:\Windows\system32\Bkjdpp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:288 -
C:\Windows\SysWOW64\Bgqeea32.exeC:\Windows\system32\Bgqeea32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Bjanfl32.exeC:\Windows\system32\Bjanfl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Cjdkllec.exeC:\Windows\system32\Cjdkllec.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Cabldeik.exeC:\Windows\system32\Cabldeik.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Cfaaalep.exeC:\Windows\system32\Cfaaalep.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Dibjcg32.exeC:\Windows\system32\Dibjcg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Didgig32.exeC:\Windows\system32\Didgig32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Dodlfmlb.exeC:\Windows\system32\Dodlfmlb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Dmiihjak.exeC:\Windows\system32\Dmiihjak.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Eibgbj32.exeC:\Windows\system32\Eibgbj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Empphi32.exeC:\Windows\system32\Empphi32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Epqhjdhc.exeC:\Windows\system32\Epqhjdhc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Fofekp32.exeC:\Windows\system32\Fofekp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:932 -
C:\Windows\SysWOW64\Fhnjdfcl.exeC:\Windows\system32\Fhnjdfcl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Fdggofgn.exeC:\Windows\system32\Fdggofgn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Fakhhk32.exeC:\Windows\system32\Fakhhk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Fkdlaplh.exeC:\Windows\system32\Fkdlaplh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Fnbhmlkk.exeC:\Windows\system32\Fnbhmlkk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Gohnpcmd.exeC:\Windows\system32\Gohnpcmd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Gojkecka.exeC:\Windows\system32\Gojkecka.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Gkchpcoc.exeC:\Windows\system32\Gkchpcoc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Hqpahkmj.exeC:\Windows\system32\Hqpahkmj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Hngngo32.exeC:\Windows\system32\Hngngo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Hgobpd32.exeC:\Windows\system32\Hgobpd32.exe33⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Hpmdjf32.exeC:\Windows\system32\Hpmdjf32.exe34⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Ipameehe.exeC:\Windows\system32\Ipameehe.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Iljkofkg.exeC:\Windows\system32\Iljkofkg.exe36⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Ihaldgak.exeC:\Windows\system32\Ihaldgak.exe37⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Jdhlih32.exeC:\Windows\system32\Jdhlih32.exe38⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Jdjioh32.exeC:\Windows\system32\Jdjioh32.exe39⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Jigagocd.exeC:\Windows\system32\Jigagocd.exe40⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Jpcfih32.exeC:\Windows\system32\Jpcfih32.exe41⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Khcdijac.exeC:\Windows\system32\Khcdijac.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Kegebn32.exeC:\Windows\system32\Kegebn32.exe43⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Kgknpfdi.exeC:\Windows\system32\Kgknpfdi.exe44⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Kdooij32.exeC:\Windows\system32\Kdooij32.exe45⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Kdakoj32.exeC:\Windows\system32\Kdakoj32.exe46⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Lllpclnk.exeC:\Windows\system32\Lllpclnk.