Analysis
Max time kernel: 114s
Max time network: 119s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 16-09-2024 11:19
Static task: static1
Behavioral task: behavioral1
  Sample: TrojanDownloader.Win32.Berbew.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: TrojanDownloader.Win32.Berbew.exe
  Resource: win10v2004-20240802-en
General
Target: TrojanDownloader.Win32.Berbew.exe
Size: 67KB
MD5: 94cd92fb6e9ebc075f23dbd20fdade00
SHA1: c175630fc0f83c0bb202112675e9fd2c416aa7d9
SHA256: 67d8d62e277264cdbc4feb16bb046c0dc79289f74bdf8c09e6d51be3ae6d0b2f
SHA512: 53bdbace03855b4ddfecf5f1a407d633797cd70f60938b410acaf55689b99d776a43ae5962d934127d857f67e38f5a7dabd6c921c0dfbf4bc3dcd7ffc0d26d04
SSDEEP: 768:xuU25ok2mtzzzOgX7QDeu9x2gxslkem9R1JtBdxVpNhC2a1aj0X/1H5rcEVErMEJ:AlJzZX0YgxsaC2sJifTduD4oTxw
Malware Config
Extracted: berbew
  http://tat-neftbank.ru/kkq.php
  http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes:
  pid: 12760  pid_target: 12684  process: WerFault.exe  target process: Mbldhn32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Each entry records the source process writing to the memory of the target process (source PID / source process -> target PID / target process). The raw log repeats each of the first 21 entries three times (63 events) and records the last once, giving the 64 IoCs.
- 788 TrojanDownloader.Win32.Berbew.exe -> 4900 Cfjeckpj.exe
- 4900 Cfjeckpj.exe -> 3252 Cpcila32.exe
- 3252 Cpcila32.exe -> 456 Cbaehl32.exe
- 456 Cbaehl32.exe -> 2164 Ciknefmk.exe
- 2164 Ciknefmk.exe -> 3700 Clijablo.exe
- 3700 Clijablo.exe -> 2940 Dfonnk32.exe
- 2940 Dfonnk32.exe -> 860 Dmifkecb.exe
- 860 Dmifkecb.exe -> 3620 Dbfoclai.exe
- 3620 Dbfoclai.exe -> 2088 Dedkogqm.exe
- 2088 Dedkogqm.exe -> 2248 Dpjompqc.exe
- 2248 Dpjompqc.exe -> 944 Dgdgijhp.exe
- 944 Dgdgijhp.exe -> 1616 Ddhhbngi.exe
- 1616 Ddhhbngi.exe -> 4440 Didqkeeq.exe
- 4440 Didqkeeq.exe -> 3772 Dlcmgqdd.exe
- 3772 Dlcmgqdd.exe -> 1652 Dghadidj.exe
- 1652 Dghadidj.exe -> 3044 Eleimp32.exe
- 3044 Eleimp32.exe -> 928 Elhfbp32.exe
- 928 Elhfbp32.exe -> 636 Eljchpnl.exe
- 636 Eljchpnl.exe -> 3848 Emioab32.exe
- 3848 Emioab32.exe -> 5056 Edfddl32.exe
- 5056 Edfddl32.exe -> 1824 Flaiho32.exe
- 1824 Flaiho32.exe -> 5072 Fnqebaog.exe
Processes
-
The tree is one linear chain: the process at level N is the child of the process at level N-1. Each entry gives the image path, the command line as recorded, the PID, and the signatures that process triggered.
1. C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe", PID 788): Modifies registry class; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Cfjeckpj.exe (cmd: C:\Windows\system32\Cfjeckpj.exe, PID 4900): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Cpcila32.exe (cmd: C:\Windows\system32\Cpcila32.exe, PID 3252): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Cbaehl32.exe (cmd: C:\Windows\system32\Cbaehl32.exe, PID 456): Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ciknefmk.exe (cmd: C:\Windows\system32\Ciknefmk.exe, PID 2164): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Clijablo.exe (cmd: C:\Windows\system32\Clijablo.exe, PID 3700): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Dfonnk32.exe (cmd: C:\Windows\system32\Dfonnk32.exe, PID 2940): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Dmifkecb.exe (cmd: C:\Windows\system32\Dmifkecb.exe, PID 860): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Dbfoclai.exe (cmd: C:\Windows\system32\Dbfoclai.exe, PID 3620): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Dedkogqm.exe (cmd: C:\Windows\system32\Dedkogqm.exe, PID 2088): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Dpjompqc.exe (cmd: C:\Windows\system32\Dpjompqc.exe, PID 2248): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Dgdgijhp.exe (cmd: C:\Windows\system32\Dgdgijhp.exe, PID 944): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Ddhhbngi.exe (cmd: C:\Windows\system32\Ddhhbngi.exe, PID 1616): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Didqkeeq.exe (cmd: C:\Windows\system32\Didqkeeq.exe, PID 4440): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Dlcmgqdd.exe (cmd: C:\Windows\system32\Dlcmgqdd.exe, PID 3772): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Dghadidj.exe (cmd: C:\Windows\system32\Dghadidj.exe, PID 1652): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Eleimp32.exe (cmd: C:\Windows\system32\Eleimp32.exe, PID 3044): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Elhfbp32.exe (cmd: C:\Windows\system32\Elhfbp32.exe, PID 928): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Eljchpnl.exe (cmd: C:\Windows\system32\Eljchpnl.exe, PID 636): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Emioab32.exe (cmd: C:\Windows\system32\Emioab32.exe, PID 3848): Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Edfddl32.exe (cmd: C:\Windows\system32\Edfddl32.exe, PID 5056): Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Flaiho32.exe (cmd: C:\Windows\system32\Flaiho32.exe, PID 1824): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Fnqebaog.exe (cmd: C:\Windows\system32\Fnqebaog.exe, PID 5072): Executes dropped EXE
24. C:\Windows\SysWOW64\Fgijkgeh.exe (cmd: C:\Windows\system32\Fgijkgeh.exe, PID 4208): Executes dropped EXE; Modifies registry class
25. C:\Windows\SysWOW64\Fdmjdkda.exe (cmd: C:\Windows\system32\Fdmjdkda.exe, PID 1992): Executes dropped EXE; System Location Discovery: System Language Discovery
26. C:\Windows\SysWOW64\Fneoma32.exe (cmd: C:\Windows\system32\Fneoma32.exe, PID 1564): Executes dropped EXE; Drops file in System32 directory
27. C:\Windows\SysWOW64\Fgncff32.exe (cmd: C:\Windows\system32\Fgncff32.exe, PID 4420): Executes dropped EXE
28. C:\Windows\SysWOW64\Fnglcqio.exe (cmd: C:\Windows\system32\Fnglcqio.exe, PID 2856): Executes dropped EXE
29. C:\Windows\SysWOW64\Fpfholhc.exe (cmd: C:\Windows\system32\Fpfholhc.exe, PID 4604): Executes dropped EXE
30. C:\Windows\SysWOW64\Glmhdm32.exe (cmd: C:\Windows\system32\Glmhdm32.exe, PID 1648): Executes dropped EXE
31. C:\Windows\SysWOW64\Gphddlfp.exe (cmd: C:\Windows\system32\Gphddlfp.exe, PID 3628): Executes dropped EXE
32. C:\Windows\SysWOW64\Ggbmafnm.exe (cmd: C:\Windows\system32\Ggbmafnm.exe, PID 4564): Executes dropped EXE; System Location Discovery: System Language Discovery
33. C:\Windows\SysWOW64\Gnlenp32.exe (cmd: C:\Windows\system32\Gnlenp32.exe, PID 4744): Executes dropped EXE; System Location Discovery: System Language Discovery
34. C:\Windows\SysWOW64\Gdfmkjlg.exe (cmd: C:\Windows\system32\Gdfmkjlg.exe, PID 2920): Executes dropped EXE
35. C:\Windows\SysWOW64\Gjcfcakn.exe (cmd: C:\Windows\system32\Gjcfcakn.exe, PID 2916): Executes dropped EXE
36. C:\Windows\SysWOW64\Glabolja.exe (cmd: C:\Windows\system32\Glabolja.exe, PID 3108): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
37. C:\Windows\SysWOW64\Gdhjpjjd.exe (cmd: C:\Windows\system32\Gdhjpjjd.exe, PID 4840): Executes dropped EXE; System Location Discovery: System Language Discovery
38. C:\Windows\SysWOW64\Gfjfhbpb.exe (cmd: C:\Windows\system32\Gfjfhbpb.exe, PID 3760): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
39. C:\Windows\SysWOW64\Gmdoel32.exe (cmd: C:\Windows\system32\Gmdoel32.exe, PID 4348): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
40. C:\Windows\SysWOW64\Gdkffi32.exe (cmd: C:\Windows\system32\Gdkffi32.exe, PID 980): Executes dropped EXE
