Analysis
max time kernel: 110s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-09-2024 10:44
Static task: static1
Behavioral task: behavioral1
  Sample: Backdoor.Win32.Berbew.AA.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Backdoor.Win32.Berbew.AA.exe
  Resource: win10v2004-20240802-en
General
Target: Backdoor.Win32.Berbew.AA.exe
Size: 96KB
MD5: ed50d0cd6e61e21405f12b5ef8c7a750
SHA1: 4050ba094c5030eacb81c58896b79c858772f56c
SHA256: 70685710e71a08f7e79f177f5c1dd64b6a8e64297e9ea08aa54ad373479ffdc6
SHA512: c172ea85e73ac044bb57af114d1b2cf72528c2886ab7c1259e13f0e199f688bceb9020871253ae87a1f774eea5375e97e12d50bc91d9abd5873c724183febd76
SSDEEP: 1536:tuOKYMS0cobw3PWK6C2J1viH0/l2LF7RZObZUUWaegPYA:tzbobw3kaiWFClUUWae
Malware Config
Extracted family: berbew, with a list of HTTP URLs (index.php / index.htm endpoints on the configured domains)
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs): the dropped executables create HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and set its "Web Event Logger" value to the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, so Explorer loads the registered COM object at every logon.
Executes dropped EXE (64 IoCs): the sample starts a chain of dropped executables that run in sequence, each one dropping the next into C:\Windows\SysWOW64.
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs): each stage creates, or opens for modification, further .exe and .dll files under C:\Windows\SysWOW64.
Program crash (1 IoC)
WerFault.exe (pid 4668) handled a crash of the dropped process Bgkppkih.exe (pid 4624).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. In this run the dropped executables open the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language.
Modifies registry class (64 IoCs): the dropped executables register CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} under HKLM\SOFTWARE\Classes\Wow6432Node\CLSID, pointing its InProcServer32 default value at a dropped DLL in C:\Windows\SysWow64 with ThreadingModel "Apartment". This is the COM object referenced by the ShellServiceObjectDelayLoad autorun entry.
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oabdol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiapjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jedeea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jigijb32.dll" Aepqac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mahinb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aocgnh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Cjiiim32.exeC:\Windows\system32\Cjiiim32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Cofaad32.exeC:\Windows\system32\Cofaad32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Cljajh32.exeC:\Windows\system32\Cljajh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Dbgjbo32.exeC:\Windows\system32\Dbgjbo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Dbighojl.exeC:\Windows\system32\Dbighojl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Dkakad32.exeC:\Windows\system32\Dkakad32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Dheljhof.exeC:\Windows\system32\Dheljhof.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Dnbdbomn.exeC:\Windows\system32\Dnbdbomn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Dkfdlclg.exeC:\Windows\system32\Dkfdlclg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Dbpmin32.exeC:\Windows\system32\Dbpmin32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Ejkampao.exeC:\Windows\system32\Ejkampao.