Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 16-09-2024 11:08

Static task: static1
Behavioral task: behavioral1
  Sample: Backdoor.Win32.Berbew.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: Backdoor.Win32.Berbew.exe
  Resource: win10v2004-20240802-en

General
Target: Backdoor.Win32.Berbew.exe
Size: 64KB
MD5: 595d78aade46e70463461e9d3ccec030
SHA1: 807673f319016230f34b2f4f88135dfbc4b64195
SHA256: 946d5159c42d4688a6506415c984f438ed131d62793f069057e4919ae3e4aa0b
SHA512: 79e70364ecb932a00ae6efa499ef7baa60270f133ddafa631c2d9ae07ba19a85d80d34c6d840dc983221bc2dfedec08ac3b65033c6ccf1c2663c8733d0f90e81
SSDEEP: 1536:HtmQRHGcP4AnwdyN8GeK2TtVC+UrDeO6XKhbMbt2:UQdG6Xwd9Cpr6O6Xjt2
Malware Config
Extracted: berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Njhilimb.exe, Ajldkhjh.exe, Dpfkeb32.exe, Pmmqmpdm.exe, Cdkkcp32.exe, Dghjkpck.exe, Onamle32.exe, Enhaeldn.exe, Pmpdmfff.exe, Iqfiii32.exe, Kmficl32.exe, Hekefkig.exe, Adleoc32.exe, Cchdpbog.exe, Hgfooe32.exe, Kamlhl32.exe, Bemkle32.exe, Lfippfej.exe, Qjgcecja.exe, Apfici32.exe, Obhpad32.exe, Afeaei32.exe, Bbfnchfb.exe, Chofhm32.exe, Jgjmoace.exe, Ooofcg32.exe, Cjjpag32.exe, Icoepohq.exe, Aankkqfl.exe, Chhpgn32.exe, Cnnimkom.exe, Njeelc32.exe, Epkepakn.exe, Fenphjei.exe, Mcidkf32.exe, Fjfhkl32.exe, Nanfqo32.exe, Pfchqf32.exe, Egpena32.exe, Aedlhg32.exe, Chlgid32.exe, Dglpdomh.exe, Keiqlihp.exe, Kigibh32.exe, Pcbookpp.exe, Pbjifgcd.exe, Bojipjcj.exe, Amglgn32.exe, Qlgndbil.exe, Dilchhgg.exe, Dbmkfh32.exe, Fbkjap32.exe, Glnkcc32.exe, Lepclldc.exe, Nqpmimbe.exe, Bdinnqon.exe, Ddmchcnd.exe, Bjfpdf32.exe, Bdobdc32.exe, Fjaoplho.exe, Aompambg.exe, Pfkimhhi.exe, Hkbkpcpd.exe, Ifgklp32.exe

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njhilimb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajldkhjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpfkeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmmqmpdm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdkkcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dghjkpck.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onamle32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enhaeldn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmpdmfff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iqfiii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmficl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hekefkig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Adleoc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cchdpbog.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgfooe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kamlhl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bemkle32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfippfej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qjgcecja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Apfici32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obhpad32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afeaei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbfnchfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chofhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgjmoace.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ooofcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjjpag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Icoepohq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aankkqfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chhpgn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnnimkom.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njeelc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Epkepakn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fenphjei.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcidkf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjfhkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nanfqo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfchqf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egpena32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aedlhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chlgid32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dglpdomh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Keiqlihp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kigibh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcbookpp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbjifgcd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bojipjcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amglgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qlgndbil.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dilchhgg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbmkfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fbkjap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Glnkcc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lepclldc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqpmimbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bdinnqon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddmchcnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjfpdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bdobdc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjaoplho.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aompambg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfkimhhi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkbkpcpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifgklp32.exe
Executes dropped EXE (64 IoCs)
Processes: Nhbciaki.exe, Nomkfk32.exe, Ndicnb32.exe, Noohlkpc.exe, Nbmdhfog.exe, Ngjlpmnn.exe, Njhilimb.exe, Ncamen32.exe, Ogliemkk.exe, Omiand32.exe, Occjjnap.exe, Ojmbgh32.exe, Oninhgae.exe, Ocefpnom.exe, Ojpomh32.exe, Oaigib32.exe, Ochcem32.exe, Offpbi32.exe, Oielnd32.exe, Ocjpkm32.exe, Ofilgh32.exe, Ombddbah.exe, Oleepo32.exe, Pfkimhhi.exe, Penihe32.exe, Phledp32.exe, Ppcmfn32.exe, Padjmfdg.exe, Pjmnfk32.exe, Pdecoa32.exe, Pllkpn32.exe, Pnkglj32.exe, Peeoidik.exe, Pjahakgb.exe, Pmpdmfff.exe, Ppopja32.exe, Qigebglj.exe, Qpamoa32.exe, Qdlipplq.exe, Qiiahgjh.exe, Qlgndbil.exe, Qdofep32.exe, Aepbmhpl.exe, Abdbflnf.exe, Afpogk32.exe, Ainkcf32.exe, Aphcppmo.exe, Aokckm32.exe, Aaipghcn.exe, Aedlhg32.exe, Ahchdb32.exe, Alodeacc.exe, Aompambg.exe, Abhlak32.exe, Aeghng32.exe, Ahedjb32.exe, Akdafn32.exe, Aoomflpd.exe, Aanibhoh.exe, Adleoc32.exe, Agkako32.exe, Akfnkmei.exe, Andjgidl.exe, Bapfhg32.exe

pid | process
1976 | Nhbciaki.exe
2668 | Nomkfk32.exe
2564 | Ndicnb32.exe
2460 | Noohlkpc.exe
3008 | Nbmdhfog.exe
872 | Ngjlpmnn.exe
1416 | Njhilimb.exe
2904 | Ncamen32.exe
1084 | Ogliemkk.exe
1420 | Omiand32.exe
2508 | Occjjnap.exe
2364 | Ojmbgh32.exe
1204 | Oninhgae.exe
2216 | Ocefpnom.exe
3060 | Ojpomh32.exe
2380 | Oaigib32.exe
1944 | Ochcem32.exe
912 | Offpbi32.exe
2720 | Oielnd32.exe
1368 | Ocjpkm32.exe
328 | Ofilgh32.exe
1984 | Ombddbah.exe
2468 | Oleepo32.exe
2920 | Pfkimhhi.exe
288 | Penihe32.exe
1572 | Phledp32.exe
2740 | Ppcmfn32.exe
2200 | Padjmfdg.exe
2708 | Pjmnfk32.exe
2536 | Pdecoa32.exe
2956 | Pllkpn32.exe
2384 | Pnkglj32.exe
1276 | Peeoidik.exe
852 | Pjahakgb.exe
2436 | Pmpdmfff.exe
1092 | Ppopja32.exe
1952 | Qigebglj.exe
1612 | Qpamoa32.exe
2240 | Qdlipplq.exe
2248 | Qiiahgjh.exe
2336 | Qlgndbil.exe
1284 | Qdofep32.exe
2912 | Aepbmhpl.exe
1536 | Abdbflnf.exe
1808 | Afpogk32.exe
1308 | Ainkcf32.exe
2416 | Aphcppmo.exe
840 | Aokckm32.exe
2876 | Aaipghcn.exe
2764 | Aedlhg32.exe
2692 | Ahchdb32.exe
2540 | Alodeacc.exe
1760 | Aompambg.exe
2584 | Abhlak32.exe
2196 | Aeghng32.exe
2900 | Ahedjb32.exe
1728 | Akdafn32.exe
572 | Aoomflpd.exe
3068 | Aanibhoh.exe
808 | Adleoc32.exe
540 | Agkako32.exe
632 | Akfnkmei.exe
892 | Andjgidl.exe
2252 | Bapfhg32.exe
Loads dropped DLL (64 IoCs)
Processes: Backdoor.Win32.Berbew.exe, Nhbciaki.exe, Nomkfk32.exe, Ndicnb32.exe, Noohlkpc.exe, Nbmdhfog.exe, Ngjlpmnn.exe, Njhilimb.exe, Ncamen32.exe, Ogliemkk.exe, Omiand32.exe, Occjjnap.exe, Ojmbgh32.exe, Oninhgae.exe, Ocefpnom.exe, Ojpomh32.exe, Oaigib32.exe, Ochcem32.exe, Offpbi32.exe, Oielnd32.exe, Ocjpkm32.exe, Ofilgh32.exe, Ombddbah.exe, Oleepo32.exe, Pfkimhhi.exe, Penihe32.exe, Phledp32.exe, Ppcmfn32.exe, Padjmfdg.exe, Pjmnfk32.exe, Pdecoa32.exe, Pllkpn32.exe

pid | process (each process is listed once per DLL load event)
2328 | Backdoor.Win32.Berbew.exe
2328 | Backdoor.Win32.Berbew.exe
1976 | Nhbciaki.exe
1976 | Nhbciaki.exe
2668 | Nomkfk32.exe
2668 | Nomkfk32.exe
2564 | Ndicnb32.exe
2564 | Ndicnb32.exe
2460 | Noohlkpc.exe
2460 | Noohlkpc.exe
3008 | Nbmdhfog.exe
3008 | Nbmdhfog.exe
872 | Ngjlpmnn.exe
872 | Ngjlpmnn.exe
1416 | Njhilimb.exe
1416 | Njhilimb.exe
2904 | Ncamen32.exe
2904 | Ncamen32.exe
1084 | Ogliemkk.exe
1084 | Ogliemkk.exe
1420 | Omiand32.exe
1420 | Omiand32.exe
2508 | Occjjnap.exe
2508 | Occjjnap.exe
2364 | Ojmbgh32.exe
2364 | Ojmbgh32.exe
1204 | Oninhgae.exe
1204 | Oninhgae.exe
2216 | Ocefpnom.exe
2216 | Ocefpnom.exe
3060 | Ojpomh32.exe
3060 | Ojpomh32.exe
2380 | Oaigib32.exe
2380 | Oaigib32.exe
1944 | Ochcem32.exe
1944 | Ochcem32.exe
912 | Offpbi32.exe
912 | Offpbi32.exe
2720 | Oielnd32.exe
2720 | Oielnd32.exe
1368 | Ocjpkm32.exe
1368 | Ocjpkm32.exe
328 | Ofilgh32.exe
328 | Ofilgh32.exe
1984 | Ombddbah.exe
1984 | Ombddbah.exe
2468 | Oleepo32.exe
2468 | Oleepo32.exe
2920 | Pfkimhhi.exe
2920 | Pfkimhhi.exe
288 | Penihe32.exe
288 | Penihe32.exe
1572 | Phledp32.exe
1572 | Phledp32.exe
2740 | Ppcmfn32.exe
2740 | Ppcmfn32.exe
2200 | Padjmfdg.exe
2200 | Padjmfdg.exe
2708 | Pjmnfk32.exe
2708 | Pjmnfk32.exe
2536 | Pdecoa32.exe
2536 | Pdecoa32.exe
2956 | Pllkpn32.exe
2956 | Pllkpn32.exe
Drops file in System32 directory (64 IoCs)
Processes: Ogaeieoj.exe, Bknfeege.exe, Hljaigmo.exe, Jkkjeeke.exe, Kcmdjgbh.exe, Coladm32.exe, Nanfqo32.exe, Ckomqopi.exe, Eiciig32.exe, Bjfpdf32.exe, Abdbflnf.exe, Qpniokan.exe, Ijfqfj32.exe, Igcgnbim.exe, Mdepmh32.exe, Mkfojakp.exe, Bdcnhk32.exe, Qiiahgjh.exe, Hnnjfo32.exe, Nnlhab32.exe, Beadgdli.exe, Fabmmejd.exe, Ahfgbkpl.exe, Ncamen32.exe, Iblola32.exe, Lijiaabk.exe, Onamle32.exe, Fpbqcb32.exe, Ijimli32.exe, Iklfia32.exe, Omnmal32.exe, Bdobdc32.exe, Bfiabjjm.exe, Ggbieb32.exe, Gpacogjm.exe, Lkbpke32.exe, Onldqejb.exe, Ejfllhao.exe, Egfjdchi.exe, Jihdnk32.exe, Nobndj32.exe, Pcdldknm.exe, Aedlhg32.exe, Ccmblnif.exe, Gmkjgfmf.exe, Jdidmf32.exe, Jecnnk32.exe, Lmcilp32.exe, Naegmabc.exe, Oodjjign.exe, Pcnfdl32.exe, Fefcmehe.exe, Lofkoamf.exe, Afpogk32.exe, Fhhbif32.exe, Jnlbgq32.exe, Adgein32.exe, Qnpcpa32.exe, Dmebcgbb.exe, Hqochjnk.exe, Jcikog32.exe

description | ioc | process
File created | C:\Windows\SysWOW64\Bnipnnpb.dll | Ogaeieoj.exe
File opened for modification | C:\Windows\SysWOW64\Biqfpb32.exe | Bknfeege.exe
File created | C:\Windows\SysWOW64\Hoimecmb.exe | Hljaigmo.exe
File opened for modification | C:\Windows\SysWOW64\Jnifaajh.exe | Jkkjeeke.exe
File created | C:\Windows\SysWOW64\Kflafbak.exe | Kcmdjgbh.exe
File opened for modification | C:\Windows\SysWOW64\Cbjnqh32.exe | Coladm32.exe
File created | C:\Windows\SysWOW64\Ndlbmk32.exe | Nanfqo32.exe
File created | C:\Windows\SysWOW64\Cjbmll32.exe | Ckomqopi.exe
File created | C:\Windows\SysWOW64\Pajhnb32.dll | Eiciig32.exe
File created | C:\Windows\SysWOW64\Bobleeef.exe | Bjfpdf32.exe
File created | C:\Windows\SysWOW64\Ikkkijnk.dll | Abdbflnf.exe
File created | C:\Windows\SysWOW64\Qblfkgqb.exe | Qpniokan.exe
File created | C:\Windows\SysWOW64\Ilemce32.exe | Ijfqfj32.exe
File opened for modification | C:\Windows\SysWOW64\Iojopp32.exe | Igcgnbim.exe
File opened for modification | C:\Windows\SysWOW64\Mllhne32.exe | Mdepmh32.exe
File opened for modification | C:\Windows\SysWOW64\Mmdkfmjc.exe | Mkfojakp.exe
File opened for modification | C:\Windows\SysWOW64\Bbfnchfb.exe | Bdcnhk32.exe
File opened for modification | C:\Windows\SysWOW64\Qlgndbil.exe | Qiiahgjh.exe
File created | C:\Windows\SysWOW64\Fplkghjl.dll | Hnnjfo32.exe
File opened for modification | C:\Windows\SysWOW64\Kflafbak.exe | Kcmdjgbh.exe
File created | C:\Windows\SysWOW64\Mpbelhkp.dll | Nnlhab32.exe
File opened for modification | C:\Windows\SysWOW64\Bhpqcpkm.exe | Beadgdli.exe
File opened for modification | C:\Windows\SysWOW64\Fpemhb32.exe | Fabmmejd.exe
File opened for modification | C:\Windows\SysWOW64\Ajdcofop.exe | Ahfgbkpl.exe
File created | C:\Windows\SysWOW64\Ogliemkk.exe | Ncamen32.exe
File created | C:\Windows\SysWOW64\Cqekiefo.dll | Iblola32.exe
File opened for modification | C:\Windows\SysWOW64\Lmeebpkd.exe | Lijiaabk.exe
File created | C:\Windows\SysWOW64\Oqojhp32.exe | Onamle32.exe
File created | C:\Windows\SysWOW64\Llmhgcfd.dll | Fpbqcb32.exe
File opened for modification | C:\Windows\SysWOW64\Ilgjhena.exe | Ijimli32.exe
File created | C:\Windows\SysWOW64\Inkcem32.exe | Iklfia32.exe
File created | C:\Windows\SysWOW64\Oqjibkek.exe | Omnmal32.exe
File opened for modification | C:\Windows\SysWOW64\Bgmnpn32.exe | Bdobdc32.exe
File opened for modification | C:\Windows\SysWOW64\Chgnneiq.exe | Bfiabjjm.exe
File created | C:\Windows\SysWOW64\Mldlaa32.dll | Ggbieb32.exe
File opened for modification | C:\Windows\SysWOW64\Gcppkbia.exe | Gpacogjm.exe
File created | C:\Windows\SysWOW64\Obdfbbbn.dll | Lkbpke32.exe
File created | C:\Windows\SysWOW64\Ajcdki32.dll | Onldqejb.exe
File opened for modification | C:\Windows\SysWOW64\Emdhhdqb.exe | Ejfllhao.exe
File created | C:\Windows\SysWOW64\Ejdfqogm.exe | Egfjdchi.exe
File created | C:\Windows\SysWOW64\Ihjpll32.dll | Jihdnk32.exe
File opened for modification | C:\Windows\SysWOW64\Nbqjqehd.exe | Nobndj32.exe
File opened for modification | C:\Windows\SysWOW64\Pfchqf32.exe | Pcdldknm.exe
File created | C:\Windows\SysWOW64\Pcdbhb32.dll | Aedlhg32.exe
File opened for modification | C:\Windows\SysWOW64\Cbpbgk32.exe | Ccmblnif.exe
File created | C:\Windows\SysWOW64\Glnkcc32.exe | Gmkjgfmf.exe
File created | C:\Windows\SysWOW64\Jghqia32.exe | Jdidmf32.exe
File created | C:\Windows\SysWOW64\Jgbjjf32.exe | Jecnnk32.exe
File created | C:\Windows\SysWOW64\Laodmoep.exe | Lmcilp32.exe
File created | C:\Windows\SysWOW64\Nacjlp32.dll | Naegmabc.exe
File opened for modification | C:\Windows\SysWOW64\Obcffefa.exe | Oodjjign.exe
File opened for modification | C:\Windows\SysWOW64\Pgibdjln.exe | Pcnfdl32.exe
File opened for modification | C:\Windows\SysWOW64\Fcichb32.exe | Fefcmehe.exe
File opened for modification | C:\Windows\SysWOW64\Lbagpp32.exe | Lofkoamf.exe
File opened for modification | C:\Windows\SysWOW64\Ainkcf32.exe | Afpogk32.exe
File created | C:\Windows\SysWOW64\Fbngfo32.exe | Fhhbif32.exe
File created | C:\Windows\SysWOW64\Jmocbnop.exe | Jnlbgq32.exe
File created | C:\Windows\SysWOW64\Afeaei32.exe | Adgein32.exe
File created | C:\Windows\SysWOW64\Qanolm32.exe | Qnpcpa32.exe
File opened for modification | C:\Windows\SysWOW64\Ahchdb32.exe | Aedlhg32.exe
File created | C:\Windows\SysWOW64\Dqaode32.exe | Dmebcgbb.exe
File created | C:\Windows\SysWOW64\Mmgofm32.dll | Hqochjnk.exe
File created | C:\Windows\SysWOW64\Kfggkc32.exe | Jcikog32.exe
File created | C:\Windows\SysWOW64\Ebinok32.dll | Nanfqo32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Hhlaiccm.exe, Pfkkeq32.exe, Ciglaa32.exe, Qdlipplq.exe, Ecmjid32.exe, Flhhed32.exe, Hcdifa32.exe, Jnbpqb32.exe, Qijdqp32.exe, Glckihcg.exe, Plbmom32.exe, Hchoop32.exe, Nohddd32.exe, Qlggjlep.exe, Afndjdpe.exe, Ifengpdh.exe, Cjjpag32.exe, Afqhjj32.exe, Nndgeplo.exe, Ajdcofop.exe, Bbfnchfb.exe, Hhmhcigh.exe, Jnlbgq32.exe, Cgqmpkfg.exe, Flqkjo32.exe, Kpoejbhe.exe, Pcmoie32.exe, Ggdekbgb.exe, Oiahnnji.exe, Nmggllha.exe, Nchipb32.exe, Bpfebmia.exe, Amafgc32.exe, Dglpdomh.exe, Kenjgi32.exe, Mdoccg32.exe, Igpaec32.exe, Pjjkfe32.exe, Aejnfe32.exe, Hpnlndkp.exe, Iqllghon.exe, Lfippfej.exe, Aadobccg.exe, Bbchkime.exe, Ekghcq32.exe, Cnnimkom.exe, Ahpddmia.exe, Chbihc32.exe, Ecadddjh.exe, Fbpclofe.exe, Lijiaabk.exe, Famcbf32.exe, Mllhne32.exe, Mgkbjb32.exe, Okpdjjil.exe, Nnbjpqoa.exe, Bmelpa32.exe, Cpohhk32.exe, Eannmi32.exe, Igmepdbc.exe, Iblola32.exe, Epqgopbi.exe, Ojbnkp32.exe, Bdfjnkne.exe

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhlaiccm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfkkeq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ciglaa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qdlipplq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecmjid32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flhhed32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hcdifa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jnbpqb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qijdqp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Glckihcg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Plbmom32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hchoop32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nohddd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qlggjlep.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afndjdpe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ifengpdh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjjpag32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afqhjj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nndgeplo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajdcofop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbfnchfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhmhcigh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jnlbgq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgqmpkfg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flqkjo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpoejbhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pcmoie32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggdekbgb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oiahnnji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmggllha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nchipb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpfebmia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amafgc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dglpdomh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kenjgi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdoccg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Igpaec32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjjkfe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aejnfe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hpnlndkp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iqllghon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lfippfej.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aadobccg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbchkime.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ekghcq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnnimkom.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahpddmia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chbihc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecadddjh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbpclofe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lijiaabk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Famcbf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mllhne32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mgkbjb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Okpdjjil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnbjpqoa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmelpa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpohhk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eannmi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Igmepdbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iblola32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epqgopbi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojbnkp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bdfjnkne.exe
Modifies registry class (64 IoCs)
Processes: Cgqmpkfg.exe, Igkhjdde.exe, Lmcilp32.exe, Bckefnki.exe, Kflafbak.exe, Cpbkhabp.exe, Dlboca32.exe, Inkcem32.exe, Pllkpn32.exe, Dcokpa32.exe, Nhmbdl32.exe, Baealp32.exe, Cfknhi32.exe, Kngekdnf.exe, Igpaec32.exe, Ldbjdj32.exe, Blipno32.exe, Dkjhjm32.exe, Malmllfb.exe, Ndicnb32.exe, Bdckobhd.exe, Jngilalk.exe, Fjfhkl32.exe, Cqleifna.exe, Ficehj32.exe, Fbkjap32.exe, Mldeik32.exe, Hhnnnbaj.exe, Adleoc32.exe, Ckkcep32.exe, Jihdnk32.exe, Obhpad32.exe, Jgjmoace.exe, Nkfkidmk.exe, Omnmal32.exe, Bdaojbjf.exe, Decdmi32.exe, Pegnglnm.exe, Mmjomogn.exe, Bfpmog32.exe, Igmepdbc.exe, Macjgadf.exe, Aepbmhpl.exe, Nphpng32.exe, Bheaiekc.exe, Ggklka32.exe, Boleejag.exe, Gkhaooec.exe, Jinfli32.exe, Manjaldo.exe, Njhilimb.exe, Ahedjb32.exe, Beldao32.exe, Ceickb32.exe, Ochenfdn.exe, Pgodcich.exe, Flqkjo32.exe, Odqlhjbi.exe, Kecjmodq.exe, Aicmadmm.exe, Pnimpcke.exe, Ealahi32.exe, Ligfakaa.exe

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cgqmpkfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Igkhjdde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdccacf.dll" | Lmcilp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bckefnki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kflafbak.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cpbkhabp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dlboca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geindqkj.dll" | Inkcem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldknflmi.dll" | Pllkpn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dcokpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhmbdl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Baealp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cfknhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kngekdnf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Igpaec32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ldbjdj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhnkcm32.dll" | Blipno32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dkjhjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Malmllfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndicnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bdckobhd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jngilalk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffnnem32.dll" | Fjfhkl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cqleifna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgodoah.dll" | Ficehj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fbkjap32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mldeik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqmojc32.dll" | Hhnnnbaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmmil32.dll" | Adleoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgehjlpm.dll" | Ckkcep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjpll32.dll" | Jihdnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmccgf32.dll" | Obhpad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jgjmoace.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cidffnka.dll" | Nkfkidmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcoomf32.dll" | Omnmal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelgmaak.dll" | Bdaojbjf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Decdmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pegnglnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnjabpb.dll" | Cqleifna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mmjomogn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bfpmog32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Igmepdbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhhkobjh.dll" | Macjgadf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmaefik.dll" | Aepbmhpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nphpng32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bheaiekc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkhdlkp.dll" | Ggklka32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Boleejag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Colojben.dll" | Gkhaooec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jinfli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkhgp32.dll" | Manjaldo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Njhilimb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ahedjb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Beldao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ceickb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Ochenfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgodcich.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaqejn32.dll" Flqkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odqlhjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kecjmodq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aicmadmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoadpbdp.dll" Pnimpcke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ealahi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ligfakaa.exe -
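Every row above touches the InProcServer32 key of a single CLSID, and the process tree below marks many of the same executables with the "Adds autorun key to be loaded by Explorer.exe on startup" signature. The mechanism is plain COM: Explorer instantiates the shell objects listed for delayed loading at logon, and COM resolves each CLSID to whatever DLL the InProcServer32 default value names, so each dropped executable re-pointing that value at a freshly named DLL in SysWow64 keeps the backdoor loaded while leaving a trail of earlier DLL names on disk. The Python below is an added example, not part of the sandbox report or the sample: it parses six rows copied from the table (embedded as a constructed sample), lists every DLL the CLSID was pointed at, reports the one that is left in place at the end, and flags a CLSID whose server was rewritten more than once. The function names and the rewrite threshold are my own choices.

```python
"""Parse the registry rows of a sandbox report and pull out COM in-process
server rewrites, the mechanism this sample uses to keep itself loaded."""
import re
from collections import defaultdict

# Six rows copied from the report's registry table (one "Key created" row, one
# ThreadingModel row and four rewrites of the default value), embedded here as
# a constructed sample so the parser runs offline.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geindqkj.dll" Inkcem32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldknflmi.dll" Pllkpn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcokpa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhmbdl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhnkcm32.dll" Blipno32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnjabpb.dll" Cqleifna.exe
"""

# "Set value (str) <key>\<name> = "<data>" <process>"; an empty <name> is the
# key's default value, which is where COM reads the server DLL path from.
SET_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.*?)\\(?P<name>[^\\ ]*)'
    r' = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)
KEY_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\\S+) (?P<proc>\S+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def parse_events(text):
    """Turn the report's flattened registry rows into dicts.

    The sandbox prints the DLL path with doubled backslashes; they are collapsed
    so the path compares equal to what a live host shows."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["action"] = "set"
            ev["data"] = ev["data"].replace("\\\\", "\\")
        else:
            m = KEY_RE.match(line)
            if not m:
                continue
            ev = m.groupdict()
            ev.update(action="create", name=None, data=None)
        c = CLSID_RE.search(ev["key"])
        ev["clsid"] = c.group(0).upper() if c else None
        events.append(ev)
    return events


def inproc_servers(events):
    """clsid -> ordered list of (dll_path, writer_process) for every rewrite of
    the InProcServer32 default value, i.e. every DLL COM would load for it."""
    out = defaultdict(list)
    for ev in events:
        if (ev["action"] == "set" and ev["name"] == "" and ev["clsid"]
                and ev["key"].upper().endswith("\\INPROCSERVER32")):
            out[ev["clsid"]].append((ev["data"], ev["proc"]))
    return dict(out)


def final_servers(events):
    """clsid -> DLL path left by the last rewrite (the one loaded next time);
    every earlier path is still an on-disk IoC worth collecting."""
    return {c: entries[-1][0] for c, entries in inproc_servers(events).items()}


def churned_clsids(events, min_paths=2):
    """CLSIDs pointed at `min_paths` or more distinct DLLs.  A legitimate
    install registers a server once; a CLSID re-pointed at fresh DLLs by
    several executables in one run is the self-refreshing persistence seen here.
    The threshold of 2 is a heuristic chosen for this example."""
    hits = {}
    for clsid, entries in inproc_servers(events).items():
        paths = {p.lower() for p, _ in entries}
        if len(paths) >= min_paths:
            hits[clsid] = {"dll_paths": sorted(paths),
                           "writers": sorted({w for _, w in entries})}
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for clsid, info in churned_clsids(evs).items():
        print(clsid, "re-pointed at", len(info["dll_paths"]), "DLLs by", info["writers"])
        print("  DLL loaded at next instantiation:", final_servers(evs)[clsid])
```

Pasting the whole table into SAMPLE_EVENTS gives the complete list of dropped DLL names to sweep for; on a live host the same two checks apply to the CLSID's InProcServer32 value under both the native and the Wow6432Node hive.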
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Backdoor.Win32.Berbew.exe, Nhbciaki.exe, Nomkfk32.exe, Ndicnb32.exe, Noohlkpc.exe, Nbmdhfog.exe, Ngjlpmnn.exe, Njhilimb.exe, Ncamen32.exe, Ogliemkk.exe, Omiand32.exe, Occjjnap.exe, Ojmbgh32.exe, Oninhgae.exe, Ocefpnom.exe, Ojpomh32.exe
description pid process target process
PID 2328 wrote to memory of 1976 2328 Backdoor.Win32.Berbew.exe Nhbciaki.exe
PID 2328 wrote to memory of 1976 2328 Backdoor.Win32.Berbew.exe Nhbciaki.exe
PID 2328 wrote to memory of 1976 2328 Backdoor.Win32.Berbew.exe Nhbciaki.exe
PID 2328 wrote to memory of 1976 2328 Backdoor.Win32.Berbew.exe Nhbciaki.exe
PID 1976 wrote to memory of 2668 1976 Nhbciaki.exe Nomkfk32.exe
PID 1976 wrote to memory of 2668 1976 Nhbciaki.exe Nomkfk32.exe
PID 1976 wrote to memory of 2668 1976 Nhbciaki.exe Nomkfk32.exe
PID 1976 wrote to memory of 2668 1976 Nhbciaki.exe Nomkfk32.exe
PID 2668 wrote to memory of 2564 2668 Nomkfk32.exe Ndicnb32.exe
PID 2668 wrote to memory of 2564 2668 Nomkfk32.exe Ndicnb32.exe
PID 2668 wrote to memory of 2564 2668 Nomkfk32.exe Ndicnb32.exe
PID 2668 wrote to memory of 2564 2668 Nomkfk32.exe Ndicnb32.exe
PID 2564 wrote to memory of 2460 2564 Ndicnb32.exe Noohlkpc.exe
PID 2564 wrote to memory of 2460 2564 Ndicnb32.exe Noohlkpc.exe
PID 2564 wrote to memory of 2460 2564 Ndicnb32.exe Noohlkpc.exe
PID 2564 wrote to memory of 2460 2564 Ndicnb32.exe Noohlkpc.exe
PID 2460 wrote to memory of 3008 2460 Noohlkpc.exe Nbmdhfog.exe
PID 2460 wrote to memory of 3008 2460 Noohlkpc.exe Nbmdhfog.exe
PID 2460 wrote to memory of 3008 2460 Noohlkpc.exe Nbmdhfog.exe
PID 2460 wrote to memory of 3008 2460 Noohlkpc.exe Nbmdhfog.exe
PID 3008 wrote to memory of 872 3008 Nbmdhfog.exe Ngjlpmnn.exe
PID 3008 wrote to memory of 872 3008 Nbmdhfog.exe Ngjlpmnn.exe
PID 3008 wrote to memory of 872 3008 Nbmdhfog.exe Ngjlpmnn.exe
PID 3008 wrote to memory of 872 3008 Nbmdhfog.exe Ngjlpmnn.exe
PID 872 wrote to memory of 1416 872 Ngjlpmnn.exe Njhilimb.exe
PID 872 wrote to memory of 1416 872 Ngjlpmnn.exe Njhilimb.exe
PID 872 wrote to memory of 1416 872 Ngjlpmnn.exe Njhilimb.exe
PID 872 wrote to memory of 1416 872 Ngjlpmnn.exe Njhilimb.exe
PID 1416 wrote to memory of 2904 1416 Njhilimb.exe Ncamen32.exe
PID 1416 wrote to memory of 2904 1416 Njhilimb.exe Ncamen32.exe
PID 1416 wrote to memory of 2904 1416 Njhilimb.exe Ncamen32.exe
PID 1416 wrote to memory of 2904 1416 Njhilimb.exe Ncamen32.exe
PID 2904 wrote to memory of 1084 2904 Ncamen32.exe Ogliemkk.exe
PID 2904 wrote to memory of 1084 2904 Ncamen32.exe Ogliemkk.exe
PID 2904 wrote to memory of 1084 2904 Ncamen32.exe Ogliemkk.exe
PID 2904 wrote to memory of 1084 2904 Ncamen32.exe Ogliemkk.exe
PID 1084 wrote to memory of 1420 1084 Ogliemkk.exe Omiand32.exe
PID 1084 wrote to memory of 1420 1084 Ogliemkk.exe Omiand32.exe
PID 1084 wrote to memory of 1420 1084 Ogliemkk.exe Omiand32.exe
PID 1084 wrote to memory of 1420 1084 Ogliemkk.exe Omiand32.exe
PID 1420 wrote to memory of 2508 1420 Omiand32.exe Occjjnap.exe
PID 1420 wrote to memory of 2508 1420 Omiand32.exe Occjjnap.exe
PID 1420 wrote to memory of 2508 1420 Omiand32.exe Occjjnap.exe
PID 1420 wrote to memory of 2508 1420 Omiand32.exe Occjjnap.exe
PID 2508 wrote to memory of 2364 2508 Occjjnap.exe Ojmbgh32.exe
PID 2508 wrote to memory of 2364 2508 Occjjnap.exe Ojmbgh32.exe
PID 2508 wrote to memory of 2364 2508 Occjjnap.exe Ojmbgh32.exe
PID 2508 wrote to memory of 2364 2508 Occjjnap.exe Ojmbgh32.exe
PID 2364 wrote to memory of 1204 2364 Ojmbgh32.exe Oninhgae.exe
PID 2364 wrote to memory of 1204 2364 Ojmbgh32.exe Oninhgae.exe
PID 2364 wrote to memory of 1204 2364 Ojmbgh32.exe Oninhgae.exe
PID 2364 wrote to memory of 1204 2364 Ojmbgh32.exe Oninhgae.exe
PID 1204 wrote to memory of 2216 1204 Oninhgae.exe Ocefpnom.exe
PID 1204 wrote to memory of 2216 1204 Oninhgae.exe Ocefpnom.exe
PID 1204 wrote to memory of 2216 1204 Oninhgae.exe Ocefpnom.exe
PID 1204 wrote to memory of 2216 1204 Oninhgae.exe Ocefpnom.exe
PID 2216 wrote to memory of 3060 2216 Ocefpnom.exe Ojpomh32.exe
PID 2216 wrote to memory of 3060 2216 Ocefpnom.exe Ojpomh32.exe
PID 2216 wrote to memory of 3060 2216 Ocefpnom.exe Ojpomh32.exe
PID 2216 wrote to memory of 3060 2216 Ocefpnom.exe Ojpomh32.exe
PID 3060 wrote to memory of 2380 3060 Ojpomh32.exe Oaigib32.exe
PID 3060 wrote to memory of 2380 3060 Ojpomh32.exe Oaigib32.exe
PID 3060 wrote to memory of 2380 3060 Ojpomh32.exe Oaigib32.exe
PID 3060 wrote to memory of 2380 3060 Ojpomh32.exe Oaigib32.exe
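Each dropped executable writes into the memory of exactly one process, the next one it launches, so the 64 rows describe a single straight chain rather than a fan-out, and the sandbox records four WriteProcessMemory calls per parent/child pair. The Python below is an added example, not part of the report: it parses rows copied from the table (the first pair kept with all four repeats, the rest once, as a constructed sample), de-duplicates the repeated calls, rebuilds the writer-to-target order, and refuses to summarise anything that is not one linear chain, since a root with several children or a cycle is the shape that would need a closer look. Function names are my own.

```python
"""Rebuild the process chain from a sandbox report's WriteProcessMemory rows."""
import re
from collections import Counter, defaultdict

# Rows copied from the report's "Suspicious use of WriteProcessMemory" table,
# embedded as a constructed sample so the block runs offline.  The report lists
# every pair four times; only the first pair keeps all four rows here.
SAMPLE_ROWS = """
PID 2328 wrote to memory of 1976 2328 Backdoor.Win32.Berbew.exe Nhbciaki.exe
PID 2328 wrote to memory of 1976 2328 Backdoor.Win32.Berbew.exe Nhbciaki.exe
PID 2328 wrote to memory of 1976 2328 Backdoor.Win32.Berbew.exe Nhbciaki.exe
PID 2328 wrote to memory of 1976 2328 Backdoor.Win32.Berbew.exe Nhbciaki.exe
PID 1976 wrote to memory of 2668 1976 Nhbciaki.exe Nomkfk32.exe
PID 2668 wrote to memory of 2564 2668 Nomkfk32.exe Ndicnb32.exe
PID 2564 wrote to memory of 2460 2564 Ndicnb32.exe Noohlkpc.exe
PID 2460 wrote to memory of 3008 2460 Noohlkpc.exe Nbmdhfog.exe
PID 3008 wrote to memory of 872 3008 Nbmdhfog.exe Ngjlpmnn.exe
PID 872 wrote to memory of 1416 872 Ngjlpmnn.exe Njhilimb.exe
PID 1416 wrote to memory of 2904 1416 Njhilimb.exe Ncamen32.exe
PID 2904 wrote to memory of 1084 2904 Ncamen32.exe Ogliemkk.exe
PID 1084 wrote to memory of 1420 1084 Ogliemkk.exe Omiand32.exe
PID 1420 wrote to memory of 2508 1420 Omiand32.exe Occjjnap.exe
PID 2508 wrote to memory of 2364 2508 Occjjnap.exe Ojmbgh32.exe
PID 2364 wrote to memory of 1204 2364 Ojmbgh32.exe Oninhgae.exe
PID 1204 wrote to memory of 2216 1204 Oninhgae.exe Ocefpnom.exe
PID 2216 wrote to memory of 3060 2216 Ocefpnom.exe Ojpomh32.exe
PID 3060 wrote to memory of 2380 3060 Ojpomh32.exe Oaigib32.exe
"""

# Columns: description ("PID <src> wrote to memory of <dst>"), pid, process, target process.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<proc>\S+) (?P<target>\S+)$"
)


def parse_rows(text):
    """Return (calls, names): calls counts rows per (writer_pid, target_pid),
    names maps every PID seen to its image name."""
    calls, names = Counter(), {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, pid = int(m["src"]), int(m["dst"]), int(m["pid"])
        if src != pid:  # the description and the pid column must agree
            raise ValueError(f"inconsistent row: {line.strip()}")
        calls[(src, dst)] += 1
        names[src], names[dst] = m["proc"], m["target"]
    return calls, names


def build_chain(calls, names):
    """Order the processes from the root writer to the last target.

    Raises ValueError when the graph is not one linear chain: several roots,
    a writer that targets more than one process, or a cycle."""
    children = defaultdict(set)
    for src, dst in calls:
        children[src].add(dst)
    targets = {dst for _, dst in calls}
    roots = [src for src in children if src not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root writer, found {roots}")
    chain, seen = [roots[0]], {roots[0]}
    while chain[-1] in children:
        kids = children[chain[-1]]
        if len(kids) != 1:
            raise ValueError(f"PID {chain[-1]} wrote into several processes: {sorted(kids)}")
        nxt = next(iter(kids))
        if nxt in seen:
            raise ValueError(f"cycle at PID {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    return [(pid, names[pid]) for pid in chain]


def describe(chain, calls):
    """One line per hop, with the number of WriteProcessMemory rows behind it."""
    return [f"{sname} ({src}) -> {dname} ({dst}): {calls[(src, dst)]} call(s)"
            for (src, sname), (dst, dname) in zip(chain, chain[1:])]


if __name__ == "__main__":
    calls, names = parse_rows(SAMPLE_ROWS)
    for hop in describe(build_chain(calls, names), calls):
        print(hop)
```

The chain stops at Oaigib32.exe (PID 2380) only because the signature is capped at 64 rows; the process tree below continues the same one-parent-one-child pattern down to depth 234, so the table should be read as the first sixteen hops, not the whole run.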
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Nhbciaki.exeC:\Windows\system32\Nhbciaki.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Nomkfk32.exeC:\Windows\system32\Nomkfk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Ndicnb32.exeC:\Windows\system32\Ndicnb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Ngjlpmnn.exeC:\Windows\system32\Ngjlpmnn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Njhilimb.exeC:\Windows\system32\Njhilimb.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Ncamen32.exeC:\Windows\system32\Ncamen32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Ogliemkk.exeC:\Windows\system32\Ogliemkk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Omiand32.exeC:\Windows\system32\Omiand32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Occjjnap.exeC:\Windows\system32\Occjjnap.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Ojmbgh32.exeC:\Windows\system32\Ojmbgh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Ocefpnom.exeC:\Windows\system32\Ocefpnom.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Offpbi32.exeC:\Windows\system32\Offpbi32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Oielnd32.exeC:\Windows\system32\Oielnd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Ocjpkm32.exeC:\Windows\system32\Ocjpkm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Windows\SysWOW64\Ofilgh32.exeC:\Windows\system32\Ofilgh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Oleepo32.exeC:\Windows\system32\Oleepo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Pfkimhhi.exeC:\Windows\system32\Pfkimhhi.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Penihe32.exeC:\Windows\system32\Penihe32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:288 -
C:\Windows\SysWOW64\Phledp32.exeC:\Windows\system32\Phledp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Ppcmfn32.exeC:\Windows\system32\Ppcmfn32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Pjmnfk32.exeC:\Windows\system32\Pjmnfk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Pdecoa32.exeC:\Windows\system32\Pdecoa32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Pnkglj32.exeC:\Windows\system32\Pnkglj32.exe33⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Peeoidik.exeC:\Windows\system32\Peeoidik.exe34⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Pjahakgb.exeC:\Windows\system32\Pjahakgb.exe35⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Pmpdmfff.exeC:\Windows\system32\Pmpdmfff.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Ppopja32.exeC:\Windows\system32\Ppopja32.exe37⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Qigebglj.exeC:\Windows\system32\Qigebglj.exe38⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Qpamoa32.exeC:\Windows\system32\Qpamoa32.exe39⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Qdlipplq.exeC:\Windows\system32\Qdlipplq.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Qiiahgjh.exeC:\Windows\system32\Qiiahgjh.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Qlgndbil.exeC:\Windows\system32\Qlgndbil.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Qdofep32.exeC:\Windows\system32\Qdofep32.exe43⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Abdbflnf.exeC:\Windows\system32\Abdbflnf.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Afpogk32.exeC:\Windows\system32\Afpogk32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Ainkcf32.exeC:\Windows\system32\Ainkcf32.exe47⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Aphcppmo.exeC:\Windows\system32\Aphcppmo.exe48⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Aokckm32.exeC:\Windows\system32\Aokckm32.exe49⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Aaipghcn.exeC:\Windows\system32\Aaipghcn.exe50⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Aedlhg32.exeC:\Windows\system32\Aedlhg32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Ahchdb32.exeC:\Windows\system32\Ahchdb32.exe52⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Alodeacc.exeC:\Windows\system32\Alodeacc.exe53⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Aompambg.exeC:\Windows\system32\Aompambg.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Abhlak32.exeC:\Windows\system32\Abhlak32.exe55⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Aeghng32.exeC:\Windows\system32\Aeghng32.exe56⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Ahedjb32.exeC:\Windows\system32\Ahedjb32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Akdafn32.exeC:\Windows\system32\Akdafn32.exe58⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Aoomflpd.exeC:\Windows\system32\Aoomflpd.exe59⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Aanibhoh.exeC:\Windows\system32\Aanibhoh.exe60⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Adleoc32.exeC:\Windows\system32\Adleoc32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Agkako32.exeC:\Windows\system32\Agkako32.exe62⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Akfnkmei.exeC:\Windows\system32\Akfnkmei.exe63⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Andjgidl.exeC:\Windows\system32\Andjgidl.exe64⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Bapfhg32.exeC:\Windows\system32\Bapfhg32.exe65⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe66⤵PID:3036
-
C:\Windows\SysWOW64\Bdobdc32.exeC:\Windows\system32\Bdobdc32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Bgmnpn32.exeC:\Windows\system32\Bgmnpn32.exe68⤵PID:2916
-
C:\Windows\SysWOW64\Bkhjamcf.exeC:\Windows\system32\Bkhjamcf.exe69⤵PID:2672
-
C:\Windows\SysWOW64\Bngfmhbj.exeC:\Windows\system32\Bngfmhbj.exe70⤵PID:3056
-
C:\Windows\SysWOW64\Bpebidam.exeC:\Windows\system32\Bpebidam.exe71⤵PID:2568
-
C:\Windows\SysWOW64\Bdaojbjf.exeC:\Windows\system32\Bdaojbjf.exe72⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Bccoeo32.exeC:\Windows\system32\Bccoeo32.exe73⤵PID:2408
-
C:\Windows\SysWOW64\Bgokfnij.exeC:\Windows\system32\Bgokfnij.exe74⤵PID:2040
-
C:\Windows\SysWOW64\Bjngbihn.exeC:\Windows\system32\Bjngbihn.exe75⤵PID:1752
-
C:\Windows\SysWOW64\Bllcnega.exeC:\Windows\system32\Bllcnega.exe76⤵PID:2244
-
C:\Windows\SysWOW64\Bdckobhd.exeC:\Windows\system32\Bdckobhd.exe77⤵
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Bcflko32.exeC:\Windows\system32\Bcflko32.exe78⤵PID:1652
-
C:\Windows\SysWOW64\Bedhgj32.exeC:\Windows\system32\Bedhgj32.exe79⤵PID:1908
-
C:\Windows\SysWOW64\Bjpdhifk.exeC:\Windows\system32\Bjpdhifk.exe80⤵PID:1904
-
C:\Windows\SysWOW64\Blnpddeo.exeC:\Windows\system32\Blnpddeo.exe81⤵PID:2356
-
C:\Windows\SysWOW64\Bomlppdb.exeC:\Windows\system32\Bomlppdb.exe82⤵PID:2500
-
C:\Windows\SysWOW64\Bchhqo32.exeC:\Windows\system32\Bchhqo32.exe83⤵PID:280
-
C:\Windows\SysWOW64\Bgddam32.exeC:\Windows\system32\Bgddam32.exe84⤵PID:1336
-
C:\Windows\SysWOW64\Bheaiekc.exeC:\Windows\system32\Bheaiekc.exe85⤵
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Bplijcle.exeC:\Windows\system32\Bplijcle.exe86⤵PID:2884
-
C:\Windows\SysWOW64\Bckefnki.exeC:\Windows\system32\Bckefnki.exe87⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Bfiabjjm.exeC:\Windows\system32\Bfiabjjm.exe88⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Chgnneiq.exeC:\Windows\system32\Chgnneiq.exe89⤵PID:2520
-
C:\Windows\SysWOW64\Clciod32.exeC:\Windows\system32\Clciod32.exe90⤵PID:1428
-
C:\Windows\SysWOW64\Ckfjjqhd.exeC:\Windows\system32\Ckfjjqhd.exe91⤵PID:2060
-
C:\Windows\SysWOW64\Ccmblnif.exeC:\Windows\system32\Ccmblnif.exe92⤵
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Cbpbgk32.exeC:\Windows\system32\Cbpbgk32.exe93⤵PID:2308
-
C:\Windows\SysWOW64\Cfknhi32.exeC:\Windows\system32\Cfknhi32.exe94⤵
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Chjjde32.exeC:\Windows\system32\Chjjde32.exe95⤵PID:2000
-
C:\Windows\SysWOW64\Clefdcog.exeC:\Windows\system32\Clefdcog.exe96⤵PID:848
-
C:\Windows\SysWOW64\Ckhfpp32.exeC:\Windows\system32\Ckhfpp32.exe97⤵PID:1784
-
C:\Windows\SysWOW64\Cngcll32.exeC:\Windows\system32\Cngcll32.exe98⤵PID:2736
-
C:\Windows\SysWOW64\Cbbomjnn.exeC:\Windows\system32\Cbbomjnn.exe99⤵PID:2716
-
C:\Windows\SysWOW64\Cdqkifmb.exeC:\Windows\system32\Cdqkifmb.exe100⤵PID:2816
-
C:\Windows\SysWOW64\Chlgid32.exeC:\Windows\system32\Chlgid32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548 -
C:\Windows\SysWOW64\Ckkcep32.exeC:\Windows\system32\Ckkcep32.exe102⤵
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Cnipak32.exeC:\Windows\system32\Cnipak32.exe103⤵PID:2516
-
C:\Windows\SysWOW64\Cdchneko.exeC:\Windows\system32\Cdchneko.exe104⤵PID:992
-
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe105⤵PID:2080
-
C:\Windows\SysWOW64\Cnklgkap.exeC:\Windows\system32\Cnklgkap.exe106⤵PID:1496
-
C:\Windows\SysWOW64\Cqjhcfpc.exeC:\Windows\system32\Cqjhcfpc.exe107⤵PID:3064
-
C:\Windows\SysWOW64\Cchdpbog.exeC:\Windows\system32\Cchdpbog.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Cgdqpq32.exeC:\Windows\system32\Cgdqpq32.exe109⤵PID:1324
-
C:\Windows\SysWOW64\Ckomqopi.exeC:\Windows\system32\Ckomqopi.exe110⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Cjbmll32.exeC:\Windows\system32\Cjbmll32.exe111⤵PID:1216
-
C:\Windows\SysWOW64\Cnnimkom.exeC:\Windows\system32\Cnnimkom.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Cqleifna.exeC:\Windows\system32\Cqleifna.exe113⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Dcjaeamd.exeC:\Windows\system32\Dcjaeamd.exe114⤵PID:1424
-
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe115⤵PID:2292
-
C:\Windows\SysWOW64\Dfinam32.exeC:\Windows\system32\Dfinam32.exe116⤵PID:1744
-
C:\Windows\SysWOW64\Dmcfngde.exeC:\Windows\system32\Dmcfngde.exe117⤵PID:2164
-
C:\Windows\SysWOW64\Doabjbci.exeC:\Windows\system32\Doabjbci.exe118⤵PID:1564
-
C:\Windows\SysWOW64\Dcmnja32.exeC:\Windows\system32\Dcmnja32.exe119⤵PID:2068
-
C:\Windows\SysWOW64\Dghjkpck.exeC:\Windows\system32\Dghjkpck.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2180 -
C:\Windows\SysWOW64\Djgfgkbo.exeC:\Windows\system32\Djgfgkbo.exe121⤵PID:2616
-
C:\Windows\SysWOW64\Dijfch32.exeC:\Windows\system32\Dijfch32.exe122⤵PID:2596
-
C:\Windows\SysWOW64\Dmebcgbb.exeC:\Windows\system32\Dmebcgbb.exe123⤵
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Dqaode32.exeC:\Windows\system32\Dqaode32.exe124⤵PID:1964
-
C:\Windows\SysWOW64\Dcokpa32.exeC:\Windows\system32\Dcokpa32.exe125⤵
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Dbbklnpj.exeC:\Windows\system32\Dbbklnpj.exe126⤵PID:3012
-
C:\Windows\SysWOW64\Djicmk32.exeC:\Windows\system32\Djicmk32.exe127⤵PID:2124
-
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:696 -
C:\Windows\SysWOW64\Dpfkeb32.exeC:\Windows\system32\Dpfkeb32.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Dcageqgm.exeC:\Windows\system32\Dcageqgm.exe130⤵PID:2752
-
C:\Windows\SysWOW64\Dfpcblfp.exeC:\Windows\system32\Dfpcblfp.exe131⤵PID:2892
-
C:\Windows\SysWOW64\Decdmi32.exeC:\Windows\system32\Decdmi32.exe132⤵
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Dinpnged.exeC:\Windows\system32\Dinpnged.exe133⤵PID:2224
-
C:\Windows\SysWOW64\Dkmljcdh.exeC:\Windows\system32\Dkmljcdh.exe134⤵PID:2064
-
C:\Windows\SysWOW64\Dphhka32.exeC:\Windows\system32\Dphhka32.exe135⤵PID:2396
-
C:\Windows\SysWOW64\Dbgdgm32.exeC:\Windows\system32\Dbgdgm32.exe136⤵PID:1996
-
C:\Windows\SysWOW64\Dfbqgldn.exeC:\Windows\system32\Dfbqgldn.exe137⤵PID:2588
-
C:\Windows\SysWOW64\Diqmcgca.exeC:\Windows\system32\Diqmcgca.exe138⤵PID:2024
-
C:\Windows\SysWOW64\Dgcmod32.exeC:\Windows\system32\Dgcmod32.exe139⤵PID:1596
-
C:\Windows\SysWOW64\Epkepakn.exeC:\Windows\system32\Epkepakn.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028 -
C:\Windows\SysWOW64\Enneln32.exeC:\Windows\system32\Enneln32.exe141⤵PID:2496
-
C:\Windows\SysWOW64\Ealahi32.exeC:\Windows\system32\Ealahi32.exe142⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Eiciig32.exeC:\Windows\system32\Eiciig32.exe143⤵
- Drops file in System32 directory
PID:1380 -
C:\Windows\SysWOW64\Egfjdchi.exeC:\Windows\system32\Egfjdchi.exe144⤵
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Ejdfqogm.exeC:\Windows\system32\Ejdfqogm.exe145⤵PID:1228
-
C:\Windows\SysWOW64\Ebknblho.exeC:\Windows\system32\Ebknblho.exe146⤵PID:1628
-
C:\Windows\SysWOW64\Eannmi32.exeC:\Windows\system32\Eannmi32.exe147⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Ecmjid32.exeC:\Windows\system32\Ecmjid32.exe148⤵
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Ehhfjcff.exeC:\Windows\system32\Ehhfjcff.exe149⤵PID:2140
-
C:\Windows\SysWOW64\Eldbkbop.exeC:\Windows\system32\Eldbkbop.exe150⤵PID:2504
-
C:\Windows\SysWOW64\Enbogmnc.exeC:\Windows\system32\Enbogmnc.exe151⤵PID:1980
-
C:\Windows\SysWOW64\Eelgcg32.exeC:\Windows\system32\Eelgcg32.exe152⤵PID:2092
-
C:\Windows\SysWOW64\Ecogodlk.exeC:\Windows\system32\Ecogodlk.exe153⤵PID:2676
-
C:\Windows\SysWOW64\Ehkcpc32.exeC:\Windows\system32\Ehkcpc32.exe154⤵PID:2008
-
C:\Windows\SysWOW64\Endklmlq.exeC:\Windows\system32\Endklmlq.exe155⤵PID:1448
-
C:\Windows\SysWOW64\Eacghhkd.exeC:\Windows\system32\Eacghhkd.exe156⤵PID:3044
-
C:\Windows\SysWOW64\Epfhde32.exeC:\Windows\system32\Epfhde32.exe157⤵PID:1872
-
C:\Windows\SysWOW64\Ecadddjh.exeC:\Windows\system32\Ecadddjh.exe158⤵
- System Location Discovery: System Language Discovery
PID:1332 -
C:\Windows\SysWOW64\Ehmpeb32.exeC:\Windows\system32\Ehmpeb32.exe159⤵PID:1868
-
C:\Windows\SysWOW64\Eaednh32.exeC:\Windows\system32\Eaednh32.exe160⤵PID:2652
-
C:\Windows\SysWOW64\Ebfqfpop.exeC:\Windows\system32\Ebfqfpop.exe161⤵PID:2760
-
C:\Windows\SysWOW64\Fjnignob.exeC:\Windows\system32\Fjnignob.exe162⤵PID:2748
-
C:\Windows\SysWOW64\Fmlecinf.exeC:\Windows\system32\Fmlecinf.exe163⤵PID:2428
-
C:\Windows\SysWOW64\Fpjaodmj.exeC:\Windows\system32\Fpjaodmj.exe164⤵PID:2304
-
C:\Windows\SysWOW64\Ffdilo32.exeC:\Windows\system32\Ffdilo32.exe165⤵PID:1880
-
C:\Windows\SysWOW64\Ficehj32.exeC:\Windows\system32\Ficehj32.exe166⤵
- Modifies registry class
PID:688 -
C:\Windows\SysWOW64\Fmnahilc.exeC:\Windows\system32\Fmnahilc.exe167⤵PID:2448
-
C:\Windows\SysWOW64\Flabdecn.exeC:\Windows\system32\Flabdecn.exe168⤵PID:2776
-
C:\Windows\SysWOW64\Fbkjap32.exeC:\Windows\system32\Fbkjap32.exe169⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Ffgfancd.exeC:\Windows\system32\Ffgfancd.exe170⤵PID:2968
-
C:\Windows\SysWOW64\Fhhbif32.exeC:\Windows\system32\Fhhbif32.exe171⤵
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Fbngfo32.exeC:\Windows\system32\Fbngfo32.exe172⤵PID:2116
-
C:\Windows\SysWOW64\Flfkoeoh.exeC:\Windows\system32\Flfkoeoh.exe173⤵PID:2220
-
C:\Windows\SysWOW64\Fbpclofe.exeC:\Windows\system32\Fbpclofe.exe174⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Fenphjei.exeC:\Windows\system32\Fenphjei.exe175⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2880 -
C:\Windows\SysWOW64\Flhhed32.exeC:\Windows\system32\Flhhed32.exe176⤵
- System Location Discovery: System Language Discovery
PID:996 -
C:\Windows\SysWOW64\Geqlnjcf.exeC:\Windows\system32\Geqlnjcf.exe177⤵PID:3080
-
C:\Windows\SysWOW64\Ggbieb32.exeC:\Windows\system32\Ggbieb32.exe178⤵
- Drops file in System32 directory
PID:3120 -
C:\Windows\SysWOW64\Goiafp32.exeC:\Windows\system32\Goiafp32.exe179⤵PID:3160
-
C:\Windows\SysWOW64\Gdfiofhn.exeC:\Windows\system32\Gdfiofhn.exe180⤵PID:3200
-
C:\Windows\SysWOW64\Ggdekbgb.exeC:\Windows\system32\Ggdekbgb.exe181⤵
- System Location Discovery: System Language Discovery
PID:3240 -
C:\Windows\SysWOW64\Gmnngl32.exeC:\Windows\system32\Gmnngl32.exe182⤵PID:3280
-
C:\Windows\SysWOW64\Ggfbpaeo.exeC:\Windows\system32\Ggfbpaeo.exe183⤵PID:3320
-
C:\Windows\SysWOW64\Gkbnap32.exeC:\Windows\system32\Gkbnap32.exe184⤵PID:3360
-
C:\Windows\SysWOW64\Gmqkml32.exeC:\Windows\system32\Gmqkml32.exe185⤵PID:3404
-
C:\Windows\SysWOW64\Glckihcg.exeC:\Windows\system32\Glckihcg.exe186⤵
- System Location Discovery: System Language Discovery
PID:3444 -
C:\Windows\SysWOW64\Gdjcjf32.exeC:\Windows\system32\Gdjcjf32.exe187⤵PID:3484
-
C:\Windows\SysWOW64\Gcmcebkc.exeC:\Windows\system32\Gcmcebkc.exe188⤵PID:3524
-
C:\Windows\SysWOW64\Geloanjg.exeC:\Windows\system32\Geloanjg.exe189⤵PID:3564
-
C:\Windows\SysWOW64\Gigkbm32.exeC:\Windows\system32\Gigkbm32.exe190⤵PID:3604
-
C:\Windows\SysWOW64\Gncgbkki.exeC:\Windows\system32\Gncgbkki.exe191⤵PID:3644
-
Process tree, continued. Each row: tree level, image path, command line as invoked, PID, sandbox behaviour tags in brackets.

192  C:\Windows\SysWOW64\Gpacogjm.exe  (cmdline C:\Windows\system32\Gpacogjm.exe)  PID 3684  [Drops file in System32 directory]
193  C:\Windows\SysWOW64\Gcppkbia.exe  (cmdline C:\Windows\system32\Gcppkbia.exe)  PID 3724
194  C:\Windows\SysWOW64\Ggklka32.exe  (cmdline C:\Windows\system32\Ggklka32.exe)  PID 3764  [Modifies registry class]
195  C:\Windows\SysWOW64\Hijhhl32.exe  (cmdline C:\Windows\system32\Hijhhl32.exe)  PID 3804
196  C:\Windows\SysWOW64\Hhmhcigh.exe  (cmdline C:\Windows\system32\Hhmhcigh.exe)  PID 3844  [System Location Discovery: System Language Discovery]
197  C:\Windows\SysWOW64\Hpcpdfhj.exe  (cmdline C:\Windows\system32\Hpcpdfhj.exe)  PID 3884
198  C:\Windows\SysWOW64\Hofqpc32.exe  (cmdline C:\Windows\system32\Hofqpc32.exe)  PID 3924
199  C:\Windows\SysWOW64\Haemloni.exe  (cmdline C:\Windows\system32\Haemloni.exe)  PID 3964
200  C:\Windows\SysWOW64\Heqimm32.exe  (cmdline C:\Windows\system32\Heqimm32.exe)  PID 4004
201  C:\Windows\SysWOW64\Hhoeii32.exe  (cmdline C:\Windows\system32\Hhoeii32.exe)  PID 4044
202  C:\Windows\SysWOW64\Hljaigmo.exe  (cmdline C:\Windows\system32\Hljaigmo.exe)  PID 4084  [Drops file in System32 directory]
203  C:\Windows\SysWOW64\Hoimecmb.exe  (cmdline C:\Windows\system32\Hoimecmb.exe)  PID 3104
204  C:\Windows\SysWOW64\Hcdifa32.exe  (cmdline C:\Windows\system32\Hcdifa32.exe)  PID 3152  [System Location Discovery: System Language Discovery]
205  C:\Windows\SysWOW64\Hecebm32.exe  (cmdline C:\Windows\system32\Hecebm32.exe)  PID 3208
206  C:\Windows\SysWOW64\Hdefnjkj.exe  (cmdline C:\Windows\system32\Hdefnjkj.exe)  PID 3260
207  C:\Windows\SysWOW64\Hlmnogkl.exe  (cmdline C:\Windows\system32\Hlmnogkl.exe)  PID 3292
208  C:\Windows\SysWOW64\Hkpnjd32.exe  (cmdline C:\Windows\system32\Hkpnjd32.exe)  PID 3352
209  C:\Windows\SysWOW64\Hnnjfo32.exe  (cmdline C:\Windows\system32\Hnnjfo32.exe)  PID 3372  [Drops file in System32 directory]
210  C:\Windows\SysWOW64\Hajfgnjc.exe  (cmdline C:\Windows\system32\Hajfgnjc.exe)  PID 3464
211  C:\Windows\SysWOW64\Hhcndhap.exe  (cmdline C:\Windows\system32\Hhcndhap.exe)  PID 3508
212  C:\Windows\SysWOW64\Hgfooe32.exe  (cmdline C:\Windows\system32\Hgfooe32.exe)  PID 3556  [Adds autorun key to be loaded by Explorer.exe on startup]
213  C:\Windows\SysWOW64\Hkbkpcpd.exe  (cmdline C:\Windows\system32\Hkbkpcpd.exe)  PID 3612  [Adds autorun key to be loaded by Explorer.exe on startup]
214  C:\Windows\SysWOW64\Hnpgloog.exe  (cmdline C:\Windows\system32\Hnpgloog.exe)  PID 3664
215  C:\Windows\SysWOW64\Hqochjnk.exe  (cmdline C:\Windows\system32\Hqochjnk.exe)  PID 3708  [Drops file in System32 directory]
216  C:\Windows\SysWOW64\Hdjoii32.exe  (cmdline C:\Windows\system32\Hdjoii32.exe)  PID 3752
217  C:\Windows\SysWOW64\Hgiked32.exe  (cmdline C:\Windows\system32\Hgiked32.exe)  PID 3776
218  C:\Windows\SysWOW64\Hkdgecna.exe  (cmdline C:\Windows\system32\Hkdgecna.exe)  PID 3864
219  C:\Windows\SysWOW64\Hnbcaome.exe  (cmdline C:\Windows\system32\Hnbcaome.exe)  PID 3920
220  C:\Windows\SysWOW64\Hbnpbm32.exe  (cmdline C:\Windows\system32\Hbnpbm32.exe)  PID 3956
221  C:\Windows\SysWOW64\Idmlniea.exe  (cmdline C:\Windows\system32\Idmlniea.exe)  PID 4012
222  C:\Windows\SysWOW64\Icplje32.exe  (cmdline C:\Windows\system32\Icplje32.exe)  PID 4056
223  C:\Windows\SysWOW64\Igkhjdde.exe  (cmdline C:\Windows\system32\Igkhjdde.exe)  PID 444   [Modifies registry class]
224  C:\Windows\SysWOW64\Ijidfpci.exe  (cmdline C:\Windows\system32\Ijidfpci.exe)  PID 3144
225  C:\Windows\SysWOW64\Imhqbkbm.exe  (cmdline C:\Windows\system32\Imhqbkbm.exe)  PID 3168
226  C:\Windows\SysWOW64\Iqcmcj32.exe  (cmdline C:\Windows\system32\Iqcmcj32.exe)  PID 3276
227  C:\Windows\SysWOW64\Icbipe32.exe  (cmdline C:\Windows\system32\Icbipe32.exe)  PID 3332
228  C:\Windows\SysWOW64\Igmepdbc.exe  (cmdline C:\Windows\system32\Igmepdbc.exe)  PID 3388  [System Location Discovery: System Language Discovery; Modifies registry class]
229  C:\Windows\SysWOW64\Ijlaloaf.exe  (cmdline C:\Windows\system32\Ijlaloaf.exe)  PID 3432
230  C:\Windows\SysWOW64\Ingmmn32.exe  (cmdline C:\Windows\system32\Ingmmn32.exe)  PID 3532
231  C:\Windows\SysWOW64\Iqfiii32.exe  (cmdline C:\Windows\system32\Iqfiii32.exe)  PID 3588  [Adds autorun key to be loaded by Explorer.exe on startup]
232  C:\Windows\SysWOW64\Icdeee32.exe  (cmdline C:\Windows\system32\Icdeee32.exe)  PID 3636
233  C:\Windows\SysWOW64\Igpaec32.exe  (cmdline C:\Windows\system32\Igpaec32.exe)  PID 3676  [System Location Discovery: System Language Discovery; Modifies registry class]
234  C:\Windows\SysWOW64\Ijnnao32.exe  (cmdline C:\Windows\system32\Ijnnao32.exe)  PID 3744
235  C:\Windows\SysWOW64\Iianmlfn.exe  (cmdline C:\Windows\system32\Iianmlfn.exe)  PID 3836
236  C:\Windows\SysWOW64\Iqhfnifq.exe  (cmdline C:\Windows\system32\Iqhfnifq.exe)  PID 3896
237  C:\Windows\SysWOW64\Icfbkded.exe  (cmdline C:\Windows\system32\Icfbkded.exe)  PID 3936
238  C:\Windows\SysWOW64\Ibibfa32.exe  (cmdline C:\Windows\system32\Ibibfa32.exe)  PID 3972
239  C:\Windows\SysWOW64\Ifengpdh.exe  (cmdline C:\Windows\system32\Ifengpdh.exe)  PID 2556  [System Location Discovery: System Language Discovery]
240  C:\Windows\SysWOW64\Iickckcl.exe  (cmdline C:\Windows\system32\Iickckcl.exe)  PID 3140
241  C:\Windows\SysWOW64\Ikagogco.exe  (cmdline C:\Windows\system32\Ikagogco.exe)  PID 3176
242  C:\Windows\SysWOW64\Iomcpe32.exe  (cmdline C:\Windows\system32\Iomcpe32.exe)  PID 3252
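Two things in this tail of the tree are worth pulling out mechanically rather than by eye. First, every image lives in C:\Windows\SysWOW64 while its command line names C:\Windows\system32: that is WOW64 file system redirection, which confirms the whole chain is 32-bit code, so hunting on the System32 path alone would miss these files. Second, each process is exactly one level deeper than the previous one and every image is an eight-character name of the same shape, so the chain itself is a detectable pattern independent of any single file hash. The script below is an added example, not part of the sandbox report or of the Berbew sample: it parses the flattened form in which this report is rendered (image path and command line run together, then the level number and a ⤵ arrow, optional "- tag" lines, then "PID:n"), rebuilds each entry, and flags consecutive SysWOW64 children whose names match the pattern seen here. The name regex is my own heuristic for this chain, the tag strings are copied from the report's vocabulary, and the embedded input is a constructed sample of a few rows in the report's format plus one benign row to show the filter discriminating.

```python
"""Parse a flattened sandbox process tree and flag Berbew-style spawn chains.

Added example for this report; the name pattern and sample rows are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Flattened entry as it appears in the extracted report, e.g.
#   C:\Windows\SysWOW64\Hgfooe32.exeC:\Windows\system32\Hgfooe32.exe212⤵
# optionally followed by "- <tag>" lines and a "PID:3556 -" line, or with
# "PID:3664" glued to the same line when there are no tags.
ENTRY_RE = re.compile(
    r"^(?P<image>[A-Za-z]:\\[^\r\n]*?\.exe)"
    r"(?P<cmdline>[A-Za-z]:\\[^\r\n]*?\.exe)"
    r"(?P<level>\d+)⤵?"
    r"(?:\s*PID:(?P<pid>\d+))?\s*-?\s*$"
)
PID_RE = re.compile(r"^PID:(?P<pid>\d+)\s*-?\s*$")
TAG_RE = re.compile(r"^-\s+(?P<tag>\S.*?)\s*$")

# Heuristic (assumption): 8-character image names like Hkbkpcpd.exe or Hgfooe32.exe.
NAME_RE = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.exe$")
SYSWOW64 = "c:\\windows\\syswow64\\"
AUTORUN_TAG = "Adds autorun key to be loaded by Explorer.exe on startup"


@dataclass
class ProcEntry:
    level: int
    image: str
    cmdline: str
    pid: Optional[int] = None
    tags: List[str] = field(default_factory=list)


def parse_report(text: str) -> List[ProcEntry]:
    """Rebuild process entries from the flattened report text."""
    entries: List[ProcEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # list-marker residue between entries
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(ProcEntry(int(m["level"]), m["image"], m["cmdline"],
                                     int(m["pid"]) if m["pid"] else None))
            continue
        if not entries:                      # preamble before the first entry
            continue
        m = PID_RE.match(line)
        if m:
            entries[-1].pid = int(m["pid"])
            continue
        m = TAG_RE.match(line)
        if m:
            entries[-1].tags.append(m["tag"])
    return entries


def looks_like_berbew_copy(e: ProcEntry) -> bool:
    """SysWOW64 image whose file name matches the 8-character pattern."""
    name = e.image.rsplit("\\", 1)[-1]
    return e.image.lower().startswith(SYSWOW64) and NAME_RE.match(name) is not None


def wow64_redirected(e: ProcEntry) -> bool:
    """Command line says system32 but the image resolved to SysWOW64: a 32-bit process."""
    img_dir = e.image.rsplit("\\", 1)[0].lower()
    cmd_dir = e.cmdline.rsplit("\\", 1)[0].lower()
    return img_dir.endswith("\\syswow64") and cmd_dir.endswith("\\system32")


def find_chains(entries: List[ProcEntry], min_len: int = 3) -> List[List[ProcEntry]]:
    """Runs of Berbew-like entries where each is exactly one level deeper than the last."""
    chains: List[List[ProcEntry]] = []
    current: List[ProcEntry] = []
    for e in entries:
        if looks_like_berbew_copy(e) and (not current or e.level == current[-1].level + 1):
            current.append(e)
            continue
        if len(current) >= min_len:
            chains.append(current)
        current = [e] if looks_like_berbew_copy(e) else []
    if len(current) >= min_len:
        chains.append(current)
    return chains


def summarize(entries: List[ProcEntry]) -> dict:
    chains = find_chains(entries)
    return {
        "entries": len(entries),
        "berbew_like": sum(looks_like_berbew_copy(e) for e in entries),
        "longest_chain": max((len(c) for c in chains), default=0),
        "autorun_pids": [e.pid for e in entries if AUTORUN_TAG in e.tags],
        "wow64_redirected_pids": [e.pid for e in entries if wow64_redirected(e)],
    }


# Constructed sample in the report's flattened format: four rows shaped like the
# chain above plus one benign row (notepad.exe) that the heuristic must not flag.
SAMPLE = r"""C:\Windows\SysWOW64\Hgfooe32.exeC:\Windows\system32\Hgfooe32.exe212⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3556 -
C:\Windows\SysWOW64\Hkbkpcpd.exeC:\Windows\system32\Hkbkpcpd.exe213⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3612 -
C:\Windows\SysWOW64\Hnpgloog.exeC:\Windows\system32\Hnpgloog.exe214⤵PID:3664
-
C:\Windows\SysWOW64\Hqochjnk.exeC:\Windows\system32\Hqochjnk.exe215⤵
- Drops file in System32 directory
PID:3708 -
C:\Windows\System32\notepad.exeC:\Windows\system32\notepad.exe216⤵PID:4100
-
"""

if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE)))
```

Running it on the full report text instead of SAMPLE gives one chain of 242 levels, the PIDs carrying the autorun tag, and a WOW64-redirected flag on every row; those PIDs and the SysWOW64 image paths are what to carry into an endpoint query, since the report's own "system32" command lines would not match the files on disk.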