Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 11:12
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.Win32.Berbew.AA.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Berbew.AA.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Berbew.AA.exe
-
Size
390KB
-
MD5
fea88576cbb2d3e369dd40f278405a50
-
SHA1
e74b84a70b50e258158bc31d039d76a02bbff8c8
-
SHA256
e90768d5c8ebcb6a2f6dbc0f4d95cfc85e4bb76b2156f6c08fc431df129e4419
-
SHA512
d180a9e485cc69179a45c0026ea27e068c725f2a192a9050471b766b0819c648056b59c0efaf1ce477686860af66e2ab450ca19a674379b6f06961a6db7a51d0
-
SSDEEP
3072:6nuteUyiHsKJOF6+bWQALHLQGAZzasJR/X4a+SFkVsYtTHTMT5NeVWmjjGF:6EeUyF6CbArLAZ26RQSFSTHAjhV
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Pmoiqneg.exeBnmoijje.exeGnqfcbnj.exeFbajbi32.exeEfeihb32.exeMmpmnl32.exeIknmla32.exeJpfepf32.exeLqbncb32.exeEppjfgcp.exeHmbphg32.exeDmlkhofd.exeHifcgion.exeHgmgqc32.exeIjegcm32.exeNnicid32.exeOhmhmh32.exePkpmdbfd.exeLlodgnja.exePpgegd32.exeDgcihgaj.exeEjalcgkg.exeMaiccajf.exeAajohjon.exeBkjiao32.exeIibccgep.exeKomhll32.exeMjokgg32.exeNlkgmh32.exeQdaniq32.exeBaannc32.exeKcpahpmd.exePehngkcg.exeEnkdaepb.exeIepaaico.exePmblagmf.exeAdfgdpmi.exeAkblfj32.exeKggcnoic.exeImkbnf32.exeJphkkpbp.exeKnnhjcog.exeOpclldhj.exeCgqlcg32.exeJddnfd32.exeOjigdcll.exeOghghb32.exePpjbmc32.exeBakgoh32.exeJnlkedai.exeBacjdbch.exeLnohlgep.exeHmmfmhll.exeJlmfeg32.exeCfipef32.exeJpaekqhh.exeBkibgh32.exeFfobhg32.exePopbpqjh.exeHfhgkmpj.exeIpflihfq.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmoiqneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnmoijje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnqfcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbajbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmpmnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknmla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpfepf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqbncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eppjfgcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbphg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmlkhofd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgmgqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijegcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnicid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohmhmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llodgnja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgegd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgcihgaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejalcgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maiccajf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajohjon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjiao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Komhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjokgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlkgmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Komhll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdaniq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcpahpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pehngkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkdaepb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepaaico.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adfgdpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akblfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kggcnoic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjokgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imkbnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jphkkpbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knnhjcog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opclldhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jddnfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojigdcll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghghb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppjbmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnlkedai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacjdbch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnohlgep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmfmhll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlmfeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfipef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkibgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffobhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Popbpqjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhgkmpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipflihfq.exe -
Executes dropped EXE 64 IoCs
Processes:
Ahqddk32.exeAllpejfe.exeAojlaeei.exeAlnmjjdb.exeAakebqbj.exeAlqjpi32.exeAanbhp32.exeAhgjejhd.exeAbponp32.exeAleckinj.exeAbbkcpma.exeBlhpqhlh.exeBoflmdkk.exeBhoqeibl.exeBcddcbab.exeBjnmpl32.exeBokehc32.exeBjpjel32.exeBombmcec.exeBheffh32.exeCfigpm32.exeCobkhb32.exeCmflbf32.exeCkkiccep.exeCoiaiakf.exeCmmbbejp.exeDbjkkl32.exeDmoohe32.exeDblgpl32.exeDjcoai32.exeDmalne32.exeDckdjomg.exeDfjpfj32.exeDpbdopck.exeDjhimica.exeDpdaepai.exeDbcmakpl.exeDimenegi.exeDpgnjo32.exeEbejfk32.exeEjlbhh32.exeElnoopdj.exeEcefqnel.exeEfccmidp.exeEmmkiclm.exeEplgeokq.exeEbjcajjd.exeEjalcgkg.exeEmphocjj.exeEciplm32.exeEfhlhh32.exeEleepoob.exeEclmamod.exeEfjimhnh.exeEmdajb32.exeElgaeolp.exeFbajbi32.exeFikbocki.exeFpejlmcf.exeFfobhg32.exeFimodc32.exeFpggamqc.exeFbfcmhpg.exeFipkjb32.exepid process 2240 Ahqddk32.exe 1908 Allpejfe.exe 1396 Aojlaeei.exe 696 Alnmjjdb.exe 4636 Aakebqbj.exe 3568 Alqjpi32.exe 2704 Aanbhp32.exe 4268 Ahgjejhd.exe 3896 Abponp32.exe 2296 Aleckinj.exe 4592 Abbkcpma.exe 2840 Blhpqhlh.exe 4384 Boflmdkk.exe 4532 Bhoqeibl.exe 4416 Bcddcbab.exe 2024 Bjnmpl32.exe 3780 Bokehc32.exe 4520 Bjpjel32.exe 2992 Bombmcec.exe 4380 Bheffh32.exe 4980 Cfigpm32.exe 1664 Cobkhb32.exe 1284 Cmflbf32.exe 3944 Ckkiccep.exe 3528 Coiaiakf.exe 2392 Cmmbbejp.exe 1652 Dbjkkl32.exe 452 Dmoohe32.exe 4408 Dblgpl32.exe 928 Djcoai32.exe 448 Dmalne32.exe 4192 Dckdjomg.exe 2632 Dfjpfj32.exe 2748 Dpbdopck.exe 4872 Djhimica.exe 4316 Dpdaepai.exe 2228 Dbcmakpl.exe 1996 Dimenegi.exe 4488 Dpgnjo32.exe 3908 Ebejfk32.exe 1028 Ejlbhh32.exe 4252 Elnoopdj.exe 3968 Ecefqnel.exe 3288 Efccmidp.exe 3724 Emmkiclm.exe 1964 Eplgeokq.exe 4940 Ebjcajjd.exe 2724 Ejalcgkg.exe 3368 Emphocjj.exe 4432 Eciplm32.exe 4020 Efhlhh32.exe 3424 Eleepoob.exe 2820 Eclmamod.exe 400 Efjimhnh.exe 4076 Emdajb32.exe 2652 Elgaeolp.exe 4328 Fbajbi32.exe 2464 Fikbocki.exe 4536 Fpejlmcf.exe 4516 Ffobhg32.exe 1660 Fimodc32.exe 1988 Fpggamqc.exe 3680 Fbfcmhpg.exe 3576 Fipkjb32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Akblfj32.exeIjcjmmil.exeCoohhlpe.exeOfhknodl.exeJnlbojee.exeLfgipd32.exeDbkqfe32.exeIliinc32.exeGdobnj32.exeIinqbn32.exeKkgiimng.exeOeokal32.exeKcbnnpka.exeLclpdncg.exeMjokgg32.exeImkbnf32.exeBlnoga32.exeGbchdp32.exeBgbpaipl.exeEleepoob.exeIcdheded.exeInjmcmej.exeGidnkkpc.exeLpfgmnfp.exeAdcjop32.exeGkkgpc32.exeOmqmop32.exeChglab32.exeLfjfecno.exePmnbfhal.exeFfobhg32.exeLgccinoe.exePmiikh32.exeAlnmjjdb.exeEiloco32.exeHefnkkkj.exeFiaael32.exeGimqajgh.exeLlodgnja.exeFffhifdk.exeHkdjfb32.exeChlflabp.exeLmpkadnm.exePaelfmaf.exeOmnjojpo.exeMgloefco.exeNfcabp32.exeAojefobm.exeCfnjpfcl.exeEnkdaepb.exeOjigdcll.exeFmmmfj32.exeFpggamqc.exeNflkbanj.exeKcmmhj32.exeKpanan32.exeHmbphg32.exeMjcngpjh.exeGlgcbf32.exeHfhgkmpj.exeBheffh32.exeCdnmfclj.exeCfbcke32.exedescription ioc process File created C:\Windows\SysWOW64\Aaldccip.exe Akblfj32.exe File created C:\Windows\SysWOW64\Ipmbjgpi.exe Ijcjmmil.exe File created C:\Windows\SysWOW64\Cfipef32.exe Coohhlpe.exe File created C:\Windows\SysWOW64\Ombcji32.exe Ofhknodl.exe File opened for modification C:\Windows\SysWOW64\Jqknkedi.exe Jnlbojee.exe File created C:\Windows\SysWOW64\Bgqoll32.dll Lfgipd32.exe File created C:\Windows\SysWOW64\Mhcmcm32.dll Dbkqfe32.exe File created C:\Windows\SysWOW64\Dfjehbcf.dll Iliinc32.exe File created C:\Windows\SysWOW64\Kkjaopom.dll Gdobnj32.exe File created C:\Windows\SysWOW64\Nhmhbpmi.dll Iinqbn32.exe File opened for modification C:\Windows\SysWOW64\Knfeeimj.exe Kkgiimng.exe File created C:\Windows\SysWOW64\Plopnh32.dll Oeokal32.exe File opened for modification C:\Windows\SysWOW64\Dmadco32.exe Dbkqfe32.exe File opened for modification C:\Windows\SysWOW64\Knhakh32.exe Kcbnnpka.exe File opened for modification C:\Windows\SysWOW64\Lkchelci.exe Lclpdncg.exe File created C:\Windows\SysWOW64\Qbobmnod.dll Mjokgg32.exe File created C:\Windows\SysWOW64\Iomoenej.exe Imkbnf32.exe File created C:\Windows\SysWOW64\Bomkcm32.exe Blnoga32.exe File opened for modification C:\Windows\SysWOW64\Gimqajgh.exe Gbchdp32.exe File opened for modification C:\Windows\SysWOW64\Boihcf32.exe Bgbpaipl.exe File opened for modification C:\Windows\SysWOW64\Eclmamod.exe Eleepoob.exe File created C:\Windows\SysWOW64\Aobbbd32.dll Icdheded.exe File created C:\Windows\SysWOW64\Idcepgmg.exe Injmcmej.exe File created C:\Windows\SysWOW64\Gnqfcbnj.exe Gidnkkpc.exe File created C:\Windows\SysWOW64\Jkjpda32.dll Lpfgmnfp.exe File opened for modification C:\Windows\SysWOW64\Aknbkjfh.exe Adcjop32.exe File opened for modification C:\Windows\SysWOW64\Gdcliikj.exe Gkkgpc32.exe File created C:\Windows\SysWOW64\Bqbijpeo.dll Omqmop32.exe File created C:\Windows\SysWOW64\Ekfcklij.dll Chglab32.exe File created C:\Windows\SysWOW64\Dolqpa32.dll Lfjfecno.exe File created C:\Windows\SysWOW64\Pplobcpp.exe Pmnbfhal.exe File opened for modification C:\Windows\SysWOW64\Fimodc32.exe Ffobhg32.exe File created C:\Windows\SysWOW64\Ljaoeini.exe Lgccinoe.exe File opened for modification C:\Windows\SysWOW64\Ppgegd32.exe Pmiikh32.exe File opened for modification C:\Windows\SysWOW64\Aakebqbj.exe Alnmjjdb.exe File created C:\Windows\SysWOW64\Ekkkoj32.exe Eiloco32.exe File opened for modification C:\Windows\SysWOW64\Hmmfmhll.exe Hefnkkkj.exe File created C:\Windows\SysWOW64\Jflbhhom.dll Fiaael32.exe File opened for modification C:\Windows\SysWOW64\Glkmmefl.exe Gimqajgh.exe File opened for modification C:\Windows\SysWOW64\Lomqcjie.exe Llodgnja.exe File opened for modification C:\Windows\SysWOW64\Fmpqfq32.exe Fffhifdk.exe File created C:\Windows\SysWOW64\Hmbfbn32.exe Hkdjfb32.exe File created C:\Windows\SysWOW64\Mbibld32.dll Chlflabp.exe File opened for modification C:\Windows\SysWOW64\Lqkgbcff.exe Lmpkadnm.exe File opened for modification C:\Windows\SysWOW64\Peahgl32.exe Paelfmaf.exe File opened for modification C:\Windows\SysWOW64\Ocgbld32.exe Omnjojpo.exe File created C:\Windows\SysWOW64\Mjjkaabc.exe Mgloefco.exe File created C:\Windows\SysWOW64\Ojomcopk.exe Nfcabp32.exe File created C:\Windows\SysWOW64\Ogpoeg32.dll Aojefobm.exe File created C:\Windows\SysWOW64\Chlflabp.exe Cfnjpfcl.exe File created C:\Windows\SysWOW64\Fnadil32.dll Enkdaepb.exe File created C:\Windows\SysWOW64\Oodcdb32.exe Ojigdcll.exe File created C:\Windows\SysWOW64\Flpmagqi.exe Fmmmfj32.exe File created C:\Windows\SysWOW64\Fbfcmhpg.exe