Analysis
-
max time kernel
55s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-09-2024 10:36
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.Win32.Berbew.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Berbew.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Berbew.exe
-
Size
94KB
-
MD5
8df2899392b9d766c6b603398b137f30
-
SHA1
c7a4808f609f5a30958011e8b3ebdae04351d7d4
-
SHA256
ba04bfb3cb877388a1f3a8fe89d187270cdbba181fc005294e57c0b4abd03793
-
SHA512
7a1ea6dca82ed63671d3967403fc42383bf875545e66a4da62ae463a22160533e20fe4161960b0c93e47db143fee5fc612c9d8160711c80a0decf2ce05ddc85d
-
SSDEEP
1536:uVQ7q65UdZQ8kHGPSmLD8QGuomb2B2LHRMQ262AjCsQ2PCZZrqOlNfVSLUKkJr4:uouQ+hkrmfHRMQH2qC7ZQOlzSLUK64
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Pknakhig.exeHgeenb32.exeEdhkpcdb.exeDbmnjenb.exeBkjfhile.exeBgcbja32.exeGofajcog.exeGbkdgn32.exeQibhao32.exeBdmhcp32.exeCmjoaofc.exeFdemap32.exeBocfch32.exeAcemeo32.exeMbehgabe.exeNcbdjhnf.exeLklmoccl.exeQlqdmj32.exeNpdkdjhp.exeFoqadnpq.exeGhmohcbl.exeFagnmkjm.exeFhqfie32.exeAdqbml32.exeEmkfmioh.exeFjdpgnee.exeHfookk32.exeFgffck32.exeNpkaei32.exeOfefqf32.exeBgnaekil.exeOaaghp32.exePikaqppk.exeAgchdfmk.exeEdfqclni.exeGdfmccfm.exeCgjjdijo.exeDndoof32.exePhhonn32.exeQdhcinme.exeEpgoio32.exeAadbfp32.exeNiaihojk.exeBjgmka32.exeKkdnke32.exeLphlck32.exeDmopge32.exeHqkmahpp.exeKidjfl32.exeAnfjpa32.exeBhgaan32.exeEmqaaabg.exeMccaodgj.exeMhbflj32.exeKobfqc32.exeHkndiabh.exeIfahpnfl.exeKmbclj32.exePbaide32.exeKadhen32.exeJlhjijpe.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pknakhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgeenb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edhkpcdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbmnjenb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkjfhile.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgcbja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gofajcog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkdgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qibhao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdmhcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmjoaofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdemap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bocfch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acemeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbehgabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncbdjhnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lklmoccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlqdmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npdkdjhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foqadnpq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmohcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fagnmkjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhqfie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adqbml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkfmioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjdpgnee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfookk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgffck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npkaei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofefqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgnaekil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaaghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pikaqppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agchdfmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edfqclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgcbja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdfmccfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgjjdijo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phhonn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdhcinme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epgoio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadbfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agchdfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niaihojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjgmka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndoof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkdnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lphlck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmopge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqkmahpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kidjfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anfjpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhgaan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emqaaabg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mccaodgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhbflj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kobfqc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkndiabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifahpnfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmbclj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbaide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kadhen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlhjijpe.exe -
Executes dropped EXE 64 IoCs
Processes:
Anfggicl.exeAkjham32.exeAqgqid32.exeAcemeo32.exeAchikonn.exeAgebam32.exeBqngjcje.exeBjfkbhae.exeBbapgknp.exeBmgddcnf.exeBnkmakbb.exeBgcbja32.exeCkajqo32.exeCcloea32.exeCgjhkpbj.exeCpemob32.exeCcceeqfl.exeDpjfjalp.exeDibjcg32.exeDeikhhhe.exeDaplmimi.exeDmgmbj32.exeDhlapc32.exeDofilm32.exeEkmjanpd.exeEmkfmioh.exeEchoepmo.exeEdhkpcdb.exeEmpphi32.exeEcmhqp32.exeEcodfogg.exeEhlmnfeo.exeFepnhjdh.exeFagnmkjm.exeFhqfie32.exeFdggofgn.exeFgfckbfa.exeFjdpgnee.exeFcmdpcle.exeFjfllm32.exeFqqdigko.exeGjiibm32.exeGofajcog.exeGfpjgn32.exeGmjbchnq.exeGccjpb32.exeGhqchi32.exeGcfgfack.exeGdgcnj32.exeGkaljdaf.exeGbkdgn32.exeGdjpcj32.exeGkchpcoc.exeHbnqln32.exeHgjieedg.exeHndaao32.exeHenjnica.exeHjkbfpah.exeHminbkql.exeHccfoehi.exeHfbckagm.exeHnikmnho.exeHgaoec32.exeIndnqb32.exepid process 1960 Anfggicl.exe 2912 Akjham32.exe 748 Aqgqid32.exe 2948 Acemeo32.exe 2632 Achikonn.exe 2832 Agebam32.exe 1608 Bqngjcje.exe 2064 Bjfkbhae.exe 2128 Bbapgknp.exe 2400 Bmgddcnf.exe 964 Bnkmakbb.exe 1992 Bgcbja32.exe 2424 Ckajqo32.exe 2232 Ccloea32.exe 1352 Cgjhkpbj.exe 1020 Cpemob32.exe 2140 Ccceeqfl.exe 112 Dpjfjalp.exe 2600 Dibjcg32.exe 692 Deikhhhe.exe 472 Daplmimi.exe 888 Dmgmbj32.exe 3032 Dhlapc32.exe 2332 Dofilm32.exe 1964 Ekmjanpd.exe 2788 Emkfmioh.exe 2872 Echoepmo.exe 2900 Edhkpcdb.exe 2708 Empphi32.exe 2476 Ecmhqp32.exe 2112 Ecodfogg.exe 388 Ehlmnfeo.exe 1980 Fepnhjdh.exe 1156 Fagnmkjm.exe 1744 Fhqfie32.exe 2676 Fdggofgn.exe 436 Fgfckbfa.exe 2148 Fjdpgnee.exe 1768 Fcmdpcle.exe 1452 Fjfllm32.exe 1448 Fqqdigko.exe 1616 Gjiibm32.exe 1168 Gofajcog.exe 2204 Gfpjgn32.exe 2044 Gmjbchnq.exe 3036 Gccjpb32.exe 1096 Ghqchi32.exe 1484 Gcfgfack.exe 2892 Gdgcnj32.exe 2836 Gkaljdaf.exe 3040 Gbkdgn32.exe 1988 Gdjpcj32.exe 1192 Gkchpcoc.exe 3060 Hbnqln32.exe 2544 Hgjieedg.exe 3028 Hndaao32.exe 2652 Henjnica.exe 1076 Hjkbfpah.exe 2004 Hminbkql.exe 2432 Hccfoehi.exe 1000 Hfbckagm.exe 2616 Hnikmnho.exe 360 Hgaoec32.exe 1172 Indnqb32.exe -