41. C:\Windows\SysWOW64\Gcngafol.exe (cmd: C:\Windows\system32\Gcngafol.exe, PID 1068): Executes dropped EXE
42. C:\Windows\SysWOW64\Gjhonp32.exe (cmd: C:\Windows\system32\Gjhonp32.exe, PID 2404): Executes dropped EXE
43. C:\Windows\SysWOW64\Gcpcgfmi.exe (cmd: C:\Windows\system32\Gcpcgfmi.exe, PID 60): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
44. C:\Windows\SysWOW64\Gglpgd32.exe (cmd: C:\Windows\system32\Gglpgd32.exe, PID 4572): Executes dropped EXE
45. C:\Windows\SysWOW64\Hfnpca32.exe (cmd: C:\Windows\system32\Hfnpca32.exe, PID 1392): Executes dropped EXE
46. C:\Windows\SysWOW64\Hcbpme32.exe (cmd: C:\Windows\system32\Hcbpme32.exe, PID 936): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
47. C:\Windows\SysWOW64\Hnhdjn32.exe (cmd: C:\Windows\system32\Hnhdjn32.exe, PID 4560): Executes dropped EXE; System Location Discovery: System Language Discovery
48. C:\Windows\SysWOW64\Hjoeoo32.exe (cmd: C:\Windows\system32\Hjoeoo32.exe, PID 4876): Executes dropped EXE
49. C:\Windows\SysWOW64\Hnmnengg.exe (cmd: C:\Windows\system32\Hnmnengg.exe, PID 2508): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
50. C:\Windows\SysWOW64\Hcifmdeo.exe (cmd: C:\Windows\system32\Hcifmdeo.exe, PID 2956): Executes dropped EXE
51. C:\Windows\SysWOW64\Hmbkfjko.exe (cmd: C:\Windows\system32\Hmbkfjko.exe, PID 4464): Executes dropped EXE
52. C:\Windows\SysWOW64\Iggocbke.exe (cmd: C:\Windows\system32\Iggocbke.exe, PID 2252): Executes dropped EXE
53. C:\Windows\SysWOW64\Igjlibib.exe (cmd: C:\Windows\system32\Igjlibib.exe, PID 3248): Executes dropped EXE; Modifies registry class
54. C:\Windows\SysWOW64\Icqmncof.exe (cmd: C:\Windows\system32\Icqmncof.exe, PID 4360): Executes dropped EXE
55. C:\Windows\SysWOW64\Iqdmghnp.exe (cmd: C:\Windows\system32\Iqdmghnp.exe, PID 2936): Executes dropped EXE
56. C:\Windows\SysWOW64\Iebfmfdg.exe (cmd: C:\Windows\system32\Iebfmfdg.exe, PID 2568): Executes dropped EXE; Modifies registry class
57. C:\Windows\SysWOW64\Jgcooaah.exe (cmd: C:\Windows\system32\Jgcooaah.exe, PID 4080): Executes dropped EXE
58. C:\Windows\SysWOW64\Jakchf32.exe (cmd: C:\Windows\system32\Jakchf32.exe, PID 3608): Executes dropped EXE
59. C:\Windows\SysWOW64\Jgekdq32.exe (cmd: C:\Windows\system32\Jgekdq32.exe, PID 2792): Executes dropped EXE
60. C:\Windows\SysWOW64\Jnocakfb.exe (cmd: C:\Windows\system32\Jnocakfb.exe, PID 5092): Executes dropped EXE
61. C:\Windows\SysWOW64\Jeilne32.exe (cmd: C:\Windows\system32\Jeilne32.exe, PID 3196): Executes dropped EXE
62. C:\Windows\SysWOW64\Jfkhfmdm.exe (cmd: C:\Windows\system32\Jfkhfmdm.exe, PID 4424): Executes dropped EXE; Drops file in System32 directory
63. C:\Windows\SysWOW64\Jjfdfl32.exe (cmd: C:\Windows\system32\Jjfdfl32.exe, PID 3500): Executes dropped EXE
64. C:\Windows\SysWOW64\Jelhcd32.exe (cmd: C:\Windows\system32\Jelhcd32.exe, PID 996): Executes dropped EXE
65. C:\Windows\SysWOW64\Jfmekm32.exe (cmd: C:\Windows\system32\Jfmekm32.exe, PID 2816): Executes dropped EXE
66. C:\Windows\SysWOW64\Jndmlj32.exe (cmd: C:\Windows\system32\Jndmlj32.exe, PID 3332)
67. C:\Windows\SysWOW64\Jabiie32.exe (cmd: C:\Windows\system32\Jabiie32.exe, PID 4680): Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Jcaeea32.exe (cmd: C:\Windows\system32\Jcaeea32.exe, PID 532): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
69. C:\Windows\SysWOW64\Jjknakhq.exe (cmd: C:\Windows\system32\Jjknakhq.exe, PID 1156): Adds autorun key to be loaded by Explorer.exe on startup
70. C:\Windows\SysWOW64\Jmijnfgd.exe (cmd: C:\Windows\system32\Jmijnfgd.exe, PID 2380): Adds autorun key to be loaded by Explorer.exe on startup
71. C:\Windows\SysWOW64\Jaefne32.exe (cmd: C:\Windows\system32\Jaefne32.exe, PID 4476)
