Analysis
max time kernel: 112s
max time network: 18s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-09-2024 11:19
Static task: static1
Behavioral task: behavioral1
  Sample: Backdoor.Win32.Berbew.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Backdoor.Win32.Berbew.exe
  Resource: win10v2004-20240802-en
General
Target: Backdoor.Win32.Berbew.exe
Size: 67KB
MD5: 3439fa6301432090b864e34c1bb69bc0
SHA1: c8797b076edbace87ed34f7f4eb7df4c6ca46e40
SHA256: dea106414dd4b564489e1ab6f59a4c1c9f439be6afab5e7c6bdc51e623eb1ab8
SHA512: 2217386f6b124bc208d858e2200579b19b866a5af89e0b02ebccd2ff44114e35340bf129c644d077510f8c91fe809c82e8d98f1241f7c3b7fc6cff9f08820dd4
SSDEEP: 1536:Cq02tNJeQ2OW5c9a+hEDEErBm9Vz6x5Pd3E1cgCe8uC:l0U3rW5uxRABmXwZEugCe8uC
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Pdebladb.exe, Moijkk32.exe, Pidhjg32.exe, Phkohkkh.exe, Lncodf32.exe, Iibgmk32.exe, Fgjnpb32.exe, Fcckjb32.exe, Kdckgc32.exe, Gbcgne32.exe, Akahokho.exe, Nfjnja32.exe, Immqeq32.exe, Nifhop32.exe, Gcqika32.exe, Aeommfnf.exe, Pdhdcnng.exe, Gjhbic32.exe, Hjdkhpih.exe, Peclcc32.exe, Boblbe32.exe, Aiagck32.exe, Kfbjlgnk.exe, Iackhb32.exe, Flnpoe32.exe, Gpknjp32.exe, Bdidegec.exe, Mhjdpgic.exe, Hjgnhf32.exe, Gknhlj32.exe, Mkcjlhdh.exe, Enblpe32.exe, Jlddbgai.exe, Ijgcmc32.exe, Gobnljhp.exe, Mncdhc32.exe, Oajpjq32.exe, Lpiqel32.exe, Bhglpqeo.exe, Halkahoo.exe, Qgqlig32.exe, Qmijij32.exe, Jdodel32.exe, Feiamj32.exe, Ogiqffhl.exe, Paagkq32.exe, Obhfhj32.exe, Biegpl32.exe, Cckhlhcj.exe, Njklioqd.exe, Lhhhjhkf.exe, Ligliagg.exe, Jofhqiec.exe, Dmfkcf32.exe, Jnmlgpeo.exe, Nhpadpke.exe, Mipjbokm.exe, Nkfaqkcq.exe, Hdlkpd32.exe, Iedmhlqf.exe, Lkbphfab.exe, Gbecce32.exe, Cckjeq32.exe

description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdebladb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Moijkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pidhjg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phkohkkh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lncodf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iibgmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fgjnpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fcckjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdckgc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gbcgne32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pidhjg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akahokho.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfjnja32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Immqeq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nifhop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gcqika32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeommfnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdhdcnng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gjhbic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjdkhpih.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peclcc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Boblbe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aiagck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfbjlgnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iackhb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Flnpoe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpknjp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bdidegec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhjdpgic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjgnhf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gknhlj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkcjlhdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Enblpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jlddbgai.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijgcmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gobnljhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mncdhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oajpjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpiqel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bhglpqeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Halkahoo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgqlig32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qmijij32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdodel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Feiamj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ogiqffhl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Paagkq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obhfhj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Biegpl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cckhlhcj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njklioqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhhhjhkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ligliagg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jofhqiec.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmfkcf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnmlgpeo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhpadpke.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mipjbokm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nkfaqkcq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdlkpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iedmhlqf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkbphfab.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gbecce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cckjeq32.exe
Executes dropped EXE (64 IoCs)
Processes: Dpenkgfq.exe, Dfbfcn32.exe, Dbighojl.exe, Dghlfe32.exe, Dqqqokla.exe, Egmeadbk.exe, Ecdffe32.exe, Egaoldnf.exe, Eickdlcd.exe, Epopff32.exe, Epamlegl.exe, Fpdjaeei.exe, Flkjffkm.exe, Fdhlphff.exe, Fmqpinlf.exe, Gaoiol32.exe, Gfkagc32.exe, Geqnho32.exe, Goicaell.exe, Gokpgd32.exe, Gonlld32.exe, Hmcimq32.exe, Hdmajkdl.exe, Hmefcp32.exe, Hilghaqq.exe, Hdakej32.exe, Hcghffen.exe, Ipkhpk32.exe, Ipmeej32.exe, Ilcfjkgj.exe, Icnngeof.exe, Iackhb32.exe, Igpcpi32.exe, Idcdjmao.exe, Jjqlbdog.exe, Jdfqomom.exe, Jggiah32.exe, Jgiffg32.exe, Jcpglhpo.exe, Jimodo32.exe, Jofhqiec.exe, Kkmhej32.exe, Kiaiooja.exe, Kbjmhd32.exe, Lpiqel32.exe, Lfbibfmi.exe, Licbca32.exe, Lblflgqk.exe, Lejbhbpn.exe, Lldkem32.exe, Mihkoa32.exe, Mkihfi32.exe, Macpcccp.exe, Mlidplcf.exe, Mmjqhd32.exe, Mgbeqjpd.exe, Mmlmmdga.exe, Mkqnghfk.exe, Majfcb32.exe, Mkcjlhdh.exe, Nldgdpjf.exe, Ngikaijm.exe, Nlfdjphd.exe, Neohbe32.exe