Fpggamqc.exe File created C:\Windows\SysWOW64\Jcleff32.dll Nflkbanj.exe File created C:\Windows\SysWOW64\Kgiiiidd.exe Kcmmhj32.exe File opened for modification C:\Windows\SysWOW64\Kcpjnjii.exe Kpanan32.exe File created C:\Windows\SysWOW64\Hoclopne.exe Hmbphg32.exe File created C:\Windows\SysWOW64\Nqmfdj32.exe Mjcngpjh.exe File opened for modification C:\Windows\SysWOW64\Gnepna32.exe Glgcbf32.exe File opened for modification C:\Windows\SysWOW64\Hifcgion.exe Hfhgkmpj.exe File created C:\Windows\SysWOW64\Mhaimehd.dll Bheffh32.exe File created C:\Windows\SysWOW64\Ckhecmcf.exe Cdnmfclj.exe File created C:\Windows\SysWOW64\Dmlkhofd.exe Cfbcke32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 13380 12740 WerFault.exe Dkqaoe32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Nagiji32.exePmblagmf.exeBaannc32.exeManmoq32.exeOejbfmpg.exeBffcpg32.exeAdfnofpd.exeCkclhn32.exeLcnfohmi.exeMcelpggq.exePjbcplpe.exeFbajbi32.exeInqbclob.exeKmkbfeab.exeAdkqoohc.exeGnqfcbnj.exeKmaopfjm.exePmoiqneg.exeAhdged32.exeEkkkoj32.exeIfomll32.exeOghghb32.exeIjcjmmil.exeMebcop32.exeNlhkgi32.exeBobabg32.exeBhkfkmmg.exeEplgeokq.exeJgnqgqan.exeLfbped32.exePdhbmh32.exeBepmoh32.exeHibafp32.exeNjpdnedf.exeOjigdcll.exePoimpapp.exeChlflabp.exeQjfmkk32.exeMjaabq32.exeQobhkjdi.exeDblgpl32.exeKjlopc32.exeMjjkaabc.exeAdcjop32.exeKjccdkki.exeMalpia32.exeJgpfbjlo.exeKpmdfonj.exeNggnadib.exeQjiipk32.exeDfjpfj32.exeBochmn32.exeKgdpni32.exeElgaeolp.exeJklinohd.exeJcanll32.exePjdpelnc.exeAhdpjn32.exeDpbdopck.exeQhmqdemc.exeGbnoiqdq.exeEblimcdf.exeEiloco32.exeCoegoe32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagiji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmblagmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baannc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manmoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oejbfmpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffcpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfnofpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckclhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnfohmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcelpggq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbcplpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbajbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inqbclob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkbfeab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adkqoohc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnqfcbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaopfjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmoiqneg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahdged32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifomll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghghb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcjmmil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebcop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhkgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bobabg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkfkmmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eplgeokq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgnqgqan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbped32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bepmoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njpdnedf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojigdcll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poimpapp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chlflabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjfmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjaabq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobhkjdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dblgpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlopc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjjkaabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adcjop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjccdkki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malpia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpfbjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpmdfonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggnadib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjiipk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjpfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bochmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdpni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgaeolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jklinohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcanll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjdpelnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahdpjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpbdopck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhmqdemc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnoiqdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblimcdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiloco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coegoe32.exe -
Modifies registry class 64 IoCs
Processes:
Hoobdp32.exeNcnofeof.exeKmfhkf32.exeNnbnhedj.exePoimpapp.exeBakgoh32.exeCkclhn32.exeLflbkcll.exeChlflabp.exeMmkdcm32.exeCpmapodj.exeCaageq32.exeIgajal32.exeKcpjnjii.exeAagkhd32.exeJqknkedi.exeEehicoel.exeFihnomjp.exePocpfphe.exeCoohhlpe.exeGlgcbf32.exeCncnob32.exeIpgbdbqb.exeCmmbbejp.exeNghekkmn.exeDigehphc.exeEofgpikj.exeEecphp32.exeHfhgkmpj.exeDbjkkl32.exeGoglcahb.exeEmphocjj.exeEfhlhh32.exeCfnjpfcl.exeNagiji32.exeDafppp32.exeBoflmdkk.exeDjcoai32.exePldcjeia.exeJgnqgqan.exeEejeiocj.exeFlpmagqi.exeLlmhaold.exeBaannc32.exeDhbebj32.exeKdigadjo.exeDkhnjk32.exeNgndaccj.exeCdbfab32.exeOmnjojpo.exeCgqlcg32.exeIinqbn32.exeIbaeen32.exeJgpfbjlo.exeMgbefe32.exeDpbdopck.exeFbfcmhpg.exeFnipbc32.exeIibccgep.exeGkkgpc32.exeOcgbld32.exeBgelgi32.exeNjinmf32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoobdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gicbkkca.dll" Kmfhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqglioac.dll" Nnbnhedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecakqg32.dll" Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffkpn32.dll" Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqindg32.dll" Ckclhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lflbkcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chlflabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll" Cpmapodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblldc32.dll" Igajal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcpjnjii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aagkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqknkedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ialjan32.dll" Eehicoel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fihnomjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioodcbn.dll" Pocpfphe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coohhlpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glgcbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cncnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cncnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipgbdbqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmmbbejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqnpfi32.dll" Nghekkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Digehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eecphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hohahelb.dll" Hfhgkmpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbjkkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goglcahb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emphocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeifngp.dll" Efhlhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfnjpfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbjqfjb.dll" Nagiji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dafppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apedgj32.dll" Boflmdkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djcoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blciboie.dll" Pldcjeia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgnqgqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkgabfn.dll" Eejeiocj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqqpck32.dll" Flpmagqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llmhaold.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baannc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhbebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phdpmbnc.dll" Kdigadjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkhnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baiinofi.dll" Ngndaccj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdbfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omnjojpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll" Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmhbpmi.dll" Iinqbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfgllk32.dll" Ibaeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemnff32.dll" Jgpfbjlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkogl32.dll" Mgbefe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpbdopck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbfcmhpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnipbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iibccgep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkgpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocgbld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgelgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mamjbp32.dll" Njinmf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Backdoor.Win32.Berbew.AA.exeAhqddk32.exeAllpejfe.exeAojlaeei.exeAlnmjjdb.exeAakebqbj.exeAlqjpi32.exeAanbhp32.exeAhgjejhd.exeAbponp32.exeAleckinj.exeAbbkcpma.exeBlhpqhlh.exeBoflmdkk.exeBhoqeibl.exeBcddcbab.exeBjnmpl32.exeBokehc32.exeBjpjel32.exeBombmcec.exeBheffh32.exeCfigpm32.exedescription pid process target process PID 3272 wrote to memory of 2240 3272 Backdoor.Win32.Berbew.AA.exe Ahqddk32.exe PID 3272 wrote to memory of 2240 3272 Backdoor.Win32.Berbew.AA.exe Ahqddk32.exe PID 3272 wrote to memory of 2240 3272 Backdoor.Win32.Berbew.AA.exe Ahqddk32.exe PID 2240 wrote to memory of 1908 2240 Ahqddk32.exe Allpejfe.exe PID 2240 wrote to memory of 1908 2240 Ahqddk32.exe Allpejfe.exe PID 2240 wrote to memory of 1908 2240 Ahqddk32.exe Allpejfe.exe PID 1908 wrote to memory of 1396 1908 Allpejfe.exe Aojlaeei.exe PID 1908 wrote to memory of 1396 1908 Allpejfe.exe Aojlaeei.exe PID 1908 wrote to memory of 1396 1908 Allpejfe.exe Aojlaeei.exe PID 1396 wrote to memory of 696 1396 Aojlaeei.exe Alnmjjdb.exe PID 1396 wrote to memory of 696 1396 Aojlaeei.exe Alnmjjdb.exe PID 1396 wrote to memory of 696 1396 Aojlaeei.exe