Loads dropped DLL 64 IoCs
Processes:
Backdoor.Win32.Berbew.exeAnfggicl.exeAkjham32.exeAqgqid32.exeAcemeo32.exeAchikonn.exeAgebam32.exeBqngjcje.exeBjfkbhae.exeBbapgknp.exeBmgddcnf.exeBnkmakbb.exeBgcbja32.exeCkajqo32.exeCcloea32.exeCgjhkpbj.exeCpemob32.exeCcceeqfl.exeDpjfjalp.exeDibjcg32.exeDeikhhhe.exeDaplmimi.exeDmgmbj32.exeDhlapc32.exeDofilm32.exeEkmjanpd.exeEmkfmioh.exeEchoepmo.exeEdhkpcdb.exeEmpphi32.exeEcmhqp32.exeEcodfogg.exepid process 2924 Backdoor.Win32.Berbew.exe 2924 Backdoor.Win32.Berbew.exe 1960 Anfggicl.exe 1960 Anfggicl.exe 2912 Akjham32.exe 2912 Akjham32.exe 748 Aqgqid32.exe 748 Aqgqid32.exe 2948 Acemeo32.exe 2948 Acemeo32.exe 2632 Achikonn.exe 2632 Achikonn.exe 2832 Agebam32.exe 2832 Agebam32.exe 1608 Bqngjcje.exe 1608 Bqngjcje.exe 2064 Bjfkbhae.exe 2064 Bjfkbhae.exe 2128 Bbapgknp.exe 2128 Bbapgknp.exe 2400 Bmgddcnf.exe 2400 Bmgddcnf.exe 964 Bnkmakbb.exe 964 Bnkmakbb.exe 1992 Bgcbja32.exe 1992 Bgcbja32.exe 2424 Ckajqo32.exe 2424 Ckajqo32.exe 2232 Ccloea32.exe 2232 Ccloea32.exe 1352 Cgjhkpbj.exe 1352 Cgjhkpbj.exe 1020 Cpemob32.exe 1020 Cpemob32.exe 2140 Ccceeqfl.exe 2140 Ccceeqfl.exe 112 Dpjfjalp.exe 112 Dpjfjalp.exe 2600 Dibjcg32.exe 2600 Dibjcg32.exe 692 Deikhhhe.exe 692 Deikhhhe.exe 472 Daplmimi.exe 472 Daplmimi.exe 888 Dmgmbj32.exe 888 Dmgmbj32.exe 3032 Dhlapc32.exe 3032 Dhlapc32.exe 2332 Dofilm32.exe 2332 Dofilm32.exe 1964 Ekmjanpd.exe 1964 Ekmjanpd.exe 2788 Emkfmioh.exe 2788 Emkfmioh.exe 2872 Echoepmo.exe 2872 Echoepmo.exe 2900 Edhkpcdb.exe 2900 Edhkpcdb.exe 2708 Empphi32.exe 2708 Empphi32.exe 2476 Ecmhqp32.exe 2476 Ecmhqp32.exe 2112 Ecodfogg.exe 2112 Ecodfogg.exe -
Drops file in System32 directory 64 IoCs
Processes:
Nmkbfmpf.exeEdhmhl32.exeFgffck32.exeGacgli32.exeLeaallcb.exeBkmcni32.exeHmlmacfn.exeFdggofgn.exeJgpklb32.exeLbnbfb32.exeFgqcel32.exeIpcjje32.exeNlklik32.exeDmopge32.exeFjfllm32.exeOlokighn.exeApjpglfn.exeEgljjmkp.exeImidgh32.exeBbdoec32.exeJpomnilc.exeKdjenkgh.exeCemebcnf.exeGkaljdaf.exeNehjmppo.exeGopnca32.exeIbjikk32.exeLkafib32.exeQakppa32.exeLobbpg32.exeMjgclcjh.exeDeonff32.exeJljgni32.exeCjbpoeoj.exeDkaihkih.exeFgfckbfa.exeGcfgfack.exeCjljpjjk.exeNfcfob32.exeHgjieedg.exeKobfqc32.exeJocceo32.exeHkndiabh.exeBfieec32.exeCilfka32.exeJkfnaa32.exePkkeeikj.exeEpgoio32.exeIaipmm32.exeDcojbm32.exeFholmo32.exeMfoqephq.exeBdbkaoce.exeCkajqo32.exeDeikhhhe.exeMbehgabe.exeLjndga32.exeCkbccnji.exeEibikc32.exeAadbfp32.exeEenckc32.exeKloqiijm.exedescription ioc process File created C:\Windows\SysWOW64\Nfcfob32.exe Nmkbfmpf.exe File opened for modification C:\Windows\SysWOW64\Effidg32.exe Edhmhl32.exe File opened for modification C:\Windows\SysWOW64\Fmpnpe32.exe Fgffck32.exe File opened for modification C:\Windows\SysWOW64\Ghmohcbl.exe Gacgli32.exe File created C:\Windows\SysWOW64\Fpdgab32.dll Leaallcb.exe File created C:\Windows\SysWOW64\Bbflkcao.exe Bkmcni32.exe File opened for modification C:\Windows\SysWOW64\Hfdbji32.exe Hmlmacfn.exe File created C:\Windows\SysWOW64\Egcaic32.dll Fdggofgn.exe File created C:\Windows\SysWOW64\Jhldob32.dll Jgpklb32.exe File created C:\Windows\SysWOW64\Aaplgfio.dll Lbnbfb32.exe File opened for modification C:\Windows\SysWOW64\Fpihnbmk.exe Fgqcel32.exe File created C:\Windows\SysWOW64\Ieqbbl32.exe Ipcjje32.exe File created C:\Windows\SysWOW64\Ncbdjhnf.exe Nlklik32.exe File created C:\Windows\SysWOW64\Qjagmb32.dll Dmopge32.exe File created C:\Windows\SysWOW64\Jlpneplg.dll Fjfllm32.exe File created C:\Windows\SysWOW64\Gdkejjnc.dll Olokighn.exe File created C:\Windows\SysWOW64\Djgbkf32.dll Apjpglfn.exe File created C:\Windows\SysWOW64\Abmgojdb.dll Egljjmkp.exe File created C:\Windows\SysWOW64\Ifahpnfl.exe Imidgh32.exe File created C:\Windows\SysWOW64\Bdbkaoce.exe Bbdoec32.exe File opened for modification C:\Windows\SysWOW64\Jkdalb32.exe Jpomnilc.exe File opened for modification C:\Windows\SysWOW64\Kkdnke32.exe Kdjenkgh.exe File created C:\Windows\SysWOW64\Ckgmon32.exe Cemebcnf.exe File opened for modification C:\Windows\SysWOW64\Bdbkaoce.exe Bbdoec32.exe File created C:\Windows\SysWOW64\Mhjbbblb.dll Gkaljdaf.exe File opened for modification C:\Windows\SysWOW64\Nlabjj32.exe Nehjmppo.exe File created C:\Windows\SysWOW64\Hqpjndio.exe Gopnca32.exe File opened for modification C:\Windows\SysWOW64\Iggbdb32.exe Ibjikk32.exe File opened for modification C:\Windows\SysWOW64\Lhegcg32.exe Lkafib32.exe File created C:\Windows\SysWOW64\Qibhao32.exe Qakppa32.exe File created C:\Windows\SysWOW64\Ldokhn32.exe Lobbpg32.exe File created C:\Windows\SysWOW64\Jdpmbmao.dll Mjgclcjh.exe File created C:\Windows\SysWOW64\Dbcnpk32.exe Deonff32.exe File created C:\Windows\SysWOW64\Jgpklb32.exe Jljgni32.exe File opened for modification C:\Windows\SysWOW64\Cqlhlo32.exe Cjbpoeoj.exe File created C:\Windows\SysWOW64\Dnpedghl.exe Dkaihkih.exe File created C:\Windows\SysWOW64\Eipnnj32.dll Lkafib32.exe File opened for modification C:\Windows\SysWOW64\Fjdpgnee.exe Fgfckbfa.exe File created C:\Windows\SysWOW64\Gdgcnj32.exe Gcfgfack.exe File created C:\Windows\SysWOW64\Lgmhbloc.dll Cjljpjjk.exe File opened for modification C:\Windows\SysWOW64\Nplkhh32.exe Nfcfob32.exe File created C:\Windows\SysWOW64\Eihdakqq.dll Hgjieedg.exe File opened for modification C:\Windows\SysWOW64\Kpcbhlki.exe Kobfqc32.exe File created C:\Windows\SysWOW64\Jdplmflg.exe Jocceo32.exe File created C:\Windows\SysWOW64\Benhai32.dll Hkndiabh.exe File opened for modification C:\Windows\SysWOW64\Bhgaan32.exe Bfieec32.exe File opened for modification C:\Windows\SysWOW64\Ccakij32.exe