72. C:\Windows\SysWOW64\Kccbjq32.exe (cmd: C:\Windows\system32\Kccbjq32.exe, PID 3900)
73. C:\Windows\SysWOW64\Knifging.exe (cmd: C:\Windows\system32\Knifging.exe, PID 5032)
74. C:\Windows\SysWOW64\Kebodc32.exe (cmd: C:\Windows\system32\Kebodc32.exe, PID 4540)
75. C:\Windows\SysWOW64\Kceoppmo.exe (cmd: C:\Windows\system32\Kceoppmo.exe, PID 2244): Modifies registry class
76. C:\Windows\SysWOW64\Kfdklllb.exe (cmd: C:\Windows\system32\Kfdklllb.exe, PID 4976): Drops file in System32 directory
77. C:\Windows\SysWOW64\Kmncif32.exe (cmd: C:\Windows\system32\Kmncif32.exe, PID 5116)
78. C:\Windows\SysWOW64\Keekjc32.exe (cmd: C:\Windows\system32\Keekjc32.exe, PID 8)
79. C:\Windows\SysWOW64\Khcgfo32.exe (cmd: C:\Windows\system32\Khcgfo32.exe, PID 3984): System Location Discovery: System Language Discovery
80. C:\Windows\SysWOW64\Khfdlnab.exe (cmd: C:\Windows\system32\Khfdlnab.exe, PID 4624): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
81. C:\Windows\SysWOW64\Kanidd32.exe (cmd: C:\Windows\system32\Kanidd32.exe, PID 5144): System Location Discovery: System Language Discovery
82. C:\Windows\SysWOW64\Kejeebpl.exe (cmd: C:\Windows\system32\Kejeebpl.exe, PID 5188)
83. C:\Windows\SysWOW64\Khhaanop.exe (cmd: C:\Windows\system32\Khhaanop.exe, PID 5260): Modifies registry class
84. C:\Windows\SysWOW64\Kjfmminc.exe (cmd: C:\Windows\system32\Kjfmminc.exe, PID 5308)
85. C:\Windows\SysWOW64\Kmeiie32.exe (cmd: C:\Windows\system32\Kmeiie32.exe, PID 5352): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
86. C:\Windows\SysWOW64\Lmgfod32.exe (cmd: C:\Windows\system32\Lmgfod32.exe, PID 5396)
87. C:\Windows\SysWOW64\Lhmjlm32.exe (cmd: C:\Windows\system32\Lhmjlm32.exe, PID 5440)
88. C:\Windows\SysWOW64\Lhogamih.exe (cmd: C:\Windows\system32\Lhogamih.exe, PID 5484): Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Loiong32.exe (cmd: C:\Windows\system32\Loiong32.exe, PID 5528): Adds autorun key to be loaded by Explorer.exe on startup
90. C:\Windows\SysWOW64\Lechkaga.exe (cmd: C:\Windows\system32\Lechkaga.exe, PID 5572)
91. C:\Windows\SysWOW64\Lfddci32.exe (cmd: C:\Windows\system32\Lfddci32.exe, PID 5616): System Location Discovery: System Language Discovery
92. C:\Windows\SysWOW64\Lokldg32.exe (cmd: C:\Windows\system32\Lokldg32.exe, PID 5660)
93. C:\Windows\SysWOW64\Lajhpbme.exe (cmd: C:\Windows\system32\Lajhpbme.exe, PID 5704): Adds autorun key to be loaded by Explorer.exe on startup
94. C:\Windows\SysWOW64\Lfgahikm.exe (cmd: C:\Windows\system32\Lfgahikm.exe, PID 5748): System Location Discovery: System Language Discovery
95. C:\Windows\SysWOW64\Lmqiec32.exe (cmd: C:\Windows\system32\Lmqiec32.exe, PID 5792)
96. C:\Windows\SysWOW64\Mehafq32.exe (cmd: C:\Windows\system32\Mehafq32.exe, PID 5844): System Location Discovery: System Language Discovery
97. C:\Windows\SysWOW64\Mhfmbl32.exe (cmd: C:\Windows\system32\Mhfmbl32.exe, PID 5900)
98. C:\Windows\SysWOW64\Mginniij.exe (cmd: C:\Windows\system32\Mginniij.exe, PID 5944)
99. C:\Windows\SysWOW64\Mopeofjl.exe (cmd: C:\Windows\system32\Mopeofjl.exe, PID 6004)
100. C:\Windows\SysWOW64\Maoakaip.exe (cmd: C:\Windows\system32\Maoakaip.exe, PID 6060): Adds autorun key to be loaded by Explorer.exe on startup
101. C:\Windows\SysWOW64\Mejnlpai.exe (cmd: C:\Windows\system32\Mejnlpai.exe, PID 6124)
102. C:\Windows\SysWOW64\Mdmngm32.exe (cmd: C:\Windows\system32\Mdmngm32.exe, PID 5172): Modifies registry class
103. C:\Windows\SysWOW64\Mkgfdgpq.exe (cmd: C:\Windows\system32\Mkgfdgpq.exe, PID 5304)
104. C:\Windows\SysWOW64\Mobbdf32.exe (cmd: C:\Windows\system32\Mobbdf32.exe, PID 5404)
105. C:\Windows\SysWOW64\Maaoaa32.exe (cmd: C:\Windows\system32\Maaoaa32.exe, PID 5520)