Alnmjjdb.exe PID 696 wrote to memory of 4636 696 Alnmjjdb.exe Aakebqbj.exe PID 696 wrote to memory of 4636 696 Alnmjjdb.exe Aakebqbj.exe PID 696 wrote to memory of 4636 696 Alnmjjdb.exe Aakebqbj.exe PID 4636 wrote to memory of 3568 4636 Aakebqbj.exe Alqjpi32.exe PID 4636 wrote to memory of 3568 4636 Aakebqbj.exe Alqjpi32.exe PID 4636 wrote to memory of 3568 4636 Aakebqbj.exe Alqjpi32.exe PID 3568 wrote to memory of 2704 3568 Alqjpi32.exe Aanbhp32.exe PID 3568 wrote to memory of 2704 3568 Alqjpi32.exe Aanbhp32.exe PID 3568 wrote to memory of 2704 3568 Alqjpi32.exe Aanbhp32.exe PID 2704 wrote to memory of 4268 2704 Aanbhp32.exe Ahgjejhd.exe PID 2704 wrote to memory of 4268 2704 Aanbhp32.exe Ahgjejhd.exe PID 2704 wrote to memory of 4268 2704 Aanbhp32.exe Ahgjejhd.exe PID 4268 wrote to memory of 3896 4268 Ahgjejhd.exe Abponp32.exe PID 4268 wrote to memory of 3896 4268 Ahgjejhd.exe Abponp32.exe PID 4268 wrote to memory of 3896 4268 Ahgjejhd.exe Abponp32.exe PID 3896 wrote to memory of 2296 3896 Abponp32.exe Aleckinj.exe PID 3896 wrote to memory of 2296 3896 Abponp32.exe Aleckinj.exe PID 3896 wrote to memory of 2296 3896 Abponp32.exe Aleckinj.exe PID 2296 wrote to memory of 4592 2296 Aleckinj.exe Abbkcpma.exe PID 2296 wrote to memory of 4592 2296 Aleckinj.exe Abbkcpma.exe PID 2296 wrote to memory of 4592 2296 Aleckinj.exe Abbkcpma.exe PID 4592 wrote to memory of 2840 4592 Abbkcpma.exe Blhpqhlh.exe PID 4592 wrote to memory of 2840 4592 Abbkcpma.exe Blhpqhlh.exe PID 4592 wrote to memory of 2840 4592 Abbkcpma.exe Blhpqhlh.exe PID 2840 wrote to memory of 4384 2840 Blhpqhlh.exe Boflmdkk.exe PID 2840 wrote to memory of 4384 2840 Blhpqhlh.exe Boflmdkk.exe PID 2840 wrote to memory of 4384 2840 Blhpqhlh.exe Boflmdkk.exe PID 4384 wrote to memory of 4532 4384 Boflmdkk.exe Bhoqeibl.exe PID 4384 wrote to memory of 4532 4384 Boflmdkk.exe Bhoqeibl.exe PID 4384 wrote to memory of 4532 4384 Boflmdkk.exe Bhoqeibl.exe PID 4532 wrote to memory of 4416 4532 Bhoqeibl.exe Bcddcbab.exe PID 4532 wrote to memory of 4416 4532 Bhoqeibl.exe Bcddcbab.exe PID 4532 wrote to memory of 4416 4532 Bhoqeibl.exe Bcddcbab.exe PID 4416 wrote to memory of 2024 4416 Bcddcbab.exe Bjnmpl32.exe PID 4416 wrote to memory of 2024 4416 Bcddcbab.exe Bjnmpl32.exe PID 4416 wrote to memory of 2024 4416 Bcddcbab.exe Bjnmpl32.exe PID 2024 wrote to memory of 3780 2024 Bjnmpl32.exe Bokehc32.exe PID 2024 wrote to memory of 3780 2024 Bjnmpl32.exe Bokehc32.exe PID 2024 wrote to memory of 3780 2024 Bjnmpl32.exe Bokehc32.exe PID 3780 wrote to memory of 4520 3780 Bokehc32.exe Bjpjel32.exe PID 3780 wrote to memory of 4520 3780 Bokehc32.exe Bjpjel32.exe PID 3780 wrote to memory of 4520 3780 Bokehc32.exe Bjpjel32.exe PID 4520 wrote to memory of 2992 4520 Bjpjel32.exe Bombmcec.exe PID 4520 wrote to memory of 2992 4520 Bjpjel32.exe Bombmcec.exe PID 4520 wrote to memory of 2992 4520 Bjpjel32.exe Bombmcec.exe PID 2992 wrote to memory of 4380 2992 Bombmcec.exe Bheffh32.exe PID 2992 wrote to memory of 4380 2992 Bombmcec.exe Bheffh32.exe PID 2992 wrote to memory of 4380 2992 Bombmcec.exe Bheffh32.exe PID 4380 wrote to memory of 4980 4380 Bheffh32.exe Cfigpm32.exe PID 4380 wrote to memory of 4980 4380 Bheffh32.exe Cfigpm32.exe PID 4380 wrote to memory of 4980 4380 Bheffh32.exe Cfigpm32.exe PID 4980 wrote to memory of 1664 4980 Cfigpm32.exe Cobkhb32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Blhpqhlh.exeC:\Windows\system32\Blhpqhlh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Bhoqeibl.exeC:\Windows\system32\Bhoqeibl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Bheffh32.exeC:\Windows\system32\Bheffh32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe23⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe24⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Ckkiccep.exeC:\Windows\system32\Ckkiccep.exe25⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe26⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe29⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4408 -
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Dmalne32.exeC:\Windows\system32\Dmalne32.exe32⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe33⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe36⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Dpdaepai.exeC:\Windows\system32\Dpdaepai.exe37⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe38⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe39⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe40⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe41⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe42⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe43⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe44⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Efccmidp.exeC:\Windows\system32\Efccmidp.exe45⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe46⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Eplgeokq.exeC:\Windows\system32\Eplgeokq.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe48⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Ejalcgkg.exeC:\Windows\system32\Ejalcgkg.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3368 -
C:\Windows\SysWOW64\Eciplm32.exeC:\Windows\system32\Eciplm32.exe51⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:4020 -
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3424 -