Cilfka32.exe File opened for modification C:\Windows\SysWOW64\Jlhjijpe.exe Jkfnaa32.exe File created C:\Windows\SysWOW64\Pddinn32.exe Pkkeeikj.exe File created C:\Windows\SysWOW64\Eecgafkj.exe Epgoio32.exe File opened for modification C:\Windows\SysWOW64\Jhchjgoh.exe Iaipmm32.exe File opened for modification C:\Windows\SysWOW64\Dndoof32.exe Dcojbm32.exe File created C:\Windows\SysWOW64\Foidii32.exe Fholmo32.exe File opened for modification C:\Windows\SysWOW64\Mccaodgj.exe Mfoqephq.exe File created C:\Windows\SysWOW64\Bbekbnge.dll Bdbkaoce.exe File opened for modification C:\Windows\SysWOW64\Ccloea32.exe Ckajqo32.exe File created C:\Windows\SysWOW64\Kqkdjkoi.dll Deikhhhe.exe File opened for modification C:\Windows\SysWOW64\Mqhhbn32.exe Mbehgabe.exe File created C:\Windows\SysWOW64\Gfpphd32.dll Ljndga32.exe File created C:\Windows\SysWOW64\Oeldjogm.dll Ckbccnji.exe File created C:\Windows\SysWOW64\Edhmhl32.exe Eibikc32.exe File opened for modification C:\Windows\SysWOW64\Adcobk32.exe Aadbfp32.exe File opened for modification C:\Windows\SysWOW64\Fpcghl32.exe Eenckc32.exe File created C:\Windows\SysWOW64\Beokkc32.dll Kloqiijm.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4252 5080 WerFault.exe Iqmcmaja.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Qibhao32.exeMhlcnl32.exeEecgafkj.exeGheola32.exeCmjoaofc.exeFholmo32.exeEmkfmioh.exeHbnqln32.exeCmmcae32.exeEgimdmmc.exeFdggofgn.exeGkchpcoc.exeCkgmon32.exeIfceemdj.exeBqngjcje.exeBjfkbhae.exeDibjcg32.exeQdkpomkb.exeLeaallcb.exePinnfonh.exeQlqdmj32.exeBhljlnma.exeFjdpgnee.exeNlklik32.exeGaajfi32.exeLgjcdc32.exeMjgclcjh.exeGacgli32.exeIggbdb32.exeEbmjihqn.exeHqpjndio.exeEmqaaabg.exeKloqiijm.exeKngcbpjc.exeMbbkabdh.exeEgljjmkp.exeQdhcinme.exeBfieec32.exeIpimic32.exeDjkodg32.exeGofajcog.exeOlokighn.exeMhgpgjoj.exeCohlnkeg.exeHndaao32.exeFaedpdcc.exeGllabp32.exeGknhjn32.exeCqlhlo32.exeBgcbja32.exeOiniaboi.exeKidjfl32.exeIgdndl32.exeIlmgef32.exeMqgahh32.exePhckglbq.exeGebiefle.exeIiodliep.exeMhbflj32.exeEenckc32.exeBoainhic.exeDfdqpdja.exeKanfgofa.exeMkkpjg32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qibhao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhlcnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecgafkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gheola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmjoaofc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fholmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emkfmioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbnqln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egimdmmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdggofgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkchpcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgmon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifceemdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqngjcje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfkbhae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dibjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdkpomkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leaallcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pinnfonh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlqdmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhljlnma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjdpgnee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlklik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaajfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgjcdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjgclcjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacgli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggbdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebmjihqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqpjndio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emqaaabg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kloqiijm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngcbpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbkabdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egljjmkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdhcinme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfieec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipimic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djkodg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gofajcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olokighn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhgpgjoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohlnkeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hndaao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faedpdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gllabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gknhjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqlhlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcbja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiniaboi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidjfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdndl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmgef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqgahh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phckglbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gebiefle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiodliep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhbflj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eenckc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boainhic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfdqpdja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kanfgofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkkpjg32.exe -
Modifies registry class 64 IoCs
Processes:
