Analysis
max time kernel: 62s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-09-2024 11:19

Static task: static1

Behavioral task: behavioral1
Sample: TrojanDownloader.Win32.Berbew.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: TrojanDownloader.Win32.Berbew.exe
Resource: win10v2004-20240802-en

General
Target: TrojanDownloader.Win32.Berbew.exe
Size: 67KB
MD5: 94cd92fb6e9ebc075f23dbd20fdade00
SHA1: c175630fc0f83c0bb202112675e9fd2c416aa7d9
SHA256: 67d8d62e277264cdbc4feb16bb046c0dc79289f74bdf8c09e6d51be3ae6d0b2f
SHA512: 53bdbace03855b4ddfecf5f1a407d633797cd70f60938b410acaf55689b99d776a43ae5962d934127d857f67e38f5a7dabd6c921c0dfbf4bc3dcd7ffc0d26d04
SSDEEP: 768:xuU25ok2mtzzzOgX7QDeu9x2gxslkem9R1JtBdxVpNhC2a1aj0X/1H5rcEVErMEJ:AlJzZX0YgxsaC2sJifTduD4oTxw

Malware Config
Extracted: berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qbkljd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jaahgd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhkiae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pembpkfi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgobpd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjgclcjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qggoeilh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmkbfmpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjlpjp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ompgqonl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjkcedgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgobpd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iigehk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Paemac32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbhfcf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Johlpoij.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqbdllld.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpfagd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpnobi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npngng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnekcblk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcfhpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjgclcjh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfenjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ppjjcogn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agilkijf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omjgkjof.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjlnaghp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hchbcmlh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmgokcja.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhobldaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgdpnqfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qjcmoqlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iagchmjn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjkmfn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cklpml32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpfpmonn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgpeimhf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngkfnp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gbolce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lckbkfbb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blcmbmip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bfkakbpp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbokda32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpedmhfi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjgdfg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebghkjjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Icnbic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghqchi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhgpgjoj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emnelbdi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chdjpl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mfijfdca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Joepjokm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhpigk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fokaoh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aecdpmbm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aapikqel.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbokoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bcmeogam.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmlmacfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eeameodq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Onehadbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Paemac32.exe
Executes dropped EXE (64 IoCs)

pid | process
2948 | Eigpmjqg.exe
2868 | Elgioe32.exe
2904 | Febjmj32.exe
2236 | Fkapkq32.exe
2692 | Fnbhmlkk.exe
1076 | Gjkfglom.exe
2184 | Ghqchi32.exe
1132 | Gicpnhbb.exe
1744 | Gnphfppi.exe
2620 | Helmiiec.exe
1436 | Henjnica.exe
2844 | Hgobpd32.exe
2460 | Hpjgdf32.exe
2496 | Hajdniep.exe
788 | Imqdcjkd.exe
1756 | Iigehk32.exe
1952 | Ilhnjfmi.exe
2188 | Iagchmjn.exe
924 | Ijphqbpo.exe
2360 | Jhchjgoh.exe
1580 | Jpomnilc.exe
1604 | Janihlcf.exe
2588 | Jbpfpd32.exe
2428 | Jbbbed32.exe
1716 | Jbdokceo.exe
2804 | Jinghn32.exe
2900 | Kokppd32.exe
2764 | Kkaaee32.exe
2724 | Kegebn32.exe
2484 | Kopikdgn.exe
1208 | Kgknpfdi.exe
2432 | Kpcbhlki.exe
2544 | Kkigfdjo.exe
2112 | Kpeonkig.exe
1568 | Kcdljghj.exe
2908 | Lnipgp32.exe
1840 | Lcfhpf32.exe
2056 | Lnlmmo32.exe
1688 | Lgdafeln.exe
1640 | Llainlje.exe
1732 | Lckbkfbb.exe
2316 | Mbgela32.exe
2552 | Mjbiac32.exe
2032 | Mqlbnnej.exe
1708 | Mfijfdca.exe
2228 | Mqoocmcg.exe
2296 | Mgigpgkd.exe
308 | Mjgclcjh.exe
2328 | Npdkdjhp.exe
2896 | Nbbhpegc.exe
3064 | Nmhlnngi.exe
2848 | Nbddfe32.exe
2648 | Nlmiojla.exe
2728 | Nnkekfkd.exe
1796 | Niaihojk.exe
1928 | Npkaei32.exe
1808 | Nehjmppo.exe
2752 | Naokbq32.exe
900 | Oldooi32.exe
1664 | Ohkpdj32.exe
3008 | Onehadbj.exe
2480 | Oiniaboi.exe
3016 | Oddmokoo.exe
828 | Olobcm32.exe
Loads dropped DLL (64 IoCs)

pid | process
280 | TrojanDownloader.Win32.Berbew.exe
280 | TrojanDownloader.Win32.Berbew.exe
2948 | Eigpmjqg.exe
2948 | Eigpmjqg.exe
2868 | Elgioe32.exe
2868 | Elgioe32.exe
2904 | Febjmj32.exe
2904 | Febjmj32.exe
2236 | Fkapkq32.exe
2236 | Fkapkq32.exe
2692 | Fnbhmlkk.exe
2692 | Fnbhmlkk.exe
1076 | Gjkfglom.exe
1076 | Gjkfglom.exe
2184 | Ghqchi32.exe
2184 | Ghqchi32.exe
1132 | Gicpnhbb.exe
1132 | Gicpnhbb.exe
1744 | Gnphfppi.exe
1744 | Gnphfppi.exe
2620 | Helmiiec.exe
2620 | Helmiiec.exe
1436 | Henjnica.exe
1436 | Henjnica.exe
2844 | Hgobpd32.exe
2844 | Hgobpd32.exe
2460 | Hpjgdf32.exe
2460 | Hpjgdf32.exe
2496 | Hajdniep.exe
2496 | Hajdniep.exe
788 | Imqdcjkd.exe
788 | Imqdcjkd.exe
1756 | Iigehk32.exe
1756 | Iigehk32.exe
1952 | Ilhnjfmi.exe
1952 | Ilhnjfmi.exe
2188 | Iagchmjn.exe
2188 | Iagchmjn.exe
924 | Ijphqbpo.exe
924 | Ijphqbpo.exe
2360 | Jhchjgoh.exe
2360 | Jhchjgoh.exe
1580 | Jpomnilc.exe
1580 | Jpomnilc.exe
1604 | Janihlcf.exe
1604 | Janihlcf.exe
2588 | Jbpfpd32.exe
2588 | Jbpfpd32.exe
2428 | Jbbbed32.exe
2428 | Jbbbed32.exe
1716 | Jbdokceo.exe
1716 | Jbdokceo.exe
2804 | Jinghn32.exe
2804 | Jinghn32.exe
2900 | Kokppd32.exe
2900 | Kokppd32.exe
2764 | Kkaaee32.exe
2764 | Kkaaee32.exe
2724 | Kegebn32.exe
2724 | Kegebn32.exe
2484 | Kopikdgn.exe
2484 | Kopikdgn.exe
1208 | Kgknpfdi.exe
1208 | Kgknpfdi.exe
Drops file in System32 directory (64 IoCs)

