Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-12-2024 02:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b4ebaacfda5dc20a313f5c318e020023bda6aa8ef7146249cbd4a4e41d2a125c.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
b4ebaacfda5dc20a313f5c318e020023bda6aa8ef7146249cbd4a4e41d2a125c.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
b4ebaacfda5dc20a313f5c318e020023bda6aa8ef7146249cbd4a4e41d2a125c.exe
-
Size
89KB
-
MD5
67d3c218b629c2e426eb6a03f60b96f5
-
SHA1
c693a487703cc35ede714a8f886c7d2aee1083b8
-
SHA256
b4ebaacfda5dc20a313f5c318e020023bda6aa8ef7146249cbd4a4e41d2a125c
-
SHA512
29a713714eb36ebfb5d7c2bea8f34d88d9a6542078bcd43d1904be627add434e9cb58293e992f0dd6b3c91dfe48b69104e2764b4cf0f4a7a047fe91f10c448b8
-
SSDEEP
1536:fgrMeugvef8QRZZDO34Z9FVXcjYcQlExkg8F:fgju+ekQRZZ84FVMjYcQlakgw
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlhhndno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npaich32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfejjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpdjaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cocphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eolmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eegkpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phnpagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Melifl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knnkpobc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klpdaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Homdhjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfcjdkpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdonhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pecgea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcbankf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acfmcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjfkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfhhjklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgmpibam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgoime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipehmebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opglafab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdcifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lohjnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iibfajdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apedah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeiheo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Godaakic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekhkjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdjklek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgpbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmqpam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jedcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejmhkiig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmjqpdje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folfoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkmqdpce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnnaoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkleabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ephbal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhgnge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imjkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eapfagno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgoboc32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2020 Nidkmojn.exe 2052 Nlbgikia.exe 1416 Naopaa32.exe 2776 Nhiholof.exe 1584 Naalga32.exe 2732 Ngneph32.exe 2696 Nmhmlbkk.exe 2188 Odbeilbg.exe 1556 Oklnff32.exe 2180 Oaffbqaa.exe 2000 Ocgbji32.exe 2976 Ogcnkgoh.exe 1832 Olpgconp.exe 2420 Ocjophem.exe 692 Onocmadb.exe 2544 Opnpimdf.exe 544 Oekhacbn.exe 1944 Ohidmoaa.exe 876 Ooclji32.exe 820 Ocohkh32.exe 1696 Olgmcmgh.exe 868 Poeipifl.exe 632 Pdbahpec.exe 784 Plijimee.exe 884 Pohfehdi.exe 2396 Pddnnp32.exe 2368 Phpjnnki.exe 2772 Pdgkco32.exe 2736 Pnopldgn.exe 2340 Pdihiook.exe 2640 Pnalad32.exe 2672 Pmdmmalf.exe 1232 Qfmafg32.exe 2228 Qndigd32.exe 1892 Qqbecp32.exe 2876 Qfonkfqd.exe 2808 Qmifhq32.exe 1204 Qogbdl32.exe 2424 Abfnpg32.exe 484 Ajmfad32.exe 1736 Aipfmane.exe 836 Abhkfg32.exe 2276 Aeggbbci.exe 908 Abkhkgbb.exe 1620 Aggpdnpj.exe 2260 Akcldl32.exe 2376 Anahqh32.exe 1592 Aapemc32.exe 2184 Agjmim32.exe 2832 Akeijlfq.exe 2892 Aboaff32.exe 2784 Aababceh.exe 2788 Aennba32.exe 2720 Agljom32.exe 1880 Ajjfkh32.exe 2016 Bmibgd32.exe 1372 Badnhbce.exe 2112 Bccjdnbi.exe 332 Bfagpiam.exe 596 Bnhoag32.exe 2164 Bmkomchi.exe 1440 Bcegin32.exe 2980 Bgqcjlhp.exe 2360 Bjoofhgc.exe -
Loads dropped DLL 64 IoCs