106. C:\Windows\SysWOW64\Meljappg.exe (cmd: C:\Windows\system32\Meljappg.exe, PID 5608)
107. C:\Windows\SysWOW64\Mhkgnkoj.exe (cmd: C:\Windows\system32\Mhkgnkoj.exe, PID 5672): Modifies registry class
108. C:\Windows\SysWOW64\Mkicjgnn.exe (cmd: C:\Windows\system32\Mkicjgnn.exe, PID 5760): Drops file in System32 directory; System Location Discovery: System Language Discovery
109. C:\Windows\SysWOW64\Mmhofbma.exe (cmd: C:\Windows\system32\Mmhofbma.exe, PID 5832)
110. C:\Windows\SysWOW64\Mdagbl32.exe (cmd: C:\Windows\system32\Mdagbl32.exe, PID 5952)
111. C:\Windows\SysWOW64\Mmjlkb32.exe (cmd: C:\Windows\system32\Mmjlkb32.exe, PID 6052)
112. C:\Windows\SysWOW64\Nmlhaa32.exe (cmd: C:\Windows\system32\Nmlhaa32.exe, PID 5128)
113. C:\Windows\SysWOW64\Najagp32.exe (cmd: C:\Windows\system32\Najagp32.exe, PID 5268)
114. C:\Windows\SysWOW64\Nkbfpeec.exe (cmd: C:\Windows\system32\Nkbfpeec.exe, PID 5448): System Location Discovery: System Language Discovery
115. C:\Windows\SysWOW64\Nhffijdm.exe (cmd: C:\Windows\system32\Nhffijdm.exe, PID 5584)
116. C:\Windows\SysWOW64\Nejgbn32.exe (cmd: C:\Windows\system32\Nejgbn32.exe, PID 5700)
117. C:\Windows\SysWOW64\Nkgoke32.exe (cmd: C:\Windows\system32\Nkgoke32.exe, PID 5864): Adds autorun key to be loaded by Explorer.exe on startup
118. C:\Windows\SysWOW64\Nemchn32.exe (cmd: C:\Windows\system32\Nemchn32.exe, PID 6016)
119. C:\Windows\SysWOW64\Nhkpdi32.exe (cmd: C:\Windows\system32\Nhkpdi32.exe, PID 5160)
120. C:\Windows\SysWOW64\Onhhmpoo.exe (cmd: C:\Windows\system32\Onhhmpoo.exe, PID 5424)
121. C:\Windows\SysWOW64\Oeopnmoa.exe (cmd: C:\Windows\system32\Oeopnmoa.exe, PID 5876)
122. C:\Windows\SysWOW64\Ohnljine.exe (cmd: C:\Windows\system32\Ohnljine.exe, PID 5808)
123. C:\Windows\SysWOW64\Oafacn32.exe (cmd: C:\Windows\system32\Oafacn32.exe, PID 5168)
124. C:\Windows\SysWOW64\Ohpiphlb.exe (cmd: C:\Windows\system32\Ohpiphlb.exe, PID 5496): Drops file in System32 directory
125. C:\Windows\SysWOW64\Oojalb32.exe (cmd: C:\Windows\system32\Oojalb32.exe, PID 5820): Modifies registry class
126. C:\Windows\SysWOW64\Oediim32.exe (cmd: C:\Windows\system32\Oediim32.exe, PID 6132)
127. C:\Windows\SysWOW64\Ogefqeaj.exe (cmd: C:\Windows\system32\Ogefqeaj.exe, PID 5668)
128. C:\Windows\SysWOW64\Oolnabal.exe (cmd: C:\Windows\system32\Oolnabal.exe, PID 5384)
129. C:\Windows\SysWOW64\Oeffnl32.exe (cmd: C:\Windows\system32\Oeffnl32.exe, PID 5336)
130. C:\Windows\SysWOW64\Oggbfdog.exe (cmd: C:\Windows\system32\Oggbfdog.exe, PID 5892)
131. C:\Windows\SysWOW64\Oookgbpj.exe (cmd: C:\Windows\system32\Oookgbpj.exe, PID 6164)
132. C:\Windows\SysWOW64\Odkcpi32.exe (cmd: C:\Windows\system32\Odkcpi32.exe, PID 6208): System Location Discovery: System Language Discovery
133. C:\Windows\SysWOW64\Ogjpld32.exe (cmd: C:\Windows\system32\Ogjpld32.exe, PID 6252): Modifies registry class
134. C:\Windows\SysWOW64\Paocim32.exe (cmd: C:\Windows\system32\Paocim32.exe, PID 6296): Drops file in System32 directory
135. C:\Windows\SysWOW64\Pdnpeh32.exe (cmd: C:\Windows\system32\Pdnpeh32.exe, PID 6340)
136. C:\Windows\SysWOW64\Pkhhbbck.exe (cmd: C:\Windows\system32\Pkhhbbck.exe, PID 6392)
137. C:\Windows\SysWOW64\Pdpmkhjl.exe (cmd: C:\Windows\system32\Pdpmkhjl.exe, PID 6436)
138. C:\Windows\SysWOW64\Pnhacn32.exe (cmd: C:\Windows\system32\Pnhacn32.exe, PID 6480)
139. C:\Windows\SysWOW64\Pohnnqgo.exe (cmd: C:\Windows\system32\Pohnnqgo.exe, PID 6524)
140. C:\Windows\SysWOW64\Pbfjjlgc.exe (cmd: C:\Windows\system32\Pbfjjlgc.exe, PID 6568)
141. C:\Windows\SysWOW64\Pfbfjk32.exe (cmd: C:\Windows\system32\Pfbfjk32.exe, PID 6612): Drops file in System32 directory
142. C:\Windows\SysWOW64\Pkonbamc.exe (cmd: C:\Windows\system32\Pkonbamc.exe, PID 6656)