description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Qajfmbna.exe | Ppjjcogn.exe
File opened for modification | C:\Windows\SysWOW64\Lpnobi32.exe | Lolbjahp.exe
File created | C:\Windows\SysWOW64\Eafhchmp.dll | Fioajqmb.exe
File created | C:\Windows\SysWOW64\Janihlcf.exe | Jpomnilc.exe
File opened for modification | C:\Windows\SysWOW64\Nehjmppo.exe | Npkaei32.exe
File created | C:\Windows\SysWOW64\Boifinfg.exe | Bjlnaghp.exe
File created | C:\Windows\SysWOW64\Kjgkiddo.dll | Biakbc32.exe
File opened for modification | C:\Windows\SysWOW64\Jephgi32.exe | Joepjokm.exe
File created | C:\Windows\SysWOW64\Pdbabndd.dll | Lhpmhgbf.exe
File created | C:\Windows\SysWOW64\Chmpml32.dll | Phelnhnb.exe
File created | C:\Windows\SysWOW64\Emqfen32.dll | Qbkljd32.exe
File created | C:\Windows\SysWOW64\Jhchjgoh.exe | Ijphqbpo.exe
File opened for modification | C:\Windows\SysWOW64\Mgigpgkd.exe | Mqoocmcg.exe
File opened for modification | C:\Windows\SysWOW64\Liqcei32.exe | Lddjmb32.exe
File opened for modification | C:\Windows\SysWOW64\Dbneekan.exe | Dmalmdcg.exe
File created | C:\Windows\SysWOW64\Mhmplgki.dll | Hojqjp32.exe
File created | C:\Windows\SysWOW64\Epljpl32.dll | Ieiegf32.exe
File created | C:\Windows\SysWOW64\Jephgi32.exe | Joepjokm.exe
File created | C:\Windows\SysWOW64\Bjmgmelp.dll | Dnpedghl.exe
File created | C:\Windows\SysWOW64\Oflpgp32.dll | Klocba32.exe
File opened for modification | C:\Windows\SysWOW64\Janihlcf.exe | Jpomnilc.exe
File created | C:\Windows\SysWOW64\Gkblpcle.dll | Boifinfg.exe
File opened for modification | C:\Windows\SysWOW64\Ioochn32.exe | Imaglc32.exe
File created | C:\Windows\SysWOW64\Ffeoid32.exe | Fooghg32.exe
File created | C:\Windows\SysWOW64\Oljagk32.dll | Jafilj32.exe
File created | C:\Windows\SysWOW64\Lojeda32.exe | Lhpmhgbf.exe
File created | C:\Windows\SysWOW64\Paqdgcfl.exe | Ppogok32.exe
File created | C:\Windows\SysWOW64\Pbpilaid.dll | Ahancp32.exe
File created | C:\Windows\SysWOW64\Efiamj32.dll | Dpedmhfi.exe
File created | C:\Windows\SysWOW64\Lnlmmo32.exe | Lcfhpf32.exe
File opened for modification | C:\Windows\SysWOW64\Niaihojk.exe | Nnkekfkd.exe
File opened for modification | C:\Windows\SysWOW64\Blcmbmip.exe | Bcjhig32.exe
File opened for modification | C:\Windows\SysWOW64\Ccjehkek.exe | Cbihpbpl.exe
File created | C:\Windows\SysWOW64\Okmkebdg.dll | Eaegaaah.exe
File created | C:\Windows\SysWOW64\Eabgpg32.dll | Agilkijf.exe
File opened for modification | C:\Windows\SysWOW64\Nqbdllld.exe | Moahdd32.exe
File created | C:\Windows\SysWOW64\Giemhaee.dll | Npngng32.exe
File created | C:\Windows\SysWOW64\Hmmckh32.dll | Jbgbjh32.exe
File opened for modification | C:\Windows\SysWOW64\Hfookk32.exe | Hoegoqng.exe
File opened for modification | C:\Windows\SysWOW64\Ipimic32.exe | Imkqmh32.exe
File created | C:\Windows\SysWOW64\Dbcnpk32.exe | Dijjgegh.exe
File created | C:\Windows\SysWOW64\Inajql32.exe | Ieiegf32.exe
File created | C:\Windows\SysWOW64\Jjddkg32.dll | Laenqg32.exe
File opened for modification | C:\Windows\SysWOW64\Nbgcdmjb.exe | Noighakn.exe
File created | C:\Windows\SysWOW64\Dpedmhfi.exe | Dpbgghhl.exe
File created | C:\Windows\SysWOW64\Cjmfag32.dll | Enokidgl.exe
File created | C:\Windows\SysWOW64\Mjgclcjh.exe | Mgigpgkd.exe
File created | C:\Windows\SysWOW64\Apdminod.exe | Aenileon.exe
File created | C:\Windows\SysWOW64\Logkbl32.dll | Gklnmgic.exe
File opened for modification | C:\Windows\SysWOW64\Eeijpdbd.exe | Emnelbdi.exe
File opened for modification | C:\Windows\SysWOW64\Bfcqoqeh.exe | Bpfhfjgq.exe
File created | C:\Windows\SysWOW64\Mlnccahb.dll | Fhifmcfa.exe
File created | C:\Windows\SysWOW64\Nqgngk32.exe | Nmkbfmpf.exe
File created | C:\Windows\SysWOW64\Iqidng32.dll | Ckamihfm.exe
File created | C:\Windows\SysWOW64\Edbminqj.dll | Dfbdje32.exe
File opened for modification | C:\Windows\SysWOW64\Ojnhdn32.exe | Omjgkjof.exe
File opened for modification | C:\Windows\SysWOW64\Gemhpq32.exe | Gbolce32.exe
File created | C:\Windows\SysWOW64\Lnipgp32.exe | Kcdljghj.exe
File created | C:\Windows\SysWOW64\Mbgela32.exe | Lckbkfbb.exe
File opened for modification | C:\Windows\SysWOW64\Cgjjdijo.exe | Cqqbgoba.exe
File opened for modification | C:\Windows\SysWOW64\Fmpnpe32.exe | Fgffck32.exe
File opened for modification | C:\Windows\SysWOW64\Jfpndkel.exe | Jpfehq32.exe
File created | C:\Windows\SysWOW64\Fhlnomha.dll | Lldhldpg.exe
File created | C:\Windows\SysWOW64\Ooghbhgn.dll | Ngfhbd32.exe
Program crash (1 IoCs)

pid | pid_target | process | target process
5892 | 5868 | WerFault.exe | Gmmgobfd.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbbhpegc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckijdm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emnelbdi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bdmklico.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dijjgegh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nqijmkfm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnpieceq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kejdqffo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oblmom32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kblooa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbihpbpl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lgdcom32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfcqoqeh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdeehe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iflhjh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpbgghhl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dihmae32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpeonkig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cacegd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehpgha32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Papmlmbp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fokaoh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gnenfjdh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Joepjokm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmmgobfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lndlamke.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkconepp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gcapckod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhgpgjoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpfhfjgq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ccgahe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjbiac32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dnlolhoo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afqeaemk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdgane32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Okdahbmm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbcdjpba.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbpfpd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmmiaknb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imqdcjkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nqgngk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nncaejie.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjlpjp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elbkbh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jpomnilc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfijfdca.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ppogok32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjlnaghp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lkccob32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hfalaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpmdff32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpcbhlki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dbcnpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kfenjq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klocba32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oahpahel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eibbqmhd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Npdkdjhp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bcmeogam.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhlogo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lcnqin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pembpkfi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlmiojla.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjdcdjcm.exe
Modifies registry class (64 IoCs)