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Edafjiqe.exeC:\Windows\system32\Edafjiqe.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Efbbba32.exeC:\Windows\system32\Efbbba32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Eqhfoj32.exeC:\Windows\system32\Eqhfoj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Ejpkho32.exeC:\Windows\system32\Ejpkho32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Epmcqf32.exeC:\Windows\system32\Epmcqf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Emadjj32.exeC:\Windows\system32\Emadjj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Eelinm32.exeC:\Windows\system32\Eelinm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Emcqpjhh.exeC:\Windows\system32\Emcqpjhh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1268 -
C:\Windows\SysWOW64\Fflehp32.exeC:\Windows\system32\Fflehp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1332 -
C:\Windows\SysWOW64\Fgmaphdg.exeC:\Windows\system32\Fgmaphdg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:340 -
C:\Windows\SysWOW64\Fbbfmqdm.exeC:\Windows\system32\Fbbfmqdm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Flkjffkm.exeC:\Windows\system32\Flkjffkm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Fcfojhhh.exeC:\Windows\system32\Fcfojhhh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:360 -
C:\Windows\SysWOW64\Fnkchahn.exeC:\Windows\system32\Fnkchahn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Feeldk32.exeC:\Windows\system32\Feeldk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:296 -
C:\Windows\SysWOW64\Fmqpinlf.exeC:\Windows\system32\Fmqpinlf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Ffiebc32.exeC:\Windows\system32\Ffiebc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Gaoiol32.exeC:\Windows\system32\Gaoiol32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Glhjpjok.exeC:\Windows\system32\Glhjpjok.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Geqnho32.exeC:\Windows\system32\Geqnho32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Goicaell.exeC:\Windows\system32\Goicaell.exe33⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Glmckikf.exeC:\Windows\system32\Glmckikf.exe34⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Gajlcp32.exeC:\Windows\system32\Gajlcp32.exe35⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Hhfqejoh.exeC:\Windows\system32\Hhfqejoh.exe36⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Hopibdfd.exeC:\Windows\system32\Hopibdfd.exe37⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Hdmajkdl.exeC:\Windows\system32\Hdmajkdl.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Hobfgcdb.exeC:\Windows\system32\Hobfgcdb.exe39⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Hhkjpi32.exeC:\Windows\system32\Hhkjpi32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Hacoio32.exeC:\Windows\system32\Hacoio32.exe41⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Hcdkagga.exeC:\Windows\system32\Hcdkagga.exe42⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Hcghffen.exeC:\Windows\system32\Hcghffen.exe43⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Heedbbdb.exeC:\Windows\system32\Heedbbdb.exe44⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Ipkhpk32.exeC:\Windows\system32\Ipkhpk32.exe45⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Ilaieljl.exeC:\Windows\system