pid | process
344 | Dpenkgfq.exe
2428 | Dfbfcn32.exe
2808 | Dbighojl.exe
2728 | Dghlfe32.exe
2616 | Dqqqokla.exe
2596 | Egmeadbk.exe
2104 | Ecdffe32.exe
2696 | Egaoldnf.exe
2268 | Eickdlcd.exe
2500 | Epopff32.exe
2864 | Epamlegl.exe
1448 | Fpdjaeei.exe
3008 | Flkjffkm.exe
1372 | Fdhlphff.exe
2168 | Fmqpinlf.exe
1508 | Gaoiol32.exe
1728 | Gfkagc32.exe
764 | Geqnho32.exe
944 | Goicaell.exe
1676 | Gokpgd32.exe
1004 | Gonlld32.exe
1276 | Hmcimq32.exe
1908 | Hdmajkdl.exe
2676 | Hmefcp32.exe
2124 | Hilghaqq.exe
2908 | Hdakej32.exe
2444 | Hcghffen.exe
2704 | Ipkhpk32.exe
2892 | Ipmeej32.exe
2840 | Ilcfjkgj.exe
2968 | Icnngeof.exe
2044 | Iackhb32.exe
2216 | Igpcpi32.exe
2184 | Idcdjmao.exe
2964 | Jjqlbdog.exe
1864 | Jdfqomom.exe
1860 | Jggiah32.exe
1544 | Jgiffg32.exe
1768 | Jcpglhpo.exe
1488 | Jimodo32.exe
2020 | Jofhqiec.exe
1944 | Kkmhej32.exe
460 | Kiaiooja.exe
1808 | Kbjmhd32.exe
1540 | Lpiqel32.exe
916 | Lfbibfmi.exe
1032 | Licbca32.exe
2096 | Lblflgqk.exe
864 | Lejbhbpn.exe
2036 | Lldkem32.exe
2736 | Mihkoa32.exe
2800 | Mkihfi32.exe
2912 | Macpcccp.exe
1852 | Mlidplcf.exe
2636 | Mmjqhd32.exe
2656 | Mgbeqjpd.exe
2632 | Mmlmmdga.exe
2088 | Mkqnghfk.exe
1496 | Majfcb32.exe
2484 | Mkcjlhdh.exe
2772 | Nldgdpjf.exe
1952 | Ngikaijm.exe
684 | Nlfdjphd.exe
1644 | Neohbe32.exe
Loads dropped DLL (64 IoCs)
Processes: Backdoor.Win32.Berbew.exe, Dpenkgfq.exe, Dfbfcn32.exe, Dbighojl.exe, Dghlfe32.exe, Dqqqokla.exe, Egmeadbk.exe, Ecdffe32.exe, Egaoldnf.exe, Eickdlcd.exe, Epopff32.exe, Epamlegl.exe, Fpdjaeei.exe, Flkjffkm.exe, Fdhlphff.exe, Fmqpinlf.exe, Gaoiol32.exe, Gfkagc32.exe, Geqnho32.exe, Goicaell.exe, Gokpgd32.exe, Gonlld32.exe, Hmcimq32.exe, Hdmajkdl.exe, Hmefcp32.exe, Hilghaqq.exe, Hdakej32.exe, Hcghffen.exe, Ipkhpk32.exe, Ipmeej32.exe, Ilcfjkgj.exe, Icnngeof.exe

pid | process
1616 | Backdoor.Win32.Berbew.exe
1616 | Backdoor.Win32.Berbew.exe
344 | Dpenkgfq.exe
344 | Dpenkgfq.exe
2428 | Dfbfcn32.exe
2428 | Dfbfcn32.exe
2808 | Dbighojl.exe
2808 | Dbighojl.exe
2728 | Dghlfe32.exe
2728 | Dghlfe32.exe
2616 | Dqqqokla.exe
2616 | Dqqqokla.exe
2596 | Egmeadbk.exe
2596 | Egmeadbk.exe
2104 | Ecdffe32.exe
2104 | Ecdffe32.exe
2696 | Egaoldnf.exe
2696 | Egaoldnf.exe
2268 | Eickdlcd.exe
2268 | Eickdlcd.exe
2500 | Epopff32.exe
2500 | Epopff32.exe
2864 | Epamlegl.exe
2864 | Epamlegl.exe
1448 | Fpdjaeei.exe
1448 | Fpdjaeei.exe
3008 | Flkjffkm.exe
3008 | Flkjffkm.exe
1372 | Fdhlphff.exe
1372 | Fdhlphff.exe
2168 | Fmqpinlf.exe
2168 | Fmqpinlf.exe
1508 | Gaoiol32.exe
1508 | Gaoiol32.exe
1728 | Gfkagc32.exe
1728 | Gfkagc32.exe
764 | Geqnho32.exe
764 | Geqnho32.exe
944 | Goicaell.exe
944 | Goicaell.exe
1676 | Gokpgd32.exe
1676 | Gokpgd32.exe
1004 | Gonlld32.exe
1004 | Gonlld32.exe
1276 | Hmcimq32.exe
1276 | Hmcimq32.exe
1908 | Hdmajkdl.exe
1908 | Hdmajkdl.exe
2676 | Hmefcp32.exe
2676 | Hmefcp32.exe
2124 | Hilghaqq.exe
2124 | Hilghaqq.exe
2908 | Hdakej32.exe
2908 | Hdakej32.exe
2444 | Hcghffen.exe
2444 | Hcghffen.exe
2704 | Ipkhpk32.exe
2704 | Ipkhpk32.exe
2892 | Ipmeej32.exe
2892 | Ipmeej32.exe
2840 | Ilcfjkgj.exe
2840 | Ilcfjkgj.exe
2968 | Icnngeof.exe
2968 | Icnngeof.exe
Drops file in System32 directory (64 IoCs)
Processes: Abghlk32.exe, Jggiah32.exe, Khlhiijk.exe, Pkalph32.exe, Ilianckh.exe, Fjimefie.exe, Jlgcqp32.exe, Ehnmgo32.exe, Jndjoi32.exe, Aiagck32.exe, Jflikm32.exe, Nbckeb32.exe, Eonhbg32.exe, Gjeedcjh.exe, Lnflif32.exe, Mncdhc32.exe, Lqknfq32.exe, Hnedfljc.exe, Oecpeqdo.exe, Dlepmnhq.exe, Nagakhfn.exe, Oieencik.exe, Aieihpgi.exe, Dopfpkng.exe, Cbjbof32.exe, Fjpbeecn.exe, Kjngjj32.exe, Edgfpbcl.exe, Gmfnen32.exe, Hilghaqq.exe, Hjeojnep.exe, Kdfogiil.exe, Lqfbbh32.exe, Aoqjhiie.exe, Bcnomjbg.exe, Bknani32.exe, Nldbbbno.exe, Cckhlhcj.exe, Fcnmne32.exe, Gobnljhp.exe, Kefnjdgc.exe, Epgqddoh.exe, Hcghffen.exe, Bonepo32.exe, Imppciin.exe, Ognakk32.exe, Beqogc32.exe, Qjaejbmq.exe, Iljjabfh.exe, Dmklikob.exe, Ahijpa32.exe, Jfhpkbbj.exe, Icnngeof.exe, Geqnho32.exe, Ipedihgm.exe, Lpfmefdc.exe, Dhadhakp.exe, Hekfpo32.exe, Jnjoap32.exe, Cefpmiji.exe, Ghjkki32.exe, Cpccnp32.exe, Immnlh32.exe

description | ioc | process
File created | C:\Windows\SysWOW64\Abkdac32.dll | Abghlk32.exe
File created | C:\Windows\SysWOW64\Imcamh32.dll | Jggiah32.exe
File created | C:\Windows\SysWOW64\Aeegdc32.dll | Khlhiijk.exe
File created | C:\Windows\SysWOW64\Pdjqinld.exe | Pkalph32.exe
File created | C:\Windows\SysWOW64\Jeafgiai.exe | Ilianckh.exe
File opened for modification | C:\Windows\SysWOW64\Fqbeapqb.exe | Fjimefie.exe
File opened for modification | C:\Windows\SysWOW64\Kmfpjb32.exe | Jlgcqp32.exe
File opened for modification | C:\Windows\SysWOW64\Eafapd32.exe | Ehnmgo32.exe
File opened for modification | C:\Windows\SysWOW64\Jgmnhojl.exe | Jndjoi32.exe
File opened for modification | C:\Windows\SysWOW64\Adglqd32.exe | Aiagck32.exe
File created | C:\Windows\SysWOW64\Ildgdpca.dll | Jflikm32.exe
File opened for modification | C:\Windows\SysWOW64\Neagan32.exe | Nbckeb32.exe
File created | C:\Windows\SysWOW64\Ledkdoii.dll | Eonhbg32.exe
File created | C:\Windows\SysWOW64\Kqeeabhm.dll | Gjeedcjh.exe
File opened for modification | C:\Windows\SysWOW64\Lpdhea32.exe | Lnflif32.exe
File created | C:\Windows\SysWOW64\Moijkk32.exe | Mncdhc32.exe
File created | C:\Windows\SysWOW64\Nhbmjp32.dll | Lqknfq32.exe
File created | C:\Windows\SysWOW64\Hhmioa32.exe | Hnedfljc.exe
File created | C:\Windows\SysWOW64\Ieebfp32.dll | Oecpeqdo.exe
File created | C:\Windows\SysWOW64\Hdpbnp32.dll | Dlepmnhq.exe
File created | C:\Windows\SysWOW64\Ojpedn32.exe | Nagakhfn.exe
File opened for modification | C:\Windows\SysWOW64\Ockiklha.exe | Oieencik.exe
File opened for modification | C:\Windows\SysWOW64\Agkfil32.exe | Aieihpgi.exe
File created | C:\Windows\SysWOW64\Mlhfno32.dll | Dopfpkng.exe
File opened for modification | C:\Windows\SysWOW64\Chgkgmoo.exe | Cbjbof32.exe
File created | C:\Windows\SysWOW64\Fdgoff32.dll | Fjpbeecn.exe