pid Process 2352 b4ebaacfda5dc20a313f5c318e020023bda6aa8ef7146249cbd4a4e41d2a125c.exe 2352 b4ebaacfda5dc20a313f5c318e020023bda6aa8ef7146249cbd4a4e41d2a125c.exe 2020 Nidkmojn.exe 2020 Nidkmojn.exe 2052 Nlbgikia.exe 2052 Nlbgikia.exe 1416 Naopaa32.exe 1416 Naopaa32.exe 2776 Nhiholof.exe 2776 Nhiholof.exe 1584 Naalga32.exe 1584 Naalga32.exe 2732 Ngneph32.exe 2732 Ngneph32.exe 2696 Nmhmlbkk.exe 2696 Nmhmlbkk.exe 2188 Odbeilbg.exe 2188 Odbeilbg.exe 1556 Oklnff32.exe 1556 Oklnff32.exe 2180 Oaffbqaa.exe 2180 Oaffbqaa.exe 2000 Ocgbji32.exe 2000 Ocgbji32.exe 2976 Ogcnkgoh.exe 2976 Ogcnkgoh.exe 1832 Olpgconp.exe 1832 Olpgconp.exe 2420 Ocjophem.exe 2420 Ocjophem.exe 692 Onocmadb.exe 692 Onocmadb.exe 2544 Opnpimdf.exe 2544 Opnpimdf.exe 544 Oekhacbn.exe 544 Oekhacbn.exe 1944 Ohidmoaa.exe 1944 Ohidmoaa.exe 876 Ooclji32.exe 876 Ooclji32.exe 820 Ocohkh32.exe 820 Ocohkh32.exe 1696 Olgmcmgh.exe 1696 Olgmcmgh.exe 868 Poeipifl.exe 868 Poeipifl.exe 632 Pdbahpec.exe 632 Pdbahpec.exe 784 Plijimee.exe 784 Plijimee.exe 884 Pohfehdi.exe 884 Pohfehdi.exe 2396 Pddnnp32.exe 2396 Pddnnp32.exe 2368 Phpjnnki.exe 2368 Phpjnnki.exe 2772 Pdgkco32.exe 2772 Pdgkco32.exe 2736 Pnopldgn.exe 2736 Pnopldgn.exe 2340 Pdihiook.exe 2340 Pdihiook.exe 2640 Pnalad32.exe 2640 Pnalad32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jgfcja32.exe Jckgicnp.exe File created C:\Windows\SysWOW64\Daplkmbg.exe Diidjpbe.exe File created C:\Windows\SysWOW64\Jlhkgm32.exe Process not Found File created C:\Windows\SysWOW64\Mdmkoepk.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nfahomfd.exe Mcckcbgp.exe File opened for modification C:\Windows\SysWOW64\Neknki32.exe Nbmaon32.exe File created C:\Windows\SysWOW64\Mkipao32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Elkofg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fcmben32.exe Fhgnge32.exe File created C:\Windows\SysWOW64\Mfnqeb32.dll Ieofkp32.exe File created C:\Windows\SysWOW64\Pmmneg32.exe Process not Found File created C:\Windows\SysWOW64\Eadbpdla.dll Process not Found File created C:\Windows\SysWOW64\Ninmfc32.dll Eejopecj.exe File created C:\Windows\SysWOW64\Gpihdl32.dll Locjhqpa.exe File opened for modification C:\Windows\SysWOW64\Nbhhdnlh.exe Npjlhcmd.exe File created C:\Windows\SysWOW64\Dphfbiem.exe Dmijfmfi.exe File created C:\Windows\SysWOW64\Gkoobhhg.exe Ghacfmic.exe File opened for modification C:\Windows\SysWOW64\Ngdjaofc.exe Process not Found File created C:\Windows\SysWOW64\Mkkiehdc.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jenpajfb.exe Jbpdeogo.exe File created C:\Windows\SysWOW64\Dldkmlhl.exe Difnaqih.exe File opened for modification C:\Windows\SysWOW64\Dbaice32.exe Dpcmgi32.exe File created C:\Windows\SysWOW64\Khoebi32.exe Kjleflod.exe File opened for modification C:\Windows\SysWOW64\Bnihdemo.exe Bofgii32.exe File opened for modification C:\Windows\SysWOW64\Ddpobo32.exe Daacecfc.exe File created C:\Windows\SysWOW64\Ihbcmaje.exe Iedfqeka.exe File created C:\Windows\SysWOW64\Gamnhq32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fgocmc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Abhkfg32.exe Aipfmane.exe File created C:\Windows\SysWOW64\Jkcfcend.dll Giiglhjb.exe File opened for modification C:\Windows\SysWOW64\Pohhna32.exe Pkmlmbcd.exe File created C:\Windows\SysWOW64\Bhjlli32.exe Adnpkjde.exe File created C:\Windows\SysWOW64\Ekddecnj.dll Dhhhbg32.exe File created C:\Windows\SysWOW64\Qhkipdeb.exe Process not Found File created C:\Windows\SysWOW64\Elibpg32.exe Process not Found File created C:\Windows\SysWOW64\Aennba32.exe Aababceh.exe File created C:\Windows\SysWOW64\Nmnclmoj.exe Njpgpbpf.exe File created C:\Windows\SysWOW64\Dkkcoogp.dll Nmcmgm32.exe File created C:\Windows\SysWOW64\Mfjaekpm.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fqalaa32.exe Fncpef32.exe File created C:\Windows\SysWOW64\Fdqnkoep.exe Fennoa32.exe File created C:\Windows\SysWOW64\Ejkkfjkj.exe Ekhkjm32.exe File opened for modification C:\Windows\SysWOW64\Hcojam32.exe Heliepmn.exe File opened for modification C:\Windows\SysWOW64\Npbklabl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ppinkcnp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fkefbcmf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ddiibc32.exe Dchmkkkj.exe File created C:\Windows\SysWOW64\Elcpbigl.exe Edlhqlfi.exe File created C:\Windows\SysWOW64\Kageia32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cnckjddd.exe Bflbigdb.exe File opened for modification C:\Windows\SysWOW64\Bmkomchi.exe Bnhoag32.exe File created C:\Windows\SysWOW64\Ddonghfa.dll Flhmfbim.exe File opened for modification C:\Windows\SysWOW64\Kkjnnn32.exe Khkbbc32.exe File opened for modification C:\Windows\SysWOW64\Kenoifpb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ghdiokbq.exe Process not Found File created C:\Windows\SysWOW64\Kghpoa32.exe Kcmcoblm.exe File created C:\Windows\SysWOW64\Kojpahgg.dll Okdmjdol.exe File opened for modification C:\Windows\SysWOW64\Pmmneg32.exe Process not Found File created C:\Windows\SysWOW64\Hjpqkajf.dll Process not Found File created C:\Windows\SysWOW64\Ibmcpifp.dll Jlelhe32.exe File created C:\Windows\SysWOW64\Pofkha32.exe Plgolf32.exe File created C:\Windows\SysWOW64\Ebqngb32.exe Process not Found File created C:\Windows\SysWOW64\Inaqlm32.dll Caidaeak.exe File created