32\Ilaieljl.exe46⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Ianambhc.exeC:\Windows\system32\Ianambhc.exe47⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Ilcfjkgj.exeC:\Windows\system32\Ilcfjkgj.exe48⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Iaqnbb32.exeC:\Windows\system32\Iaqnbb32.exe49⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Idojon32.exeC:\Windows\system32\Idojon32.exe50⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Iackhb32.exeC:\Windows\system32\Iackhb32.exe51⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Idagdm32.exeC:\Windows\system32\Idagdm32.exe52⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Iogkaf32.exeC:\Windows\system32\Iogkaf32.exe53⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Idcdjmao.exeC:\Windows\system32\Idcdjmao.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Jjqlbdog.exeC:\Windows\system32\Jjqlbdog.exe55⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Jdfqomom.exeC:\Windows\system32\Jdfqomom.exe56⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Jkpilg32.exeC:\Windows\system32\Jkpilg32.exe57⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Jmaedolh.exeC:\Windows\system32\Jmaedolh.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Jcknqicd.exeC:\Windows\system32\Jcknqicd.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Jjefmc32.exeC:\Windows\system32\Jjefmc32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Windows\SysWOW64\Jqonjmbn.exeC:\Windows\system32\Jqonjmbn.exe61⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Jgiffg32.exeC:\Windows\system32\Jgiffg32.exe62⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Jmfoon32.exeC:\Windows\system32\Jmfoon32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Jodkkj32.exeC:\Windows\system32\Jodkkj32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Jimodo32.exeC:\Windows\system32\Jimodo32.exe65⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Jofhqiec.exeC:\Windows\system32\Jofhqiec.exe66⤵PID:2204
-
C:\Windows\SysWOW64\Kldofi32.exeC:\Windows\system32\Kldofi32.exe67⤵PID:636
-
C:\Windows\SysWOW64\Kcpcjl32.exeC:\Windows\system32\Kcpcjl32.exe68⤵PID:2156
-
C:\Windows\SysWOW64\Ljjkgfig.exeC:\Windows\system32\Ljjkgfig.exe69⤵PID:3028
-
C:\Windows\SysWOW64\Lpfdpmho.exeC:\Windows\system32\Lpfdpmho.exe70⤵
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Ljlhme32.exeC:\Windows\system32\Ljlhme32.exe71⤵PID:1460
-
C:\Windows\SysWOW64\Lpiqel32.exeC:\Windows\system32\Lpiqel32.exe72⤵PID:2272
-
C:\Windows\SysWOW64\Lfbibfmi.exeC:\Windows\system32\Lfbibfmi.exe73⤵PID:2732
-
C:\Windows\SysWOW64\Llpajmkq.exeC:\Windows\system32\Llpajmkq.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Lfeegfkf.exeC:\Windows\system32\Lfeegfkf.exe75⤵
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Llbnpm32.exeC:\Windows\system32\Llbnpm32.exe76⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Lfgbmf32.exeC:\Windows\system32\Lfgbmf32.exe77⤵PID:2284
-
C:\Windows\SysWOW64\Lobgah32.exeC:\Windows\system32\Lobgah32.exe78⤵PID:112
-
C:\Windows\SysWOW64\Mkihfi32.exeC:\Windows\system32\Mkihfi32.exe79⤵
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Meolcb32.exeC:\Windows\system32\Meolcb32.exe80⤵PID:3000
-
C:\Windows\SysWOW64\Mogqlgbi.exeC:\Windows\system32\Mogqlgbi.exe81⤵
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Meaiia32.exeC:\Windows\system32\Meaiia32.exe82⤵PID:2164
-
C:\Windows\SysWOW64\Mahinb32.exeC:\Windows\system32\Mahinb32.exe83⤵