Hgkknm32.exeGccjpb32.exeJkdalb32.exeOfmiea32.exeBkmcni32.exeFgfckbfa.exeJkfnaa32.exeHbepplkh.exeEibikc32.exeFpihnbmk.exeQomcdf32.exeIgdndl32.exeFcmdpcle.exeGkchpcoc.exeHndaao32.exeDfjaej32.exeHqpjndio.exeMhgpgjoj.exeFholmo32.exeGdjpcj32.exeHccfoehi.exeKokppd32.exeNnpofe32.exeBqngjcje.exeNpieoi32.exeIaipmm32.exePinnfonh.exeFoqadnpq.exeOlokighn.exeCjbpoeoj.exeGomjckqc.exeAnfggicl.exeBbapgknp.exeBmgddcnf.exeIlmgef32.exeIecohl32.exeJljgni32.exeJaoblk32.exeEigbfb32.exeFjfllm32.exeJinghn32.exeOlehbh32.exeHbnqln32.exeMccaodgj.exeKngcbpjc.exeBoainhic.exeCpemob32.exeKobfqc32.exeCemebcnf.exeBdbkaoce.exeEmqaaabg.exeFhqfie32.exeOjgokflc.exeNdpmbjbk.exeIggbdb32.exeFgffck32.exeBjfkbhae.exeGhqchi32.exeEjmljg32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgkknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gccjpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkdalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgmlfo32.dll" Ofmiea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkmcni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkicgd32.dll" Fgfckbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkfnaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbepplkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eibikc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpihnbmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qomcdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igdndl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcmdpcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogalfbhd.dll" Gkchpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hndaao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfjaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqpjndio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhgpgjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fholmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdjpcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hccfoehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kokppd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alqmcb32.dll" Nnpofe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqngjcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajoaoj32.dll" Npieoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iaipmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pinnfonh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfobjfcf.dll" Foqadnpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkejjnc.dll" Olokighn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjbpoeoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gomjckqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaieif32.dll" Anfggicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehblofm.dll" Bbapgknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkfomk32.dll" Bmgddcnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilmgef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iecohl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcphpcno.dll" Jljgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jljgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efpdbdcc.dll" Fpihnbmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaoblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eigbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpneplg.dll" Fjfllm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifdijfdc.dll" Jinghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbfhefe.dll" Olehbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbnqln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dncodq32.dll" Mccaodgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jinghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kngcbpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boainhic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpemob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kobfqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cemebcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdbkaoce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emqaaabg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhqfie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kobfqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abdpfmcb.dll" Ojgokflc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndpmbjbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iggbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgffck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gomjckqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjfkbhae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghqchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhpen32.dll" Ejmljg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Backdoor.Win32.Berbew.exeAnfggicl.exeAkjham32.exeAqgqid32.exeAcemeo32.exeAchikonn.exeAgebam32.exeBqngjcje.exeBjfkbhae.exeBbapgknp.exeBmgddcnf.exeBnkmakbb.exeBgcbja32.exeCkajqo32.exeCcloea32.exeCgjhkpbj.exedescription pid process target process PID 2924 wrote to memory of 1960 2924 Backdoor.Win32.Berbew.exe Anfggicl.exe PID 2924 wrote to memory of 1960 2924 Backdoor.Win32.Berbew.exe Anfggicl.exe PID 2924 wrote to memory of 1960 2924 Backdoor.Win32.Berbew.exe Anfggicl.exe PID 2924 wrote to memory of 1960 2924 Backdoor.Win32.Berbew.exe Anfggicl.exe PID 1960 wrote to memory of 2912 1960 Anfggicl.exe Akjham32.exe PID 1960 wrote to memory of 2912 1960 Anfggicl.exe Akjham32.exe PID 1960 wrote to memory of 2912 1960 Anfggicl.exe Akjham32.exe PID 1960 wrote to memory of 2912 1960 Anfggicl.exe Akjham32.exe PID 2912 wrote to memory of 748 2912 Akjham32.exe Aqgqid32.exe PID 2912 wrote to memory of 748 2912 Akjham32.exe Aqgqid32.exe PID 2912 wrote to memory of 748 2912 Akjham32.exe Aqgqid32.exe PID 2912 wrote to memory of 748 2912 Akjham32.exe Aqgqid32.exe PID 748 wrote to memory of 2948 748 Aqgqid32.exe Acemeo32.exe PID 748 wrote to memory of 2948 748 Aqgqid32.exe Acemeo32.exe PID 748 wrote to memory of 2948 748 Aqgqid32.exe Acemeo32.exe PID 748 wrote to memory of 2948 748 Aqgqid32.exe Acemeo32.exe PID 2948 wrote to memory of 2632 2948 Acemeo32.exe Achikonn.exe PID 2948 wrote to memory of 2632 2948 Acemeo32.exe Achikonn.exe PID 2948 wrote to memory of 2632 2948 Acemeo32.exe Achikonn.exe PID 2948 wrote to memory of 2632 2948 Acemeo32.exe Achikonn.exe PID 2632 wrote to memory of 2832 2632 Achikonn.exe Agebam32.exe PID 2632 wrote to memory of 2832 2632 Achikonn.exe Agebam32.exe PID 2632 wrote to memory of 2832 2632 Achikonn.exe Agebam32.exe PID 2632 wrote to memory of 2832 2632 Achikonn.exe Agebam32.exe PID 2832 wrote to memory of 1608 2832 Agebam32.exe Bqngjcje.exe PID 2832 wrote to memory of 1608 2832 Agebam32.exe Bqngjcje.exe PID 2832 wrote to memory of 1608 2832 Agebam32.exe Bqngjcje.exe PID 2832 wrote to memory of 1608 2832 