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe54⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe55⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Emdajb32.exeC:\Windows\system32\Emdajb32.exe56⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Fbajbi32.exeC:\Windows\system32\Fbajbi32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4328 -
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe59⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Fpejlmcf.exeC:\Windows\system32\Fpejlmcf.exe60⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Ffobhg32.exeC:\Windows\system32\Ffobhg32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4516 -
C:\Windows\SysWOW64\Fimodc32.exeC:\Windows\system32\Fimodc32.exe62⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Fbfcmhpg.exeC:\Windows\system32\Fbfcmhpg.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:3680 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe65⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe66⤵PID:4088
-
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe67⤵PID:2348
-
C:\Windows\SysWOW64\Fjohde32.exeC:\Windows\system32\Fjohde32.exe68⤵PID:1500
-
C:\Windows\SysWOW64\Fmndpq32.exeC:\Windows\system32\Fmndpq32.exe69⤵PID:3920
-
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe70⤵PID:5036
-
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe71⤵
- Drops file in System32 directory
PID:3236 -
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe72⤵PID:2612
-
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe73⤵PID:1036
-
C:\Windows\SysWOW64\Gbmingjo.exeC:\Windows\system32\Gbmingjo.exe74⤵PID:4960
-
C:\Windows\SysWOW64\Gigaka32.exeC:\Windows\system32\Gigaka32.exe75⤵PID:756
-
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe76⤵PID:2544
-
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe77⤵PID:3728
-
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe78⤵
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Gikkfqmf.exeC:\Windows\system32\Gikkfqmf.exe79⤵PID:1272
-
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe80⤵PID:4588
-
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:4808 -
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe82⤵PID:2272
-
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe83⤵PID:3136
-
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe84⤵PID:3080
-
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe85⤵PID:4220
-
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe86⤵
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe87⤵PID:3384
-
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe88⤵PID:3024
-
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe89⤵PID:464
-
C:\Windows\SysWOW64\Hdjbiheb.exeC:\Windows\system32\Hdjbiheb.exe90⤵PID:2420
-
C:\Windows\SysWOW64\Hkdjfb32.exeC:\Windows\system32\Hkdjfb32.exe91⤵
- Drops file in System32 directory
PID:3764 -
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe92⤵PID:4012
-
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe93⤵PID:4848
-
C:\Windows\SysWOW64\Hiiggoaf.exeC:\Windows\system32\Hiiggoaf.exe94⤵PID:1408
-
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe95⤵PID:4336
-
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe96⤵PID:2548
-
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5132 -
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe98⤵PID:5168
-
C:\Windows\SysWOW64\Ipflihfq.exeC:\Windows\system32\Ipflihfq.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5220 -
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe100⤵
- Drops file in System32 directory
PID:5264 -
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:5308 -
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe102⤵
- Drops file in System32 directory
PID:5352 -
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe103⤵PID:5396
-
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5440 -
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe105⤵PID:5484
-
C:\Windows\SysWOW64\Igdnabjh.exeC:\Windows\system32\Igdnabjh.exe106⤵PID:5528
-
C:\Windows\SysWOW64\Ijcjmmil.exeC:\Windows\system32\Ijcjmmil.exe107⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5572 -
C:\Windows\SysWOW64\Ipmbjgpi.exeC:\Windows\system32\Ipmbjgpi.exe108⤵PID:5616
-
C:\Windows\SysWOW64\Icknfcol.exeC:\Windows\system32\Icknfcol.exe109⤵PID:5660
-
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe110⤵PID:5704
-
C:\Windows\SysWOW64\Ijegcm32.exeC:\Windows\system32\Ijegcm32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5748 -
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe112⤵
- System Location Discovery: System Language Discovery
PID:5792 -
C:\Windows\SysWOW64\Idkkpf32.exeC:\Windows\system32\Idkkpf32.exe113⤵PID:5836
-
C:\Windows\SysWOW64\Jjgchm32.exeC:\Windows\system32\Jjgchm32.exe114⤵PID:5880
-
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe115⤵PID:5924
-
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe116⤵PID:5968
-
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe117⤵PID:6012
-
C:\Windows\SysWOW64\Jlhljhbg.exeC:\Windows\system32\Jlhljhbg.exe118⤵PID:6056
-
C:\Windows\SysWOW64\Jdodkebj.exeC:\Windows\system32\Jdodkebj.exe119⤵PID:6100
-
C:\Windows\SysWOW64\Jgnqgqan.exeC:\Windows\system32\Jgnqgqan.exe120⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Jjlmclqa.exeC:\Windows\system32\Jjlmclqa.exe121⤵PID:5184
-
C:\Windows\SysWOW64\Jpfepf32.exeC:\Windows\system32\Jpfepf32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5248 -
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe123⤵PID:5316
-
C:\Windows\SysWOW64\Jklinohd.exeC:\Windows\system32\Jklinohd.exe124⤵
