Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 16-09-2024 10:46
Static task: static1
Behavioral task: behavioral1
  Sample: Backdoor.Win32.Berbew.AA.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: Backdoor.Win32.Berbew.AA.exe
  Resource: win10v2004-20240802-en
General
Target: Backdoor.Win32.Berbew.AA.exe
Size: 64KB
MD5: bf61de697cc6c16787f41e193623c630
SHA1: 1bdb744c0c467a7d5675a2951590310a384c1490
SHA256: 48c9d9448d61374ea97e7ba4b1a833fe1f1b09ce7347675c2022bfe1b04fe0c5
SHA512: c19f883490f8bff0e98ecb53f1133ca5dbc4efd320884d6af459499bf0c0588121a953d64a3a9337d911bba6e4cf41be618bd45d1e6b083a8d8cebe5ee2e21f1
SSDEEP: 768:9xpxxTVK50Ex7FpPSNvn+Ycmqlbv8oJ7+VYfWDQ/yFdM9X+X1kh02p/1H5wcnXdQ:9xnyHoNv4dvx5faQ/yF6h02L3AMCeW
Malware Config
Extracted
berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes: WerFault.exe (pid 5436); target process Flnndp32.exe (pid 5412)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
"C:\\Windows\\SysWow64\\Nhnginii.dll" Gcppkbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfhgggim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaajccm.dll" Dbadagln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almpdj32.dll" Eiilge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhmldfdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knlhlg32.dll" Heqimm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miapbpmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfjildbp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Backdoor.Win32.Berbew.AA.exe, Qanmcdlm.exe, Qfkelkkd.exe, Qiiahgjh.exe, Qbafalph.exe, Aiknnf32.exe, Aljjjb32.exe, Afpogk32.exe, Aphcppmo.exe, Aokckm32.exe, Aedlhg32.exe, Ahchdb32.exe, Aompambg.exe, Adjhicpo.exe, Ahedjb32.exe, Aoomflpd.exe
description pid process target process
PID 2324 wrote to memory of 2760 2324 Backdoor.Win32.Berbew.AA.exe Qanmcdlm.exe
PID 2324 wrote to memory of 2760 2324 Backdoor.Win32.Berbew.AA.exe Qanmcdlm.exe
PID 2324 wrote to memory of 2760 2324 Backdoor.Win32.Berbew.AA.exe Qanmcdlm.exe
PID 2324 wrote to memory of 2760 2324 Backdoor.Win32.Berbew.AA.exe Qanmcdlm.exe
PID 2760 wrote to memory of 2560 2760 Qanmcdlm.exe Qfkelkkd.exe
PID 2760 wrote to memory of 2560 2760 Qanmcdlm.exe Qfkelkkd.exe
PID 2760 wrote to memory of 2560 2760 Qanmcdlm.exe Qfkelkkd.exe
PID 2760 wrote to memory of 2560 2760 Qanmcdlm.exe Qfkelkkd.exe
PID 2560 wrote to memory of 2576 2560 Qfkelkkd.exe Qiiahgjh.exe
PID 2560 wrote to memory of 2576 2560 Qfkelkkd.exe Qiiahgjh.exe
PID 2560 wrote to memory of 2576 2560 Qfkelkkd.exe Qiiahgjh.exe
PID 2560 wrote to memory of 2576 2560 Qfkelkkd.exe Qiiahgjh.exe
PID 2576 wrote to memory of 2564 2576 Qiiahgjh.exe Qbafalph.exe
PID 2576 wrote to memory of 2564 2576 Qiiahgjh.exe Qbafalph.exe
PID 2576 wrote to memory of 2564 2576 Qiiahgjh.exe Qbafalph.exe
PID 2576 wrote to memory of 2564 2576 Qiiahgjh.exe Qbafalph.exe
PID 2564 wrote to memory of 2236 2564 Qbafalph.exe Aiknnf32.exe
PID 2564 wrote to memory of 2236 2564 Qbafalph.exe Aiknnf32.exe
PID 2564 wrote to memory of 2236 2564 Qbafalph.exe Aiknnf32.exe
PID 2564 wrote to memory of 2236 2564 Qbafalph.exe Aiknnf32.exe
PID 2236 wrote to memory of 1904 2236 Aiknnf32.exe Aljjjb32.exe
PID 2236 wrote to memory of 1904 2236 Aiknnf32.exe Aljjjb32.exe
PID 2236 wrote to memory of 1904 2236 Aiknnf32.exe Aljjjb32.exe
PID 2236 wrote to memory of 1904 2236 Aiknnf32.exe Aljjjb32.exe
PID 1904 wrote to memory of 2984 1904 Aljjjb32.exe Afpogk32.exe
PID 1904 wrote to memory of 2984 1904 Aljjjb32.exe Afpogk32.exe
PID 1904 wrote to memory of 2984 1904 Aljjjb32.exe Afpogk32.exe
PID 1904 wrote to memory of 2984 1904 Aljjjb32.exe Afpogk32.exe
PID 2984 wrote to memory of 2252 2984 Afpogk32.exe Aphcppmo.exe
PID 2984 wrote to memory of 2252 2984 Afpogk32.exe Aphcppmo.exe
PID 2984 wrote to memory of 2252 2984 Afpogk32.exe Aphcppmo.exe
PID 2984 wrote to memory of 2252 2984 Afpogk32.exe Aphcppmo.exe
PID 2252 wrote to memory of 1492 2252 Aphcppmo.exe Aokckm32.exe
PID 2252 wrote to memory of 1492 2252 Aphcppmo.exe Aokckm32.exe
PID 2252 wrote to memory of 1492 2252 Aphcppmo.exe Aokckm32.exe
PID 2252 wrote to memory of 1492 2252 Aphcppmo.exe Aokckm32.exe
PID 1492 wrote to memory of 764 1492 Aokckm32.exe Aedlhg32.exe
PID 1492 wrote to memory of 764 1492 Aokckm32.exe Aedlhg32.exe
PID 1492 wrote to memory of 764 1492 Aokckm32.exe Aedlhg32.exe
PID 1492 wrote to memory of 764 1492 Aokckm32.exe Aedlhg32.exe
PID 764 wrote to memory of 444 764 Aedlhg32.exe Ahchdb32.exe
PID 764 wrote to memory of 444 764 Aedlhg32.exe Ahchdb32.exe
PID 764 wrote to memory of 444 764 Aedlhg32.exe Ahchdb32.exe
PID 764 wrote to memory of 444 764 Aedlhg32.exe Ahchdb32.exe
PID 444 wrote to memory of 1908 444 Ahchdb32.exe Aompambg.exe
PID 444 wrote to memory of 1908 444 Ahchdb32.exe Aompambg.exe
PID 444 wrote to memory of 1908 444 Ahchdb32.exe Aompambg.exe
PID 444 wrote to memory of 1908 444 Ahchdb32.exe Aompambg.exe
PID 1908 wrote to memory of 592 1908 Aompambg.exe Adjhicpo.exe
PID 1908 wrote to memory of 592 1908 Aompambg.exe Adjhicpo.exe
PID 1908 wrote to memory of 592 1908 Aompambg.exe Adjhicpo.exe
PID 1908 wrote to memory of 592 1908 Aompambg.exe Adjhicpo.exe
PID 592 wrote to memory of 2084 592 Adjhicpo.exe Ahedjb32.exe
PID 592 wrote to memory of 2084 592 Adjhicpo.exe Ahedjb32.exe
PID 592 wrote to memory of 2084 592 Adjhicpo.exe Ahedjb32.exe
PID 592 wrote to memory of 2084 592 Adjhicpo.exe Ahedjb32.exe
PID 2084 wrote to memory of 3012 2084 Ahedjb32.exe Aoomflpd.exe
PID 2084 wrote to memory of 3012 2084 Ahedjb32.exe Aoomflpd.exe
PID 2084 wrote to memory of 3012 2084 Ahedjb32.exe Aoomflpd.exe
PID 2084 wrote to memory of 3012 2084 Ahedjb32.exe Aoomflpd.exe
PID 3012 wrote to memory of 1932 3012 Aoomflpd.exe Adleoc32.exe
PID 3012 wrote to memory of 1932 3012 Aoomflpd.exe Adleoc32.exe
PID 3012 wrote to memory of 1932 3012 Aoomflpd.exe Adleoc32.exe
PID 3012 wrote to memory of 1932 3012 Aoomflpd.exe Adleoc32.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe")
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
2. C:\Windows\SysWOW64\Qanmcdlm.exe (command line: C:\Windows\system32\Qanmcdlm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2760 -
3. C:\Windows\SysWOW64\Qfkelkkd.exe (command line: C:\Windows\system32\Qfkelkkd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
4. C:\Windows\SysWOW64\Qiiahgjh.exe (command line: C:\Windows\system32\Qiiahgjh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
5. C:\Windows\SysWOW64\Qbafalph.exe (command line: C:\Windows\system32\Qbafalph.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2564 -
6. C:\Windows\SysWOW64\Aiknnf32.exe (command line: C:\Windows\system32\Aiknnf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
7. C:\Windows\SysWOW64\Aljjjb32.exe (command line: C:\Windows\system32\Aljjjb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904 -
8. C:\Windows\SysWOW64\Afpogk32.exe (command line: C:\Windows\system32\Afpogk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
9. C:\Windows\SysWOW64\Aphcppmo.exe (command line: C:\Windows\system32\Aphcppmo.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
10. C:\Windows\SysWOW64\Aokckm32.exe (command line: C:\Windows\system32\Aokckm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1492 -
11. C:\Windows\SysWOW64\Aedlhg32.exe (command line: C:\Windows\system32\Aedlhg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:764 -
12. C:\Windows\SysWOW64\Ahchdb32.exe (command line: C:\Windows\system32\Ahchdb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:444 -
13. C:\Windows\SysWOW64\Aompambg.exe (command line: C:\Windows\system32\Aompambg.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1908 -
14. C:\Windows\SysWOW64\Adjhicpo.exe (command line: C:\Windows\system32\Adjhicpo.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
15. C:\Windows\SysWOW64\Ahedjb32.exe (command line: C:\Windows\system32\Ahedjb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
16. C:\Windows\SysWOW64\Aoomflpd.exe (command line: C:\Windows\system32\Aoomflpd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
17. C:\Windows\SysWOW64\Adleoc32.exe (command line: C:\Windows\system32\Adleoc32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
18. C:\Windows\SysWOW64\Agkako32.exe (command line: C:\Windows\system32\Agkako32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
19. C:\Windows\SysWOW64\Bapfhg32.exe (command line: C:\Windows\system32\Bapfhg32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:348 -
20. C:\Windows\SysWOW64\Bhjneadb.exe (command line: C:\Windows\system32\Bhjneadb.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2868 -
21. C:\Windows\SysWOW64\Bgmnpn32.exe (command line: C:\Windows\system32\Bgmnpn32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
22. C:\Windows\SysWOW64\Bngfmhbj.exe (command line: C:\Windows\system32\Bngfmhbj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2212 -
23. C:\Windows\SysWOW64\Bccoeo32.exe (command line: C:\Windows\system32\Bccoeo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:376 -
24. C:\Windows\SysWOW64\Bgokfnij.exe (command line: C:\Windows\system32\Bgokfnij.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:840 -
25. C:\Windows\SysWOW64\Bdckobhd.exe (command line: C:\Windows\system32\Bdckobhd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2168 -
26. C:\Windows\SysWOW64\Bgahkngh.exe (command line: C:\Windows\system32\Bgahkngh.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1496 -
27. C:\Windows\SysWOW64\Bedhgj32.exe (command line: C:\Windows\system32\Bedhgj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2976 -
28. C:\Windows\SysWOW64\Bomlppdb.exe (command line: C:\Windows\system32\Bomlppdb.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
29. C:\Windows\SysWOW64\Bheaiekc.exe (command line: C:\Windows\system32\Bheaiekc.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
30. C:\Windows\SysWOW64\Booiep32.exe (command line: C:\Windows\system32\Booiep32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2596 -
31. C:\Windows\SysWOW64\Bfiabjjm.exe (command line: C:\Windows\system32\Bfiabjjm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1408 -
32. C:\Windows\SysWOW64\Chgnneiq.exe (command line: C:\Windows\system32\Chgnneiq.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
33. C:\Windows\SysWOW64\Cbpbgk32.exe (command line: C:\Windows\system32\Cbpbgk32.exe)
- Executes dropped EXE
PID:792 -
34. C:\Windows\SysWOW64\Cdnncfoe.exe (command line: C:\Windows\system32\Cdnncfoe.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2188 -
35. C:\Windows\SysWOW64\Ckhfpp32.exe (command line: C:\Windows\system32\Ckhfpp32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1488 -
36. C:\Windows\SysWOW64\Codbqonk.exe (command line: C:\Windows\system32\Codbqonk.exe)
- Executes dropped EXE
PID:2612 -
37. C:\Windows\SysWOW64\Cfnkmi32.exe (command line: C:\Windows\system32\Cfnkmi32.exe)
- Executes dropped EXE
PID:1352 -
38. C:\Windows\SysWOW64\Chlgid32.exe (command line: C:\Windows\system32\Chlgid32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2392 -
39. C:\Windows\SysWOW64\Ckkcep32.exe (command line: C:\Windows\system32\Ckkcep32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:536 -
40. C:\Windows\SysWOW64\Cnipak32.exe (command line: C:\Windows\system32\Cnipak32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2204 -
41. C:\Windows\SysWOW64\Cdedde32.exe (command line: C:\Windows\system32\Cdedde32.exe)
- Executes dropped EXE
PID:1948 -
42. C:\Windows\SysWOW64\Cchdpbog.exe (command line: C:\Windows\system32\Cchdpbog.exe)
- Executes dropped EXE
PID:2504 -
43. C:\Windows\SysWOW64\Cqleifna.exe (command line: C:\Windows\system32\Cqleifna.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1276 -
44. C:\Windows\SysWOW64\Dcjaeamd.exe (command line: C:\Windows\system32\Dcjaeamd.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1056 -
45. C:\Windows\SysWOW64\Dgfmep32.exe (command line: C:\Windows\system32\Dgfmep32.exe)
- Executes dropped EXE
PID:556 -
46. C:\Windows\SysWOW64\Dfinam32.exe (command line: C:\Windows\system32\Dfinam32.exe)
- Executes dropped EXE
PID:1992 -
47. C:\Windows\SysWOW64\Dqobnf32.exe (command line: C:\Windows\system32\Dqobnf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2120 -
48. C:\Windows\SysWOW64\Doabjbci.exe (command line: C:\Windows\system32\Doabjbci.exe)
- Executes dropped EXE
PID:2476 -
49. C:\Windows\SysWOW64\Dcmnja32.exe (command line: C:\Windows\system32\Dcmnja32.exe)
- Executes dropped EXE
PID:2216 -
50. C:\Windows\SysWOW64\Dfkjgm32.exe (command line: C:\Windows\system32\Dfkjgm32.exe)
- Executes dropped EXE
PID:2836 -
51. C:\Windows\SysWOW64\Dijfch32.exe (command line: C:\Windows\system32\Dijfch32.exe)
- Executes dropped EXE
- Modifies registry class
PID:1624 -
52. C:\Windows\SysWOW64\Dmebcgbb.exe (command line: C:\Windows\system32\Dmebcgbb.exe)
- Executes dropped EXE
PID:1588 -
53. C:\Windows\SysWOW64\Dbbklnpj.exe (command line: C:\Windows\system32\Dbbklnpj.exe)
- Executes dropped EXE
PID:2776 -
54. C:\Windows\SysWOW64\Dfngll32.exe (command line: C:\Windows\system32\Dfngll32.exe)
- Executes dropped EXE
PID:2184 -
55. C:\Windows\SysWOW64\Djicmk32.exe (command line: C:\Windows\system32\Djicmk32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2352 -
56. C:\Windows\SysWOW64\Dmgoif32.exe (command line: C:\Windows\system32\Dmgoif32.exe)
- Executes dropped EXE
PID:2992 -
57. C:\Windows\SysWOW64\Dkjpdcfj.exe (command line: C:\Windows\system32\Dkjpdcfj.exe)
- Executes dropped EXE
PID:2388 -
58. C:\Windows\SysWOW64\Dcageqgm.exe (command line: C:\Windows\system32\Dcageqgm.exe)
- Executes dropped EXE
PID:1220 -
59. C:\Windows\SysWOW64\Dfpcblfp.exe (command line: C:\Windows\system32\Dfpcblfp.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:344 -
60. C:\Windows\SysWOW64\Decdmi32.exe (command line: C:\Windows\system32\Decdmi32.exe)
- Executes dropped EXE
PID:588 -
61. C:\Windows\SysWOW64\Dinpnged.exe (command line: C:\Windows\system32\Dinpnged.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2136 -
62. C:\Windows\SysWOW64\Dkmljcdh.exe (command line: C:\Windows\system32\Dkmljcdh.exe)
- Executes dropped EXE
PID:1672 -
63. C:\Windows\SysWOW64\Dnkhfnck.exe (command line: C:\Windows\system32\Dnkhfnck.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1328 -
64. C:\Windows\SysWOW64\Dbgdgm32.exe (command line: C:\Windows\system32\Dbgdgm32.exe)
- Executes dropped EXE
PID:1916 -
65. C:\Windows\SysWOW64\Deeqch32.exe (command line: C:\Windows\system32\Deeqch32.exe)
- Executes dropped EXE
PID:2952 -
66. C:\Windows\SysWOW64\Diqmcgca.exe (command line: C:\Windows\system32\Diqmcgca.exe)
PID:1608 -
67. C:\Windows\SysWOW64\Eloipb32.exe (command line: C:\Windows\system32\Eloipb32.exe)
PID:564 -
68. C:\Windows\SysWOW64\Epkepakn.exe (command line: C:\Windows\system32\Epkepakn.exe)
PID:2460 -
69. C:\Windows\SysWOW64\Enneln32.exe (command line: C:\Windows\system32\Enneln32.exe)
- Drops file in System32 directory
PID:2224 -
70. C:\Windows\SysWOW64\Ealahi32.exe (command line: C:\Windows\system32\Ealahi32.exe)
PID:2832 -
71. C:\Windows\SysWOW64\Eegmhhie.exe (command line: C:\Windows\system32\Eegmhhie.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2548 -
72. C:\Windows\SysWOW64\Eiciig32.exe (command line: C:\Windows\system32\Eiciig32.exe)
- System Location Discovery: System Language Discovery
PID:3056 -
73. C:\Windows\SysWOW64\Egfjdchi.exe (command line: C:\Windows\system32\Egfjdchi.exe)
PID:1692 -
74. C:\Windows\SysWOW64\Ejdfqogm.exe (command line: C:\Windows\system32\Ejdfqogm.exe)
PID:584 -
75. C:\Windows\SysWOW64\Ebknblho.exe (command line: C:\Windows\system32\Ebknblho.exe)
PID:2780 -
76. C:\Windows\SysWOW64\Eejjnhgc.exe (command line: C:\Windows\system32\Eejjnhgc.exe)
PID:2440 -
77. C:\Windows\SysWOW64\Ecmjid32.exe (command line: C:\Windows\system32\Ecmjid32.exe)
- System Location Discovery: System Language Discovery
PID:2196 -
78. C:\Windows\SysWOW64\Ehhfjcff.exe (command line: C:\Windows\system32\Ehhfjcff.exe)
PID:2232 -
79. C:\Windows\SysWOW64\Enbogmnc.exe (command line: C:\Windows\system32\Enbogmnc.exe)
- Drops file in System32 directory
PID:780 -
80. C:\Windows\SysWOW64\Eelgcg32.exe (command line: C:\Windows\system32\Eelgcg32.exe)
PID:2208 -
81. C:\Windows\SysWOW64\Ehkcpc32.exe (command line: C:\Windows\system32\Ehkcpc32.exe)
PID:1436 -
82. C:\Windows\SysWOW64\Efmckpko.exe (command line: C:\Windows\system32\Efmckpko.exe)
- Modifies registry class
PID:1176 -
83. C:\Windows\SysWOW64\Endklmlq.exe (command line: C:\Windows\system32\Endklmlq.exe)
PID:1816 -
84. C:\Windows\SysWOW64\Emgkhj32.exe (command line: C:\Windows\system32\Emgkhj32.exe)
PID:3024 -
85. C:\Windows\SysWOW64\Epfhde32.exe (command line: C:\Windows\system32\Epfhde32.exe)
- Modifies registry class
PID:2788 -
86. C:\Windows\SysWOW64\Ehmpeb32.exe (command line: C:\Windows\system32\Ehmpeb32.exe)
- Drops file in System32 directory
PID:2796 -
87. C:\Windows\SysWOW64\Efppqoil.exe (command line: C:\Windows\system32\Efppqoil.exe)
- Modifies registry class
PID:2604 -
88. C:\Windows\SysWOW64\Ejklan32.exe (command line: C:\Windows\system32\Ejklan32.exe)
- System Location Discovery: System Language Discovery
PID:2332 -
89. C:\Windows\SysWOW64\Einlmkhp.exe (command line: C:\Windows\system32\Einlmkhp.exe)
PID:2628 -
90. C:\Windows\SysWOW64\Emjhmipi.exe (command line: C:\Windows\system32\Emjhmipi.exe)
PID:1592 -
91. C:\Windows\SysWOW64\Ephdjeol.exe (command line: C:\Windows\system32\Ephdjeol.exe)
PID:1680 -
92. C:\Windows\SysWOW64\Edcqjc32.exe (command line: C:\Windows\system32\Edcqjc32.exe)
PID:3032 -
93. C:\Windows\SysWOW64\Ebfqfpop.exe (command line: C:\Windows\system32\Ebfqfpop.exe)
- System Location Discovery: System Language Discovery
PID:2372 -
94. C:\Windows\SysWOW64\Fjnignob.exe (command line: C:\Windows\system32\Fjnignob.exe)
PID:2968 -
95. C:\Windows\SysWOW64\Fiqibj32.exe (command line: C:\Windows\system32\Fiqibj32.exe)
PID:952 -
96. C:\Windows\SysWOW64\Fmlecinf.exe (command line: C:\Windows\system32\Fmlecinf.exe)
- System Location Discovery: System Language Discovery
PID:2008 -
97. C:\Windows\SysWOW64\Fpjaodmj.exe (command line: C:\Windows\system32\Fpjaodmj.exe)
- System Location Discovery: System Language Discovery
PID:1400 -
98. C:\Windows\SysWOW64\Fdfmpc32.exe (command line: C:\Windows\system32\Fdfmpc32.exe)
PID:2928 -
99. C:\Windows\SysWOW64\Ffdilo32.exe (command line: C:\Windows\system32\Ffdilo32.exe)
PID:1720 -
100. C:\Windows\SysWOW64\Fegjgkla.exe (command line: C:\Windows\system32\Fegjgkla.exe)
- Modifies registry class
PID:236 -
101. C:\Windows\SysWOW64\Fmnahilc.exe (command line: C:\Windows\system32\Fmnahilc.exe)
PID:2060 -
102. C:\Windows\SysWOW64\Fpmned32.exe (command line: C:\Windows\system32\Fpmned32.exe)
PID:480 -
103. C:\Windows\SysWOW64\Fopnpaba.exe (command line: C:\Windows\system32\Fopnpaba.exe)
- System Location Discovery: System Language Discovery
PID:2368 -
104. C:\Windows\SysWOW64\Ffgfancd.exe (command line: C:\Windows\system32\Ffgfancd.exe)
PID:1888 -
105. C:\Windows\SysWOW64\Fejfmk32.exe (command line: C:\Windows\system32\Fejfmk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2112 -
106. C:\Windows\SysWOW64\Fhhbif32.exe (command line: C:\Windows\system32\Fhhbif32.exe)
PID:1872 -
107. C:\Windows\SysWOW64\Fpokjd32.exe (command line: C:\Windows\system32\Fpokjd32.exe)
PID:760 -
108. C:\Windows\SysWOW64\Fbngfo32.exe (command line: C:\Windows\system32\Fbngfo32.exe)
PID:2912 -
109. C:\Windows\SysWOW64\Fapgblob.exe (command line: C:\Windows\system32\Fapgblob.exe)
PID:2464 -
110. C:\Windows\SysWOW64\Figocipe.exe (command line: C:\Windows\system32\Figocipe.exe)
PID:2492 -
111. C:\Windows\SysWOW64\Fhjoof32.exe (command line: C:\Windows\system32\Fhjoof32.exe)
PID:2032 -
112. C:\Windows\SysWOW64\Facdgl32.exe (command line: C:\Windows\system32\Facdgl32.exe)
- Drops file in System32 directory
PID:2664 -
113. C:\Windows\SysWOW64\Fenphjei.exe (command line: C:\Windows\system32\Fenphjei.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1960 -
114. C:\Windows\SysWOW64\Fhmldfdm.exe (command line: C:\Windows\system32\Fhmldfdm.exe)
- Modifies registry class
PID:2396 -
115. C:\Windows\SysWOW64\Flhhed32.exe (command line: C:\Windows\system32\Flhhed32.exe)
- Modifies registry class
PID:1776 -
116. C:\Windows\SysWOW64\Fogdap32.exe (command line: C:\Windows\system32\Fogdap32.exe)
PID:2380 -
117. C:\Windows\SysWOW64\Gmidlmcd.exe (command line: C:\Windows\system32\Gmidlmcd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656 -
118. C:\Windows\SysWOW64\Gaeqmk32.exe (command line: C:\Windows\system32\Gaeqmk32.exe)
- Drops file in System32 directory
PID:920 -
119. C:\Windows\SysWOW64\Ghoijebj.exe (command line: C:\Windows\system32\Ghoijebj.exe)
- System Location Discovery: System Language Discovery
PID:1940 -
120. C:\Windows\SysWOW64\Gkmefaan.exe (command line: C:\Windows\system32\Gkmefaan.exe)
PID:1156 -
121. C:\Windows\SysWOW64\Goiafp32.exe (command line: C:\Windows\system32\Goiafp32.exe)
- System Location Discovery: System Language Discovery
PID:2624 -
122. C:\Windows\SysWOW64\Gagmbkik.exe (command line: C:\Windows\system32\Gagmbkik.exe)
PID:3000 -
123. C:\Windows\SysWOW64\Gdfiofhn.exe (command line: C:\Windows\system32\Gdfiofhn.exe)
- Drops file in System32 directory
PID:2264 -
124. C:\Windows\SysWOW64\Ggdekbgb.exe (command line: C:\Windows\system32\Ggdekbgb.exe)
- Modifies registry class
PID:2148 -
125. C:\Windows\SysWOW64\Gibbgmfe.exe (command line: C:\Windows\system32\Gibbgmfe.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:692 -
126. C:\Windows\SysWOW64\Gmnngl32.exe (command line: C:\Windows\system32\Gmnngl32.exe)
- Drops file in System32 directory
PID:2880 -
127. C:\Windows\SysWOW64\Gpmjcg32.exe (command line: C:\Windows\system32\Gpmjcg32.exe)
PID:3044 -
128. C:\Windows\SysWOW64\Gckfpc32.exe (command line: C:\Windows\system32\Gckfpc32.exe)
PID:2692 -
129. C:\Windows\SysWOW64\Ggfbpaeo.exe (command line: C:\Windows\system32\Ggfbpaeo.exe)
PID:1716 -
130. C:\Windows\SysWOW64\Gieommdc.exe (command line: C:\Windows\system32\Gieommdc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1104 -
131. C:\Windows\SysWOW64\Glckihcg.exe (command line: C:\Windows\system32\Glckihcg.exe)
PID:2200 -
132. C:\Windows\SysWOW64\Gdjcjf32.exe (command line: C:\Windows\system32\Gdjcjf32.exe)
- Drops file in System32 directory
PID:644 -
133. C:\Windows\SysWOW64\Ggiofa32.exe (command line: C:\Windows\system32\Ggiofa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2024 -
134. C:\Windows\SysWOW64\Gigkbm32.exe (command line: C:\Windows\system32\Gigkbm32.exe)
- Modifies registry class
PID:1772 -
135. C:\Windows\SysWOW64\Glfgnh32.exe (command line: C:\Windows\system32\Glfgnh32.exe)
- Modifies registry class
PID:1668 -
136. C:\Windows\SysWOW64\Goddjc32.exe (command line: C:\Windows\system32\Goddjc32.exe)
PID:2844 -
137. C:\Windows\SysWOW64\Gcppkbia.exe (command line: C:\Windows\system32\Gcppkbia.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2172 -
138. C:\Windows\SysWOW64\Genlgnhd.exe (command line: C:\Windows\system32\Genlgnhd.exe)
PID:2128 -
139. C:\Windows\SysWOW64\Hijhhl32.exe (command line: C:\Windows\system32\Hijhhl32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2356 -
140. C:\Windows\SysWOW64\Hlhddh32.exe (command line: C:\Windows\system32\Hlhddh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1644 -
141. C:\Windows\SysWOW64\Hofqpc32.exe (command line: C:\Windows\system32\Hofqpc32.exe)
PID:2308 -
142. C:\Windows\SysWOW64\Haemloni.exe (command line: C:\Windows\system32\Haemloni.exe)
PID:3060 -
143. C:\Windows\SysWOW64\Heqimm32.exe (command line: C:\Windows\system32\Heqimm32.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1764 -
144. C:\Windows\SysWOW64\Hjlemlnk.exe (command line: C:\Windows\system32\Hjlemlnk.exe)
PID:2100 -
145. C:\Windows\SysWOW64\Hljaigmo.exe (command line: C:\Windows\system32\Hljaigmo.exe)
PID:2620 -
146. C:\Windows\SysWOW64\Hcdifa32.exe (command line: C:\Windows\system32\Hcdifa32.exe)
PID:860 -
147. C:\Windows\SysWOW64\Hecebm32.exe (command line: C:\Windows\system32\Hecebm32.exe)
PID:524 -
148. C:\Windows\SysWOW64\Hhaanh32.exe (command line: C:\Windows\system32\Hhaanh32.exe)
- System Location Discovery: System Language Discovery
PID:1204 -
149. C:\Windows\SysWOW64\Hlmnogkl.exe (command line: C:\Windows\system32\Hlmnogkl.exe)
PID:2160 -
150. C:\Windows\SysWOW64\Hokjkbkp.exe (command line: C:\Windows\system32\Hokjkbkp.exe)
- Modifies registry class
PID:2452 -
151. C:\Windows\SysWOW64\Hhcndhap.exe (command line: C:\Windows\system32\Hhcndhap.exe)
PID:2376 -
152. C:\Windows\SysWOW64\Honfqb32.exe (command line: C:\Windows\system32\Honfqb32.exe)
- System Location Discovery: System Language Discovery
PID:1700 -
153. C:\Windows\SysWOW64\Halcmn32.exe (command line: C:\Windows\system32\Halcmn32.exe)
PID:1760 -
154. C:\Windows\SysWOW64\Hdjoii32.exe (command line: C:\Windows\system32\Hdjoii32.exe)
PID:2480 -
155. C:\Windows\SysWOW64\Hgiked32.exe (command line: C:\Windows\system32\Hgiked32.exe)
- Drops file in System32 directory
PID:2220 -
156. C:\Windows\SysWOW64\Hjggap32.exe (command line: C:\Windows\system32\Hjggap32.exe)
- Modifies registry class
PID:2448 -
157. C:\Windows\SysWOW64\Hbnpbm32.exe (command line: C:\Windows\system32\Hbnpbm32.exe)
PID:2192 -
158. C:\Windows\SysWOW64\Idmlniea.exe (command line: C:\Windows\system32\Idmlniea.exe)
- Drops file in System32 directory
PID:1116 -
159. C:\Windows\SysWOW64\Igkhjdde.exe (command line: C:\Windows\system32\Igkhjdde.exe)
PID:2744 -
160. C:\Windows\SysWOW64\Inepgn32.exe (command line: C:\Windows\system32\Inepgn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2996 -
161. C:\Windows\SysWOW64\Iqcmcj32.exe (command line: C:\Windows\system32\Iqcmcj32.exe)
PID:1892 -
162. C:\Windows\SysWOW64\Icbipe32.exe (command line: C:\Windows\system32\Icbipe32.exe)
PID:2336 -
163. C:\Windows\SysWOW64\Ingmmn32.exe (command line: C:\Windows\system32\Ingmmn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2972 -
164. C:\Windows\SysWOW64\Iqfiii32.exe (command line: C:\Windows\system32\Iqfiii32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2456 -
165. C:\Windows\SysWOW64\Icdeee32.exe (command line: C:\Windows\system32\Icdeee32.exe)
- Drops file in System32 directory
PID:2688 -
166. C:\Windows\SysWOW64\Ifbaapfk.exe (command line: C:\Windows\system32\Ifbaapfk.exe)
PID:1372 -
167. C:\Windows\SysWOW64\Immjnj32.exe (command line: C:\Windows\system32\Immjnj32.exe)
PID:696 -
168. C:\Windows\SysWOW64\Iokfjf32.exe (command line: C:\Windows\system32\Iokfjf32.exe)
- Drops file in System32 directory
PID:2080 -
169. C:\Windows\SysWOW64\Ibibfa32.exe (command line: C:\Windows\system32\Ibibfa32.exe)
- Modifies registry class
PID:1876 -
170. C:\Windows\SysWOW64\Ifengpdh.exe (command line: C:\Windows\system32\Ifengpdh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2364 -
171. C:\Windows\SysWOW64\Iickckcl.exe (command line: C:\Windows\system32\Iickckcl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
172. C:\Windows\SysWOW64\Ikagogco.exe (command line: C:\Windows\system32\Ikagogco.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
173. C:\Windows\SysWOW64\Iblola32.exe (command line: C:\Windows\system32\Iblola32.exe)
- System Location Discovery: System Language Discovery
PID:2444 -
174. C:\Windows\SysWOW64\Iejkhlip.exe (command line: C:\Windows\system32\Iejkhlip.exe)
- System Location Discovery: System Language Discovery
PID:2824 -
175. C:\Windows\SysWOW64\Jkdcdf32.exe (command line: C:\Windows\system32\Jkdcdf32.exe)
PID:1952 -
176. C:\Windows\SysWOW64\Joppeeif.exe (command line: C:\Windows\system32\Joppeeif.exe)
PID:1740 -
177. C:\Windows\SysWOW64\Jfjhbo32.exe (command line: C:\Windows\system32\Jfjhbo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1200 -
178. C:\Windows\SysWOW64\Jihdnk32.exe (command line: C:\Windows\system32\Jihdnk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3084 -
179. C:\Windows\SysWOW64\Jgkdigfa.exe (command line: C:\Windows\system32\Jgkdigfa.exe)
PID:3124 -
180. C:\Windows\SysWOW64\Jkfpjf32.exe (command line: C:\Windows\system32\Jkfpjf32.exe)
- Drops file in System32 directory
PID:3164 -
181. C:\Windows\SysWOW64\Jnemfa32.exe (command line: C:\Windows\system32\Jnemfa32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3204 -
182. C:\Windows\SysWOW64\Jbphgpfg.exe (command line: C:\Windows\system32\Jbphgpfg.exe)
- System Location Discovery: System Language Discovery
PID:3244 -
183. C:\Windows\SysWOW64\Jgmaog32.exe (command line: C:\Windows\system32\Jgmaog32.exe)
PID:3288 -
184. C:\Windows\SysWOW64\Jkimpfmg.exe (command line: C:\Windows\system32\Jkimpfmg.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3328 -
185. C:\Windows\SysWOW64\Jaeehmko.exe (command line: C:\Windows\system32\Jaeehmko.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3368 -
186. C:\Windows\SysWOW64\Jgpndg32.exe (command line: C:\Windows\system32\Jgpndg32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:3408 -
187. C:\Windows\SysWOW64\Jjnjqb32.exe (command line: C:\Windows\system32\Jjnjqb32.exe)
PID:3448 -
188. C:\Windows\SysWOW64\Jmlfmn32.exe (command line: C:\Windows\system32\Jmlfmn32.exe)
PID:3488 -
189. C:\Windows\SysWOW64\Jjpgfbom.exe (command line: C:\Windows\system32\Jjpgfbom.exe)
PID:3528 -
190. C:\Windows\SysWOW64\Jmocbnop.exe (command line: C:\Windows\system32\Jmocbnop.exe)
PID:3568 -
C:\Windows\SysWOW64\Jcikog32.exeC:\Windows\system32\Jcikog32.exe191⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3608 -
C:\Windows\SysWOW64\Kgdgpfnf.exeC:\Windows\system32\Kgdgpfnf.exe192⤵PID:3648
-
C:\Windows\SysWOW64\Kamlhl32.exeC:\Windows\system32\Kamlhl32.exe193⤵PID:3688
-
C:\Windows\SysWOW64\Kppldhla.exeC:\Windows\system32\Kppldhla.exe194⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3728 -
C:\Windows\SysWOW64\Kbnhpdke.exeC:\Windows\system32\Kbnhpdke.exe195⤵
- Drops file in System32 directory
PID:3768 -
C:\Windows\SysWOW64\Kfidqb32.exeC:\Windows\system32\Kfidqb32.exe196⤵PID:3808
-
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3848 -
C:\Windows\SysWOW64\Klfmijae.exeC:\Windows\system32\Klfmijae.exe198⤵PID:3888
-
C:\Windows\SysWOW64\Kcmdjgbh.exeC:\Windows\system32\Kcmdjgbh.exe199⤵PID:3928
-
C:\Windows\SysWOW64\Kbpefc32.exeC:\Windows\system32\Kbpefc32.exe200⤵
- Modifies registry class
PID:3968 -
C:\Windows\SysWOW64\Kpdeoh32.exeC:\Windows\system32\Kpdeoh32.exe201⤵PID:4008
-
C:\Windows\SysWOW64\Kngekdnf.exeC:\Windows\system32\Kngekdnf.exe202⤵PID:4048
-
C:\Windows\SysWOW64\Kfnnlboi.exeC:\Windows\system32\Kfnnlboi.exe203⤵PID:4088
-
C:\Windows\SysWOW64\Khojcj32.exeC:\Windows\system32\Khojcj32.exe204⤵
- System Location Discovery: System Language Discovery
PID:3120 -
C:\Windows\SysWOW64\Kpfbegei.exeC:\Windows\system32\Kpfbegei.exe205⤵PID:3156
-
C:\Windows\SysWOW64\Koibpd32.exeC:\Windows\system32\Koibpd32.exe206⤵PID:3188
-
C:\Windows\SysWOW64\Kaholp32.exeC:\Windows\system32\Kaholp32.exe207⤵
- Modifies registry class
PID:3264 -
C:\Windows\SysWOW64\Kecjmodq.exeC:\Windows\system32\Kecjmodq.exe208⤵
- System Location Discovery: System Language Discovery
PID:3324 -
C:\Windows\SysWOW64\Khagijcd.exeC:\Windows\system32\Khagijcd.exe209⤵
- System Location Discovery: System Language Discovery
PID:3356 -
C:\Windows\SysWOW64\Kjpceebh.exeC:\Windows\system32\Kjpceebh.exe210⤵
- Drops file in System32 directory
PID:3388 -
C:\Windows\SysWOW64\Lolofd32.exeC:\Windows\system32\Lolofd32.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3464 -
C:\Windows\SysWOW64\Lajkbp32.exeC:\Windows\system32\Lajkbp32.exe212⤵PID:3500
-
C:\Windows\SysWOW64\Ldhgnk32.exeC:\Windows\system32\Ldhgnk32.exe213⤵
- Drops file in System32 directory
PID:3560 -
C:\Windows\SysWOW64\Lhdcojaa.exeC:\Windows\system32\Lhdcojaa.exe214⤵PID:3580
-
C:\Windows\SysWOW64\Lkbpke32.exeC:\Windows\system32\Lkbpke32.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3668 -
C:\Windows\SysWOW64\Lmalgq32.exeC:\Windows\system32\Lmalgq32.exe216⤵PID:3712
-
C:\Windows\SysWOW64\Lalhgogb.exeC:\Windows\system32\Lalhgogb.exe217⤵PID:3760
-
C:\Windows\SysWOW64\Ldkdckff.exeC:\Windows\system32\Ldkdckff.exe218⤵
- System Location Discovery: System Language Discovery
PID:3816 -
C:\Windows\SysWOW64\Lfippfej.exeC:\Windows\system32\Lfippfej.exe219⤵
- Drops file in System32 directory
PID:3864 -
C:\Windows\SysWOW64\Lophacfl.exeC:\Windows\system32\Lophacfl.exe220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3916 -
C:\Windows\SysWOW64\Laodmoep.exeC:\Windows\system32\Laodmoep.exe221⤵PID:3952
-
C:\Windows\SysWOW64\Lpaehl32.exeC:\Windows\system32\Lpaehl32.exe222⤵PID:4016
-
C:\Windows\SysWOW64\Lhimji32.exeC:\Windows\system32\Lhimji32.exe223⤵PID:4020
-
C:\Windows\SysWOW64\Lkgifd32.exeC:\Windows\system32\Lkgifd32.exe224⤵
- System Location Discovery: System Language Discovery
PID:3100 -
C:\Windows\SysWOW64\Lmeebpkd.exeC:\Windows\system32\Lmeebpkd.exe225⤵PID:3160
-
C:\Windows\SysWOW64\Lpdankjg.exeC:\Windows\system32\Lpdankjg.exe226⤵PID:3224
-
C:\Windows\SysWOW64\Lbbnjgik.exeC:\Windows\system32\Lbbnjgik.exe227⤵PID:3256
-
C:\Windows\SysWOW64\Lgnjke32.exeC:\Windows\system32\Lgnjke32.exe228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3284 -
C:\Windows\SysWOW64\Lilfgq32.exeC:\Windows\system32\Lilfgq32.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3396 -
C:\Windows\SysWOW64\Llkbcl32.exeC:\Windows\system32\Llkbcl32.exe230⤵PID:3384
-
C:\Windows\SysWOW64\Ldbjdj32.exeC:\Windows\system32\Ldbjdj32.exe231⤵PID:3524
-
C:\Windows\SysWOW64\Lcdjpfgh.exeC:\Windows\system32\Lcdjpfgh.exe232⤵PID:3540
-
C:\Windows\SysWOW64\Lgpfpe32.exeC:\Windows\system32\Lgpfpe32.exe233⤵PID:3644
-
C:\Windows\SysWOW64\Miocmq32.exeC:\Windows\system32\Miocmq32.exe234⤵
- Drops file in System32 directory
PID:3696 -
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe235⤵PID:3740
-
C:\Windows\SysWOW64\Mokkegmm.exeC:\Windows\system32\Mokkegmm.exe236⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3788 -
C:\Windows\SysWOW64\Mgbcfdmo.exeC:\Windows\system32\Mgbcfdmo.exe237⤵PID:3912
-
C:\Windows\SysWOW64\Miapbpmb.exeC:\Windows\system32\Miapbpmb.exe238⤵
- Drops file in System32 directory
- Modifies registry class
PID:3956 -
C:\Windows\SysWOW64\Mlolnllf.exeC:\Windows\system32\Mlolnllf.exe239⤵
- System Location Discovery: System Language Discovery
PID:4000 -
C:\Windows\SysWOW64\Mpkhoj32.exeC:\Windows\system32\Mpkhoj32.exe240⤵
- System Location Discovery: System Language Discovery
PID:4084 -
C:\Windows\SysWOW64\Maldfbjn.exeC:\Windows\system32\Maldfbjn.exe241⤵
- Modifies registry class
PID:3140 -
C:\Windows\SysWOW64\Mehpga32.exeC:\Windows\system32\Mehpga32.exe242⤵
- System Location Discovery: System Language Discovery
PID:3192
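In the raw text export of a report like this one, every process line fuses the image path, the command line and the tree depth into a single string (for example `C:\Windows\SysWOW64\Ikagogco.exeC:\Windows\system32\Ikagogco.exe172⤵`), with the triggered signatures and the PID on the following lines. That is awkward to count or pivot on by hand across a chain this long. The script below is an added example, not code from the report or from the sandbox vendor: it parses that raw form into records, checks that the depth numbers are consecutive (each process spawned the next), lists which processes carry a given signature, and flags the SysWOW64/system32 mismatch. The sample block inside it is constructed from a handful of the entries above; all function and field names are this example's own.

```python
"""Parse a sandbox process tree from its raw text export and summarise it.

Input format handled (as seen in the raw export of this report):
  <image path><command line><tree depth>⤵[PID:<pid>]
  - <signature name>            (zero or more lines)
  PID:<pid> -                   (when the PID was not on the process line)
  -                             (separator line, ignored)
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: seven consecutive entries copied in the raw export form.
SAMPLE = r"""
C:\Windows\SysWOW64\Ikagogco.exeC:\Windows\system32\Ikagogco.exe172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Iblola32.exeC:\Windows\system32\Iblola32.exe173⤵
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Iejkhlip.exeC:\Windows\system32\Iejkhlip.exe174⤵
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Jkdcdf32.exeC:\Windows\system32\Jkdcdf32.exe175⤵PID:1952
-
C:\Windows\SysWOW64\Joppeeif.exeC:\Windows\system32\Joppeeif.exe176⤵PID:1740
-
C:\Windows\SysWOW64\Jfjhbo32.exeC:\Windows\system32\Jfjhbo32.exe177⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1200 -
C:\Windows\SysWOW64\Jihdnk32.exeC:\Windows\system32\Jihdnk32.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3084 -
"""

# The image path is split off at its first ".exe"; the command line is then
# everything up to the run of digits that precedes the "⤵" marker. This relies
# on the command line carrying no arguments, which holds for this sample.
PROC_RE = re.compile(
    r"^(?P<image>.+?\.exe)(?P<cmdline>.+?)(?P<depth>\d+)⤵\s*"
    r"(?:PID:(?P<pid>\d+))?\s*-?\s*$"
)
PID_RE = re.compile(r"^PID:(\d+)")


@dataclass
class ProcessEntry:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)

    @property
    def wow64_redirected(self) -> bool:
        """Command line names system32 but the image loaded from SysWOW64:
        WOW64 file system redirection, i.e. a 32-bit process on x64 Windows."""
        return ("\\system32\\" in self.cmdline.lower()
                and "\\syswow64\\" in self.image.lower())


def parse_process_tree(text: str) -> List[ProcessEntry]:
    entries: List[ProcessEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # blank or separator line
            continue
        m = PROC_RE.match(line)
        if m:                                # start of a new process entry
            entries.append(ProcessEntry(
                image=m["image"], cmdline=m["cmdline"], depth=int(m["depth"]),
                pid=int(m["pid"]) if m["pid"] else None))
            continue
        if not entries:
            raise ValueError(f"signature/PID line before any process: {line!r}")
        pm = PID_RE.match(line)
        if pm:                               # "PID:908 -" belongs to last entry
            entries[-1].pid = int(pm.group(1))
        elif line.startswith("- "):          # a triggered signature
            entries[-1].signatures.append(line[2:].strip())
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return entries


def chain_is_linear(entries: List[ProcessEntry]) -> bool:
    """True when depths increase by exactly one, i.e. each process is the
    child of the one listed before it."""
    depths = [e.depth for e in entries]
    return all(b == a + 1 for a, b in zip(depths, depths[1:]))


def processes_with_signature(entries: List[ProcessEntry], needle: str) -> List[ProcessEntry]:
    """Entries whose signature list contains the (case-insensitive) substring."""
    return [e for e in entries
            if any(needle.lower() in s.lower() for s in e.signatures)]


def summarise(entries: List[ProcessEntry]) -> Dict[str, object]:
    counts: Dict[str, int] = {}
    for e in entries:
        for s in e.signatures:
            counts[s] = counts.get(s, 0) + 1
    return {
        "processes": len(entries),
        "depth_range": (entries[0].depth, entries[-1].depth) if entries else None,
        "linear_chain": chain_is_linear(entries),
        "wow64_redirected": sum(e.wow64_redirected for e in entries),
        "signature_counts": counts,
    }


if __name__ == "__main__":
    tree = parse_process_tree(SAMPLE)
    print(summarise(tree))
    for e in processes_with_signature(tree, "autorun"):
        print(f"depth {e.depth}  {e.image}  pid={e.pid}")
```

Two things the summary makes visible that are easy to miss when reading the tree by eye. First, every entry reports the image under SysWOW64 while its command line says system32: that is WOW64 file system redirection at work, so the sample is a 32-bit executable running on 64-bit Windows, which is also why its registry writes land under Wow6432Node. Second, the depth numbers in this section run from 172 to 242 without a gap, so these 71 processes form one linear spawn chain, and PIDs are recycled along the way (3120 appears at depth 204 after 4088 at depth 203), so key on depth or image name rather than PID when you pivot from the tree into the signature details.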