Analysis
-
max time kernel
113s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 14:47
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.Win32.Berbew.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Berbew.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Berbew.exe
-
Size
51KB
-
MD5
16536ca0c117cf88075166b54d111c10
-
SHA1
3f4c75d793701229b175a6f12807221f69112ff4
-
SHA256
0eb71d6d12a05b1027c0d9372e99f3ba8701905231db6e14e36bd89b4347d195
-
SHA512
d3c79df6467703e7e69ef35cbc38840ab713f2e5c6acc9ab8927035d811bb3709029bf0ee193b494a84fbe74028ab382bd72ea486083459e82bc4200be2312f0
-
SSDEEP
1536:QOoJfqSL3l84YCTGggri6Zh5EnyDClWbzB:bQqSZEx/jWcx
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijcpmhc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pilpfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkdohg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhblllfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geanfelc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknnoofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeapcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnoddcef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ledoegkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbimjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnfpinmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfmfefni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajaelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkoplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbphglbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bddcenpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhphmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekjded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbhmbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmidnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdpiqehp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogjdmbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkibgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhimhobl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nimmifgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokfja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eddnic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnmopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhiemoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggkqgaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfnhfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odbgdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddcenpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnnnfalp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jelonkph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klpjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpbjkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iagqgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbqinm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcjldk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qelcamcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edplhjhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiopca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcaipa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njgqhicg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acppddig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kabcopmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mccokj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mebkge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmomo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipkdek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfbbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jllhpkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Modpib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfqnbjfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnedgq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfnamjhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbcncibp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Janghmia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kopcbo32.exe -
Executes dropped EXE 64 IoCs