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\Lfedlb32.exeC:\Windows\system32\Lfedlb32.exe48⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Lomidgkl.exeC:\Windows\system32\Lomidgkl.exe49⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Lhenmm32.exeC:\Windows\system32\Lhenmm32.exe50⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Lckbkfbb.exeC:\Windows\system32\Lckbkfbb.exe51⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Llcfck32.exeC:\Windows\system32\Llcfck32.exe52⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Llfcik32.exeC:\Windows\system32\Llfcik32.exe53⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Mdahnmck.exeC:\Windows\system32\Mdahnmck.exe54⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Mqhhbn32.exeC:\Windows\system32\Mqhhbn32.exe55⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Mgaqohql.exeC:\Windows\system32\Mgaqohql.exe56⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Mqjehngm.exeC:\Windows\system32\Mqjehngm.exe57⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Mkpieggc.exeC:\Windows\system32\Mkpieggc.exe58⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Mdhnnl32.exeC:\Windows\system32\Mdhnnl32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Mfijfdca.exeC:\Windows\system32\Mfijfdca.exe60⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Mgigpgkd.exeC:\Windows\system32\Mgigpgkd.exe61⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Nmeohnil.exeC:\Windows\system32\Nmeohnil.exe62⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Njipabhe.exeC:\Windows\system32\Njipabhe.exe63⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Ncbdjhnf.exeC:\Windows\system32\Ncbdjhnf.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Niombolm.exeC:\Windows\system32\Niombolm.exe65⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Neemgp32.exeC:\Windows\system32\Neemgp32.exe66⤵PID:1780
-
C:\Windows\SysWOW64\Nbinad32.exeC:\Windows\system32\Nbinad32.exe67⤵PID:1772
-
C:\Windows\SysWOW64\Nlabjj32.exeC:\Windows\system32\Nlabjj32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:956 -
C:\Windows\SysWOW64\Oejgbonl.exeC:\Windows\system32\Oejgbonl.exe69⤵PID:2288
-
C:\Windows\SysWOW64\Ojgokflc.exeC:\Windows\system32\Ojgokflc.exe70⤵PID:2696
-
C:\Windows\SysWOW64\Ojilqf32.exeC:\Windows\system32\Ojilqf32.exe71⤵
- Drops file in System32 directory
PID:1488 -
C:\Windows\SysWOW64\Odaqikaa.exeC:\Windows\system32\Odaqikaa.exe72⤵PID:1600
-
C:\Windows\SysWOW64\Omjeba32.exeC:\Windows\system32\Omjeba32.exe73⤵
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Ofbikf32.exeC:\Windows\system32\Ofbikf32.exe74⤵PID:3024
-
C:\Windows\SysWOW64\Obijpgcf.exeC:\Windows\system32\Obijpgcf.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2708 -
C:\Windows\SysWOW64\Plaoim32.exeC:\Windows\system32\Plaoim32.exe76⤵PID:2220
-
C:\Windows\SysWOW64\Pldknmhd.exeC:\Windows\system32\Pldknmhd.exe77⤵PID:2132
-
C:\Windows\SysWOW64\Pbnckg32.exeC:\Windows\system32\Pbnckg32.exe78⤵PID:2372
-
C:\Windows\SysWOW64\Pacqlcdi.exeC:\Windows\system32\Pacqlcdi.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1140 -
C:\Windows\SysWOW64\Pkkeeikj.exeC:\Windows\system32\Pkkeeikj.exe80⤵PID:2088
-
C:\Windows\SysWOW64\Phoeomjc.exeC:\Windows\system32\Phoeomjc.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2180 -