File created | C:\Windows\SysWOW64\Kdckgc32.exe | Kjngjj32.exe
File created | C:\Windows\SysWOW64\Emojih32.exe | Edgfpbcl.exe
File created | C:\Windows\SysWOW64\Bebbbi32.dll | Gmfnen32.exe
File created | C:\Windows\SysWOW64\Gqhkqk32.dll | Hilghaqq.exe
File created | C:\Windows\SysWOW64\Ojjaac32.dll | Hjeojnep.exe
File opened for modification | C:\Windows\SysWOW64\Knocpn32.exe | Kdfogiil.exe
File opened for modification | C:\Windows\SysWOW64\Ljogknmf.exe | Lqfbbh32.exe
File created | C:\Windows\SysWOW64\Kicmee32.dll | Aoqjhiie.exe
File created | C:\Windows\SysWOW64\Aofnic32.dll | Bcnomjbg.exe
File created | C:\Windows\SysWOW64\Bgebcj32.exe | Bknani32.exe
File created | C:\Windows\SysWOW64\Bndckc32.exe | Bcnomjbg.exe
File created | C:\Windows\SysWOW64\Gedelbdk.dll | Nldbbbno.exe
File created | C:\Windows\SysWOW64\Cjepib32.exe | Cckhlhcj.exe
File created | C:\Windows\SysWOW64\Gnhffghb.dll | Fcnmne32.exe
File created | C:\Windows\SysWOW64\Gjhbic32.exe | Gobnljhp.exe
File created | C:\Windows\SysWOW64\Llpmjepo.dll | Kefnjdgc.exe
File created | C:\Windows\SysWOW64\Lbpkgl32.dll | Epgqddoh.exe
File created | C:\Windows\SysWOW64\Ipkhpk32.exe | Hcghffen.exe
File opened for modification | C:\Windows\SysWOW64\Bhfjid32.exe | Bonepo32.exe
File created | C:\Windows\SysWOW64\Ibmhlpge.exe | Imppciin.exe
File created | C:\Windows\SysWOW64\Amgdol32.dll | Ognakk32.exe
File created | C:\Windows\SysWOW64\Coidpiac.exe | Beqogc32.exe
File created | C:\Windows\SysWOW64\Ajcbpbkn.exe | Qjaejbmq.exe
File created | C:\Windows\SysWOW64\Ohkmdami.dll | Iljjabfh.exe
File created | C:\Windows\SysWOW64\Pcknjb32.dll | Dmklikob.exe
File created | C:\Windows\SysWOW64\Pbmhomoj.dll | Ahijpa32.exe
File opened for modification | C:\Windows\SysWOW64\Jppedg32.exe | Jfhpkbbj.exe
File created | C:\Windows\SysWOW64\Iackhb32.exe | Icnngeof.exe
File created | C:\Windows\SysWOW64\Djlfjh32.dll | Geqnho32.exe
File created | C:\Windows\SysWOW64\Nlngdfab.dll | Ipedihgm.exe
File created | C:\Windows\SysWOW64\Ngknpb32.dll | Lpfmefdc.exe
File opened for modification | C:\Windows\SysWOW64\Deeeafii.exe | Dhadhakp.exe
File created | C:\Windows\SysWOW64\Hjgnhf32.exe | Hekfpo32.exe
File created | C:\Windows\SysWOW64\Jgccjenb.exe | Jnjoap32.exe
File opened for modification | C:\Windows\SysWOW64\Clphjc32.exe | Cefpmiji.exe
File created | C:\Windows\SysWOW64\Odjhea32.dll | Ghjkki32.exe
File created | C:\Windows\SysWOW64\Dmhcgd32.exe | Cpccnp32.exe
File created | C:\Windows\SysWOW64\Idffib32.exe | Immnlh32.exe
Program crash (1 IoC)
Processes: WerFault.exe

pid | pid_target | process | target process
4516 | 4356 | WerFault.exe | Jppedg32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Fobodn32.exe, Pfiafk32.exe, Iibgmk32.exe, Epdafl32.exe, Klniao32.exe, Jfbnmckp.exe, Njlnbg32.exe, Odiagj32.exe, Nacgpi32.exe, Jankcafl.exe, Jfhpkbbj.exe, Gekncjfe.exe, Bndckc32.exe, Dpoapf32.exe, Ebaggaeo.exe, Kbjmhd32.exe, Fmqpinlf.exe, Oimpppoj.exe, Bbnlia32.exe, Dolondiq.exe, Onognkne.exe, Lpiqel32.exe, Phdiglap.exe, Gndedhdj.exe, Jbhlilip.exe, Gdlplb32.exe, Bgmagh32.exe, Cknikooe.exe, Gaoiol32.exe, Fgjnpb32.exe, Efgnfi32.exe, Dccgpf32.exe, Ndcqbdge.exe, Mkgllndq.exe, Eaacch32.exe, Bbmeokdm.exe, Kbikah32.exe, Mkihfi32.exe, Hhqmogam.exe, Gjhbic32.exe, Ncqmbn32.exe, Licbca32.exe, Imokbhjf.exe, Qmmbhegc.exe, Pdjqinld.exe, Ahijpa32.exe, Klaojm32.exe, Opohil32.exe, Cjbccb32.exe, Deckeo32.exe, Mbadih32.exe, Mbiokdam.exe, Opmnle32.exe, Nmdfglhm.exe, Adglqd32.exe, Jegknp32.exe, Cidhcg32.exe, Epgqddoh.exe, Bpmajb32.exe, Cmkkhfmn.exe, Hjeojnep.exe, Ilohnopg.exe, Kmfpjb32.exe, Abacjd32.exe

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fobodn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfiafk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iibgmk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epdafl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klniao32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfbnmckp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njlnbg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odiagj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nacgpi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jankcafl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfhpkbbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gekncjfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bndckc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpoapf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ebaggaeo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbjmhd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmqpinlf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oimpppoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbnlia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dolondiq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onognkne.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpiqel32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phdiglap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gndedhdj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbhlilip.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdlplb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgmagh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cknikooe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaoiol32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgjnpb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efgnfi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dccgpf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndcqbdge.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkgllndq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eaacch32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbmeokdm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbikah32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkihfi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhqmogam.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gjhbic32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncqmbn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Licbca32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imokbhjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qmmbhegc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdjqinld.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahijpa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klaojm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opohil32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjbccb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Deckeo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbadih32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbiokdam.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opmnle32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmdfglhm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Adglqd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jegknp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cidhcg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epgqddoh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpmajb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmkkhfmn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjeojnep.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilohnopg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmfpjb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abacjd32.exe
Modifies registry class (64 IoCs)
Processes: Jlnadiko.exe, Hdikch32.exe, Eickdlcd.exe, Diljpn32.exe, Hmqjoljn.exe, Qhadob32.exe, Geqnho32.exe, Cmkkhfmn.exe, Onognkne.exe, Hbblbb32.exe, Hdkhihdn.exe, Caajmilh.exe, Jpkgggnh.exe, Bcnomjbg.exe, Enblpe32.exe, Fjpbeecn.exe, Dcpagg32.exe, Hpehje32.exe, Pokkkgpo.exe, Enliaf32.exe, Plbbmjhf.exe, Ckhdihlp.exe, Dlkfli32.exe, Kdhgkk32.exe, Nhmdoq32.exe, Ellfmm32.exe, Ojpedn32.exe, Gbcgne32.exe, Pfabbmeh.exe, Jcekdg32.exe, Khlhiijk.exe, Pofqhdnd.exe, Bokfaflj.exe, Kefnjdgc.exe, Pleqkb32.exe, Pmpcoabe.exe, Ajcbpbkn.exe, Iljjabfh.exe, Inecnh32.exe, Cgicko32.exe, Lcbbidgl.exe, Oabdol32.exe, Ejoagm32.exe, Hfanlpff.exe, Mbiokdam.exe, Bbnjphpe.exe, Egmhjm32.exe, Fphgpnhm.exe, Aalemg32.exe, Gcqika32.exe, Ogldfl32.exe, Amdhidqk.exe, Kbdmboqk.exe, Immnlh32.exe, Nlieqa32.exe, Bhfjid32.exe, Cnanbijd.exe, Hdfoni32.exe, Iffggo32.exe, Pkalph32.exe, Acdcdm32.exe, Aiioanpf.exe, Oelcjkgk.exe

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jlnadiko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hdikch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eickdlcd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Diljpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmqjoljn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qhadob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djlfjh32.dll" | Geqnho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cmkkhfmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Onognkne.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hbblbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmopefo.dll" | Hdkhihdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Caajmilh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jpkgggnh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bcnomjbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idpipo32.dll" | Enblpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdgoff32.dll" | Fjpbeecn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dcpagg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmpepjid.dll" | Hpehje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pokkkgpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpiiajg.dll" | Enliaf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Plbbmjhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ckhdihlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdcnhdo.dll" | Dlkfli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akafqmpa.dll" | Kdhgkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhmdoq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Plbbmjhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Digipn32.dll" | Ellfmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ojpedn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gbcgne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfabbmeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihnllccc.dll" | Jcekdg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Khlhiijk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pofqhdnd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bokfaflj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kefnjdgc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pleqkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmpcoabe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ajcbpbkn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iljjabfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbohioq.dll" | Inecnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpjkiol.dll" | Cgicko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqcdgj32.dll" | Lcbbidgl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oabdol32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ejoagm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anflgdik.dll" | Hfanlpff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbiokdam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnolgkcg.dll" | Bbnjphpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egaoij32.dll" | Egmhjm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fphgpnhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhgqehfk.dll" | Aalemg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gcqika32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ogldfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iabjgoga.dll" | Amdhidqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inknaqhd.dll" | Kbdmboqk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Immnlh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nlieqa32.exe
Key created
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhfjid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbcooei.dll" Cnanbijd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdfoni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihpebpdb.dll" Iffggo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkalph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnedbof.dll" Acdcdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfcpnn32.dll" Aiioanpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oelcjkgk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