- System Location Discovery: System Language Discovery
PID:5380 -
C:\Windows\SysWOW64\Jlmfeg32.exeC:\Windows\system32\Jlmfeg32.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452 -
C:\Windows\SysWOW64\Jddnfd32.exeC:\Windows\system32\Jddnfd32.exe126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5520 -
C:\Windows\SysWOW64\Jknfcofa.exeC:\Windows\system32\Jknfcofa.exe127⤵PID:5592
-
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe128⤵
- Drops file in System32 directory
PID:5644 -
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe129⤵
- Modifies registry class
PID:5744 -
C:\Windows\SysWOW64\Jcikgacl.exeC:\Windows\system32\Jcikgacl.exe130⤵PID:5804
-
C:\Windows\SysWOW64\Kjccdkki.exeC:\Windows\system32\Kjccdkki.exe131⤵
- System Location Discovery: System Language Discovery
PID:5864 -
C:\Windows\SysWOW64\Kmaopfjm.exeC:\Windows\system32\Kmaopfjm.exe132⤵
- System Location Discovery: System Language Discovery
PID:5960 -
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe133⤵
- Modifies registry class
PID:6008 -
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6076 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe135⤵PID:6136
-
C:\Windows\SysWOW64\Kqphfe32.exeC:\Windows\system32\Kqphfe32.exe136⤵PID:5204
-
C:\Windows\SysWOW64\Kcndbp32.exeC:\Windows\system32\Kcndbp32.exe137⤵PID:5328
-
C:\Windows\SysWOW64\Kkeldnpi.exeC:\Windows\system32\Kkeldnpi.exe138⤵PID:5408
-
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe139⤵PID:5564
-
C:\Windows\SysWOW64\Kmfhkf32.exeC:\Windows\system32\Kmfhkf32.exe140⤵
- Modifies registry class
PID:5768 -
C:\Windows\SysWOW64\Kcpahpmd.exeC:\Windows\system32\Kcpahpmd.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5844 -
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe142⤵
- Drops file in System32 directory
PID:5952 -
C:\Windows\SysWOW64\Knfeeimj.exeC:\Windows\system32\Knfeeimj.exe143⤵PID:6064
-
C:\Windows\SysWOW64\Kqdaadln.exeC:\Windows\system32\Kqdaadln.exe144⤵PID:5156
-
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe145⤵
- Drops file in System32 directory
PID:5336 -
C:\Windows\SysWOW64\Knhakh32.exeC:\Windows\system32\Knhakh32.exe146⤵PID:5548
-
C:\Windows\SysWOW64\Kmkbfeab.exeC:\Windows\system32\Kmkbfeab.exe147⤵
- System Location Discovery: System Language Discovery
PID:5780 -
C:\Windows\SysWOW64\Kcejco32.exeC:\Windows\system32\Kcejco32.exe148⤵PID:5936
-
C:\Windows\SysWOW64\Lgqfdnah.exeC:\Windows\system32\Lgqfdnah.exe149⤵PID:6108
-
C:\Windows\SysWOW64\Ljobpiql.exeC:\Windows\system32\Ljobpiql.exe150⤵PID:5292
-
C:\Windows\SysWOW64\Lqikmc32.exeC:\Windows\system32\Lqikmc32.exe151⤵PID:5740
-
C:\Windows\SysWOW64\Lgccinoe.exeC:\Windows\system32\Lgccinoe.exe152⤵
- Drops file in System32 directory
PID:6068 -
C:\Windows\SysWOW64\Ljaoeini.exeC:\Windows\system32\Ljaoeini.exe153⤵PID:5300
-
C:\Windows\SysWOW64\Lmpkadnm.exeC:\Windows\system32\Lmpkadnm.exe154⤵
- Drops file in System32 directory
PID:5948 -
C:\Windows\SysWOW64\Lqkgbcff.exeC:\Windows\system32\Lqkgbcff.exe155⤵PID:5404
-
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe156⤵PID:5140
-
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe157⤵PID:5556
-
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe158⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6164 -
C:\Windows\SysWOW64\Lqndhcdc.exeC:\Windows\system32\Lqndhcdc.exe159⤵PID:6212
-
C:\Windows\SysWOW64\Lclpdncg.exeC:\Windows\system32\Lclpdncg.exe160⤵
- Drops file in System32 directory
PID:6256 -
C:\Windows\SysWOW64\Lkchelci.exeC:\Windows\system32\Lkchelci.exe161⤵PID:6300
-
C:\Windows\SysWOW64\Lnadagbm.exeC:\Windows\system32\Lnadagbm.exe162⤵PID:6344
-
C:\Windows\SysWOW64\Lqpamb32.exeC:\Windows\system32\Lqpamb32.exe163⤵PID:6388
-
C:\Windows\SysWOW64\Lcnmin32.exeC:\Windows\system32\Lcnmin32.exe164⤵PID:6432
-
C:\Windows\SysWOW64\Ljhefhha.exeC:\Windows\system32\Ljhefhha.exe165⤵PID:6476
-
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe166⤵PID:6520
-
C:\Windows\SysWOW64\Lqbncb32.exeC:\Windows\system32\Lqbncb32.exe167⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6564 -
C:\Windows\SysWOW64\Mcqjon32.exeC:\Windows\system32\Mcqjon32.exe168⤵PID:6608
-
C:\Windows\SysWOW64\Mkhapk32.exeC:\Windows\system32\Mkhapk32.exe169⤵PID:6652
-
C:\Windows\SysWOW64\Mnfnlf32.exeC:\Windows\system32\Mnfnlf32.exe170⤵PID:6696
-
C:\Windows\SysWOW64\Mepfiq32.exeC:\Windows\system32\Mepfiq32.exe171⤵PID:6740
-
C:\Windows\SysWOW64\Mgobel32.exeC:\Windows\system32\Mgobel32.exe172⤵PID:6784
-
C:\Windows\SysWOW64\Mnhkbfme.exeC:\Windows\system32\Mnhkbfme.exe173⤵PID:6828
-
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe174⤵
- System Location Discovery: System Language Discovery
PID:6872 -
C:\Windows\SysWOW64\Mcecjmkl.exeC:\Windows\system32\Mcecjmkl.exe175⤵PID:6916
-
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe176⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6960 -
C:\Windows\SysWOW64\Maiccajf.exeC:\Windows\system32\Maiccajf.exe177⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7004 -
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe178⤵PID:7044
-
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe179⤵PID:7088
-
C:\Windows\SysWOW64\Mmpdhboj.exeC:\Windows\system32\Mmpdhboj.exe180⤵PID:7132
-
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe181⤵
- System Location Discovery: System Language Discovery
PID:6148 -
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe182⤵PID:6224
-
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe183⤵PID:6292
-