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Mkqnghfk.exeC:\Windows\system32\Mkqnghfk.exe84⤵
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Mmojcceo.exeC:\Windows\system32\Mmojcceo.exe85⤵PID:2112
-
C:\Windows\SysWOW64\Mkcjlhdh.exeC:\Windows\system32\Mkcjlhdh.exe86⤵PID:2852
-
C:\Windows\SysWOW64\Nppceo32.exeC:\Windows\system32\Nppceo32.exe87⤵PID:1160
-
C:\Windows\SysWOW64\Nihgndip.exeC:\Windows\system32\Nihgndip.exe88⤵PID:2752
-
C:\Windows\SysWOW64\Nglhghgj.exeC:\Windows\system32\Nglhghgj.exe89⤵PID:2692
-
C:\Windows\SysWOW64\Nhmdoq32.exeC:\Windows\system32\Nhmdoq32.exe90⤵PID:1600
-
C:\Windows\SysWOW64\Naeigf32.exeC:\Windows\system32\Naeigf32.exe91⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Nlkmeo32.exeC:\Windows\system32\Nlkmeo32.exe92⤵
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Nceeaikk.exeC:\Windows\system32\Nceeaikk.exe93⤵
- System Location Discovery: System Language Discovery
PID:684 -
C:\Windows\SysWOW64\Ndfbia32.exeC:\Windows\system32\Ndfbia32.exe94⤵PID:1752
-
C:\Windows\SysWOW64\Najbbepc.exeC:\Windows\system32\Najbbepc.exe95⤵PID:1740
-
C:\Windows\SysWOW64\Okbgkk32.exeC:\Windows\system32\Okbgkk32.exe96⤵PID:1612
-
C:\Windows\SysWOW64\Odkkdqmd.exeC:\Windows\system32\Odkkdqmd.exe97⤵PID:2092
-
C:\Windows\SysWOW64\Okecak32.exeC:\Windows\system32\Okecak32.exe98⤵
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Ocphembl.exeC:\Windows\system32\Ocphembl.exe99⤵PID:2360
-
C:\Windows\SysWOW64\Ojjqbg32.exeC:\Windows\system32\Ojjqbg32.exe100⤵PID:2036
-
C:\Windows\SysWOW64\Odpeop32.exeC:\Windows\system32\Odpeop32.exe101⤵PID:2152
-
C:\Windows\SysWOW64\Ojlmgg32.exeC:\Windows\system32\Ojlmgg32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Oceaql32.exeC:\Windows\system32\Oceaql32.exe103⤵PID:2856
-
C:\Windows\SysWOW64\Ommfibdg.exeC:\Windows\system32\Ommfibdg.exe104⤵PID:2804
-
C:\Windows\SysWOW64\Pfekbg32.exeC:\Windows\system32\Pfekbg32.exe105⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Pmpcoabe.exeC:\Windows\system32\Pmpcoabe.exe106⤵PID:2680
-
C:\Windows\SysWOW64\Pblkgh32.exeC:\Windows\system32\Pblkgh32.exe107⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Pkeppngm.exeC:\Windows\system32\Pkeppngm.exe108⤵PID:628
-
C:\Windows\SysWOW64\Pfjdmggb.exeC:\Windows\system32\Pfjdmggb.exe109⤵PID:2656
-
C:\Windows\SysWOW64\Pgkqeo32.exeC:\Windows\system32\Pgkqeo32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1032 -
C:\Windows\SysWOW64\Pbaebh32.exeC:\Windows\system32\Pbaebh32.exe111⤵PID:1908
-
C:\Windows\SysWOW64\Pikmob32.exeC:\Windows\system32\Pikmob32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1260 -
C:\Windows\SysWOW64\Pnhegi32.exeC:\Windows\system32\Pnhegi32.exe113⤵PID:2664
-
C:\Windows\SysWOW64\Pafacd32.exeC:\Windows\system32\Pafacd32.exe114⤵PID:2324
-
C:\Windows\SysWOW64\Qedjib32.exeC:\Windows\system32\Qedjib32.exe115⤵PID:2292
-
C:\Windows\SysWOW64\Qjacai32.exeC:\Windows\system32\Qjacai32.exe116⤵PID:2748
-
C:\Windows\SysWOW64\Qcigjolm.exeC:\Windows\system32\Qcigjolm.exe117⤵PID:1860
-
C:\Windows\SysWOW64\Ajcpgi32.exeC:\Windows\system32\Ajcpgi32.exe118⤵PID:2128
-
C:\Windows\SysWOW64\Apphpp32.exeC:\Windows\system32\Apphpp32.exe119⤵PID:2116
-
C:\Windows\SysWOW64\Ajelmiag.exeC:\Windows\system32\Ajelmiag.exe120⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Acnqen32.exeC:\Windows\system32\Acnqen32.exe121⤵PID:1960
-
C:\Windows\SysWOW64\Aeommfnf.exeC:\Windows\system32\Aeommfnf.exe122⤵PID:2332