pid Process 5596 Mqfpckhm.exe 2420 Moipoh32.exe 2436 Mjodla32.exe 5048 Mqimikfj.exe 4868 Mcgiefen.exe 4632 Mfeeabda.exe 5020 Mnmmboed.exe 4824 Mqkiok32.exe 3408 Mcifkf32.exe 2392 Mjcngpjh.exe 5420 Nqmfdj32.exe 3772 Nclbpf32.exe 2608 Njfkmphe.exe 5732 Nqpcjj32.exe 3160 Njhgbp32.exe 5000 Npepkf32.exe 3532 Nnfpinmi.exe 3236 Nfaemp32.exe 1584 Ngqagcag.exe 1180 Onkidm32.exe 5536 Oplfkeob.exe 5032 Ojajin32.exe 4408 Oakbehfe.exe 3704 Ogekbb32.exe 2884 Onocomdo.exe 1152 Oclkgccf.exe 3096 Ofkgcobj.exe 692 Omdppiif.exe 388 Ogjdmbil.exe 1668 Oabhfg32.exe 5288 Pfoann32.exe 1820 Ppgegd32.exe 5232 Pccahbmn.exe 5720 Ppjbmc32.exe 3896 Pjpfjl32.exe 2764 Paiogf32.exe 5916 Phcgcqab.exe 1640 Pnmopk32.exe 3108 Ppolhcnm.exe 404 Pfiddm32.exe 1736 Pmblagmf.exe 3720 Pdmdnadc.exe 4976 Qobhkjdi.exe 4220 Qfmmplad.exe 348 Qmgelf32.exe 3604 Qpeahb32.exe 2572 Ahmjjoig.exe 4248 Aaenbd32.exe 5332 Adcjop32.exe 1008 Aoioli32.exe 2336 Apjkcadp.exe 4636 Ahaceo32.exe 5488 Amnlme32.exe 6136 Apmhiq32.exe 4988 Aggpfkjj.exe 1520 Amqhbe32.exe 4480 Ahfmpnql.exe 5516 Amcehdod.exe 3768 Bdmmeo32.exe 4884 Bhhiemoj.exe 1032 Bobabg32.exe 2320 Baannc32.exe 5308 Bdojjo32.exe 2216 Bacjdbch.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cnnnfkal.dll Gicgpelg.exe File opened for modification C:\Windows\SysWOW64\Kiikpnmj.exe Kabcopmg.exe File opened for modification C:\Windows\SysWOW64\Qbonoghb.exe Qppaclio.exe File created C:\Windows\SysWOW64\Nmlpen32.dll Dcnlnaom.exe File created C:\Windows\SysWOW64\Ogjdmbil.exe Omdppiif.exe File created C:\Windows\SysWOW64\Hepgkohh.exe Gnfooe32.exe File created C:\Windows\SysWOW64\Pnmopk32.exe Phcgcqab.exe File created C:\Windows\SysWOW64\Lcckiibj.dll Aibibp32.exe File opened for modification C:\Windows\SysWOW64\Chiblk32.exe Cpbjkn32.exe File created C:\Windows\SysWOW64\Ecdbop32.exe Edaaccbj.exe File created C:\Windows\SysWOW64\Kofmfi32.dll Oplfkeob.exe File created C:\Windows\SysWOW64\Adnbpqkj.dll Bacjdbch.exe File created C:\Windows\SysWOW64\Hpfiln32.dll Gqpapacd.exe File opened for modification C:\Windows\SysWOW64\Ibpgqa32.exe Indkpcdk.exe File created C:\Windows\SysWOW64\Dempqa32.dll Nfaemp32.exe File created C:\Windows\SysWOW64\Pmbegqjk.exe Pfhmjf32.exe File opened for modification C:\Windows\SysWOW64\Lkiamp32.exe Kdpiqehp.exe File opened for modification C:\Windows\SysWOW64\Qobhkjdi.exe Pdmdnadc.exe File created C:\Windows\SysWOW64\Ipkdek32.exe Iialhaad.exe File created C:\Windows\SysWOW64\Gcqjal32.exe Gbpnjdkg.exe File created C:\Windows\SysWOW64\Koajmepf.exe Klbnajqc.exe File created C:\Windows\SysWOW64\Binfdh32.dll Ecdbop32.exe File created C:\Windows\SysWOW64\Lpochfji.exe Ljdkll32.exe File created C:\Windows\SysWOW64\Ckpamabg.exe Bbhildae.exe File created C:\Windows\SysWOW64\Kannaq32.dll Pkoemhao.exe File created C:\Windows\SysWOW64\Ieojgc32.exe Iacngdgj.exe File created C:\Windows\SysWOW64\Lafmjp32.exe Lljdai32.exe File created C:\Windows\SysWOW64\Oqmhqapg.exe Ocihgnam.exe File created C:\Windows\SysWOW64\Fboecfii.exe Fjhmbihg.exe File opened for modification C:\Windows\SysWOW64\Dcibca32.exe Dnljkk32.exe File opened for modification C:\Windows\SysWOW64\Odedipge.exe Oohkai32.exe File created C:\Windows\SysWOW64\Ilibdmgp.exe Ieojgc32.exe File created C:\Windows\SysWOW64\Fbbnpn32.dll Mhoahh32.exe File created C:\Windows\SysWOW64\Blqhpg32.dll Onkidm32.exe File opened for modification C:\Windows\SysWOW64\Pfhmjf32.exe Pciqnk32.exe File created C:\Windows\SysWOW64\Dpjkgoka.dll Lkiamp32.exe File opened for modification C:\Windows\SysWOW64\Mqfpckhm.exe Backdoor.Win32.Berbew.exe File opened for modification C:\Windows\SysWOW64\Giljfddl.exe Geanfelc.exe File created C:\Windows\SysWOW64\Jgqjbf32.dll Mqfpckhm.exe File opened for modification C:\Windows\SysWOW64\Piaiqlak.exe Pbgqdb32.exe File created C:\Windows\SysWOW64\Mmdaih32.dll Kabcopmg.exe File created C:\Windows\SysWOW64\Ndnoffic.dll Kajfdk32.exe File opened for modification C:\Windows\SysWOW64\Oabhfg32.exe Ogjdmbil.exe File created C:\Windows\SysWOW64\Ekgqennl.exe Dcphdqmj.exe File created C:\Windows\SysWOW64\Qckfid32.exe Qkdohg32.exe File created C:\Windows\SysWOW64\Coegoe32.exe Cdpcal32.exe File opened for modification C:\Windows\SysWOW64\Nqfbpb32.exe Niojoeel.exe File created C:\Windows\SysWOW64\Ondhkbee.dll Enhpao32.exe File created C:\Windows\SysWOW64\Dooaccfg.dll Cgiohbfi.exe File opened for modification C:\Windows\SysWOW64\Fnalmh32.exe Fjeplijj.exe File created C:\Windows\SysWOW64\Mkgmoncl.exe Mdnebc32.exe File created C:\Windows\SysWOW64\Aojbfccl.dll Mccokj32.exe File created C:\Windows\SysWOW64\Qhomgchl.dll Jhkljfok.exe File created C:\Windows\SysWOW64\Mbdpdane.dll Lcjldk32.exe File opened for modification C:\Windows\SysWOW64\Mlgjhp32.exe Mdpagc32.exe File created C:\Windows\SysWOW64\Flekgd32.dll Nconfh32.exe File opened for modification C:\Windows\SysWOW64\Ncaklhdi.exe Nlgbon32.exe File opened for modification C:\Windows\SysWOW64\Amhdmi32.exe Afnlpohj.exe File opened for modification C:\Windows\SysWOW64\Mjcngpjh.exe Mcifkf32.exe File opened for modification C:\Windows\SysWOW64\Pbcncibp.exe Pqbala32.exe File opened for modification C:\Windows\SysWOW64\Pilpfm32.exe Pfncia32.exe File created C:\Windows\SysWOW64\Flpoofmk.dll Gnnccl32.exe File opened for modification C:\Windows\SysWOW64\Fbbicl32.exe Fkhpfbce.exe File created C:\Windows\SysWOW64\Dahkpm32.dll Jidinqpb.