depth | image path | command line | PID | matched signatures
1 | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe" | 1616 | Loads dropped DLL; Suspicious use of WriteProcessMemory
2 | C:\Windows\SysWOW64\Dpenkgfq.exe | C:\Windows\system32\Dpenkgfq.exe | 344 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3 | C:\Windows\SysWOW64\Dfbfcn32.exe | C:\Windows\system32\Dfbfcn32.exe | 2428 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4 | C:\Windows\SysWOW64\Dbighojl.exe | C:\Windows\system32\Dbighojl.exe | 2808 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | C:\Windows\SysWOW64\Dghlfe32.exe | C:\Windows\system32\Dghlfe32.exe | 2728 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 | C:\Windows\SysWOW64\Dqqqokla.exe | C:\Windows\system32\Dqqqokla.exe | 2616 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | C:\Windows\SysWOW64\Egmeadbk.exe | C:\Windows\system32\Egmeadbk.exe | 2596 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8 | C:\Windows\SysWOW64\Ecdffe32.exe | C:\Windows\system32\Ecdffe32.exe | 2104 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 | C:\Windows\SysWOW64\Egaoldnf.exe | C:\Windows\system32\Egaoldnf.exe | 2696 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 | C:\Windows\SysWOW64\Eickdlcd.exe | C:\Windows\system32\Eickdlcd.exe | 2268 | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
11 | C:\Windows\SysWOW64\Epopff32.exe | C:\Windows\system32\Epopff32.exe | 2500 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | C:\Windows\SysWOW64\Epamlegl.exe | C:\Windows\system32\Epamlegl.exe | 2864 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13 | C:\Windows\SysWOW64\Fpdjaeei.exe | C:\Windows\system32\Fpdjaeei.exe | 1448 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14 | C:\Windows\SysWOW64\Flkjffkm.exe | C:\Windows\system32\Flkjffkm.exe | 3008 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | C:\Windows\SysWOW64\Fdhlphff.exe | C:\Windows\system32\Fdhlphff.exe | 1372 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16 | C:\Windows\SysWOW64\Fmqpinlf.exe | C:\Windows\system32\Fmqpinlf.exe | 2168 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
17 | C:\Windows\SysWOW64\Gaoiol32.exe | C:\Windows\system32\Gaoiol32.exe | 1508 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
18 | C:\Windows\SysWOW64\Gfkagc32.exe | C:\Windows\system32\Gfkagc32.exe | 1728 | Executes dropped EXE; Loads dropped DLL
19 | C:\Windows\SysWOW64\Geqnho32.exe | C:\Windows\system32\Geqnho32.exe | 764 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
20 | C:\Windows\SysWOW64\Goicaell.exe | C:\Windows\system32\Goicaell.exe | 944 | Executes dropped EXE; Loads dropped DLL
21 | C:\Windows\SysWOW64\Gokpgd32.exe | C:\Windows\system32\Gokpgd32.exe | 1676 | Executes dropped EXE; Loads dropped DLL
22 | C:\Windows\SysWOW64\Gonlld32.exe | C:\Windows\system32\Gonlld32.exe | 1004 | Executes dropped EXE; Loads dropped DLL
23 | C:\Windows\SysWOW64\Hmcimq32.exe | C:\Windows\system32\Hmcimq32.exe | 1276 | Executes dropped EXE; Loads dropped DLL
24 | C:\Windows\SysWOW64\Hdmajkdl.exe | C:\Windows\system32\Hdmajkdl.exe | 1908 | Executes dropped EXE; Loads dropped DLL
25 | C:\Windows\SysWOW64\Hmefcp32.exe | C:\Windows\system32\Hmefcp32.exe | 2676 | Executes dropped EXE; Loads dropped DLL
26 | C:\Windows\SysWOW64\Hilghaqq.exe | C:\Windows\system32\Hilghaqq.exe | 2124 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
27 | C:\Windows\SysWOW64\Hdakej32.exe | C:\Windows\system32\Hdakej32.exe | 2908 | Executes dropped EXE; Loads dropped DLL
28 | C:\Windows\SysWOW64\Hcghffen.exe | C:\Windows\system32\Hcghffen.exe | 2444 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
29 | C:\Windows\SysWOW64\Ipkhpk32.exe | C:\Windows\system32\Ipkhpk32.exe | 2704 | Executes dropped EXE; Loads dropped DLL
30 | C:\Windows\SysWOW64\Ipmeej32.exe | C:\Windows\system32\Ipmeej32.exe | 2892 | Executes dropped EXE; Loads dropped DLL
31 | C:\Windows\SysWOW64\Ilcfjkgj.exe | C:\Windows\system32\Ilcfjkgj.exe | 2840 | Executes dropped EXE; Loads dropped DLL
32 | C:\Windows\SysWOW64\Icnngeof.exe | C:\Windows\system32\Icnngeof.exe | 2968 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
33 | C:\Windows\SysWOW64\Iackhb32.exe | C:\Windows\system32\Iackhb32.exe | 2044 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
34 | C:\Windows\SysWOW64\Igpcpi32.exe | C:\Windows\system32\Igpcpi32.exe | 2216 | Executes dropped EXE
35 | C:\Windows\SysWOW64\Idcdjmao.exe | C:\Windows\system32\Idcdjmao.exe | 2184 | Executes dropped EXE
36 | C:\Windows\SysWOW64\Jjqlbdog.exe | C:\Windows\system32\Jjqlbdog.exe | 2964 | Executes dropped EXE
37 | C:\Windows\SysWOW64\Jdfqomom.exe | C:\Windows\system32\Jdfqomom.exe | 1864 | Executes dropped EXE
38 | C:\Windows\SysWOW64\Jggiah32.exe | C:\Windows\system32\Jggiah32.exe | 1860 | Executes dropped EXE; Drops file in System32 directory
39 | C:\Windows\SysWOW64\Jgiffg32.exe | C:\Windows\system32\Jgiffg32.exe | 1544 | Executes dropped EXE
40 | C:\Windows\SysWOW64\Jcpglhpo.exe | C:\Windows\system32\Jcpglhpo.exe | 1768 | Executes dropped EXE
41 | C:\Windows\SysWOW64\Jimodo32.exe | C:\Windows\system32\Jimodo32.exe | 1488 | Executes dropped EXE
42 | C:\Windows\SysWOW64\Jofhqiec.exe | C:\Windows\system32\Jofhqiec.exe | 2020 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
43 | C:\Windows\SysWOW64\Kkmhej32.exe | C:\Windows\system32\Kkmhej32.exe | 1944 | Executes dropped EXE
44 | C:\Windows\SysWOW64\Kiaiooja.exe | C:\Windows\system32\Kiaiooja.exe | 460 | Executes dropped EXE
45 | C:\Windows\SysWOW64\Kbjmhd32.exe | C:\Windows\system32\Kbjmhd32.exe | 1808 | Executes dropped EXE; System Location Discovery: System Language Discovery
46 | C:\Windows\SysWOW64\Lpiqel32.exe | C:\Windows\system32\Lpiqel32.exe | 1540 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
47 | C:\Windows\SysWOW64\Lfbibfmi.exe | C:\Windows\system32\Lfbibfmi.exe | 916 | Executes dropped EXE