143. C:\Windows\SysWOW64\Pnmjomlg.exe (cmd: C:\Windows\system32\Pnmjomlg.exe, PID 6700)
144. C:\Windows\SysWOW64\Pgeogb32.exe (cmd: C:\Windows\system32\Pgeogb32.exe, PID 6744)
145. C:\Windows\SysWOW64\Qnpgdmjd.exe (cmd: C:\Windows\system32\Qnpgdmjd.exe, PID 6788)
146. C:\Windows\SysWOW64\Qhekaejj.exe (cmd: C:\Windows\system32\Qhekaejj.exe, PID 6836)
147. C:\Windows\SysWOW64\Qnbdjl32.exe (cmd: C:\Windows\system32\Qnbdjl32.exe, PID 6880)
148. C:\Windows\SysWOW64\Qdllffpo.exe (cmd: C:\Windows\system32\Qdllffpo.exe, PID 6924): Modifies registry class
149. C:\Windows\SysWOW64\Akfdcq32.exe (cmd: C:\Windows\system32\Akfdcq32.exe, PID 6968): Drops file in System32 directory
150. C:\Windows\SysWOW64\Afkipi32.exe (cmd: C:\Windows\system32\Afkipi32.exe, PID 7012)
151. C:\Windows\SysWOW64\Aijeme32.exe (cmd: C:\Windows\system32\Aijeme32.exe, PID 7056): Adds autorun key to be loaded by Explorer.exe on startup
152. C:\Windows\SysWOW64\Aocmio32.exe (cmd: C:\Windows\system32\Aocmio32.exe, PID 7100)
153. C:\Windows\SysWOW64\Afnefieo.exe (cmd: C:\Windows\system32\Afnefieo.exe, PID 7144): Adds autorun key to be loaded by Explorer.exe on startup
154. C:\Windows\SysWOW64\Akjnnpcf.exe (cmd: C:\Windows\system32\Akjnnpcf.exe, PID 6176): System Location Discovery: System Language Discovery
155. C:\Windows\SysWOW64\Abdfkj32.exe (cmd: C:\Windows\system32\Abdfkj32.exe, PID 6236)
156. C:\Windows\SysWOW64\Ainnhdbp.exe (cmd: C:\Windows\system32\Ainnhdbp.exe, PID 6308)
157. C:\Windows\SysWOW64\Akmjdpac.exe (cmd: C:\Windows\system32\Akmjdpac.exe, PID 6372)
158. C:\Windows\SysWOW64\Abgcqjhp.exe (cmd: C:\Windows\system32\Abgcqjhp.exe, PID 6448)
159. C:\Windows\SysWOW64\Aeeomegd.exe (cmd: C:\Windows\system32\Aeeomegd.exe, PID 6532): Modifies registry class
160. C:\Windows\SysWOW64\Abipfifn.exe (cmd: C:\Windows\system32\Abipfifn.exe, PID 6640): System Location Discovery: System Language Discovery
161. C:\Windows\SysWOW64\Bichcc32.exe (cmd: C:\Windows\system32\Bichcc32.exe, PID 6708)
162. C:\Windows\SysWOW64\Bnppkj32.exe (cmd: C:\Windows\system32\Bnppkj32.exe, PID 6760)
163. C:\Windows\SysWOW64\Biedhclh.exe (cmd: C:\Windows\system32\Biedhclh.exe, PID 6828)
164. C:\Windows\SysWOW64\Bnbmqjjo.exe (cmd: C:\Windows\system32\Bnbmqjjo.exe, PID 6888)
165. C:\Windows\SysWOW64\Belemd32.exe (cmd: C:\Windows\system32\Belemd32.exe, PID 6956)
166. C:\Windows\SysWOW64\Bkfmjnii.exe (cmd: C:\Windows\system32\Bkfmjnii.exe, PID 6996)
167. C:\Windows\SysWOW64\Bndjfjhl.exe (cmd: C:\Windows\system32\Bndjfjhl.exe, PID 7044)
168. C:\Windows\SysWOW64\Beobcdoi.exe (cmd: C:\Windows\system32\Beobcdoi.exe, PID 7116)
169. C:\Windows\SysWOW64\Bpdfpmoo.exe (cmd: C:\Windows\system32\Bpdfpmoo.exe, PID 6156): Drops file in System32 directory; Modifies registry class
170. C:\Windows\SysWOW64\Bfnnmg32.exe (cmd: C:\Windows\system32\Bfnnmg32.exe, PID 6312)
171. C:\Windows\SysWOW64\Biljib32.exe (cmd: C:\Windows\system32\Biljib32.exe, PID 6376)
172. C:\Windows\SysWOW64\Bgokdomj.exe (cmd: C:\Windows\system32\Bgokdomj.exe, PID 6536)
173. C:\Windows\SysWOW64\Bpfcelml.exe (cmd: C:\Windows\system32\Bpfcelml.exe, PID 6644)
174. C:\Windows\SysWOW64\Becknc32.exe (cmd: C:\Windows\system32\Becknc32.exe, PID 6736): Adds autorun key to be loaded by Explorer.exe on startup
175. C:\Windows\SysWOW64\Cnlpgibd.exe (cmd: C:\Windows\system32\Cnlpgibd.exe, PID 6844)
176. C:\Windows\SysWOW64\Ceehcc32.exe (cmd: C:\Windows\system32\Ceehcc32.exe, PID 6936)
177. C:\Windows\SysWOW64\Chddpn32.exe (cmd: C:\Windows\system32\Chddpn32.exe, PID 2812)
178. C:\Windows\SysWOW64\Cbihmg32.exe (cmd: C:\Windows\system32\Cbihmg32.exe, PID 4128)
179. C:\Windows\SysWOW64\Clbmfm32.exe (cmd: C:\Windows\system32\Clbmfm32.exe, PID 6148): Drops file in System32 directory; Modifies registry class