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnajppda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbbajjlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkiamp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiacacpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfqnbjfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dickplko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edaaccbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnaaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afnlpohj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhdmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dakikoom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkcndeen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geanfelc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpamabg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddnic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjhfif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhmafcnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfaemp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egened32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geoapenf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klpakj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcncibp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocknbglo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhfknjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnjdpaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipkdek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nofefp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocmjhfjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpeahb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmjqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqpapacd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bobabg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclbpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpfjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlikkkhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnljkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnnianm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpioin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aimogakj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajaelc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbdpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdpiqehp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdlkdhnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkgmoncl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmhiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pciqnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmblagmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnnccl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcnlnaom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fclhpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhgbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqhoeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noaeqjpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfihbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfaigclq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loopdmpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfpinmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coegoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcfidb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgdhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfncia32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binfdh32.dll" Ecdbop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edfknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgqdaoi.dll" Fqphic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcljmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgfaf32.dll" Namegfql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Conanfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbeibo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnljkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqikob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll" Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aagdnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biklho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbcncibp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooangh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll" Afnlpohj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnidqf32.dll" Fcneeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgapmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjoppf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbkfbcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehojk32.dll" Enlcahgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Backdoor.Win32.Berbew.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amqhbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhal32.dll" Bdojjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciihjmcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maenpfhk.dll" Oqhoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bailkjga.dll" Dickplko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmfmgnc.dll" Egened32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqncnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhoahh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkcigjel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedkhf32.dll" Kkpnga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppjbmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppolhcnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lljdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icajjnkn.dll" Ijpepcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dakikoom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glofjfnn.dll" Ajdbac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll" Dinael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figmglee.dll" Ogekbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdagpnbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iolhkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdcajc32.dll" Mokfja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqphic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhimhobl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidib32.dll" Oflmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfgnho32.dll" Pciqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfomcn32.dll" Pcbdcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckdkhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll" Fjocbhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbmdj32.dll" Ibbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acicqigg.dll" Nefdbekh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iimcma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koonge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kifojnol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaajhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfnamjhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklociap.dll" Noaeqjpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egened32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcbkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djgdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdpnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdojoeki.dll" Oloipmfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjoppf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoope32.dll" Cacmpj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4284 wrote to memory of 5596 4284 Backdoor.Win32.Berbew.exe 82 PID 4284 wrote to memory of 5596 4284 Backdoor.Win32.Berbew.exe 82 PID 4284 wrote to memory of 5596 4284 Backdoor.Win32.Berbew.exe 82 PID 5596 wrote to memory of 2420 5596 Mqfpckhm.exe 83 PID 5596 wrote to memory of 2420 5596 Mqfpckhm.exe 83 PID 5596 wrote to memory of 2420 5596 Mqfpckhm.exe 83 PID 2420 wrote to memory of 2436 2420 Moipoh32.exe 84 PID 2420 wrote to memory of 2436 2420 Moipoh32.exe 84 PID 2420 wrote to memory of 2436 2420 Moipoh32.exe 84 PID 2436 wrote to memory of 5048 2436 Mjodla32.exe 85 PID 2436 wrote to memory of 5048 2436 Mjodla32.exe 85 PID 2436 wrote to memory of 5048 2436 Mjodla32.exe 85 PID 5048 wrote to memory of 4868 5048 Mqimikfj.exe 86 PID 5048 wrote to memory of 4868 5048 Mqimikfj.exe 86 PID 5048 wrote to memory of 4868 5048 Mqimikfj.exe 86 PID 4868 wrote to memory of 4632 4868 Mcgiefen.exe 87 PID 4868 wrote to memory of 4632 4868 Mcgiefen.exe 87 PID 4868 wrote to memory of 4632 4868 Mcgiefen.exe 87 PID 4632 wrote to memory of 5020 4632 Mfeeabda.exe 88 PID 4632 wrote to memory of 5020 4632 Mfeeabda.exe 88 PID 4632 wrote to memory of 5020 4632 Mfeeabda.exe 88 PID 5020 wrote to memory of 4824 5020 Mnmmboed.exe 89 PID 5020 wrote to memory of 4824 5020 Mnmmboed.exe 89 PID 5020 wrote to memory of 4824 5020 Mnmmboed.exe 89 PID 4824 wrote to memory of 3408 4824 Mqkiok32.exe 90 PID 4824 wrote to memory of 3408 4824 Mqkiok32.exe 90 PID 4824 wrote to memory of 3408 4824 Mqkiok32.exe 90 PID 3408 wrote to memory of 2392 3408 Mcifkf32.exe 91 PID 3408 wrote to memory of 2392 3408 Mcifkf32.exe 91 PID 3408 wrote to memory of 2392 3408 Mcifkf32.exe 91 PID 2392 wrote to memory of 