Processes: Nbbhpegc.exe, Ahancp32.exe, Nccmng32.exe, Ikkmho32.exe, Mkbhco32.exe, TrojanDownloader.Win32.Berbew.exe, Mbgela32.exe, Cgjjdijo.exe, Jckkhplq.exe, Mlhbgc32.exe, Omjgkjof.exe, Pblinp32.exe, Aefaemqj.exe, Hajdniep.exe, Mqoocmcg.exe, Gddpndhp.exe, Ipimic32.exe, Elcbmn32.exe, Hfdbji32.exe, Lgdcom32.exe, Gjkfglom.exe, Bfcqoqeh.exe, Njlopkmg.exe, Gnmdfi32.exe, Bgagnjbi.exe, Licpki32.exe, Jbdokceo.exe, Mjbiac32.exe, Fhifmcfa.exe, Akjjifji.exe, Fpcghl32.exe, Lggpdmap.exe, Nonqca32.exe, Kokppd32.exe, Ofefqf32.exe, Iefeaj32.exe, Ngafdepl.exe, Papmlmbp.exe, Bhqdgm32.exe, Ebhani32.exe, Jfkdik32.exe, Fnbhmlkk.exe, Mkconepp.exe, Ebmjihqn.exe, Gkfkoi32.exe, Moikinib.exe, Hkpaoape.exe, Nehjmppo.exe, Afqeaemk.exe, Ckijdm32.exe, Kbokda32.exe, Ohcohh32.exe, Jcmhmp32.exe, Jbpfpd32.exe, Cifdmbib.exe, Fhlogo32.exe, Bkefcc32.exe, Bjlpjp32.exe, Kkigfdjo.exe, Mkiemqdo.exe, Cbokoa32.exe, Pacqlcdi.exe

description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nbbhpegc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ahancp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknkfi32.dll" | Nccmng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ikkmho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mkbhco32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | TrojanDownloader.Win32.Berbew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbgela32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cgjjdijo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jckkhplq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mlhbgc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Omjgkjof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pblinp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aefaemqj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | TrojanDownloader.Win32.Berbew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljcbjm32.dll" | Hajdniep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mqoocmcg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gddpndhp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ipimic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfgiimk.dll" | Elcbmn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hfdbji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acoacabb.dll" | Lgdcom32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gjkfglom.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bfcqoqeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dclbgadl.dll" | Njlopkmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokofini.dll" | Gnmdfi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bgagnjbi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Licpki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jbdokceo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjbiac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fhifmcfa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Akjjifji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okdqnp32.dll" | Fpcghl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjelpcob.dll" | Lggpdmap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdcdaglf.dll" | Nonqca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elefkiaj.dll" | Kokppd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afobkm32.dll" | Ofefqf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iefeaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngafdepl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engebqqm.dll" | Papmlmbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bhqdgm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ebhani32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfkdik32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fnbhmlkk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mkconepp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ebmjihqn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gkfkoi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Moikinib.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hkpaoape.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nehjmppo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afqeaemk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ckijdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kbokda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofledji.dll" | Ohcohh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jcmhmp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jbpfpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deacbgdc.dll" | Cifdmbib.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Papmlmbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fhlogo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bkefcc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bjlpjp32.exe
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamppgp.dll" Kkigfdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkiemqdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkdknm32.dll" Cbokoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pacqlcdi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe (command line: "C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"), PID:280
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\Eigpmjqg.exe (command line: C:\Windows\system32\Eigpmjqg.exe), PID:2948
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\Elgioe32.exe (command line: C:\Windows\system32\Elgioe32.exe), PID:2868
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

4. C:\Windows\SysWOW64\Febjmj32.exe (command line: C:\Windows\system32\Febjmj32.exe), PID:2904
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

5. C:\Windows\SysWOW64\Fkapkq32.exe (command line: C:\Windows\system32\Fkapkq32.exe), PID:2236
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

6. C:\Windows\SysWOW64\Fnbhmlkk.exe (command line: C:\Windows\system32\Fnbhmlkk.exe), PID:2692
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

7. C:\Windows\SysWOW64\Gjkfglom.exe (command line: C:\Windows\system32\Gjkfglom.exe), PID:1076
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

8. C:\Windows\SysWOW64\Ghqchi32.exe (command line: C:\Windows\system32\Ghqchi32.exe), PID:2184
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

9. C:\Windows\SysWOW64\Gicpnhbb.exe (command line: C:\Windows\system32\Gicpnhbb.exe), PID:1132
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

10. C:\Windows\SysWOW64\Gnphfppi.exe (command line: C:\Windows\system32\Gnphfppi.exe), PID:1744
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

11. C:\Windows\SysWOW64\Helmiiec.exe (command line: C:\Windows\system32\Helmiiec.exe), PID:2620
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

12. C:\Windows\SysWOW64\Henjnica.exe (command line: C:\Windows\system32\Henjnica.exe), PID:1436
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

13. C:\Windows\SysWOW64\Hgobpd32.exe (command line: C:\Windows\system32\Hgobpd32.exe), PID:2844
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

14. C:\Windows\SysWOW64\Hpjgdf32.exe (command line: C:\Windows\system32\Hpjgdf32.exe), PID:2460
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

15. C:\Windows\SysWOW64\Hajdniep.exe (command line: C:\Windows\system32\Hajdniep.exe), PID:2496
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

16. C:\Windows\SysWOW64\Imqdcjkd.exe (command line: C:\Windows\system32\Imqdcjkd.exe), PID:788
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

17. C:\Windows\SysWOW64\Iigehk32.exe (command line: C:\Windows\system32\Iigehk32.exe), PID:1756
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

18. C:\Windows\SysWOW64\Ilhnjfmi.exe (command line: C:\Windows\system32\Ilhnjfmi.exe), PID:1952
- Executes dropped EXE
- Loads dropped DLL

19. C:\Windows\SysWOW64\Iagchmjn.exe (command line: C:\Windows\system32\Iagchmjn.exe), PID:2188
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

20. C:\Windows\SysWOW64\Ijphqbpo.exe (command line: C:\Windows\system32\Ijphqbpo.exe), PID:924
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

21. C:\Windows\SysWOW64\Jhchjgoh.exe (command line: C:\Windows\system32\Jhchjgoh.exe), PID:2360
- Executes dropped EXE
- Loads dropped DLL