C:\Windows\SysWOW64\Manmoq32.exeC:\Windows\system32\Manmoq32.exe184⤵
- System Location Discovery: System Language Discovery
PID:6360 -
C:\Windows\SysWOW64\Meiioonj.exeC:\Windows\system32\Meiioonj.exe185⤵PID:6428
-
C:\Windows\SysWOW64\Nghekkmn.exeC:\Windows\system32\Nghekkmn.exe186⤵
- Modifies registry class
PID:6516 -
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe187⤵
- Modifies registry class
PID:6584 -
C:\Windows\SysWOW64\Napjdpcn.exeC:\Windows\system32\Napjdpcn.exe188⤵PID:6640
-
C:\Windows\SysWOW64\Ngjbaj32.exeC:\Windows\system32\Ngjbaj32.exe189⤵PID:6704
-
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe190⤵
- Modifies registry class
PID:6752 -
C:\Windows\SysWOW64\Nmgjia32.exeC:\Windows\system32\Nmgjia32.exe191⤵PID:6820
-
C:\Windows\SysWOW64\Nabfjpak.exeC:\Windows\system32\Nabfjpak.exe192⤵PID:6892
-
C:\Windows\SysWOW64\Ncabfkqo.exeC:\Windows\system32\Ncabfkqo.exe193⤵PID:6956
-
C:\Windows\SysWOW64\Nlhkgi32.exeC:\Windows\system32\Nlhkgi32.exe194⤵
- System Location Discovery: System Language Discovery
PID:7032 -
C:\Windows\SysWOW64\Nmigoagp.exeC:\Windows\system32\Nmigoagp.exe195⤵PID:7108
-
C:\Windows\SysWOW64\Neqopnhb.exeC:\Windows\system32\Neqopnhb.exe196⤵PID:5920
-
C:\Windows\SysWOW64\Nlkgmh32.exeC:\Windows\system32\Nlkgmh32.exe197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6272 -
C:\Windows\SysWOW64\Nnicid32.exeC:\Windows\system32\Nnicid32.exe198⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6376 -
C:\Windows\SysWOW64\Nagpeo32.exeC:\Windows\system32\Nagpeo32.exe199⤵PID:6472
-
C:\Windows\SysWOW64\Ndflak32.exeC:\Windows\system32\Ndflak32.exe200⤵PID:6604
-
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe201⤵PID:6680
-
C:\Windows\SysWOW64\Njpdnedf.exeC:\Windows\system32\Njpdnedf.exe202⤵
- System Location Discovery: System Language Discovery
PID:6772 -
C:\Windows\SysWOW64\Najmjokc.exeC:\Windows\system32\Najmjokc.exe203⤵PID:6904
-
C:\Windows\SysWOW64\Odhifjkg.exeC:\Windows\system32\Odhifjkg.exe204⤵PID:7012
-
C:\Windows\SysWOW64\Ojbacd32.exeC:\Windows\system32\Ojbacd32.exe205⤵PID:7120
-
C:\Windows\SysWOW64\Omqmop32.exeC:\Windows\system32\Omqmop32.exe206⤵
- Drops file in System32 directory
PID:6252 -
C:\Windows\SysWOW64\Oeheqm32.exeC:\Windows\system32\Oeheqm32.exe207⤵PID:6352
-
C:\Windows\SysWOW64\Odjeljhd.exeC:\Windows\system32\Odjeljhd.exe208⤵PID:6572
-
C:\Windows\SysWOW64\Olanmgig.exeC:\Windows\system32\Olanmgig.exe209⤵PID:6724
-
C:\Windows\SysWOW64\Omcjep32.exeC:\Windows\system32\Omcjep32.exe210⤵PID:6884
-
C:\Windows\SysWOW64\Oejbfmpg.exeC:\Windows\system32\Oejbfmpg.exe211⤵
- System Location Discovery: System Language Discovery
PID:7084 -
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe212⤵PID:6288
-
C:\Windows\SysWOW64\Oldjcg32.exeC:\Windows\system32\Oldjcg32.exe213⤵PID:6508
-
C:\Windows\SysWOW64\Oobfob32.exeC:\Windows\system32\Oobfob32.exe214⤵PID:6780
-
C:\Windows\SysWOW64\Oaqbkn32.exeC:\Windows\system32\Oaqbkn32.exe215⤵PID:7064
-
C:\Windows\SysWOW64\Ohkkhhmh.exeC:\Windows\system32\Ohkkhhmh.exe216⤵PID:6532
-
C:\Windows\SysWOW64\Ojigdcll.exeC:\Windows\system32\Ojigdcll.exe217⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6868 -
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe218⤵PID:6268
-
C:\Windows\SysWOW64\Oeokal32.exeC:\Windows\system32\Oeokal32.exe219⤵
- Drops file in System32 directory
PID:6860 -
C:\Windows\SysWOW64\Ohmhmh32.exeC:\Windows\system32\Ohmhmh32.exe220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6796 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe221⤵PID:6336
-
C:\Windows\SysWOW64\Paelfmaf.exeC:\Windows\system32\Paelfmaf.exe222⤵
- Drops file in System32 directory
PID:7184 -
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe223⤵PID:7236
-
C:\Windows\SysWOW64\Phodcg32.exeC:\Windows\system32\Phodcg32.exe224⤵PID:7280
-
C:\Windows\SysWOW64\Poimpapp.exeC:\Windows\system32\Poimpapp.exe225⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:7324 -
C:\Windows\SysWOW64\Pecellgl.exeC:\Windows\system32\Pecellgl.exe226⤵PID:7368
-
C:\Windows\SysWOW64\Plmmif32.exeC:\Windows\system32\Plmmif32.exe227⤵PID:7412
-
C:\Windows\SysWOW64\Pkpmdbfd.exeC:\Windows\system32\Pkpmdbfd.exe228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7448 -
C:\Windows\SysWOW64\Pmoiqneg.exeC:\Windows\system32\Pmoiqneg.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:7504 -
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe230⤵PID:7588
-
C:\Windows\SysWOW64\Pdhbmh32.exeC:\Windows\system32\Pdhbmh32.exe231⤵
- System Location Discovery: System Language Discovery
PID:7628 -
C:\Windows\SysWOW64\Pkbjjbda.exeC:\Windows\system32\Pkbjjbda.exe232⤵PID:7876
-
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe233⤵PID:7920
-
C:\Windows\SysWOW64\Palbgl32.exeC:\Windows\system32\Palbgl32.exe234⤵PID:7968
-
C:\Windows\SysWOW64\Pehngkcg.exeC:\Windows\system32\Pehngkcg.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8024 -
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe236⤵PID:8072
-
C:\Windows\SysWOW64\Plbfdekd.exeC:\Windows\system32\Plbfdekd.exe237⤵PID:8156
-
C:\Windows\SysWOW64\Popbpqjh.exeC:\Windows\system32\Popbpqjh.exe238⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7208 -
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe239⤵PID:7264
-
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe240⤵
- Modifies registry class
PID:7356 -
C:\Windows\SysWOW64\Pocpfphe.exeC:\Windows\system32\Pocpfphe.exe241⤵
- Modifies registry class
PID:7424 -
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe242⤵PID:7488