C:\Windows\SysWOW64\Phabdmgq.exeC:\Windows\system32\Phabdmgq.exe82⤵PID:2480
-
C:\Windows\SysWOW64\Qdhcinme.exeC:\Windows\system32\Qdhcinme.exe83⤵PID:2432
-
C:\Windows\SysWOW64\Qdkpomkb.exeC:\Windows\system32\Qdkpomkb.exe84⤵PID:1732
-
C:\Windows\SysWOW64\Ancdgcab.exeC:\Windows\system32\Ancdgcab.exe85⤵PID:1776
-
C:\Windows\SysWOW64\Acdfki32.exeC:\Windows\system32\Acdfki32.exe86⤵PID:740
-
C:\Windows\SysWOW64\Anngkg32.exeC:\Windows\system32\Anngkg32.exe87⤵PID:2264
-
C:\Windows\SysWOW64\Akbgdkgm.exeC:\Windows\system32\Akbgdkgm.exe88⤵PID:2996
-
C:\Windows\SysWOW64\Bhfhnofg.exeC:\Windows\system32\Bhfhnofg.exe89⤵PID:2924
-
C:\Windows\SysWOW64\Bjgdfg32.exeC:\Windows\system32\Bjgdfg32.exe90⤵PID:2740
-
C:\Windows\SysWOW64\Bdmhcp32.exeC:\Windows\system32\Bdmhcp32.exe91⤵
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Bkgqpjch.exeC:\Windows\system32\Bkgqpjch.exe92⤵PID:2660
-
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe93⤵PID:1748
-
C:\Windows\SysWOW64\Bjlnaghp.exeC:\Windows\system32\Bjlnaghp.exe94⤵PID:3028
-
C:\Windows\SysWOW64\Boifinfg.exeC:\Windows\system32\Boifinfg.exe95⤵PID:2176
-
C:\Windows\SysWOW64\Bmmgbbeq.exeC:\Windows\system32\Bmmgbbeq.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Cjqglf32.exeC:\Windows\system32\Cjqglf32.exe97⤵PID:1548
-
C:\Windows\SysWOW64\Ckbccnji.exeC:\Windows\system32\Ckbccnji.exe98⤵PID:1400
-
C:\Windows\SysWOW64\Cfghagio.exeC:\Windows\system32\Cfghagio.exe99⤵
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Cfjdfg32.exeC:\Windows\system32\Cfjdfg32.exe100⤵PID:1512
-
C:\Windows\SysWOW64\Cbqekhmp.exeC:\Windows\system32\Cbqekhmp.exe101⤵PID:2232
-
C:\Windows\SysWOW64\Ciknhb32.exeC:\Windows\system32\Ciknhb32.exe102⤵PID:1604
-
C:\Windows\SysWOW64\Cjljpjjk.exeC:\Windows\system32\Cjljpjjk.exe103⤵PID:2800
-
C:\Windows\SysWOW64\Ceanmc32.exeC:\Windows\system32\Ceanmc32.exe104⤵
- Modifies registry class
PID:524 -
C:\Windows\SysWOW64\Cjngej32.exeC:\Windows\system32\Cjngej32.exe105⤵PID:968
-
C:\Windows\SysWOW64\Dcfknooi.exeC:\Windows\system32\Dcfknooi.exe106⤵PID:2300
-
C:\Windows\SysWOW64\Dgbgon32.exeC:\Windows\system32\Dgbgon32.exe107⤵PID:1920
-
C:\Windows\SysWOW64\Dcihdo32.exeC:\Windows\system32\Dcihdo32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1864 -
C:\Windows\SysWOW64\Dmalmdcg.exeC:\Windows\system32\Dmalmdcg.exe109⤵PID:2364
-
C:\Windows\SysWOW64\Dbneekan.exeC:\Windows\system32\Dbneekan.exe110⤵
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Dihmae32.exeC:\Windows\system32\Dihmae32.exe111⤵PID:1964
-
C:\Windows\SysWOW64\Ddnaonia.exeC:\Windows\system32\Ddnaonia.exe112⤵PID:2456
-
C:\Windows\SysWOW64\Dflnkjhe.exeC:\Windows\system32\Dflnkjhe.exe113⤵
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Dpdbdo32.exeC:\Windows\system32\Dpdbdo32.exe114⤵PID:1708
-
C:\Windows\SysWOW64\Dimfmeef.exeC:\Windows\system32\Dimfmeef.exe115⤵PID:2840
-
C:\Windows\SysWOW64\Epgoio32.exeC:\Windows\system32\Epgoio32.exe116⤵PID:2848
-
C:\Windows\SysWOW64\Ehbcnajn.exeC:\Windows\system32\Ehbcnajn.exe117⤵PID:2408
-
C:\Windows\SysWOW64\Eefdgeig.exeC:\Windows\system32\Eefdgeig.exe118⤵PID:2636
-
C:\Windows\SysWOW64\Ekblplgo.exeC:\Windows\system32\Ekblplgo.exe119⤵PID:1280
-
C:\Windows\SysWOW64\Edkahbmo.exeC:\Windows\system32\Edkahbmo.exe120⤵
- Drops file in System32 directory
PID:1328 -
C:\Windows\SysWOW64\Epbamc32.exeC:\Windows\system32\Epbamc32.exe121⤵PID:1704
-
C:\Windows\SysWOW64\Ekgfkl32.exeC:\Windows\system32\Ekgfkl32.exe122⤵PID:912
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-