22. C:\Windows\SysWOW64\Jpomnilc.exe (command line: C:\Windows\system32\Jpomnilc.exe), PID:1580
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

23. C:\Windows\SysWOW64\Janihlcf.exe (command line: C:\Windows\system32\Janihlcf.exe), PID:1604
- Executes dropped EXE
- Loads dropped DLL

24. C:\Windows\SysWOW64\Jbpfpd32.exe (command line: C:\Windows\system32\Jbpfpd32.exe), PID:2588
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class

25. C:\Windows\SysWOW64\Jbbbed32.exe (command line: C:\Windows\system32\Jbbbed32.exe), PID:2428
- Executes dropped EXE
- Loads dropped DLL

26. C:\Windows\SysWOW64\Jbdokceo.exe (command line: C:\Windows\system32\Jbdokceo.exe), PID:1716
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

27. C:\Windows\SysWOW64\Jinghn32.exe (command line: C:\Windows\system32\Jinghn32.exe), PID:2804
- Executes dropped EXE
- Loads dropped DLL

28. C:\Windows\SysWOW64\Kokppd32.exe (command line: C:\Windows\system32\Kokppd32.exe), PID:2900
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

29. C:\Windows\SysWOW64\Kkaaee32.exe (command line: C:\Windows\system32\Kkaaee32.exe), PID:2764
- Executes dropped EXE
- Loads dropped DLL

30. C:\Windows\SysWOW64\Kegebn32.exe (command line: C:\Windows\system32\Kegebn32.exe), PID:2724
- Executes dropped EXE
- Loads dropped DLL

31. C:\Windows\SysWOW64\Kopikdgn.exe (command line: C:\Windows\system32\Kopikdgn.exe), PID:2484
- Executes dropped EXE
- Loads dropped DLL

32. C:\Windows\SysWOW64\Kgknpfdi.exe (command line: C:\Windows\system32\Kgknpfdi.exe), PID:1208
- Executes dropped EXE
- Loads dropped DLL

33. C:\Windows\SysWOW64\Kpcbhlki.exe (command line: C:\Windows\system32\Kpcbhlki.exe), PID:2432
- Executes dropped EXE
- System Location Discovery: System Language Discovery

34. C:\Windows\SysWOW64\Kkigfdjo.exe (command line: C:\Windows\system32\Kkigfdjo.exe), PID:2544
- Executes dropped EXE
- Modifies registry class

35. C:\Windows\SysWOW64\Kpeonkig.exe (command line: C:\Windows\system32\Kpeonkig.exe), PID:2112
- Executes dropped EXE
- System Location Discovery: System Language Discovery

36. C:\Windows\SysWOW64\Kcdljghj.exe (command line: C:\Windows\system32\Kcdljghj.exe), PID:1568
- Executes dropped EXE
- Drops file in System32 directory

37. C:\Windows\SysWOW64\Lnipgp32.exe (command line: C:\Windows\system32\Lnipgp32.exe), PID:2908
- Executes dropped EXE

38. C:\Windows\SysWOW64\Lcfhpf32.exe (command line: C:\Windows\system32\Lcfhpf32.exe), PID:1840
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

39. C:\Windows\SysWOW64\Lnlmmo32.exe (command line: C:\Windows\system32\Lnlmmo32.exe), PID:2056
- Executes dropped EXE

40. C:\Windows\SysWOW64\Lgdafeln.exe (command line: C:\Windows\system32\Lgdafeln.exe), PID:1688
- Executes dropped EXE

41. C:\Windows\SysWOW64\Llainlje.exe (command line: C:\Windows\system32\Llainlje.exe), PID:1640
- Executes dropped EXE

42. C:\Windows\SysWOW64\Lckbkfbb.exe (command line: C:\Windows\system32\Lckbkfbb.exe), PID:1732
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

43. C:\Windows\SysWOW64\Mbgela32.exe (command line: C:\Windows\system32\Mbgela32.exe), PID:2316
- Executes dropped EXE
- Modifies registry class

44. C:\Windows\SysWOW64\Mjbiac32.exe (command line: C:\Windows\system32\Mjbiac32.exe), PID:2552
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

45. C:\Windows\SysWOW64\Mqlbnnej.exe (command line: C:\Windows\system32\Mqlbnnej.exe), PID:2032
- Executes dropped EXE

46. C:\Windows\SysWOW64\Mfijfdca.exe (command line: C:\Windows\system32\Mfijfdca.exe), PID:1708
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery

47. C:\Windows\SysWOW64\Mqoocmcg.exe (command line: C:\Windows\system32\Mqoocmcg.exe), PID:2228
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

48. C:\Windows\SysWOW64\Mgigpgkd.exe (command line: C:\Windows\system32\Mgigpgkd.exe), PID:2296
- Executes dropped EXE
- Drops file in System32 directory

49. C:\Windows\SysWOW64\Mjgclcjh.exe (command line: C:\Windows\system32\Mjgclcjh.exe), PID:308
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

50. C:\Windows\SysWOW64\Npdkdjhp.exe (command line: C:\Windows\system32\Npdkdjhp.exe), PID:2328
- Executes dropped EXE
- System Location Discovery: System Language Discovery

51. C:\Windows\SysWOW64\Nbbhpegc.exe (command line: C:\Windows\system32\Nbbhpegc.exe), PID:2896
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

52. C:\Windows\SysWOW64\Nmhlnngi.exe (command line: C:\Windows\system32\Nmhlnngi.exe), PID:3064
- Executes dropped EXE

53. C:\Windows\SysWOW64\Nbddfe32.exe (command line: C:\Windows\system32\Nbddfe32.exe), PID:2848
- Executes dropped EXE

54. C:\Windows\SysWOW64\Nlmiojla.exe (command line: C:\Windows\system32\Nlmiojla.exe), PID:2648
- Executes dropped EXE
- System Location Discovery: System Language Discovery

55. C:\Windows\SysWOW64\Nnkekfkd.exe (command line: C:\Windows\system32\Nnkekfkd.exe), PID:2728
- Executes dropped EXE
- Drops file in System32 directory

56. C:\Windows\SysWOW64\Niaihojk.exe (command line: C:\Windows\system32\Niaihojk.exe), PID:1796
- Executes dropped EXE

57. C:\Windows\SysWOW64\Npkaei32.exe (command line: C:\Windows\system32\Npkaei32.exe), PID:1928
- Executes dropped EXE
- Drops file in System32 directory

58. C:\Windows\SysWOW64\Nehjmppo.exe (command line: C:\Windows\system32\Nehjmppo.exe), PID:1808
- Executes dropped EXE
- Modifies registry class