-
C:\Windows\SysWOW64\Angafl32.exeC:\Windows\system32\Angafl32.exe123⤵PID:2424
-
C:\Windows\SysWOW64\Aimfcedl.exeC:\Windows\system32\Aimfcedl.exe124⤵PID:1324
-
C:\Windows\SysWOW64\Allbpqcp.exeC:\Windows\system32\Allbpqcp.exe125⤵PID:2976
-
C:\Windows\SysWOW64\Aahkhgag.exeC:\Windows\system32\Aahkhgag.exe126⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Bbhgbj32.exeC:\Windows\system32\Bbhgbj32.exe127⤵PID:2892
-
C:\Windows\SysWOW64\Bdiciboh.exeC:\Windows\system32\Bdiciboh.exe128⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Bjclfmfe.exeC:\Windows\system32\Bjclfmfe.exe129⤵PID:2412
-
C:\Windows\SysWOW64\Bdkpob32.exeC:\Windows\system32\Bdkpob32.exe130⤵PID:108
-
C:\Windows\SysWOW64\Bmdehgcf.exeC:\Windows\system32\Bmdehgcf.exe131⤵PID:972
-
C:\Windows\SysWOW64\Bfliqmjg.exeC:\Windows\system32\Bfliqmjg.exe132⤵PID:888
-
C:\Windows\SysWOW64\Bfoffmhd.exeC:\Windows\system32\Bfoffmhd.exe133⤵PID:2076
-
C:\Windows\SysWOW64\Bpgjob32.exeC:\Windows\system32\Bpgjob32.exe134⤵
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Beccgi32.exeC:\Windows\system32\Beccgi32.exe135⤵PID:2432
-
C:\Windows\SysWOW64\Cbhcankf.exeC:\Windows\system32\Cbhcankf.exe136⤵PID:2224
-
C:\Windows\SysWOW64\Cialng32.exeC:\Windows\system32\Cialng32.exe137⤵PID:1456
-
C:\Windows\SysWOW64\Cpldjajo.exeC:\Windows\system32\Cpldjajo.exe138⤵PID:2880
-
C:\Windows\SysWOW64\Cehlbihg.exeC:\Windows\system32\Cehlbihg.exe139⤵PID:1104
-
C:\Windows\SysWOW64\Clbdobpc.exeC:\Windows\system32\Clbdobpc.exe140⤵PID:2792
-
C:\Windows\SysWOW64\Coqaknog.exeC:\Windows\system32\Coqaknog.exe141⤵PID:2200
-
C:\Windows\SysWOW64\Cekihh32.exeC:\Windows\system32\Cekihh32.exe142⤵PID:1924
-
C:\Windows\SysWOW64\Cleaebna.exeC:\Windows\system32\Cleaebna.exe143⤵PID:980
-
C:\Windows\SysWOW64\Caajmilh.exeC:\Windows\system32\Caajmilh.exe144⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Dpkpie32.exeC:\Windows\system32\Dpkpie32.exe145⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1548 -
C:\Windows\SysWOW64\Dnoqbi32.exeC:\Windows\system32\Dnoqbi32.exe146⤵PID:2580
-
C:\Windows\SysWOW64\Dldndf32.exeC:\Windows\system32\Dldndf32.exe147⤵
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Dbaflm32.exeC:\Windows\system32\Dbaflm32.exe148⤵PID:940
-
C:\Windows\SysWOW64\Eoefea32.exeC:\Windows\system32\Eoefea32.exe149⤵PID:592
-
C:\Windows\SysWOW64\Efoobkej.exeC:\Windows\system32\Efoobkej.exe150⤵
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Eligoe32.exeC:\Windows\system32\Eligoe32.exe151⤵PID:2828
-
C:\Windows\SysWOW64\Eddlcgjb.exeC:\Windows\system32\Eddlcgjb.exe152⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Ebhlmlhl.exeC:\Windows\system32\Ebhlmlhl.exe153⤵PID:1120
-
C:\Windows\SysWOW64\Ehbdif32.exeC:\Windows\system32\Ehbdif32.exe154⤵PID:1096
-
C:\Windows\SysWOW64\Ejcaanfg.exeC:\Windows\system32\Ejcaanfg.exe155⤵
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Ebkibk32.exeC:\Windows\system32\Ebkibk32.exe156⤵
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Eggajb32.exeC:\Windows\system32\Eggajb32.exe157⤵PID:2524
-
C:\Windows\SysWOW64\Ejfnfn32.exeC:\Windows\system32\Ejfnfn32.exe158⤵PID:2372
-
C:\Windows\SysWOW64\Emdjbi32.exeC:\Windows\system32\Emdjbi32.exe159⤵PID:2296
-
C:\Windows\SysWOW64\Fgjnpb32.exeC:\Windows\system32\Fgjnpb32.exe160⤵PID:2952
-
C:\Windows\SysWOW64\Fndfmljk.exeC:\Windows\system32\Fndfmljk.exe161⤵PID:1656
-
C:\Windows\SysWOW64\Fcqoec32.exeC:\Windows\system32\Fcqoec32.exe162⤵PID:1060
-