180. C:\Windows\SysWOW64\Cfgace32.exe (cmd: C:\Windows\system32\Cfgace32.exe, PID 6328): System Location Discovery: System Language Discovery
181. C:\Windows\SysWOW64\Chinkndp.exe (cmd: C:\Windows\system32\Chinkndp.exe, PID 6476): Drops file in System32 directory
182. C:\Windows\SysWOW64\Cppelkeb.exe (cmd: C:\Windows\system32\Cppelkeb.exe, PID 6696): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
183. C:\Windows\SysWOW64\Cbnbhfde.exe (cmd: C:\Windows\system32\Cbnbhfde.exe, PID 4060): System Location Discovery: System Language Discovery
184. C:\Windows\SysWOW64\Chkjpm32.exe (cmd: C:\Windows\system32\Chkjpm32.exe, PID 6984)
185. C:\Windows\SysWOW64\Cnebmgjj.exe (cmd: C:\Windows\system32\Cnebmgjj.exe, PID 7048)
186. C:\Windows\SysWOW64\Cfljnejl.exe (cmd: C:\Windows\system32\Cfljnejl.exe, PID 6196): Adds autorun key to be loaded by Explorer.exe on startup
187. C:\Windows\SysWOW64\Dijgjpip.exe (cmd: C:\Windows\system32\Dijgjpip.exe, PID 6452)
188. C:\Windows\SysWOW64\Dngobghg.exe (cmd: C:\Windows\system32\Dngobghg.exe, PID 6720)
189. C:\Windows\SysWOW64\Deagoa32.exe (cmd: C:\Windows\system32\Deagoa32.exe, PID 6892)
190. C:\Windows\SysWOW64\Dhpdkm32.exe (cmd: C:\Windows\system32\Dhpdkm32.exe, PID 7108): System Location Discovery: System Language Discovery
191. C:\Windows\SysWOW64\Dbehienn.exe (cmd: C:\Windows\system32\Dbehienn.exe, PID 4088)
192. C:\Windows\SysWOW64\Diopep32.exe (cmd: C:\Windows\system32\Diopep32.exe, PID 6596)
193. C:\Windows\SysWOW64\Dlnlak32.exe (cmd: C:\Windows\system32\Dlnlak32.exe, PID 2928): Drops file in System32 directory; System Location Discovery: System Language Discovery
194. C:\Windows\SysWOW64\Dfcqod32.exe (cmd: C:\Windows\system32\Dfcqod32.exe, PID 6268)
195. C:\Windows\SysWOW64\Dhdmfljb.exe (cmd: C:\Windows\system32\Dhdmfljb.exe, PID 6732)
196. C:\Windows\SysWOW64\Donecfao.exe (cmd: C:\Windows\system32\Donecfao.exe, PID 6264): System Location Discovery: System Language Discovery
197. C:\Windows\SysWOW64\Dehnpp32.exe (cmd: C:\Windows\system32\Dehnpp32.exe, PID 7004)
198. C:\Windows\SysWOW64\Dhgjll32.exe (cmd: C:\Windows\system32\Dhgjll32.exe, PID 7160): Drops file in System32 directory; System Location Discovery: System Language Discovery
199. C:\Windows\SysWOW64\Doqbifpl.exe (cmd: C:\Windows\system32\Doqbifpl.exe, PID 6932)
200. C:\Windows\SysWOW64\Eekjep32.exe (cmd: C:\Windows\system32\Eekjep32.exe, PID 7200)
201. C:\Windows\SysWOW64\Eldbbjof.exe (cmd: C:\Windows\system32\Eldbbjof.exe, PID 7244)
202. C:\Windows\SysWOW64\Ebokodfc.exe (cmd: C:\Windows\system32\Ebokodfc.exe, PID 7288)
203. C:\Windows\SysWOW64\Ehkcgkdj.exe (cmd: C:\Windows\system32\Ehkcgkdj.exe, PID 7332)
204. C:\Windows\SysWOW64\Epbkhhel.exe (cmd: C:\Windows\system32\Epbkhhel.exe, PID 7376): Drops file in System32 directory; Modifies registry class
205. C:\Windows\SysWOW64\Eoekde32.exe (cmd: C:\Windows\system32\Eoekde32.exe, PID 7420): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
206. C:\Windows\SysWOW64\Eikpan32.exe (cmd: C:\Windows\system32\Eikpan32.exe, PID 7464): Adds autorun key to be loaded by Explorer.exe on startup
207. C:\Windows\SysWOW64\Eohhie32.exe (cmd: C:\Windows\system32\Eohhie32.exe, PID 7508)
208. C:\Windows\SysWOW64\Eeaqfo32.exe (cmd: C:\Windows\system32\Eeaqfo32.exe, PID 7552)
209. C:\Windows\SysWOW64\Ellicihn.exe (cmd: C:\Windows\system32\Ellicihn.exe, PID 7596): Adds autorun key to be loaded by Explorer.exe on startup
210. C:\Windows\SysWOW64\Ebeapc32.exe (cmd: C:\Windows\system32\Ebeapc32.exe, PID 7640): Drops file in System32 directory
211. C:\Windows\SysWOW64\Eipilmgh.exe (cmd: C:\Windows\system32\Eipilmgh.exe, PID 7684): Adds autorun key to be loaded by Explorer.exe on startup