59. C:\Windows\SysWOW64\Naokbq32.exe (command line: C:\Windows\system32\Naokbq32.exe), PID:2752
- Executes dropped EXE

60. C:\Windows\SysWOW64\Oldooi32.exe (command line: C:\Windows\system32\Oldooi32.exe), PID:900
- Executes dropped EXE

61. C:\Windows\SysWOW64\Ohkpdj32.exe (command line: C:\Windows\system32\Ohkpdj32.exe), PID:1664
- Executes dropped EXE

62. C:\Windows\SysWOW64\Onehadbj.exe (command line: C:\Windows\system32\Onehadbj.exe), PID:3008
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

63. C:\Windows\SysWOW64\Oiniaboi.exe (command line: C:\Windows\system32\Oiniaboi.exe), PID:2480
- Executes dropped EXE

64. C:\Windows\SysWOW64\Oddmokoo.exe (command line: C:\Windows\system32\Oddmokoo.exe), PID:3016
- Executes dropped EXE

65. C:\Windows\SysWOW64\Olobcm32.exe (command line: C:\Windows\system32\Olobcm32.exe), PID:828
- Executes dropped EXE

66. C:\Windows\SysWOW64\Ofefqf32.exe (command line: C:\Windows\system32\Ofefqf32.exe), PID:1104
- Modifies registry class

67. C:\Windows\SysWOW64\Ppmkilbp.exe (command line: C:\Windows\system32\Ppmkilbp.exe), PID:2220

68. C:\Windows\SysWOW64\Pejcab32.exe (command line: C:\Windows\system32\Pejcab32.exe), PID:956

69. C:\Windows\SysWOW64\Ppogok32.exe (command line: C:\Windows\system32\Ppogok32.exe), PID:2064
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

70. C:\Windows\SysWOW64\Paqdgcfl.exe (command line: C:\Windows\system32\Paqdgcfl.exe), PID:880

71. C:\Windows\SysWOW64\Plfhdlfb.exe (command line: C:\Windows\system32\Plfhdlfb.exe), PID:1020

72. C:\Windows\SysWOW64\Pacqlcdi.exe (command line: C:\Windows\system32\Pacqlcdi.exe), PID:2284
- Modifies registry class

73. C:\Windows\SysWOW64\Plheil32.exe (command line: C:\Windows\system32\Plheil32.exe), PID:2792

74. C:\Windows\SysWOW64\Paemac32.exe (command line: C:\Windows\system32\Paemac32.exe), PID:2820
- Adds autorun key to be loaded by Explorer.exe on startup

75. C:\Windows\SysWOW64\Pgbejj32.exe (command line: C:\Windows\system32\Pgbejj32.exe), PID:2136

76. C:\Windows\SysWOW64\Ppjjcogn.exe (command line: C:\Windows\system32\Ppjjcogn.exe), PID:2548
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

77. C:\Windows\SysWOW64\Qajfmbna.exe (command line: C:\Windows\system32\Qajfmbna.exe), PID:1820

78. C:\Windows\SysWOW64\Qggoeilh.exe (command line: C:\Windows\system32\Qggoeilh.exe), PID:2080
- Adds autorun key to be loaded by Explorer.exe on startup

79. C:\Windows\SysWOW64\Qpocno32.exe (command line: C:\Windows\system32\Qpocno32.exe), PID:564

80. C:\Windows\SysWOW64\Agilkijf.exe (command line: C:\Windows\system32\Agilkijf.exe), PID:1828
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

81. C:\Windows\SysWOW64\Ancdgcab.exe (command line: C:\Windows\system32\Ancdgcab.exe), PID:2500

82. C:\Windows\SysWOW64\Aenileon.exe (command line: C:\Windows\system32\Aenileon.exe), PID:1760
- Drops file in System32 directory

83. C:\Windows\SysWOW64\Apdminod.exe (command line: C:\Windows\system32\Apdminod.exe), PID:1972

84. C:\Windows\SysWOW64\Afqeaemk.exe (command line: C:\Windows\system32\Afqeaemk.exe), PID:1644
- System Location Discovery: System Language Discovery
- Modifies registry class

85. C:\Windows\SysWOW64\Aagfffbo.exe (command line: C:\Windows\system32\Aagfffbo.exe), PID:2516

86. C:\Windows\SysWOW64\Ahancp32.exe (command line: C:\Windows\system32\Ahancp32.exe), PID:2608
- Drops file in System32 directory
- Modifies registry class

87. C:\Windows\SysWOW64\Akbgdkgm.exe (command line: C:\Windows\system32\Akbgdkgm.exe), PID:628

88. C:\Windows\SysWOW64\Bqopmbed.exe (command line: C:\Windows\system32\Bqopmbed.exe), PID:2216

89. C:\Windows\SysWOW64\Bjgdfg32.exe (command line: C:\Windows\system32\Bjgdfg32.exe), PID:1124
- Adds autorun key to be loaded by Explorer.exe on startup

90. C:\Windows\SysWOW64\Bqambacb.exe (command line: C:\Windows\system32\Bqambacb.exe), PID:2052

91. C:\Windows\SysWOW64\Bdoeipjh.exe (command line: C:\Windows\system32\Bdoeipjh.exe), PID:1620

92. C:\Windows\SysWOW64\Bjlnaghp.exe (command line: C:\Windows\system32\Bjlnaghp.exe), PID:2272
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

93. C:\Windows\SysWOW64\Boifinfg.exe (command line: C:\Windows\system32\Boifinfg.exe), PID:2884
- Drops file in System32 directory

94. C:\Windows\SysWOW64\Biakbc32.exe (command line: C:\Windows\system32\Biakbc32.exe), PID:2512
- Drops file in System32 directory

95. C:\Windows\SysWOW64\Bcgoolln.exe (command line: C:\Windows\system32\Bcgoolln.exe), PID:1576

96. C:\Windows\SysWOW64\Cmocha32.exe (command line: C:\Windows\system32\Cmocha32.exe), PID:1260

97. C:\Windows\SysWOW64\Cifdmbib.exe (command line: C:\Windows\system32\Cifdmbib.exe), PID:1064
- Modifies registry class

98. C:\Windows\SysWOW64\Cncmei32.exe (command line: C:\Windows\system32\Cncmei32.exe), PID:2376

99. C:\Windows\SysWOW64\Cihqbb32.exe (command line: C:\Windows\system32\Cihqbb32.exe), PID:2668

100. C:\Windows\SysWOW64\Cpbiolnl.exe (command line: C:\Windows\system32\Cpbiolnl.exe), PID:2556

101. C:\Windows\SysWOW64\Cacegd32.exe (command line: C:\Windows\system32\Cacegd32.exe), PID:2324
- System Location Discovery: System Language Discovery

102. C:\Windows\SysWOW64\Ckijdm32.exe (command line: C:\Windows\system32\Ckijdm32.exe), PID:2076
- System Location Discovery: System Language Discovery
- Modifies registry class

103. C:\Windows\SysWOW64\Cbcbag32.exe (command line: C:\Windows\system32\Cbcbag32.exe), PID:2012

104. C:\Windows\SysWOW64\Cgpjin32.exe (command line: C:\Windows\system32\Cgpjin32.exe), PID:3040

105. C:\Windows\SysWOW64\Dahobdpe.exe (command line: C:\Windows\system32\Dahobdpe.exe), PID:1560

106. C:\Windows\SysWOW64\Dnlolhoo.exe (command line: C:\Windows\system32\Dnlolhoo.exe), PID:2656
- System Location Discovery: System Language Discovery