5420 2392 Mjcngpjh.exe 92 PID 2392 wrote to memory of 5420 2392 Mjcngpjh.exe 92 PID 2392 wrote to memory of 5420 2392 Mjcngpjh.exe 92 PID 5420 wrote to memory of 3772 5420 Nqmfdj32.exe 93 PID 5420 wrote to memory of 3772 5420 Nqmfdj32.exe 93 PID 5420 wrote to memory of 3772 5420 Nqmfdj32.exe 93 PID 3772 wrote to memory of 2608 3772 Nclbpf32.exe 94 PID 3772 wrote to memory of 2608 3772 Nclbpf32.exe 94 PID 3772 wrote to memory of 2608 3772 Nclbpf32.exe 94 PID 2608 wrote to memory of 5732 2608 Njfkmphe.exe 95 PID 2608 wrote to memory of 5732 2608 Njfkmphe.exe 95 PID 2608 wrote to memory of 5732 2608 Njfkmphe.exe 95 PID 5732 wrote to memory of 3160 5732 Nqpcjj32.exe 96 PID 5732 wrote to memory of 3160 5732 Nqpcjj32.exe 96 PID 5732 wrote to memory of 3160 5732 Nqpcjj32.exe 96 PID 3160 wrote to memory of 5000 3160 Njhgbp32.exe 97 PID 3160 wrote to memory of 5000 3160 Njhgbp32.exe 97 PID 3160 wrote to memory of 5000 3160 Njhgbp32.exe 97 PID 5000 wrote to memory of 3532 5000 Npepkf32.exe 98 PID 5000 wrote to memory of 3532 5000 Npepkf32.exe 98 PID 5000 wrote to memory of 3532 5000 Npepkf32.exe 98 PID 3532 wrote to memory of 3236 3532 Nnfpinmi.exe 99 PID 3532 wrote to memory of 3236 3532 Nnfpinmi.exe 99 PID 3532 wrote to memory of 3236 3532 Nnfpinmi.exe 99 PID 3236 wrote to memory of 1584 3236 Nfaemp32.exe 100 PID 3236 wrote to memory of 1584 3236 Nfaemp32.exe 100 PID 3236 wrote to memory of 1584 3236 Nfaemp32.exe 100 PID 1584 wrote to memory of 1180 1584 Ngqagcag.exe 101 PID 1584 wrote to memory of 1180 1584 Ngqagcag.exe 101 PID 1584 wrote to memory of 1180 1584 Ngqagcag.exe 101 PID 1180 wrote to memory of 5536 1180 Onkidm32.exe 102 PID 1180 wrote to memory of 5536 1180 Onkidm32.exe 102 PID 1180 wrote to memory of 5536 1180 Onkidm32.exe 102 PID 5536 wrote to memory of 5032 5536 Oplfkeob.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\Mqfpckhm.exeC:\Windows\system32\Mqfpckhm.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5596 -
C:\Windows\SysWOW64\Moipoh32.exeC:\Windows\system32\Moipoh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Mjodla32.exeC:\Windows\system32\Mjodla32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Mqimikfj.exeC:\Windows\system32\Mqimikfj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Mcgiefen.exeC:\Windows\system32\Mcgiefen.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Mfeeabda.exeC:\Windows\system32\Mfeeabda.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Mnmmboed.exeC:\Windows\system32\Mnmmboed.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Mqkiok32.exeC:\Windows\system32\Mqkiok32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Mcifkf32.exeC:\Windows\system32\Mcifkf32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\Mjcngpjh.exeC:\Windows\system32\Mjcngpjh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Nqmfdj32.exeC:\Windows\system32\Nqmfdj32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5420 -
C:\Windows\SysWOW64\Nclbpf32.exeC:\Windows\system32\Nclbpf32.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Nqpcjj32.exeC:\Windows\system32\Nqpcjj32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5732 -
C:\Windows\SysWOW64\Njhgbp32.exeC:\Windows\system32\Njhgbp32.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Npepkf32.exeC:\Windows\system32\Npepkf32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Nnfpinmi.exeC:\Windows\system32\Nnfpinmi.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Nfaemp32.exeC:\Windows\system32\Nfaemp32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Ngqagcag.exeC:\Windows\system32\Ngqagcag.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Onkidm32.exeC:\Windows\system32\Onkidm32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Oplfkeob.exeC:\Windows\system32\Oplfkeob.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5536 -
C:\Windows\SysWOW64\Ojajin32.exeC:\Windows\system32\Ojajin32.exe23⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Oakbehfe.exeC:\Windows\system32\Oakbehfe.exe24⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Ogekbb32.exeC:\Windows\system32\Ogekbb32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3704 -
C:\Windows\SysWOW64\Onocomdo.exeC:\Windows\system32\Onocomdo.exe26⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Oclkgccf.exeC:\Windows\system32\Oclkgccf.exe27⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Ofkgcobj.exeC:\Windows\system32\Ofkgcobj.exe28⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Omdppiif.exeC:\Windows\system32\Omdppiif.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Ogjdmbil.exeC:\Windows\system32\Ogjdmbil.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:388 -