Agebam32.exe Bqngjcje.exe PID 1608 wrote to memory of 2064 1608 Bqngjcje.exe Bjfkbhae.exe PID 1608 wrote to memory of 2064 1608 Bqngjcje.exe Bjfkbhae.exe PID 1608 wrote to memory of 2064 1608 Bqngjcje.exe Bjfkbhae.exe PID 1608 wrote to memory of 2064 1608 Bqngjcje.exe Bjfkbhae.exe PID 2064 wrote to memory of 2128 2064 Bjfkbhae.exe Bbapgknp.exe PID 2064 wrote to memory of 2128 2064 Bjfkbhae.exe Bbapgknp.exe PID 2064 wrote to memory of 2128 2064 Bjfkbhae.exe Bbapgknp.exe PID 2064 wrote to memory of 2128 2064 Bjfkbhae.exe Bbapgknp.exe PID 2128 wrote to memory of 2400 2128 Bbapgknp.exe Bmgddcnf.exe PID 2128 wrote to memory of 2400 2128 Bbapgknp.exe Bmgddcnf.exe PID 2128 wrote to memory of 2400 2128 Bbapgknp.exe Bmgddcnf.exe PID 2128 wrote to memory of 2400 2128 Bbapgknp.exe Bmgddcnf.exe PID 2400 wrote to memory of 964 2400 Bmgddcnf.exe Bnkmakbb.exe PID 2400 wrote to memory of 964 2400 Bmgddcnf.exe Bnkmakbb.exe PID 2400 wrote to memory of 964 2400 Bmgddcnf.exe Bnkmakbb.exe PID 2400 wrote to memory of 964 2400 Bmgddcnf.exe Bnkmakbb.exe PID 964 wrote to memory of 1992 964 Bnkmakbb.exe Bgcbja32.exe PID 964 wrote to memory of 1992 964 Bnkmakbb.exe Bgcbja32.exe PID 964 wrote to memory of 1992 964 Bnkmakbb.exe Bgcbja32.exe PID 964 wrote to memory of 1992 964 Bnkmakbb.exe Bgcbja32.exe PID 1992 wrote to memory of 2424 1992 Bgcbja32.exe Ckajqo32.exe PID 1992 wrote to memory of 2424 1992 Bgcbja32.exe Ckajqo32.exe PID 1992 wrote to memory of 2424 1992 Bgcbja32.exe Ckajqo32.exe PID 1992 wrote to memory of 2424 1992 Bgcbja32.exe Ckajqo32.exe PID 2424 wrote to memory of 2232 2424 Ckajqo32.exe Ccloea32.exe PID 2424 wrote to memory of 2232 2424 Ckajqo32.exe Ccloea32.exe PID 2424 wrote to memory of 2232 2424 Ckajqo32.exe Ccloea32.exe PID 2424 wrote to memory of 2232 2424 Ckajqo32.exe Ccloea32.exe PID 2232 wrote to memory of 1352 2232 Ccloea32.exe Cgjhkpbj.exe PID 2232 wrote to memory of 1352 2232 Ccloea32.exe Cgjhkpbj.exe PID 2232 wrote to memory of 1352 2232 Ccloea32.exe Cgjhkpbj.exe PID 2232 wrote to memory of 1352 2232 Ccloea32.exe Cgjhkpbj.exe PID 1352 wrote to memory of 1020 1352 Cgjhkpbj.exe Cpemob32.exe PID 1352 wrote to memory of 1020 1352 Cgjhkpbj.exe Cpemob32.exe PID 1352 wrote to memory of 1020 1352 Cgjhkpbj.exe Cpemob32.exe PID 1352 wrote to memory of 1020 1352 Cgjhkpbj.exe Cpemob32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Anfggicl.exeC:\Windows\system32\Anfggicl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Akjham32.exeC:\Windows\system32\Akjham32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Aqgqid32.exeC:\Windows\system32\Aqgqid32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Acemeo32.exeC:\Windows\system32\Acemeo32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Achikonn.exeC:\Windows\system32\Achikonn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Agebam32.exeC:\Windows\system32\Agebam32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Bqngjcje.exeC:\Windows\system32\Bqngjcje.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Bjfkbhae.exeC:\Windows\system32\Bjfkbhae.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Bbapgknp.exeC:\Windows\system32\Bbapgknp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Bmgddcnf.exeC:\Windows\system32\Bmgddcnf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Bnkmakbb.exeC:\Windows\system32\Bnkmakbb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Bgcbja32.exeC:\Windows\system32\Bgcbja32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Ckajqo32.exeC:\Windows\system32\Ckajqo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Ccloea32.exeC:\Windows\system32\Ccloea32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Cgjhkpbj.exeC:\Windows\system32\Cgjhkpbj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\Cpemob32.exeC:\Windows\system32\Cpemob32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Ccceeqfl.exeC:\Windows\system32\Ccceeqfl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Dpjfjalp.exeC:\Windows\system32\Dpjfjalp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:112 -
C:\Windows\SysWOW64\Dibjcg32.exeC:\Windows\system32\Dibjcg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Deikhhhe.exeC:\Windows\system32\Deikhhhe.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Daplmimi.exeC:\Windows\system32\Daplmimi.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:472 -
C:\Windows\SysWOW64\Dmgmbj32.exeC:\Windows\system32\Dmgmbj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Dhlapc32.exeC:\Windows\system32\Dhlapc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Dofilm32.exeC:\Windows\system32\Dofilm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Ekmjanpd.exeC:\Windows\system32\Ekmjanpd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Emkfmioh.exeC:\Windows\system32\Emkfmioh.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Echoepmo.exeC:\Windows\system32\Echoepmo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Edhkpcdb.exeC:\Windows\system32\Edhkpcdb.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Empphi32.exeC:\Windows\system32\Empphi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Ecmhqp32.exeC:\Windows\system32\Ecmhqp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Ecodfogg.exeC:\Windows\system32\Ecodfogg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Ehlmnfeo.exeC:\Windows\system32\Ehlmnfeo.exe33⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Fepnhjdh.exeC:\Windows\system32\Fepnhjdh.exe34⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Fagnmkjm.exeC:\Windows\system32\Fagnmkjm.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Fhqfie32.exeC:\Windows\system32\Fhqfie32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Fdggofgn.exeC:\Windows\system32\Fdggofgn.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Fgfckbfa.exeC:\Windows\system32\Fgfckbfa.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:436 -
C:\Windows\SysWOW64\Fjdpgnee.exeC:\Windows\system32\Fjdpgnee.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Fcmdpcle.exeC:\Windows\system32\Fcmdpcle.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Fjfllm32.exeC:\Windows\system32\Fjfllm32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1452 -