107. C:\Windows\SysWOW64\Dhdddnep.exe (command line: C:\Windows\system32\Dhdddnep.exe), PID:2664

108. C:\Windows\SysWOW64\Dmalmdcg.exe (command line: C:\Windows\system32\Dmalmdcg.exe), PID:2628
- Drops file in System32 directory

109. C:\Windows\SysWOW64\Dbneekan.exe (command line: C:\Windows\system32\Dbneekan.exe), PID:1676

110. C:\Windows\SysWOW64\Dihmae32.exe (command line: C:\Windows\system32\Dihmae32.exe), PID:2364
- System Location Discovery: System Language Discovery

111. C:\Windows\SysWOW64\Dijjgegh.exe (command line: C:\Windows\system32\Dijjgegh.exe), PID:1504
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

112. C:\Windows\SysWOW64\Dbcnpk32.exe (command line: C:\Windows\system32\Dbcnpk32.exe), PID:1956
- System Location Discovery: System Language Discovery

113. C:\Windows\SysWOW64\Ehpgha32.exe (command line: C:\Windows\system32\Ehpgha32.exe), PID:2340
- System Location Discovery: System Language Discovery

114. C:\Windows\SysWOW64\Eecgafkj.exe (command line: C:\Windows\system32\Eecgafkj.exe), PID:1044

115. C:\Windows\SysWOW64\Ebghkjjc.exe (command line: C:\Windows\system32\Ebghkjjc.exe), PID:2120
- Adds autorun key to be loaded by Explorer.exe on startup

116. C:\Windows\SysWOW64\Fpfkhbon.exe (command line: C:\Windows\system32\Fpfkhbon.exe), PID:1092

117. C:\Windows\SysWOW64\Fcgdjmlo.exe (command line: C:\Windows\system32\Fcgdjmlo.exe), PID:1428

118. C:\Windows\SysWOW64\Fclmem32.exe (command line: C:\Windows\system32\Fclmem32.exe), PID:2388

119. C:\Windows\SysWOW64\Fhifmcfa.exe (command line: C:\Windows\system32\Fhifmcfa.exe), PID:2772
- Drops file in System32 directory
- Modifies registry class

120. C:\Windows\SysWOW64\Gnenfjdh.exe (command line: C:\Windows\system32\Gnenfjdh.exe), PID:952
- System Location Discovery: System Language Discovery

121. C:\Windows\SysWOW64\Ggncop32.exe (command line: C:\Windows\system32\Ggncop32.exe), PID:2912

122. C:\Windows\SysWOW64\Gnhkkjbf.exe (command line: C:\Windows\system32\Gnhkkjbf.exe), PID:1720

123. C:\Windows\SysWOW64\Gklkdn32.exe (command line: C:\Windows\system32\Gklkdn32.exe), PID:2356

124. C:\Windows\SysWOW64\Gddpndhp.exe (command line: C:\Windows\system32\Gddpndhp.exe), PID:2244
- Modifies registry class

125. C:\Windows\SysWOW64\Gnmdfi32.exe (command line: C:\Windows\system32\Gnmdfi32.exe), PID:1832
- Modifies registry class

126. C:\Windows\SysWOW64\Ggeiooea.exe (command line: C:\Windows\system32\Ggeiooea.exe), PID:2124

127. C:\Windows\SysWOW64\Gmbagf32.exe (command line: C:\Windows\system32\Gmbagf32.exe), PID:2280

128. C:\Windows\SysWOW64\Hfjfpkji.exe (command line: C:\Windows\system32\Hfjfpkji.exe), PID:1544

129. C:\Windows\SysWOW64\Hmdnme32.exe (command line: C:\Windows\system32\Hmdnme32.exe), PID:3004

130. C:\Windows\SysWOW64\Hfmbfkhf.exe (command line: C:\Windows\system32\Hfmbfkhf.exe), PID:1120

131. C:\Windows\SysWOW64\Hoegoqng.exe (command line: C:\Windows\system32\Hoegoqng.exe), PID:2980
- Drops file in System32 directory

132. C:\Windows\SysWOW64\Hfookk32.exe (command line: C:\Windows\system32\Hfookk32.exe), PID:1788

133. C:\Windows\SysWOW64\Hnjdpm32.exe (command line: C:\Windows\system32\Hnjdpm32.exe), PID:2936

134. C:\Windows\SysWOW64\Hfalaj32.exe (command line: C:\Windows\system32\Hfalaj32.exe), PID:2840
- System Location Discovery: System Language Discovery

135. C:\Windows\SysWOW64\Hojqjp32.exe (command line: C:\Windows\system32\Hojqjp32.exe), PID:2292
- Drops file in System32 directory

136. C:\Windows\SysWOW64\Hbhmfk32.exe (command line: C:\Windows\system32\Hbhmfk32.exe), PID:1496

137. C:\Windows\SysWOW64\Hkpaoape.exe (command line: C:\Windows\system32\Hkpaoape.exe), PID:1220
- Modifies registry class

138. C:\Windows\SysWOW64\Ibjikk32.exe (command line: C:\Windows\system32\Ibjikk32.exe), PID:832

139. C:\Windows\SysWOW64\Ieiegf32.exe (command line: C:\Windows\system32\Ieiegf32.exe), PID:2808
- Drops file in System32 directory

140. C:\Windows\SysWOW64\Inajql32.exe (command line: C:\Windows\system32\Inajql32.exe), PID:884

141. C:\Windows\SysWOW64\Icnbic32.exe (command line: C:\Windows\system32\Icnbic32.exe), PID:1680
- Adds autorun key to be loaded by Explorer.exe on startup

142. C:\Windows\SysWOW64\Ijhkembk.exe (command line: C:\Windows\system32\Ijhkembk.exe), PID:1172

143. C:\Windows\SysWOW64\Iimhfj32.exe (command line: C:\Windows\system32\Iimhfj32.exe), PID:848

144. C:\Windows\SysWOW64\Icbldbgi.exe (command line: C:\Windows\system32\Icbldbgi.exe), PID:792

145. C:\Windows\SysWOW64\Imkqmh32.exe (command line: C:\Windows\system32\Imkqmh32.exe), PID:1536
- Drops file in System32 directory

146. C:\Windows\SysWOW64\Ipimic32.exe (command line: C:\Windows\system32\Ipimic32.exe), PID:948
- Modifies registry class

147. C:\Windows\SysWOW64\Iefeaj32.exe (command line: C:\Windows\system32\Iefeaj32.exe), PID:2332
- Modifies registry class