C:\Windows\SysWOW64\Jlelhe32.exe Jhjphfgi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2056 3696 Process not Found 1497 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdegfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njpgpbpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhiakf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgedmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkfhlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkhaqpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmphhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chlfnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcahoqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnclmoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nallalep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behilopf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnibcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofngkga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phpjnnki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhoag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmeolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lneaqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnapb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlbgikia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooclji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkegah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkffng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhcim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oklnff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcqnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcaiiejc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdqnkoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giipab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamdkfnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbcbjlmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebdfind.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojomdoof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnnlocgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjdjjdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemjae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hegnahjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcnghpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdcmbgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcomce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqqpgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfoch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdgkco32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edqocbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efdmgc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmhglq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gamnel32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jofejpmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpadhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpdod32.dll" Hmeolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfphcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlbabncd.dll" Gcokiaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbgbj32.dll" Oaghki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdmnam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emgioakg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkoobhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjaickl.dll" Ehkhaqpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdonf32.dll" Khkbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibkmp32.dll" Pghfnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbdiia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnfie32.dll" Ejmhkiig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmqbj32.dll" Npaich32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idppjg32.dll" Dpkibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqhepmkh.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmbfggdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oagoep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aomnhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cakqgeoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eeielfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bffpki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gonocmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqklqhpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fckhhgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilcoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll" Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncekdcqn.dll" Dfmeccao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akfkbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aijbfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbcbjlmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Godaakic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmifhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meoell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngndfk32.dll" Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmhkmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqahqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkolakkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecikhmn.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2352 wrote to memory of 2020 2352 b4ebaacfda5dc20a313f5c318e020023bda6aa8ef7146249cbd4a4e41d2a125c.exe 30 PID 2352 wrote to memory of 2020 2352 b4ebaacfda5dc20a313f5c318e020023bda6aa8ef7146249cbd4a4e41d2a125c.exe 30 PID 2352 wrote to memory of 2020 2352 b4ebaacfda5dc20a313f5c318e020023bda6aa8ef7146249cbd4a4e41d2a125c.exe 30 PID 2352 wrote to memory of 2020 2352 b4ebaacfda5dc20a313f5c318e020023bda6aa8ef7146249cbd4a4e41d2a125c.exe 30 PID 2020 wrote to memory of 2052 2020 Nidkmojn.exe 31 PID 2020 wrote to memory of 2052 2020 Nidkmojn.exe 31 PID 2020 wrote to memory of 2052 2020 Nidkmojn.exe 31 PID 2020 wrote to memory of 2052 2020 Nidkmojn.exe 31 PID 2052 wrote to memory of 1416 2052 Nlbgikia.exe 32 PID 2052 wrote to memory of 1416 2052 Nlbgikia.exe 32 PID 2052 wrote to memory of 1416 2052 Nlbgikia.exe 32 PID 2052 wrote to memory of 1416 2052 Nlbgikia.exe 32 PID 1416 wrote to memory of 2776 1416 Naopaa32.exe 33 PID 1416 wrote to memory of 2776 1416 Naopaa32.exe 33 PID 1416 wrote to memory of 2776 1416 Naopaa32.exe 33 PID 1416 wrote to memory of 2776 1416 Naopaa32.exe 33 PID 2776 wrote to memory of 1584 2776 Nhiholof.exe 34 PID 2776 wrote to memory of 1584 2776 Nhiholof.exe 34 PID 2776 wrote to memory of 1584 2776 Nhiholof.exe 34 PID 2776 wrote to memory of 1584 2776 Nhiholof.exe 34 PID 1584 wrote to memory of 2732 1584 Naalga32.exe 35 PID 1584 wrote to memory of 2732 1584 Naalga32.exe 35 PID 1584 wrote to memory of 2732 1584 Naalga32.exe 35 PID 1584 wrote to memory of 2732 1584 Naalga32.exe 35 PID 2732 wrote to memory of 2696 2732 Ngneph32.exe 36 PID 2732 wrote to memory of 2696 2732 Ngneph32.exe 36 PID 2732 wrote to memory of 2696 2732 Ngneph32.exe 36 PID 2732 wrote to memory of 2696 2732 Ngneph32.exe 36 PID 2696 wrote to memory of 2188 2696 Nmhmlbkk.exe 37 PID 2696 wrote to memory of 2188 2696 Nmhmlbkk.exe 37 PID 2696 wrote to memory of 2188 2696 Nmhmlbkk.exe 37 PID 2696 wrote to memory of 2188 2696 Nmhmlbkk.exe 37 PID 2188 wrote to memory of 1556 2188 Odbeilbg.exe 38 PID 2188 wrote to memory of 1556 2188 Odbeilbg.exe 38 PID 2188 wrote to memory of 1556 2188 Odbeilbg.exe 38 PID 2188 wrote to memory of 1556 2188 Odbeilbg.exe 38 PID 1556 wrote to memory of 2180 1556 Oklnff32.exe 39 PID 1556 wrote to memory of 2180 1556 Oklnff32.exe 39 PID 1556 wrote to memory of 2180 1556 Oklnff32.exe 39 PID 1556 wrote to memory of 2180 1556 Oklnff32.exe 39 PID 2180 wrote to memory of 2000 2180 Oaffbqaa.exe 40 PID 2180 wrote to memory of 2000 2180 Oaffbqaa.exe 40 PID 2180 wrote to memory of 2000 2180 Oaffbqaa.exe 40 PID 2180 wrote to memory of 2000 2180 Oaffbqaa.exe 40 PID 2000 wrote to memory of 2976 2000 Ocgbji32.exe 41 PID 2000 wrote to memory of 2976 2000 Ocgbji32.exe 41 PID 2000 wrote to memory of 2976 2000 Ocgbji32.exe 41 PID 2000 wrote to memory of 2976 2000 Ocgbji32.exe 41 PID 2976 wrote to memory of 1832 2976 Ogcnkgoh.exe 42 PID 2976 wrote to memory of 1832 2976 Ogcnkgoh.exe 42 PID 2976 wrote to memory of 1832 2976 Ogcnkgoh.exe 42 PID 2976 wrote to memory of 1832 2976 Ogcnkgoh.exe 42 PID 1832 wrote to memory of 2420 1832 Olpgconp.exe 43 PID 1832 wrote to memory of 2420 1832 Olpgconp.exe 43 PID 1832 wrote to memory of 2420 1832 Olpgconp.exe 43 PID 1832 wrote to memory of 2420 1832 Olpgconp.exe 43 PID 2420 wrote to memory of 692 2420 Ocjophem.exe 44 PID 2420 wrote to memory of 692 2420 Ocjophem.exe 44 PID 2420 wrote to memory of 692 2420 Ocjophem.exe 44 PID 2420 wrote to memory of 692 2420 Ocjophem.exe 44 PID 692 wrote to memory of 2544 692 Onocmadb.exe 45 PID 692 wrote to memory of 2544 692 Onocmadb.exe 45 PID 692 wrote to memory of 2544 692 Onocmadb.exe 45 PID 692 wrote to memory of 2544 692 Onocmadb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4ebaacfda5dc20a313f5c318e020023bda6aa8ef7146249cbd4a4e41d2a125c.exe"C:\Users\Admin\AppData\Local\Temp\b4ebaacfda5dc20a313f5c318e020023bda6aa8ef7146249cbd4a4e41d2a125c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:820 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632 -