C:\Windows\SysWOW64\Fqqdigko.exeC:\Windows\system32\Fqqdigko.exe42⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Gjiibm32.exeC:\Windows\system32\Gjiibm32.exe43⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Gofajcog.exeC:\Windows\system32\Gofajcog.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1168 -
C:\Windows\SysWOW64\Gfpjgn32.exeC:\Windows\system32\Gfpjgn32.exe45⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Gmjbchnq.exeC:\Windows\system32\Gmjbchnq.exe46⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Gccjpb32.exeC:\Windows\system32\Gccjpb32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Ghqchi32.exeC:\Windows\system32\Ghqchi32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Gcfgfack.exeC:\Windows\system32\Gcfgfack.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Gdgcnj32.exeC:\Windows\system32\Gdgcnj32.exe50⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Gkaljdaf.exeC:\Windows\system32\Gkaljdaf.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Gbkdgn32.exeC:\Windows\system32\Gbkdgn32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Gdjpcj32.exeC:\Windows\system32\Gdjpcj32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Gkchpcoc.exeC:\Windows\system32\Gkchpcoc.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Hbnqln32.exeC:\Windows\system32\Hbnqln32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Hgjieedg.exeC:\Windows\system32\Hgjieedg.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Hndaao32.exeC:\Windows\system32\Hndaao32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Henjnica.exeC:\Windows\system32\Henjnica.exe58⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Hjkbfpah.exeC:\Windows\system32\Hjkbfpah.exe59⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Hminbkql.exeC:\Windows\system32\Hminbkql.exe60⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Hccfoehi.exeC:\Windows\system32\Hccfoehi.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Hfbckagm.exeC:\Windows\system32\Hfbckagm.exe62⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Hnikmnho.exeC:\Windows\system32\Hnikmnho.exe63⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Hgaoec32.exeC:\Windows\system32\Hgaoec32.exe64⤵
- Executes dropped EXE
PID:360 -
C:\Windows\SysWOW64\Indnqb32.exeC:\Windows\system32\Indnqb32.exe65⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Iijbnkne.exeC:\Windows\system32\Iijbnkne.exe66⤵PID:2016
-
C:\Windows\SysWOW64\Ipcjje32.exeC:\Windows\system32\Ipcjje32.exe67⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Ieqbbl32.exeC:\Windows\system32\Ieqbbl32.exe68⤵PID:1204
-
C:\Windows\SysWOW64\Iljkofkg.exeC:\Windows\system32\Iljkofkg.exe69⤵PID:2728
-
C:\Windows\SysWOW64\Iecohl32.exeC:\Windows\system32\Iecohl32.exe70⤵
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Ilmgef32.exeC:\Windows\system32\Ilmgef32.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Iaipmm32.exeC:\Windows\system32\Iaipmm32.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Jhchjgoh.exeC:\Windows\system32\Jhchjgoh.exe73⤵PID:2220
-
C:\Windows\SysWOW64\Jmpqbnmp.exeC:\Windows\system32\Jmpqbnmp.exe74⤵PID:2680
-
C:\Windows\SysWOW64\Jpomnilc.exeC:\Windows\system32\Jpomnilc.exe75⤵
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Jkdalb32.exeC:\Windows\system32\Jkdalb32.exe76⤵
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Jdmfdgbj.exeC:\Windows\system32\Jdmfdgbj.exe77⤵PID:1640
-
C:\Windows\SysWOW64\Jkfnaa32.exeC:\Windows\system32\Jkfnaa32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Jlhjijpe.exeC:\Windows\system32\Jlhjijpe.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Jgmofbpk.exeC:\Windows\system32\Jgmofbpk.exe80⤵PID:2940
-
C:\Windows\SysWOW64\Jljgni32.exeC:\Windows\system32\Jljgni32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Jgpklb32.exeC:\Windows\system32\Jgpklb32.exe82⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Jinghn32.exeC:\Windows\system32\Jinghn32.exe83⤵
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Kokppd32.exeC:\Windows\system32\Kokppd32.exe84⤵
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Keehmobp.exeC:\Windows\system32\Keehmobp.exe85⤵PID:2268
-
C:\Windows\SysWOW64\Kloqiijm.exeC:\Windows\system32\Kloqiijm.exe86⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Kommediq.exeC:\Windows\system32\Kommediq.exe87⤵PID:2240
-
C:\Windows\SysWOW64\Kdjenkgh.exeC:\Windows\system32\Kdjenkgh.exe88⤵
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Kkdnke32.exeC:\Windows\system32\Kkdnke32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Kanfgofa.exeC:\Windows\system32\Kanfgofa.exe90⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Khhndi32.exeC:\Windows\system32\Khhndi32.exe91⤵PID:2688
-
C:\Windows\SysWOW64\Kobfqc32.exeC:\Windows\system32\Kobfqc32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Kpcbhlki.exeC:\Windows\system32\Kpcbhlki.exe93⤵PID:1016
-
C:\Windows\SysWOW64\Khjkiikl.exeC:\Windows\system32\Khjkiikl.exe94⤵PID:932
-
C:\Windows\SysWOW64\Kngcbpjc.exeC:\Windows\system32\Kngcbpjc.exe95⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Kdakoj32.exeC:\Windows\system32\Kdakoj32.exe96⤵PID:2168
-
C:\Windows\SysWOW64\Ljndga32.exeC:\Windows\system32\Ljndga32.exe97⤵
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Lphlck32.exeC:\Windows\system32\Lphlck32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Ljpqlqmd.exeC:\Windows\system32\Ljpqlqmd.exe99⤵PID:2000
-
C:\Windows\SysWOW64\Llomhllh.exeC:\Windows\system32\Llomhllh.exe100⤵PID:2372
-
C:\Windows\SysWOW64\Lcieef32.exeC:\Windows\system32\Lcieef32.exe101⤵PID:2724
-
C:\Windows\SysWOW64\Ljbmbpkb.exeC:\Windows\system32\Ljbmbpkb.exe102⤵PID:1596
-
C:\Windows\SysWOW64\Llainlje.exeC:\Windows\system32\Llainlje.exe103⤵PID:2972
-
C:\Windows\SysWOW64\Lbnbfb32.exeC:\Windows\system32\Lbnbfb32.exe104⤵
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Lhhjcmpj.exeC:\Windows\system32\Lhhjcmpj.exe105⤵PID:1080
-
C:\Windows\SysWOW64\Lobbpg32.exeC:\Windows\system32\Lobbpg32.exe106⤵
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Ldokhn32.exeC:\Windows\system32\Ldokhn32.exe107⤵PID:2340
-
C:\Windows\SysWOW64\Llfcik32.exeC:\Windows\system32\Llfcik32.exe108⤵PID:2328
-
C:\Windows\SysWOW64\Mbbkabdh.exeC:\Windows\system32\Mbbkabdh.exe109⤵
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Windows\SysWOW64\Mhlcnl32.exeC:\Windows\system32\Mhlcnl32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Mkkpjg32.exeC:\Windows\system32\Mkkpjg32.exe111⤵