148. C:\Windows\SysWOW64\Jbjejojn.exe (command line: C:\Windows\system32\Jbjejojn.exe), PID:2520

149. C:\Windows\SysWOW64\Jehbfjia.exe (command line: C:\Windows\system32\Jehbfjia.exe), PID:2476

150. C:\Windows\SysWOW64\Jlbjcd32.exe (command line: C:\Windows\system32\Jlbjcd32.exe), PID:656

151. C:\Windows\SysWOW64\Jnafop32.exe (command line: C:\Windows\system32\Jnafop32.exe), PID:2672

152. C:\Windows\SysWOW64\Jekoljgo.exe (command line: C:\Windows\system32\Jekoljgo.exe), PID:1008

153. C:\Windows\SysWOW64\Jifkmh32.exe (command line: C:\Windows\system32\Jifkmh32.exe), PID:2436

154. C:\Windows\SysWOW64\Jjhgdqef.exe (command line: C:\Windows\system32\Jjhgdqef.exe), PID:2756

155. C:\Windows\SysWOW64\Jbooen32.exe (command line: C:\Windows\system32\Jbooen32.exe), PID:2580

156. C:\Windows\SysWOW64\Jdplmflg.exe (command line: C:\Windows\system32\Jdplmflg.exe), PID:1628

157. C:\Windows\SysWOW64\Jlgcncli.exe (command line: C:\Windows\system32\Jlgcncli.exe), PID:2492

158. C:\Windows\SysWOW64\Joepjokm.exe (command line: C:\Windows\system32\Joepjokm.exe), PID:1944
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

159. C:\Windows\SysWOW64\Jephgi32.exe (command line: C:\Windows\system32\Jephgi32.exe), PID:2300

160. C:\Windows\SysWOW64\Jhndcd32.exe (command line: C:\Windows\system32\Jhndcd32.exe), PID:1520

161. C:\Windows\SysWOW64\Johlpoij.exe (command line: C:\Windows\system32\Johlpoij.exe), PID:2880
- Adds autorun key to be loaded by Explorer.exe on startup

162. C:\Windows\SysWOW64\Jafilj32.exe (command line: C:\Windows\system32\Jafilj32.exe), PID:2036
- Drops file in System32 directory

163. C:\Windows\SysWOW64\Kdeehe32.exe (command line: C:\Windows\system32\Kdeehe32.exe), PID:1632
- System Location Discovery: System Language Discovery

164. C:\Windows\SysWOW64\Kkomepon.exe (command line: C:\Windows\system32\Kkomepon.exe), PID:2308

165. C:\Windows\SysWOW64\Kmmiaknb.exe (command line: C:\Windows\system32\Kmmiaknb.exe), PID:2596
- System Location Discovery: System Language Discovery

166. C:\Windows\SysWOW64\Kdgane32.exe (command line: C:\Windows\system32\Kdgane32.exe), PID:2180
- System Location Discovery: System Language Discovery

167. C:\Windows\SysWOW64\Kfenjq32.exe (command line: C:\Windows\system32\Kfenjq32.exe), PID:2760
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

168. C:\Windows\SysWOW64\Kidjfl32.exe (command line: C:\Windows\system32\Kidjfl32.exe), PID:1800

169. C:\Windows\SysWOW64\Kpnbcfkc.exe (command line: C:\Windows\system32\Kpnbcfkc.exe), PID:2168

170. C:\Windows\SysWOW64\Kblooa32.exe (command line: C:\Windows\system32\Kblooa32.exe), PID:112
- System Location Discovery: System Language Discovery

171. C:\Windows\SysWOW64\Kmbclj32.exe (command line: C:\Windows\system32\Kmbclj32.exe), PID:2704

172. C:\Windows\SysWOW64\Kbokda32.exe (command line: C:\Windows\system32\Kbokda32.exe), PID:812
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

173. C:\Windows\SysWOW64\Kihcakpa.exe (command line: C:\Windows\system32\Kihcakpa.exe), PID:1596

174. C:\Windows\SysWOW64\Koelibnh.exe (command line: C:\Windows\system32\Koelibnh.exe), PID:1352

175. C:\Windows\SysWOW64\Kadhen32.exe (command line: C:\Windows\system32\Kadhen32.exe), PID:2700

176. C:\Windows\SysWOW64\Khnqbhdi.exe (command line: C:\Windows\system32\Khnqbhdi.exe), PID:2676

177. C:\Windows\SysWOW64\Lohiob32.exe (command line: C:\Windows\system32\Lohiob32.exe), PID:2916

178. C:\Windows\SysWOW64\Leaallcb.exe (command line: C:\Windows\system32\Leaallcb.exe), PID:568

179. C:\Windows\SysWOW64\Lhpmhgbf.exe (command line: C:\Windows\system32\Lhpmhgbf.exe), PID:968
- Drops file in System32 directory

180. C:\Windows\SysWOW64\Lojeda32.exe (command line: C:\Windows\system32\Lojeda32.exe), PID:2128

181. C:\Windows\SysWOW64\Lhbjmg32.exe (command line: C:\Windows\system32\Lhbjmg32.exe), PID:284

182. C:\Windows\SysWOW64\Lolbjahp.exe (command line: C:\Windows\system32\Lolbjahp.exe), PID:2464
- Drops file in System32 directory

183. C:\Windows\SysWOW64\Lpnobi32.exe (command line: C:\Windows\system32\Lpnobi32.exe), PID:2028
- Adds autorun key to be loaded by Explorer.exe on startup

184. C:\Windows\SysWOW64\Lkccob32.exe (command line: C:\Windows\system32\Lkccob32.exe), PID:2380
- System Location Discovery: System Language Discovery

185. C:\Windows\SysWOW64\Lamkllea.exe (command line: C:\Windows\system32\Lamkllea.exe), PID:3000

186. C:\Windows\SysWOW64\Lgjcdc32.exe (command line: C:\Windows\system32\Lgjcdc32.exe), PID:696

187. C:\Windows\SysWOW64\Lndlamke.exe (command line: C:\Windows\system32\Lndlamke.exe), PID:3084
- System Location Discovery: System Language Discovery

188. C:\Windows\SysWOW64\Lpbhmiji.exe (command line: C:\Windows\system32\Lpbhmiji.exe), PID:3124

189. C:\Windows\SysWOW64\Mjkmfn32.exe (command line: C:\Windows\system32\Mjkmfn32.exe), PID:3164
- Adds autorun key to be loaded by Explorer.exe on startup

190. C:\Windows\SysWOW64\Mogene32.exe (command line: C:\Windows\system32\Mogene32.exe), PID:3204

191. C:\Windows\SysWOW64\Mfamko32.exe (command line: C:\Windows\system32\Mfamko32.exe), PID:3244

192. C:\Windows\SysWOW64\Mhpigk32.exe (command line: C:\Windows\system32\Mhpigk32.exe), PID:3284
- Adds autorun key to be loaded by Explorer.exe on startup