48 | C:\Windows\SysWOW64\Licbca32.exe | C:\Windows\system32\Licbca32.exe | 1032 | Executes dropped EXE; System Location Discovery: System Language Discovery
49 | C:\Windows\SysWOW64\Lblflgqk.exe | C:\Windows\system32\Lblflgqk.exe | 2096 | Executes dropped EXE
50 | C:\Windows\SysWOW64\Lejbhbpn.exe | C:\Windows\system32\Lejbhbpn.exe | 864 | Executes dropped EXE
51 | C:\Windows\SysWOW64\Lldkem32.exe | C:\Windows\system32\Lldkem32.exe | 2036 | Executes dropped EXE
52 | C:\Windows\SysWOW64\Lbncbgoh.exe | C:\Windows\system32\Lbncbgoh.exe | 2544 |
53 | C:\Windows\SysWOW64\Mihkoa32.exe | C:\Windows\system32\Mihkoa32.exe | 2736 | Executes dropped EXE
54 | C:\Windows\SysWOW64\Mkihfi32.exe | C:\Windows\system32\Mkihfi32.exe | 2800 | Executes dropped EXE; System Location Discovery: System Language Discovery
55 | C:\Windows\SysWOW64\Macpcccp.exe | C:\Windows\system32\Macpcccp.exe | 2912 | Executes dropped EXE
56 | C:\Windows\SysWOW64\Mlidplcf.exe | C:\Windows\system32\Mlidplcf.exe | 1852 | Executes dropped EXE
57 | C:\Windows\SysWOW64\Mmjqhd32.exe | C:\Windows\system32\Mmjqhd32.exe | 2636 | Executes dropped EXE
58 | C:\Windows\SysWOW64\Mgbeqjpd.exe | C:\Windows\system32\Mgbeqjpd.exe | 2656 | Executes dropped EXE
59 | C:\Windows\SysWOW64\Mmlmmdga.exe | C:\Windows\system32\Mmlmmdga.exe | 2632 | Executes dropped EXE
60 | C:\Windows\SysWOW64\Mkqnghfk.exe | C:\Windows\system32\Mkqnghfk.exe | 2088 | Executes dropped EXE
61 | C:\Windows\SysWOW64\Majfcb32.exe | C:\Windows\system32\Majfcb32.exe | 1496 | Executes dropped EXE
62 | C:\Windows\SysWOW64\Mkcjlhdh.exe | C:\Windows\system32\Mkcjlhdh.exe | 2484 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
63 | C:\Windows\SysWOW64\Nldgdpjf.exe | C:\Windows\system32\Nldgdpjf.exe | 2772 | Executes dropped EXE
64 | C:\Windows\SysWOW64\Ngikaijm.exe | C:\Windows\system32\Ngikaijm.exe | 1952 | Executes dropped EXE
65 | C:\Windows\SysWOW64\Nlfdjphd.exe | C:\Windows\system32\Nlfdjphd.exe | 684 | Executes dropped EXE
66 | C:\Windows\SysWOW64\Neohbe32.exe | C:\Windows\system32\Neohbe32.exe | 1644 | Executes dropped EXE
67 | C:\Windows\SysWOW64\Nhmdoq32.exe | C:\Windows\system32\Nhmdoq32.exe | 876 | Modifies registry class
68 | C:\Windows\SysWOW64\Naeigf32.exe | C:\Windows\system32\Naeigf32.exe | 912 |
69 | C:\Windows\SysWOW64\Nhpadpke.exe | C:\Windows\system32\Nhpadpke.exe | 1476 | Adds autorun key to be loaded by Explorer.exe on startup
70 | C:\Windows\SysWOW64\Nahemf32.exe | C:\Windows\system32\Nahemf32.exe | 1492 |
71 | C:\Windows\SysWOW64\Ndfbia32.exe | C:\Windows\system32\Ndfbia32.exe | 2464 |
72 | C:\Windows\SysWOW64\Nolffjap.exe | C:\Windows\system32\Nolffjap.exe | 2904 |
73 | C:\Windows\SysWOW64\Nefncd32.exe | C:\Windows\system32\Nefncd32.exe | 2984 |
74 | C:\Windows\SysWOW64\Okbgkk32.exe | C:\Windows\system32\Okbgkk32.exe | 2960 |
75 | C:\Windows\SysWOW64\Opoocb32.exe | C:\Windows\system32\Opoocb32.exe | 2592 |
76 | C:\Windows\SysWOW64\Ogigpllh.exe | C:\Windows\system32\Ogigpllh.exe | 2624 |
77 | C:\Windows\SysWOW64\Oncpmf32.exe | C:\Windows\system32\Oncpmf32.exe | 1324 |
78 | C:\Windows\SysWOW64\Odmhjp32.exe | C:\Windows\system32\Odmhjp32.exe | 2084 |
79 | C:\Windows\SysWOW64\Ogldfl32.exe | C:\Windows\system32\Ogldfl32.exe | 1000 | Modifies registry class
80 | C:\Windows\SysWOW64\Ognakk32.exe | C:\Windows\system32\Ognakk32.exe | 1088 | Drops file in System32 directory
81 | C:\Windows\SysWOW64\Onhihepp.exe | C:\Windows\system32\Onhihepp.exe | 2208 |
82 | C:\Windows\SysWOW64\Ogpnakfp.exe | C:\Windows\system32\Ogpnakfp.exe | 1612 |
83 | C:\Windows\SysWOW64\Ohajic32.exe | C:\Windows\system32\Ohajic32.exe | 2476 |
84 | C:\Windows\SysWOW64\Pcgnfl32.exe | C:\Windows\system32\Pcgnfl32.exe | 1652 |
85 | C:\Windows\SysWOW64\Pmpcoabe.exe | C:\Windows\system32\Pmpcoabe.exe | 2224 | Modifies registry class
86 | C:\Windows\SysWOW64\Pdkgcd32.exe | C:\Windows\system32\Pdkgcd32.exe | 2172 |
87 | C:\Windows\SysWOW64\Pkeppngm.exe | C:\Windows\system32\Pkeppngm.exe | 848 |
88 | C:\Windows\SysWOW64\Pemdic32.exe | C:\Windows\system32\Pemdic32.exe | 2780 |
89 | C:\Windows\SysWOW64\Pkglenej.exe | C:\Windows\system32\Pkglenej.exe | 2052 |
90 | C:\Windows\SysWOW64\Peoanckj.exe | C:\Windows\system32\Peoanckj.exe | 2756 |
91 | C:\Windows\SysWOW64\Pkiikm32.exe | C:\Windows\system32\Pkiikm32.exe | 2672 |
92 | C:\Windows\SysWOW64\Pgpjpnhk.exe | C:\Windows\system32\Pgpjpnhk.exe | 2092 |
93 | C:\Windows\SysWOW64\Qmmbhegc.exe | C:\Windows\system32\Qmmbhegc.exe | 2576 | System Location Discovery: System Language Discovery
94 | C:\Windows\SysWOW64\Qfegakmc.exe | C:\Windows\system32\Qfegakmc.exe | 2076 |
95 | C:\Windows\SysWOW64\Qmoone32.exe | C:\Windows\system32\Qmoone32.exe | 856 |
96 | C:\Windows\SysWOW64\Aifpcfjd.exe | C:\Windows\system32\Aifpcfjd.exe | 2236 |
97 | C:\Windows\SysWOW64\Afjplj32.exe | C:\Windows\system32\Afjplj32.exe | 2252 |
98 | C:\Windows\SysWOW64\Amdhidqk.exe | C:\Windows\system32\Amdhidqk.exe | 2148 | Modifies registry class
99 | C:\Windows\SysWOW64\Aeommfnf.exe | C:\Windows\system32\Aeommfnf.exe | 1688 | Adds autorun key to be loaded by Explorer.exe on startup
100 | C:\Windows\SysWOW64\Abcngkmp.exe | C:\Windows\system32\Abcngkmp.exe | 2188 |
101 | C:\Windows\SysWOW64\Ahpfoa32.exe | C:\Windows\system32\Ahpfoa32.exe | 2432 |
102 | C:\Windows\SysWOW64\Aipbidbj.exe | C:\Windows\system32\Aipbidbj.exe | 784 |
103 | C:\Windows\SysWOW64\Anlkakqa.exe | C:\Windows\system32\Anlkakqa.exe | 2724 |
104 | C:\Windows\SysWOW64\Bhdpjaga.exe | C:\Windows\system32\Bhdpjaga.exe | 2628 |
105 | C:\Windows\SysWOW64\Boohgk32.exe | C:\Windows\system32\Boohgk32.exe | 2128 |
106 | C:\Windows\SysWOW64\Bhglpqeo.exe | C:\Windows\system32\Bhglpqeo.exe | 964 | Adds autorun key to be loaded by Explorer.exe on startup
107 | C:\Windows\SysWOW64\Boadlk32.exe | C:\Windows\system32\Boadlk32.exe | 2848 |
108 | C:\Windows\SysWOW64\Bpbadcbj.exe | C:\Windows\system32\Bpbadcbj.exe | 1580 |
109 | C:\Windows\SysWOW64\Bikemiik.exe | C:\Windows\system32\Bikemiik.exe | 1772 |
110 | C:\Windows\SysWOW64\Bdpjjaiq.exe | C:\Windows\system32\Bdpjjaiq.exe | 1104 |
111 | C:\Windows\SysWOW64\Bimbbhgh.exe | C:\Windows\system32\Bimbbhgh.exe | 2180 |
112 | C:\Windows\SysWOW64\Bbegkn32.exe | C:\Windows\system32\Bbegkn32.exe | 600 |