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Mbehgabe.exeC:\Windows\system32\Mbehgabe.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:760 -
C:\Windows\SysWOW64\Mqhhbn32.exeC:\Windows\system32\Mqhhbn32.exe113⤵PID:832
-
C:\Windows\SysWOW64\Mgaqohql.exeC:\Windows\system32\Mgaqohql.exe114⤵PID:2644
-
C:\Windows\SysWOW64\Mnlilb32.exeC:\Windows\system32\Mnlilb32.exe115⤵PID:3048
-
C:\Windows\SysWOW64\Mdeaim32.exeC:\Windows\system32\Mdeaim32.exe116⤵PID:1516
-
C:\Windows\SysWOW64\Mkpieggc.exeC:\Windows\system32\Mkpieggc.exe117⤵PID:876
-
C:\Windows\SysWOW64\Mmafmo32.exeC:\Windows\system32\Mmafmo32.exe118⤵PID:2180
-
C:\Windows\SysWOW64\Mcknjidn.exeC:\Windows\system32\Mcknjidn.exe119⤵PID:896
-
C:\Windows\SysWOW64\Mfijfdca.exeC:\Windows\system32\Mfijfdca.exe120⤵PID:2224
-
C:\Windows\SysWOW64\Mmcbbo32.exeC:\Windows\system32\Mmcbbo32.exe121⤵PID:2008
-
C:\Windows\SysWOW64\Mgigpgkd.exeC:\Windows\system32\Mgigpgkd.exe122⤵PID:2244
-
C:\Windows\SysWOW64\Mjgclcjh.exeC:\Windows\system32\Mjgclcjh.exe123⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:568 -
C:\Windows\SysWOW64\Npdkdjhp.exeC:\Windows\system32\Npdkdjhp.exe124⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2792 -
C:\Windows\SysWOW64\Nfncad32.exeC:\Windows\system32\Nfncad32.exe125⤵PID:2672
-
C:\Windows\SysWOW64\Nlklik32.exeC:\Windows\system32\Nlklik32.exe126⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Ncbdjhnf.exeC:\Windows\system32\Ncbdjhnf.exe127⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2344 -
C:\Windows\SysWOW64\Niombolm.exeC:\Windows\system32\Niombolm.exe128⤵PID:928
-
C:\Windows\SysWOW64\Npieoi32.exeC:\Windows\system32\Npieoi32.exe129⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Nfbmlckg.exeC:\Windows\system32\Nfbmlckg.exe130⤵PID:2184
-
C:\Windows\SysWOW64\Niaihojk.exeC:\Windows\system32\Niaihojk.exe131⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Npkaei32.exeC:\Windows\system32\Npkaei32.exe132⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Nehjmppo.exeC:\Windows\system32\Nehjmppo.exe133⤵
- Drops file in System32 directory
PID:548 -
C:\Windows\SysWOW64\Nlabjj32.exeC:\Windows\system32\Nlabjj32.exe134⤵PID:2840
-
C:\Windows\SysWOW64\Nnpofe32.exeC:\Windows\system32\Nnpofe32.exe135⤵
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Oejgbonl.exeC:\Windows\system32\Oejgbonl.exe136⤵PID:2956
-
C:\Windows\SysWOW64\Ojgokflc.exeC:\Windows\system32\Ojgokflc.exe137⤵
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Oaaghp32.exeC:\Windows\system32\Oaaghp32.exe138⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120 -
C:\Windows\SysWOW64\Ofnppgbh.exeC:\Windows\system32\Ofnppgbh.exe139⤵PID:2124
-
C:\Windows\SysWOW64\Omhhma32.exeC:\Windows\system32\Omhhma32.exe140⤵PID:2764
-
C:\Windows\SysWOW64\Odaqikaa.exeC:\Windows\system32\Odaqikaa.exe141⤵PID:1624
-
C:\Windows\SysWOW64\Oiniaboi.exeC:\Windows\system32\Oiniaboi.exe142⤵
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Windows\SysWOW64\Oddmokoo.exeC:\Windows\system32\Oddmokoo.exe143⤵PID:2380
-
C:\Windows\SysWOW64\Ojnelefl.exeC:\Windows\system32\Ojnelefl.exe144⤵PID:3044
-
C:\Windows\SysWOW64\Odfjdk32.exeC:\Windows\system32\Odfjdk32.exe145⤵PID:2580
-
C:\Windows\SysWOW64\Ofefqf32.exeC:\Windows\system32\Ofefqf32.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2144 -
C:\Windows\SysWOW64\Popkeh32.exeC:\Windows\system32\Popkeh32.exe147⤵PID:2484
-
C:\Windows\SysWOW64\Phhonn32.exeC:\Windows\system32\Phhonn32.exe148⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Paqdgcfl.exeC:\Windows\system32\Paqdgcfl.exe149⤵PID:1736
-
C:\Windows\SysWOW64\Phklcn32.exeC:\Windows\system32\Phklcn32.exe150⤵PID:2740
-
C:\Windows\SysWOW64\Pacqlcdi.exeC:\Windows\system32\Pacqlcdi.exe151⤵PID:1332
-
C:\Windows\SysWOW64\Pkkeeikj.exeC:\Windows\system32\Pkkeeikj.exe152⤵
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Pddinn32.exeC:\Windows\system32\Pddinn32.exe153⤵PID:2076
-
C:\Windows\SysWOW64\Pknakhig.exeC:\Windows\system32\Pknakhig.exe154⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Pahjgb32.exeC:\Windows\system32\Pahjgb32.exe155⤵PID:2460
-
C:\Windows\SysWOW64\Pdffcn32.exeC:\Windows\system32\Pdffcn32.exe156⤵PID:2296
-
C:\Windows\SysWOW64\Qnoklc32.exeC:\Windows\system32\Qnoklc32.exe157⤵PID:2172
-
C:\Windows\SysWOW64\Qdhcinme.exeC:\Windows\system32\Qdhcinme.exe158⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Qnagbc32.exeC:\Windows\system32\Qnagbc32.exe159⤵PID:2468
-
C:\Windows\SysWOW64\Qdkpomkb.exeC:\Windows\system32\Qdkpomkb.exe160⤵
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Ajghgd32.exeC:\Windows\system32\Ajghgd32.exe161⤵PID:2436
-
C:\Windows\SysWOW64\Bhfhnofg.exeC:\Windows\system32\Bhfhnofg.exe162⤵PID:2976
-
C:\Windows\SysWOW64\Bdmhcp32.exeC:\Windows\system32\Bdmhcp32.exe163⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Bgnaekil.exeC:\Windows\system32\Bgnaekil.exe164⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1268 -
C:\Windows\SysWOW64\Bmjjmbgc.exeC:\Windows\system32\Bmjjmbgc.exe165⤵PID:2812
-
C:\Windows\SysWOW64\Bgpnjkgi.exeC:\Windows\system32\Bgpnjkgi.exe166⤵PID:2264
-
C:\Windows\SysWOW64\Bqhbcqmj.exeC:\Windows\system32\Bqhbcqmj.exe167⤵PID:2816
-
C:\Windows\SysWOW64\Cfekkgla.exeC:\Windows\system32\Cfekkgla.exe168⤵PID:2588
-
C:\Windows\SysWOW64\Ckbccnji.exeC:\Windows\system32\Ckbccnji.exe169⤵
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Cejhld32.exeC:\Windows\system32\Cejhld32.exe170⤵PID:956
-
C:\Windows\SysWOW64\Copljmpo.exeC:\Windows\system32\Copljmpo.exe171⤵PID:940
-
C:\Windows\SysWOW64\Cemebcnf.exeC:\Windows\system32\Cemebcnf.exe172⤵
- Drops file in System32 directory
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Ckgmon32.exeC:\Windows\system32\Ckgmon32.exe173⤵
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\SysWOW64\Ceoagcld.exeC:\Windows\system32\Ceoagcld.exe174⤵PID:3052
-
C:\Windows\SysWOW64\Cjljpjjk.exeC:\Windows\system32\Cjljpjjk.exe175⤵
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Ccdnipal.exeC:\Windows\system32\Ccdnipal.exe176⤵PID:2756
-
C:\Windows\SysWOW64\Cmmcae32.exeC:\Windows\system32\Cmmcae32.exe177⤵
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Dfegjknm.exeC:\Windows\system32\Dfegjknm.exe178⤵PID:976
-
C:\Windows\SysWOW64\Dmopge32.exeC:\Windows\system32\Dmopge32.exe179⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Dcihdo32.exeC:\Windows\system32\Dcihdo32.exe180⤵PID:772