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:784 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe33⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe34⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe35⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Qqbecp32.exeC:\Windows\system32\Qqbecp32.exe36⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe37⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe39⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe40⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe41⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe43⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe44⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe45⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe46⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe47⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe48⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe49⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe50⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe51⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe52⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe54⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe55⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe57⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe58⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe59⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe60⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:596 -
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe62⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Bcegin32.exeC:\Windows\system32\Bcegin32.exe63⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe64⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe65⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe66⤵PID:2572
-
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe67⤵PID:2380
-
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe68⤵PID:2816
-
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe69⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe70⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe72⤵PID:1860
-
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe73⤵PID:912
-
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe74⤵PID:2952
-
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe75⤵PID:2660
-
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe76⤵PID:2716
-
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe77⤵PID:1624
-
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe78⤵PID:612
-
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe80⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe81⤵PID:1248
-
C:\Windows\SysWOW64\Cofnjj32.exeC:\Windows\system32\Cofnjj32.exe82⤵PID:2548
-
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe83⤵PID:2584
-
C:\Windows\SysWOW64\Cepfgdnj.exeC:\Windows\system32\Cepfgdnj.exe84⤵PID:3004
-
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe85⤵PID:2912
-
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe86⤵PID:1932
-
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe87⤵PID:2864
-
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe88⤵PID:2160
-
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe89⤵PID:1508
-
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe90⤵PID:2308
-
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe91⤵PID:1464
-
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe92⤵
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe93⤵PID:1940
-
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe94⤵PID:936
-
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe95⤵PID:1608
-
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe96⤵PID:1984
-
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe97⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe98⤵PID:2628
-
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe99⤵PID:2664
-
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe100⤵PID:676
-
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe101⤵PID:1408
-
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe102⤵PID:2928
-
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe103⤵PID:1640
-
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe104⤵PID:1720
-
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe105⤵PID:2168
-
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe106⤵PID:1664
-
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe107⤵PID:952
-
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe108⤵PID:1924
-
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe109⤵PID:1652
-
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe110⤵PID:2824
-
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe111⤵PID:2676
-
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe112⤵PID:2680
-
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe113⤵PID:1404
-
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe114⤵PID:2284
-
C:\Windows\SysWOW64\Domqjm32.exeC:\Windows\system32\Domqjm32.exe115⤵PID:2220
-
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe116⤵
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe117⤵PID:1920
-
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe118⤵PID:2744
-
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe119⤵PID:2884
-
C:\Windows\SysWOW64\Eamilh32.exeC:\Windows\system32\Eamilh32.exe120⤵PID:1908
-
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe121⤵
- Modifies registry class
PID:2948
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-