C:\Windows\SysWOW64\Fmicnhob.exeC:\Windows\system32\Fmicnhob.exe163⤵PID:2740
-
C:\Windows\SysWOW64\Ffahgn32.exeC:\Windows\system32\Ffahgn32.exe164⤵PID:1824
-
C:\Windows\SysWOW64\Flnpoe32.exeC:\Windows\system32\Flnpoe32.exe165⤵PID:276
-
C:\Windows\SysWOW64\Fpjlpclc.exeC:\Windows\system32\Fpjlpclc.exe166⤵PID:2020
-
C:\Windows\SysWOW64\Fefdhj32.exeC:\Windows\system32\Fefdhj32.exe167⤵PID:2084
-
C:\Windows\SysWOW64\Flqmddah.exeC:\Windows\system32\Flqmddah.exe168⤵PID:2872
-
C:\Windows\SysWOW64\Fbjeao32.exeC:\Windows\system32\Fbjeao32.exe169⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2056 -
C:\Windows\SysWOW64\Fhgnie32.exeC:\Windows\system32\Fhgnie32.exe170⤵PID:2912
-
C:\Windows\SysWOW64\Gnaffpoi.exeC:\Windows\system32\Gnaffpoi.exe171⤵PID:2108
-
C:\Windows\SysWOW64\Glefpd32.exeC:\Windows\system32\Glefpd32.exe172⤵PID:272
-
C:\Windows\SysWOW64\Genkhidc.exeC:\Windows\system32\Genkhidc.exe173⤵PID:2068
-
C:\Windows\SysWOW64\Glgcec32.exeC:\Windows\system32\Glgcec32.exe174⤵PID:2240
-
C:\Windows\SysWOW64\Gadkmj32.exeC:\Windows\system32\Gadkmj32.exe175⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Gfadeaho.exeC:\Windows\system32\Gfadeaho.exe176⤵PID:3056
-
C:\Windows\SysWOW64\Gmklbk32.exeC:\Windows\system32\Gmklbk32.exe177⤵
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Ghqqpd32.exeC:\Windows\system32\Ghqqpd32.exe178⤵PID:984
-
C:\Windows\SysWOW64\Gmmihk32.exeC:\Windows\system32\Gmmihk32.exe179⤵PID:2584
-
C:\Windows\SysWOW64\Gffmqq32.exeC:\Windows\system32\Gffmqq32.exe180⤵
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Hbmnfajm.exeC:\Windows\system32\Hbmnfajm.exe181⤵PID:1856
-
C:\Windows\SysWOW64\Hjdfgojp.exeC:\Windows\system32\Hjdfgojp.exe182⤵PID:1604
-
C:\Windows\SysWOW64\Hfjglppd.exeC:\Windows\system32\Hfjglppd.exe183⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Hoflpbmo.exeC:\Windows\system32\Hoflpbmo.exe184⤵PID:1500
-
C:\Windows\SysWOW64\Hljljflh.exeC:\Windows\system32\Hljljflh.exe185⤵PID:3100
-
C:\Windows\SysWOW64\Hinlck32.exeC:\Windows\system32\Hinlck32.exe186⤵PID:3140
-
C:\Windows\SysWOW64\Hbfalpab.exeC:\Windows\system32\Hbfalpab.exe187⤵PID:3180
-
C:\Windows\SysWOW64\Idgmch32.exeC:\Windows\system32\Idgmch32.exe188⤵PID:3220
-
C:\Windows\SysWOW64\Ikafpbon.exeC:\Windows\system32\Ikafpbon.exe189⤵
- System Location Discovery: System Language Discovery
PID:3260 -
C:\Windows\SysWOW64\Idjjih32.exeC:\Windows\system32\Idjjih32.exe190⤵PID:3300
-
C:\Windows\SysWOW64\Inbobn32.exeC:\Windows\system32\Inbobn32.exe191⤵PID:3340
-
C:\Windows\SysWOW64\Iapghlbe.exeC:\Windows\system32\Iapghlbe.exe192⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3380 -
C:\Windows\SysWOW64\Ijklmn32.exeC:\Windows\system32\Ijklmn32.exe193⤵PID:3420
-
C:\Windows\SysWOW64\Iccqedfa.exeC:\Windows\system32\Iccqedfa.exe194⤵PID:3460
-
C:\Windows\SysWOW64\Ijmibn32.exeC:\Windows\system32\Ijmibn32.exe195⤵PID:3500
-
C:\Windows\SysWOW64\Jpjndh32.exeC:\Windows\system32\Jpjndh32.exe196⤵PID:3540
-
C:\Windows\SysWOW64\Jfffmo32.exeC:\Windows\system32\Jfffmo32.exe197⤵PID:3580
-
C:\Windows\SysWOW64\Jcjffc32.exeC:\Windows\system32\Jcjffc32.exe198⤵PID:3624
-
C:\Windows\SysWOW64\Jlckoh32.exeC:\Windows\system32\Jlckoh32.exe199⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3664 -
C:\Windows\SysWOW64\Jndgfqlh.exeC:\Windows\system32\Jndgfqlh.exe200⤵PID:3704
-
C:\Windows\SysWOW64\Jgllof32.exeC:\Windows\system32\Jgllof32.exe201⤵PID:3744
-
C:\Windows\SysWOW64\Kgoief32.exeC:\Windows\system32\Kgoief32.exe202⤵PID:3784