193. C:\Windows\SysWOW64\Mojaceln.exe (command line: C:\Windows\system32\Mojaceln.exe), PID:3324

194. C:\Windows\SysWOW64\Mjofanld.exe (command line: C:\Windows\system32\Mjofanld.exe), PID:3364

195. C:\Windows\SysWOW64\Mkqbhf32.exe (command line: C:\Windows\system32\Mkqbhf32.exe), PID:3404

196. C:\Windows\SysWOW64\Mchjjc32.exe (command line: C:\Windows\system32\Mchjjc32.exe), PID:3444

197. C:\Windows\SysWOW64\Mhdcbjal.exe (command line: C:\Windows\system32\Mhdcbjal.exe), PID:3484

198. C:\Windows\SysWOW64\Mkconepp.exe (command line: C:\Windows\system32\Mkconepp.exe), PID:3524
- System Location Discovery: System Language Discovery
- Modifies registry class

199. C:\Windows\SysWOW64\Mfhcknpf.exe (command line: C:\Windows\system32\Mfhcknpf.exe), PID:3564

200. C:\Windows\SysWOW64\Mhgpgjoj.exe (command line: C:\Windows\system32\Mhgpgjoj.exe), PID:3604
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

201. C:\Windows\SysWOW64\Moahdd32.exe (command line: C:\Windows\system32\Moahdd32.exe), PID:3644
- Drops file in System32 directory

202. C:\Windows\SysWOW64\Nqbdllld.exe (command line: C:\Windows\system32\Nqbdllld.exe), PID:3684
- Adds autorun key to be loaded by Explorer.exe on startup

203. C:\Windows\SysWOW64\Njjieace.exe (command line: C:\Windows\system32\Njjieace.exe), PID:3724

204. C:\Windows\SysWOW64\Nbaafocg.exe (command line: C:\Windows\system32\Nbaafocg.exe), PID:3768

205. C:\Windows\SysWOW64\Nccmng32.exe (command line: C:\Windows\system32\Nccmng32.exe), PID:3808
- Modifies registry class

206. C:\Windows\SysWOW64\Nkjeod32.exe (command line: C:\Windows\system32\Nkjeod32.exe), PID:3848

207. C:\Windows\SysWOW64\Nmkbfmpf.exe (command line: C:\Windows\system32\Nmkbfmpf.exe), PID:3888
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

208. C:\Windows\SysWOW64\Nqgngk32.exe (command line: C:\Windows\system32\Nqgngk32.exe), PID:3928
- System Location Discovery: System Language Discovery

209. C:\Windows\SysWOW64\Ngafdepl.exe (command line: C:\Windows\system32\Ngafdepl.exe), PID:3968
- Modifies registry class

210. C:\Windows\SysWOW64\Nnknqpgi.exe (command line: C:\Windows\system32\Nnknqpgi.exe), PID:4008

211. C:\Windows\SysWOW64\Nqijmkfm.exe (command line: C:\Windows\system32\Nqijmkfm.exe), PID:4048
- System Location Discovery: System Language Discovery

212. C:\Windows\SysWOW64\Ngcbie32.exe (command line: C:\Windows\system32\Ngcbie32.exe), PID:4088

213. C:\Windows\SysWOW64\Nmpkal32.exe (command line: C:\Windows\system32\Nmpkal32.exe), PID:3108

214. C:\Windows\SysWOW64\Npngng32.exe (command line: C:\Windows\system32\Npngng32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3152 -
C:\Windows\SysWOW64\Oaiglnih.exeC:\Windows\system32\Oaiglnih.exe215⤵PID:3100
-
C:\Windows\SysWOW64\Ohcohh32.exeC:\Windows\system32\Ohcohh32.exe216⤵
- Modifies registry class
PID:3264 -
C:\Windows\SysWOW64\Ompgqonl.exeC:\Windows\system32\Ompgqonl.exe217⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3312 -
C:\Windows\SysWOW64\Pdjpmi32.exeC:\Windows\system32\Pdjpmi32.exe218⤵PID:3360
-
C:\Windows\SysWOW64\Phelnhnb.exeC:\Windows\system32\Phelnhnb.exe219⤵
- Drops file in System32 directory
PID:3260 -
C:\Windows\SysWOW64\Pmbdfolj.exeC:\Windows\system32\Pmbdfolj.exe220⤵PID:3460
-
C:\Windows\SysWOW64\Phhhchlp.exeC:\Windows\system32\Phhhchlp.exe221⤵PID:3508
-
C:\Windows\SysWOW64\Papmlmbp.exeC:\Windows\system32\Papmlmbp.exe222⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3560 -
C:\Windows\SysWOW64\Pbaide32.exeC:\Windows\system32\Pbaide32.exe223⤵PID:3496
-
C:\Windows\SysWOW64\Pikaqppk.exeC:\Windows\system32\Pikaqppk.exe224⤵PID:3660
-
C:\Windows\SysWOW64\Pljnmkoo.exeC:\Windows\system32\Pljnmkoo.exe225⤵PID:3624
-
C:\Windows\SysWOW64\Pfobjdoe.exeC:\Windows\system32\Pfobjdoe.exe226⤵PID:3756
-
C:\Windows\SysWOW64\Plljbkml.exeC:\Windows\system32\Plljbkml.exe227⤵PID:3816
-
C:\Windows\SysWOW64\Pfaopc32.exeC:\Windows\system32\Pfaopc32.exe228⤵PID:3884
-
C:\Windows\SysWOW64\Qlnghj32.exeC:\Windows\system32\Qlnghj32.exe229⤵PID:3912
-
C:\Windows\SysWOW64\Qbhpddbf.exeC:\Windows\system32\Qbhpddbf.exe230⤵PID:3976
-
C:\Windows\SysWOW64\Qbkljd32.exeC:\Windows\system32\Qbkljd32.exe231⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4024 -
C:\Windows\SysWOW64\Ahgdbk32.exeC:\Windows\system32\Ahgdbk32.exe232⤵PID:4064
-
C:\Windows\SysWOW64\Aoamoefh.exeC:\Windows\system32\Aoamoefh.exe233⤵PID:3092
-
C:\Windows\SysWOW64\Aapikqel.exeC:\Windows\system32\Aapikqel.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3148 -
C:\Windows\SysWOW64\Agmacgcc.exeC:\Windows\system32\Agmacgcc.exe235⤵PID:3188
-
C:\Windows\SysWOW64\Aabfqp32.exeC:\Windows\system32\Aabfqp32.exe236⤵PID:3272
-
C:\Windows\SysWOW64\Adqbml32.exeC:\Windows\system32\Adqbml32.exe237⤵PID:3332
-
C:\Windows\SysWOW64\Akjjifji.exeC:\Windows\system32\Akjjifji.exe238⤵
- Modifies registry class
PID:3388 -
C:\Windows\SysWOW64\Aadbfp32.exeC:\Windows\system32\Aadbfp32.exe239⤵PID:3456
-
C:\Windows\SysWOW64\Acfonhgd.exeC:\Windows\system32\Acfonhgd.exe240⤵PID:3520
-
C:\Windows\SysWOW64\Ankckagj.exeC:\Windows\system32\Ankckagj.exe241⤵PID:3592
-
C:\Windows\SysWOW64\Achlch32.exeC:\Windows\system32\Achlch32.exe242⤵PID:3640