212. C:\Windows\SysWOW64\Epiaig32.exe (cmd: C:\Windows\system32\Epiaig32.exe, PID 7728): Adds autorun key to be loaded by Explorer.exe on startup
213. C:\Windows\SysWOW64\Fgcjea32.exe (cmd: C:\Windows\system32\Fgcjea32.exe, PID 7772)
214. C:\Windows\SysWOW64\Fhefmjlp.exe (cmd: C:\Windows\system32\Fhefmjlp.exe, PID 7816): Adds autorun key to be loaded by Explorer.exe on startup
215. C:\Windows\SysWOW64\Foonjd32.exe (cmd: C:\Windows\system32\Foonjd32.exe, PID 7860): Modifies registry class
216. C:\Windows\SysWOW64\Feifgnki.exe (cmd: C:\Windows\system32\Feifgnki.exe, PID 7904)
217. C:\Windows\SysWOW64\Fhgccijm.exe (cmd: C:\Windows\system32\Fhgccijm.exe, PID 7952): Adds autorun key to be loaded by Explorer.exe on startup
218. C:\Windows\SysWOW64\Foakpc32.exe (cmd: C:\Windows\system32\Foakpc32.exe, PID 7996): System Location Discovery: System Language Discovery
219. C:\Windows\SysWOW64\Fekclnif.exe (cmd: C:\Windows\system32\Fekclnif.exe, PID 8040): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
220. C:\Windows\SysWOW64\Fpqgjf32.exe (cmd: C:\Windows\system32\Fpqgjf32.exe, PID 8084): Modifies registry class
221. C:\Windows\SysWOW64\Fhllni32.exe (cmd: C:\Windows\system32\Fhllni32.exe, PID 8136): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
222. C:\Windows\SysWOW64\Flghognq.exe (cmd: C:\Windows\system32\Flghognq.exe, PID 6684): Drops file in System32 directory; System Location Discovery: System Language Discovery
223. C:\Windows\SysWOW64\Fofdkcmd.exe (cmd: C:\Windows\system32\Fofdkcmd.exe, PID 7284)
224. C:\Windows\SysWOW64\Fcaqka32.exe (cmd: C:\Windows\system32\Fcaqka32.exe, PID 7384)
225. C:\Windows\SysWOW64\Fgmllpng.exe (cmd: C:\Windows\system32\Fgmllpng.exe, PID 7448)
226. C:\Windows\SysWOW64\Fepmgm32.exe (cmd: C:\Windows\system32\Fepmgm32.exe, PID 7520)
227. C:\Windows\SysWOW64\Fikihlmj.exe (cmd: C:\Windows\system32\Fikihlmj.exe, PID 7648): Adds autorun key to be loaded by Explorer.exe on startup
228. C:\Windows\SysWOW64\Fhnichde.exe (cmd: C:\Windows\system32\Fhnichde.exe, PID 7724)
229. C:\Windows\SysWOW64\Fpeaeedg.exe (cmd: C:\Windows\system32\Fpeaeedg.exe, PID 7804): System Location Discovery: System Language Discovery
230. C:\Windows\SysWOW64\Gohapb32.exe (cmd: C:\Windows\system32\Gohapb32.exe, PID 7868): Drops file in System32 directory; System Location Discovery: System Language Discovery
231. C:\Windows\SysWOW64\Gccmaack.exe (cmd: C:\Windows\system32\Gccmaack.exe, PID 7948)
232. C:\Windows\SysWOW64\Ggoiap32.exe (cmd: C:\Windows\system32\Ggoiap32.exe, PID 8004): Drops file in System32 directory; System Location Discovery: System Language Discovery
233. C:\Windows\SysWOW64\Gebimmco.exe (cmd: C:\Windows\system32\Gebimmco.exe, PID 8072): Adds autorun key to be loaded by Explorer.exe on startup
234. C:\Windows\SysWOW64\Ghqeihbb.exe (cmd: C:\Windows\system32\Ghqeihbb.exe, PID 7196): Modifies registry class
235. C:\Windows\SysWOW64\Gllajf32.exe (cmd: C:\Windows\system32\Gllajf32.exe, PID 7304)
236. C:\Windows\SysWOW64\Gcfjfqah.exe (cmd: C:\Windows\system32\Gcfjfqah.exe): System Location Discovery: System Language Discovery
PID:7460 -
C:\Windows\SysWOW64\Gpjjpe32.exeC:\Windows\system32\Gpjjpe32.exe237⤵PID:7524
-
C:\Windows\SysWOW64\Giboijgb.exeC:\Windows\system32\Giboijgb.exe238⤵
- Modifies registry class
PID:7712 -
C:\Windows\SysWOW64\Ghgljg32.exeC:\Windows\system32\Ghgljg32.exe239⤵PID:7824
-
C:\Windows\SysWOW64\Geklckkd.exeC:\Windows\system32\Geklckkd.exe240⤵
- Modifies registry class
PID:7916 -
C:\Windows\SysWOW64\Hpaqqdjj.exeC:\Windows\system32\Hpaqqdjj.exe241⤵PID:8036
-
C:\Windows\SysWOW64\Hjieii32.exeC:\Windows\system32\Hjieii32.exe242⤵PID:8188