-
C:\Windows\SysWOW64\Kqgmnk32.exeC:\Windows\system32\Kqgmnk32.exe203⤵PID:3824
-
C:\Windows\SysWOW64\Kjpafanf.exeC:\Windows\system32\Kjpafanf.exe204⤵PID:3864
-
C:\Windows\SysWOW64\Kjdkap32.exeC:\Windows\system32\Kjdkap32.exe205⤵PID:3904
-
C:\Windows\SysWOW64\Kqncnjan.exeC:\Windows\system32\Kqncnjan.exe206⤵PID:3944
-
C:\Windows\SysWOW64\Kbppfb32.exeC:\Windows\system32\Kbppfb32.exe207⤵PID:3984
-
C:\Windows\SysWOW64\Kkhdohnm.exeC:\Windows\system32\Kkhdohnm.exe208⤵PID:4028
-
C:\Windows\SysWOW64\Lbbmlbej.exeC:\Windows\system32\Lbbmlbej.exe209⤵PID:4068
-
C:\Windows\SysWOW64\Lilehl32.exeC:\Windows\system32\Lilehl32.exe210⤵PID:1828
-
C:\Windows\SysWOW64\Lpfmefdc.exeC:\Windows\system32\Lpfmefdc.exe211⤵PID:3120
-
C:\Windows\SysWOW64\Lgaaiian.exeC:\Windows\system32\Lgaaiian.exe212⤵PID:3168
-
C:\Windows\SysWOW64\Lgcooh32.exeC:\Windows\system32\Lgcooh32.exe213⤵PID:3228
-
C:\Windows\SysWOW64\Lbibla32.exeC:\Windows\system32\Lbibla32.exe214⤵PID:3280
-
C:\Windows\SysWOW64\Lnpcabef.exeC:\Windows\system32\Lnpcabef.exe215⤵PID:3336
-
C:\Windows\SysWOW64\Lhhhjhkf.exeC:\Windows\system32\Lhhhjhkf.exe216⤵PID:3368
-
C:\Windows\SysWOW64\Minnmomo.exeC:\Windows\system32\Minnmomo.exe217⤵PID:3392
-
C:\Windows\SysWOW64\Mdcbjhme.exeC:\Windows\system32\Mdcbjhme.exe218⤵PID:3480
-
C:\Windows\SysWOW64\Momckfid.exeC:\Windows\system32\Momckfid.exe219⤵PID:3512
-
C:\Windows\SysWOW64\Mpmpeiqg.exeC:\Windows\system32\Mpmpeiqg.exe220⤵PID:3568
-
C:\Windows\SysWOW64\Neihmpon.exeC:\Windows\system32\Neihmpon.exe221⤵PID:3620
-
C:\Windows\SysWOW64\Nbmhfdnh.exeC:\Windows\system32\Nbmhfdnh.exe222⤵PID:3684
-
C:\Windows\SysWOW64\Nmgiga32.exeC:\Windows\system32\Nmgiga32.exe223⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3728 -
C:\Windows\SysWOW64\Noffadai.exeC:\Windows\system32\Noffadai.exe224⤵PID:3776
-
C:\Windows\SysWOW64\Nhojjjhj.exeC:\Windows\system32\Nhojjjhj.exe225⤵PID:3832
-
C:\Windows\SysWOW64\Npjonlee.exeC:\Windows\system32\Npjonlee.exe226⤵PID:3880
-
C:\Windows\SysWOW64\Olapcm32.exeC:\Windows\system32\Olapcm32.exe227⤵PID:3932
-
C:\Windows\SysWOW64\Olclimif.exeC:\Windows\system32\Olclimif.exe228⤵
- Modifies registry class
PID:3964 -
C:\Windows\SysWOW64\Oekaab32.exeC:\Windows\system32\Oekaab32.exe229⤵PID:4016
-
C:\Windows\SysWOW64\Ojijha32.exeC:\Windows\system32\Ojijha32.exe230⤵
- Modifies registry class
PID:4084 -
C:\Windows\SysWOW64\Okkfoikl.exeC:\Windows\system32\Okkfoikl.exe231⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3092 -
C:\Windows\SysWOW64\Okmceiii.exeC:\Windows\system32\Okmceiii.exe232⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3112 -
C:\Windows\SysWOW64\Oagkac32.exeC:\Windows\system32\Oagkac32.exe233⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3212 -
C:\Windows\SysWOW64\Pnnlfd32.exeC:\Windows\system32\Pnnlfd32.exe234⤵PID:3272
-
C:\Windows\SysWOW64\Pjdlkeln.exeC:\Windows\system32\Pjdlkeln.exe235⤵PID:3320
-
C:\Windows\SysWOW64\Pcmadj32.exeC:\Windows\system32\Pcmadj32.exe236⤵PID:3412
-
C:\Windows\SysWOW64\Pjgiad32.exeC:\Windows\system32\Pjgiad32.exe237⤵PID:3436
-
C:\Windows\SysWOW64\Pgkjji32.exeC:\Windows\system32\Pgkjji32.exe238⤵PID:3532
-
C:\Windows\SysWOW64\Pofnok32.exeC:\Windows\system32\Pofnok32.exe239⤵PID:3588
-
C:\Windows\SysWOW64\Pinchq32.exeC:\Windows\system32\Pinchq32.exe240⤵PID:3640
-
C:\Windows\SysWOW64\Qohkdkdn.exeC:\Windows\system32\Qohkdkdn.exe241⤵PID:3724
-
C:\Windows\SysWOW64\Qiqpmp32.exeC:\Windows\system32\Qiqpmp32.exe242⤵PID:3792