-
C:\Windows\SysWOW64\Difplf32.exeC:\Windows\system32\Difplf32.exe181⤵PID:3100
-
C:\Windows\SysWOW64\Dfjaej32.exeC:\Windows\system32\Dfjaej32.exe182⤵
- Modifies registry class
PID:3140 -
C:\Windows\SysWOW64\Dlfina32.exeC:\Windows\system32\Dlfina32.exe183⤵PID:3180
-
C:\Windows\SysWOW64\Deonff32.exeC:\Windows\system32\Deonff32.exe184⤵
- Drops file in System32 directory
PID:3220 -
C:\Windows\SysWOW64\Dbcnpk32.exeC:\Windows\system32\Dbcnpk32.exe185⤵PID:3260
-
C:\Windows\SysWOW64\Deajlf32.exeC:\Windows\system32\Deajlf32.exe186⤵PID:3300
-
C:\Windows\SysWOW64\Epgoio32.exeC:\Windows\system32\Epgoio32.exe187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3340 -
C:\Windows\SysWOW64\Eecgafkj.exeC:\Windows\system32\Eecgafkj.exe188⤵
- System Location Discovery: System Language Discovery
PID:3380 -
C:\Windows\SysWOW64\Eolljk32.exeC:\Windows\system32\Eolljk32.exe189⤵PID:3420
-
C:\Windows\SysWOW64\Elpldp32.exeC:\Windows\system32\Elpldp32.exe190⤵PID:3460
-
C:\Windows\SysWOW64\Emailhfb.exeC:\Windows\system32\Emailhfb.exe191⤵PID:3500
-
C:\Windows\SysWOW64\Egimdmmc.exeC:\Windows\system32\Egimdmmc.exe192⤵
- System Location Discovery: System Language Discovery
PID:3540 -
C:\Windows\SysWOW64\Eaoaafli.exeC:\Windows\system32\Eaoaafli.exe193⤵PID:3580
-
C:\Windows\SysWOW64\Egljjmkp.exeC:\Windows\system32\Egljjmkp.exe194⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3620 -
C:\Windows\SysWOW64\Eaangfjf.exeC:\Windows\system32\Eaangfjf.exe195⤵PID:3660
-
C:\Windows\SysWOW64\Fkjbpkag.exeC:\Windows\system32\Fkjbpkag.exe196⤵PID:3700
-
C:\Windows\SysWOW64\Fpfkhbon.exeC:\Windows\system32\Fpfkhbon.exe197⤵PID:3744
-
C:\Windows\SysWOW64\Fgqcel32.exeC:\Windows\system32\Fgqcel32.exe198⤵
- Drops file in System32 directory
PID:3784 -
C:\Windows\SysWOW64\Fpihnbmk.exeC:\Windows\system32\Fpihnbmk.exe199⤵
- Modifies registry class
PID:3824 -
C:\Windows\SysWOW64\Fialggcl.exeC:\Windows\system32\Fialggcl.exe200⤵PID:3864
-
C:\Windows\SysWOW64\Fondonbc.exeC:\Windows\system32\Fondonbc.exe201⤵PID:3904
-
C:\Windows\SysWOW64\Fehmlh32.exeC:\Windows\system32\Fehmlh32.exe202⤵PID:3944
-
C:\Windows\SysWOW64\Foqadnpq.exeC:\Windows\system32\Foqadnpq.exe203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3984 -
C:\Windows\SysWOW64\Faonqiod.exeC:\Windows\system32\Faonqiod.exe204⤵PID:4024
-
C:\Windows\SysWOW64\Gocnjn32.exeC:\Windows\system32\Gocnjn32.exe205⤵PID:4064
-
C:\Windows\SysWOW64\Gaajfi32.exeC:\Windows\system32\Gaajfi32.exe206⤵
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Ggncop32.exeC:\Windows\system32\Ggncop32.exe207⤵PID:2720
-
C:\Windows\SysWOW64\Gacgli32.exeC:\Windows\system32\Gacgli32.exe208⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3156 -
C:\Windows\SysWOW64\Ghmohcbl.exeC:\Windows\system32\Ghmohcbl.exe209⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3208 -
C:\Windows\SysWOW64\Gklkdn32.exeC:\Windows\system32\Gklkdn32.exe210⤵PID:3244
-
C:\Windows\SysWOW64\Gddpndhp.exeC:\Windows\system32\Gddpndhp.exe211⤵PID:3316
-
C:\Windows\SysWOW64\Gknhjn32.exeC:\Windows\system32\Gknhjn32.exe212⤵
- System Location Discovery: System Language Discovery
PID:3360 -
C:\Windows\SysWOW64\Gdfmccfm.exeC:\Windows\system32\Gdfmccfm.exe213⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3408 -
C:\Windows\SysWOW64\Gopnca32.exeC:\Windows\system32\Gopnca32.exe214⤵
- Drops file in System32 directory
PID:3452 -
C:\Windows\SysWOW64\Hqpjndio.exeC:\Windows\system32\Hqpjndio.exe215⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3508 -
C:\Windows\SysWOW64\Hfmbfkhf.exeC:\Windows\system32\Hfmbfkhf.exe216⤵PID:3560
-
C:\Windows\SysWOW64\Hkiknb32.exeC:\Windows\system32\Hkiknb32.exe217⤵PID:3616
-
C:\Windows\SysWOW64\Hfookk32.exeC:\Windows\system32\Hfookk32.exe218⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3656 -
C:\Windows\SysWOW64\Hbepplkh.exeC:\Windows\system32\Hbepplkh.exe219⤵
- Modifies registry class
PID:3716 -
C:\Windows\SysWOW64\Hkndiabh.exeC:\Windows\system32\Hkndiabh.exe220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3760 -
C:\Windows\SysWOW64\Hqkmahpp.exeC:\Windows\system32\Hqkmahpp.exe221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3808 -
C:\Windows\SysWOW64\Hgeenb32.exeC:\Windows\system32\Hgeenb32.exe222⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3860 -
C:\Windows\SysWOW64\Ibjikk32.exeC:\Windows\system32\Ibjikk32.exe223⤵
- Drops file in System32 directory
PID:3912 -
C:\Windows\SysWOW64\Iggbdb32.exeC:\Windows\system32\Iggbdb32.exe224⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3924 -
C:\Windows\SysWOW64\Inajql32.exeC:\Windows\system32\Inajql32.exe225⤵PID:4008
-
C:\Windows\SysWOW64\Iekbmfdc.exeC:\Windows\system32\Iekbmfdc.exe226⤵PID:4056
-
C:\Windows\SysWOW64\Imfgahao.exeC:\Windows\system32\Imfgahao.exe227⤵PID:1700
-
C:\Windows\SysWOW64\Iglkoaad.exeC:\Windows\system32\Iglkoaad.exe228⤵PID:3132
-
C:\Windows\SysWOW64\Imidgh32.exeC:\Windows\system32\Imidgh32.exe229⤵
- Drops file in System32 directory
PID:3196 -
C:\Windows\SysWOW64\Ifahpnfl.exeC:\Windows\system32\Ifahpnfl.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3240 -
C:\Windows\SysWOW64\Iiodliep.exeC:\Windows\system32\Iiodliep.exe231⤵
- System Location Discovery: System Language Discovery
PID:3272 -
C:\Windows\SysWOW64\Ipimic32.exeC:\Windows\system32\Ipimic32.exe232⤵
- System Location Discovery: System Language Discovery
PID:3336 -
C:\Windows\SysWOW64\Ifceemdj.exeC:\Windows\system32\Ifceemdj.exe233⤵
- System Location Discovery: System Language Discovery
PID:3428 -
C:\Windows\SysWOW64\Jplinckj.exeC:\Windows\system32\Jplinckj.exe234⤵PID:3488
-
C:\Windows\SysWOW64\Jhgnbehe.exeC:\Windows\system32\Jhgnbehe.exe235⤵PID:3548
-
C:\Windows\SysWOW64\Jaoblk32.exeC:\Windows\system32\Jaoblk32.exe236⤵
- Modifies registry class
PID:3628 -
C:\Windows\SysWOW64\Jocceo32.exeC:\Windows\system32\Jocceo32.exe237⤵
- Drops file in System32 directory
PID:3688 -
C:\Windows\SysWOW64\Jdplmflg.exeC:\Windows\system32\Jdplmflg.exe238⤵PID:3740
-
C:\Windows\SysWOW64\Kidjfl32.exeC:\Windows\system32\Kidjfl32.exe239⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3832 -
C:\Windows\SysWOW64\Kdincdcl.exeC:\Windows\system32\Kdincdcl.exe240⤵PID:3892
-
C:\Windows\SysWOW64\Kmbclj32.exeC:\Windows\system32\Kmbclj32.exe241⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3960 -
C:\Windows\SysWOW64\Kocodbpk.exeC:\Windows\system32\Kocodbpk.exe242⤵PID:3976