113 | C:\Windows\SysWOW64\Cmkkhfmn.exe | C:\Windows\system32\Cmkkhfmn.exe | 2152 | System Location Discovery: System Language Discovery; Modifies registry class
114 | C:\Windows\SysWOW64\Colgpo32.exe | C:\Windows\system32\Colgpo32.exe | 1636 |
115 | C:\Windows\SysWOW64\Cefpmiji.exe | C:\Windows\system32\Cefpmiji.exe | 2748 | Drops file in System32 directory
116 | C:\Windows\SysWOW64\Clphjc32.exe | C:\Windows\system32\Clphjc32.exe | 2828 |
117 | C:\Windows\SysWOW64\Campbj32.exe | C:\Windows\system32\Campbj32.exe | 1660 |
118 | C:\Windows\SysWOW64\Cidhcg32.exe | C:\Windows\system32\Cidhcg32.exe | 2852 | System Location Discovery: System Language Discovery
119 | C:\Windows\SysWOW64\Caomgjnk.exe | C:\Windows\system32\Caomgjnk.exe | 2380 |
120 | C:\Windows\SysWOW64\Cleaebna.exe | C:\Windows\system32\Cleaebna.exe | 968 |
121 | C:\Windows\SysWOW64\Caajmilh.exe | C:\Windows\system32\Caajmilh.exe | 2368 | Modifies registry class
122 | C:\Windows\SysWOW64\Ckjnfobi.exe | C:\Windows\system32\Ckjnfobi.exe | 1468 |
123 | C:\Windows\SysWOW64\Dpggnfap.exe | C:\Windows\system32\Dpggnfap.exe | 756 |
124 | C:\Windows\SysWOW64\Dklkkoqf.exe | C:\Windows\system32\Dklkkoqf.exe | 532 |
125 | C:\Windows\SysWOW64\Dcgppana.exe | C:\Windows\system32\Dcgppana.exe | 2752 |
126 | C:\Windows\SysWOW64\Dnmdmj32.exe | C:\Windows\system32\Dnmdmj32.exe | 2768 |
127 | C:\Windows\SysWOW64\Djddbkck.exe | C:\Windows\system32\Djddbkck.exe | 2608 |
128 | C:\Windows\SysWOW64\Efoobkej.exe | C:\Windows\system32\Efoobkej.exe | 1176 |
129 | C:\Windows\SysWOW64\Efakhk32.exe | C:\Windows\system32\Efakhk32.exe | 1516 |
130 | C:\Windows\SysWOW64\Eqninhmc.exe | C:\Windows\system32\Eqninhmc.exe | 2288 |
131 | C:\Windows\SysWOW64\Ekcmkamj.exe | C:\Windows\system32\Ekcmkamj.exe | 2320 |
132 | C:\Windows\SysWOW64\Emdjbi32.exe | C:\Windows\system32\Emdjbi32.exe | 1384 |
133 | C:\Windows\SysWOW64\Fgjnpb32.exe | C:\Windows\system32\Fgjnpb32.exe | 1576 | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
134 | C:\Windows\SysWOW64\Fjhjlm32.exe | C:\Windows\system32\Fjhjlm32.exe | 2248 |
135 | C:\Windows\SysWOW64\Fcqoec32.exe | C:\Windows\system32\Fcqoec32.exe | 2764 |
136 | C:\Windows\SysWOW64\Fimgmj32.exe | C:\Windows\system32\Fimgmj32.exe | 2524 |
137 | C:\Windows\SysWOW64\Fcckjb32.exe | C:\Windows\system32\Fcckjb32.exe | 2856 | Adds autorun key to be loaded by Explorer.exe on startup
138 | C:\Windows\SysWOW64\Flnpoe32.exe | C:\Windows\system32\Flnpoe32.exe | 328 | Adds autorun key to be loaded by Explorer.exe on startup
139 | C:\Windows\SysWOW64\Fcehpbdm.exe | C:\Windows\system32\Fcehpbdm.exe | 1360 |
140 | C:\Windows\SysWOW64\Fefdhj32.exe | C:\Windows\system32\Fefdhj32.exe | 1320 |
141 | C:\Windows\SysWOW64\Fpliec32.exe | C:\Windows\system32\Fpliec32.exe | 2120 |
142 | C:\Windows\SysWOW64\Feiamj32.exe | C:\Windows\system32\Feiamj32.exe | 2732 | Adds autorun key to be loaded by Explorer.exe on startup
143 | C:\Windows\SysWOW64\Fpnekc32.exe | C:\Windows\system32\Fpnekc32.exe | 1948 |
144 | C:\Windows\SysWOW64\Gekncjfe.exe | C:\Windows\system32\Gekncjfe.exe | 816 | System Location Discovery: System Language Discovery
145 | C:\Windows\SysWOW64\Glefpd32.exe | C:\Windows\system32\Glefpd32.exe | 576 |
146 | C:\Windows\SysWOW64\Gabohk32.exe | C:\Windows\system32\Gabohk32.exe | 2420 |
147 | C:\Windows\SysWOW64\Gjjcqpbj.exe | C:\Windows\system32\Gjjcqpbj.exe | 1924 |
148 | C:\Windows\SysWOW64\Gdchifik.exe | C:\Windows\system32\Gdchifik.exe | 2008 |
149 | C:\Windows\SysWOW64\Gdedoegh.exe | C:\Windows\system32\Gdedoegh.exe | 1600 |
150 | C:\Windows\SysWOW64\Gmmihk32.exe | C:\Windows\system32\Gmmihk32.exe | 2372 |
151 | C:\Windows\SysWOW64\Ghcmedmo.exe | C:\Windows\system32\Ghcmedmo.exe | 2932 |
152 | C:\Windows\SysWOW64\Hmpemkkf.exe | C:\Windows\system32\Hmpemkkf.exe | 1972 |
153 | C:\Windows\SysWOW64\Hfhjfp32.exe | C:\Windows\system32\Hfhjfp32.exe | 2256 |
154 | C:\Windows\SysWOW64\Hdlkpd32.exe | C:\Windows\system32\Hdlkpd32.exe | 1680 | Adds autorun key to be loaded by Explorer.exe on startup
155 | C:\Windows\SysWOW64\Hlgodgnk.exe | C:\Windows\system32\Hlgodgnk.exe | 2680 |
156 | C:\Windows\SysWOW64\Hepdml32.exe | C:\Windows\system32\Hepdml32.exe | 2348 |
157 | C:\Windows\SysWOW64\Hpehje32.exe | C:\Windows\system32\Hpehje32.exe | 2740 | Modifies registry class
158 | C:\Windows\SysWOW64\Hhqmogam.exe | C:\Windows\system32\Hhqmogam.exe | 560 | System Location Discovery: System Language Discovery
159 | C:\Windows\SysWOW64\Iedmhlqf.exe | C:\Windows\system32\Iedmhlqf.exe | 2560 | Adds autorun key to be loaded by Explorer.exe on startup
160 | C:\Windows\SysWOW64\Ikafpbon.exe | C:\Windows\system32\Ikafpbon.exe | 1336 |
161 | C:\Windows\SysWOW64\Ihefjg32.exe | C:\Windows\system32\Ihefjg32.exe | 956 |
162 | C:\Windows\SysWOW64\Iankbldh.exe | C:\Windows\system32\Iankbldh.exe | 900 |
163 | C:\Windows\SysWOW64\Igjckcbo.exe | C:\Windows\system32\Igjckcbo.exe | 2416 |
164 | C:\Windows\SysWOW64\Indkgm32.exe | C:\Windows\system32\Indkgm32.exe | 1272 |
165 | C:\Windows\SysWOW64\Ijklmn32.exe | C:\Windows\system32\Ijklmn32.exe | 2384 |
166 | C:\Windows\SysWOW64\Ipedihgm.exe | C:\Windows\system32\Ipedihgm.exe | 3024 | Drops file in System32 directory
167 | C:\Windows\SysWOW64\Ijmibn32.exe | C:\Windows\system32\Ijmibn32.exe | 2888 |
168 | C:\Windows\SysWOW64\Jfdigocb.exe | C:\Windows\system32\Jfdigocb.exe | 2684 |
169 | C:\Windows\SysWOW64\Jlnadiko.exe | C:\Windows\system32\Jlnadiko.exe | 1312 | Modifies registry class
170 | C:\Windows\SysWOW64\Jakjlpif.exe | C:\Windows\system32\Jakjlpif.exe | 868 |
171 | C:\Windows\SysWOW64\Jbmgapgc.exe | C:\Windows\system32\Jbmgapgc.exe | 3000 |
172 | C:\Windows\SysWOW64\Jdlcnkfg.exe | C:\Windows\system32\Jdlcnkfg.exe | 2156 |
173 | C:\Windows\SysWOW64\Jndgfqlh.exe | C:\Windows\system32\Jndgfqlh.exe | 1928 |
174 | C:\Windows\SysWOW64\Jkhhpeka.exe | C:\Windows\system32\Jkhhpeka.exe | 2712 |
175 | C:\Windows\SysWOW64\Jbbpmo32.exe | C:\Windows\system32\Jbbpmo32.exe | 2488 |
176 | C:\Windows\SysWOW64\Khlhiijk.exe | C:\Windows\system32\Khlhiijk.exe | 844 | Drops file in System32 directory; Modifies registry class
177 | C:\Windows\SysWOW64\Kbdmboqk.exe | C:\Windows\system32\Kbdmboqk.exe | 2900 | Modifies registry class
178 | C:\Windows\SysWOW64\Kceijg32.exe | C:\Windows\system32\Kceijg32.exe | 1856 |
179 | C:\Windows\SysWOW64\Kdefdjnl.exe | C:\Windows\system32\Kdefdjnl.exe | 1696 |
180 | C:\Windows\SysWOW64\Kffblb32.exe | C:\Windows\system32\Kffblb32.exe | 2980 |
181 | C:\Windows\SysWOW64\Kcjcefbd.exe | C:\Windows\system32\Kcjcefbd.exe | 2572 |
182 | C:\Windows\SysWOW64\Kigkmmql.exe | C:\Windows\system32\Kigkmmql.exe | 1512 |
183 | C:\Windows\SysWOW64\Kfklgape.exe | C:\Windows\system32\Kfklgape.exe | 2744 |
184 | C:\Windows\SysWOW64\Kkhdohnm.exe | C:\Windows\system32\Kkhdohnm.exe | 1028 |
185 | C:\Windows\SysWOW64\Lepihndm.exe | C:\Windows\system32\Lepihndm.exe | 3096 |
186 | C:\Windows\SysWOW64\Lpfmefdc.exe | C:\Windows\system32\Lpfmefdc.exe | 3140 | Drops file in System32 directory
187 | C:\Windows\SysWOW64\Linanl32.exe | C:\Windows\system32\Linanl32.exe | 3180 |
188 | C:\Windows\SysWOW64\Lnkjfcik.exe | C:\Windows\system32\Lnkjfcik.exe | 3220 |
189 | C:\Windows\SysWOW64\Liqnclia.exe | C:\Windows\system32\Liqnclia.exe | 3260 |
190 | C:\Windows\SysWOW64\Lnmglbgh.exe | C:\Windows\system32\Lnmglbgh.exe | 3300 |
191 | C:\Windows\SysWOW64\Llagegfb.exe | C:\Windows\system32\Llagegfb.exe | 3340 |
192 | C:\Windows\SysWOW64\Lanpmn32.exe | C:\Windows\system32\Lanpmn32.exe | 3380 |
193 | C:\Windows\SysWOW64\Lhhhjhkf.exe | C:\Windows\system32\Lhhhjhkf.exe | 3420 | Adds autorun key to be loaded by Explorer.exe on startup
194 | C:\Windows\SysWOW64\Mmepboin.exe | C:\Windows\system32\Mmepboin.exe | 3464 |
195 | C:\Windows\SysWOW64\Mhjdpgic.exe | C:\Windows\system32\Mhjdpgic.exe | 3504 | Adds autorun key to be loaded by Explorer.exe on startup
196 | C:\Windows\SysWOW64\Mabihm32.exe | C:\Windows\system32\Mabihm32.exe | 3544 |
197 | C:\Windows\SysWOW64\Mlljiklc.exe | C:\Windows\system32\Mlljiklc.exe | 3584 |
198 | C:\Windows\SysWOW64\Mipjbokm.exe | C:\Windows\system32\Mipjbokm.exe | 3624 | Adds autorun key to be loaded by Explorer.exe on startup
199 | C:\Windows\SysWOW64\Mbiokdam.exe | C:\Windows\system32\Mbiokdam.exe | 3664 | System Location Discovery: System Language Discovery; Modifies registry class
200 | C:\Windows\SysWOW64\Opllclcb.exe | C:\Windows\system32\Opllclcb.exe | 3708 |
201 | C:\Windows\SysWOW64\Opohil32.exe | C:\Windows\system32\Opohil32.exe | 3748 | System Location Discovery: System Language Discovery
202 | C:\Windows\SysWOW64\Ogiqffhl.exe | C:\Windows\system32\Ogiqffhl.exe | 3788 | Adds autorun key to be loaded by Explorer.exe on startup
203 | C:\Windows\SysWOW64\Opaeok32.exe | C:\Windows\system32\Opaeok32.exe | 3828 |
204 | C:\Windows\SysWOW64\Oenngb32.exe | C:\Windows\system32\Oenngb32.exe | 3872 |
205 | C:\Windows\SysWOW64\Okkfoikl.exe | C:\Windows\system32\Okkfoikl.exe | 3916 |
206 | C:\Windows\SysWOW64\Ohofimje.exe | C:\Windows\system32\Ohofimje.exe | 3956 |
207 | C:\Windows\SysWOW64\Onkoadhm.exe | C:\Windows\system32\Onkoadhm.exe | 3996 |
208 | C:\Windows\SysWOW64\Pokkkgpo.exe | C:\Windows\system32\Pokkkgpo.exe | 4036 | Modifies registry class
209 | C:\Windows\SysWOW64\Pdhdcnng.exe | C:\Windows\system32\Pdhdcnng.exe | 4076 | Adds autorun key to be loaded by Explorer.exe on startup
210 | C:\Windows\SysWOW64\Pkalph32.exe | C:\Windows\system32\Pkalph32.exe | 3080 | Drops file in System32 directory; Modifies registry class
211 | C:\Windows\SysWOW64\Pdjqinld.exe | C:\Windows\system32\Pdjqinld.exe | 3128 | System Location Discovery: System Language Discovery
212 | C:\Windows\SysWOW64\Pjgiad32.exe | C:\Windows\system32\Pjgiad32.exe | 3176 |
213 | C:\Windows\SysWOW64\Pqaanoah.exe | C:\Windows\system32\Pqaanoah.exe | 3228 |
214 | C:\Windows\SysWOW64\Pfnjfepp.exe | C:\Windows\system32\Pfnjfepp.exe | 3276 |
215 | C:\Windows\SysWOW64\Pqcncnpe.exe | C:\Windows\system32\Pqcncnpe.exe | 3324 |
216 | C:\Windows\SysWOW64\Pfpflenm.exe | C:\Windows\system32\Pfpflenm.exe | 3388 |
217 | C:\Windows\SysWOW64\Qohkdkdn.exe | C:\Windows\system32\Qohkdkdn.exe | 3392 |
218 | C:\Windows\SysWOW64\Qfbcae32.exe | C:\Windows\system32\Qfbcae32.exe | 3480 |
219 | C:\Windows\SysWOW64\Qkolil32.exe | C:\Windows\system32\Qkolil32.exe | 3536 |
220 | C:\Windows\SysWOW64\Qbidffao.exe | C:\Windows\system32\Qbidffao.exe | 3580 |
221 | C:\Windows\SysWOW64\Akahokho.exe | C:\Windows\system32\Akahokho.exe | 3640 | Adds autorun key to be loaded by Explorer.exe on startup
222 | C:\Windows\SysWOW64\Aieihpgi.exe | C:\Windows\system32\Aieihpgi.exe | 3676 | Drops file in System32 directory
223 | C:\Windows\SysWOW64\Agkfil32.exe | C:\Windows\system32\Agkfil32.exe | 3732 |
224 | C:\Windows\SysWOW64\Acafnm32.exe | C:\Windows\system32\Acafnm32.exe | 3796 |
225 | C:\Windows\SysWOW64\Amjkgbhe.exe | C:\Windows\system32\Amjkgbhe.exe | 3836 |
226 | C:\Windows\SysWOW64\Acdcdm32.exe | C:\Windows\system32\Acdcdm32.exe | 3896 | Modifies registry class
227 | C:\Windows\SysWOW64\Amlhmb32.exe | C:\Windows\system32\Amlhmb32.exe | 3936 |
228 | C:\Windows\SysWOW64\Bgaljk32.exe | C:\Windows\system32\Bgaljk32.exe | 3992 |
229 | C:\Windows\SysWOW64\Bmndbb32.exe | C:\Windows\system32\Bmndbb32.exe | 4024 |
230 | C:\Windows\SysWOW64\Bfgikgjq.exe | C:\Windows\system32\Bfgikgjq.exe | 4092 |
231 | C:\Windows\SysWOW64\Bbnjphpe.exe | C:\Windows\system32\Bbnjphpe.exe | 3112 | Modifies registry class
232 | C:\Windows\SysWOW64\Bigbmb32.exe | C:\Windows\system32\Bigbmb32.exe | 3164 |
233 | C:\Windows\SysWOW64\Bndjei32.exe | C:\Windows\system32\Bndjei32.exe | 2876 |
234 | C:\Windows\SysWOW64\Bijobb32.exe | C:\Windows\system32\Bijobb32.exe | 3288 |
235 | C:\Windows\SysWOW64\Beqogc32.exe | C:\Windows\system32\Beqogc32.exe | 3348 | Drops file in System32 directory
236 | C:\Windows\SysWOW64\Coidpiac.exe | C:\Windows\system32\Coidpiac.exe | 3408 |
237 | C:\Windows\SysWOW64\Clmdjmpm.exe | C:\Windows\system32\Clmdjmpm.exe | 3436 |
238 | C:\Windows\SysWOW64\Cmnqae32.exe | C:\Windows\system32\Cmnqae32.exe | 3524 |
-
C:\Windows\SysWOW64\Conmkh32.exeC:\Windows\system32\Conmkh32.exe239⤵PID:3620
-
C:\Windows\SysWOW64\Cdkfco32.exeC:\Windows\system32\Cdkfco32.exe240⤵PID:3684
-
C:\Windows\SysWOW64\Cdmbiojc.exeC:\Windows\system32\Cdmbiojc.exe241⤵PID:3680
-
C:\Windows\SysWOW64\Cpccnp32.exeC:\Windows\system32\Cpccnp32.exe242⤵
- Drops file in System32 directory
PID:3808