C:\Windows\SysWOW64\Oabhfg32.exeC:\Windows\system32\Oabhfg32.exe31⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Pfoann32.exeC:\Windows\system32\Pfoann32.exe32⤵
- Executes dropped EXE
PID:5288 -
C:\Windows\SysWOW64\Ppgegd32.exeC:\Windows\system32\Ppgegd32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Windows\SysWOW64\Pccahbmn.exeC:\Windows\system32\Pccahbmn.exe34⤵
- Executes dropped EXE
PID:5232 -
C:\Windows\SysWOW64\Ppjbmc32.exeC:\Windows\system32\Ppjbmc32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:5720 -
C:\Windows\SysWOW64\Pjpfjl32.exeC:\Windows\system32\Pjpfjl32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3896 -
C:\Windows\SysWOW64\Paiogf32.exeC:\Windows\system32\Paiogf32.exe37⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Phcgcqab.exeC:\Windows\system32\Phcgcqab.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5916 -
C:\Windows\SysWOW64\Pnmopk32.exeC:\Windows\system32\Pnmopk32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Ppolhcnm.exeC:\Windows\system32\Ppolhcnm.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3108 -
C:\Windows\SysWOW64\Pfiddm32.exeC:\Windows\system32\Pfiddm32.exe41⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Pmblagmf.exeC:\Windows\system32\Pmblagmf.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Pdmdnadc.exeC:\Windows\system32\Pdmdnadc.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3720 -
C:\Windows\SysWOW64\Qobhkjdi.exeC:\Windows\system32\Qobhkjdi.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4976 -
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe45⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Qmgelf32.exeC:\Windows\system32\Qmgelf32.exe46⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Qpeahb32.exeC:\Windows\system32\Qpeahb32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3604 -
C:\Windows\SysWOW64\Ahmjjoig.exeC:\Windows\system32\Ahmjjoig.exe48⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Aaenbd32.exeC:\Windows\system32\Aaenbd32.exe49⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Adcjop32.exeC:\Windows\system32\Adcjop32.exe50⤵
- Executes dropped EXE
PID:5332 -
C:\Windows\SysWOW64\Aoioli32.exeC:\Windows\system32\Aoioli32.exe51⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Apjkcadp.exeC:\Windows\system32\Apjkcadp.exe52⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Ahaceo32.exeC:\Windows\system32\Ahaceo32.exe53⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Amnlme32.exeC:\Windows\system32\Amnlme32.exe54⤵
- Executes dropped EXE
PID:5488 -
C:\Windows\SysWOW64\Apmhiq32.exeC:\Windows\system32\Apmhiq32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6136 -
C:\Windows\SysWOW64\Aggpfkjj.exeC:\Windows\system32\Aggpfkjj.exe56⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Amqhbe32.exeC:\Windows\system32\Amqhbe32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Ahfmpnql.exeC:\Windows\system32\Ahfmpnql.exe58⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe59⤵
- Executes dropped EXE
PID:5516 -
C:\Windows\SysWOW64\Bdmmeo32.exeC:\Windows\system32\Bdmmeo32.exe60⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Bhhiemoj.exeC:\Windows\system32\Bhhiemoj.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Bobabg32.exeC:\Windows\system32\Bobabg32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\Baannc32.exeC:\Windows\system32\Baannc32.exe63⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Bdojjo32.exeC:\Windows\system32\Bdojjo32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:5308 -
C:\Windows\SysWOW64\Bkibgh32.exeC:\Windows\system32\Bkibgh32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4444 -
C:\Windows\SysWOW64\Bacjdbch.exeC:\Windows\system32\Bacjdbch.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Bdagpnbk.exeC:\Windows\system32\Bdagpnbk.exe67⤵
- Modifies registry class
PID:5384 -
C:\Windows\SysWOW64\Bklomh32.exeC:\Windows\system32\Bklomh32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5700 -
C:\Windows\SysWOW64\Baegibae.exeC:\Windows\system32\Baegibae.exe69⤵PID:5088
-
C:\Windows\SysWOW64\Bddcenpi.exeC:\Windows\system32\Bddcenpi.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:412 -
C:\Windows\SysWOW64\Bnlhncgi.exeC:\Windows\system32\Bnlhncgi.exe71⤵PID:2396
-
C:\Windows\SysWOW64\Bhblllfo.exeC:\Windows\system32\Bhblllfo.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5140 -
C:\Windows\SysWOW64\Bnoddcef.exeC:\Windows\system32\Bnoddcef.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4380 -
C:\Windows\SysWOW64\Conanfli.exeC:\Windows\system32\Conanfli.exe74⤵
- Modifies registry class
PID:3640 -
C:\Windows\SysWOW64\Cponen32.exeC:\Windows\system32\Cponen32.exe75⤵PID:1356
-
C:\Windows\SysWOW64\Chfegk32.exeC:\Windows\system32\Chfegk32.exe76⤵PID:4404
-
C:\Windows\SysWOW64\Cncnob32.exeC:\Windows\system32\Cncnob32.exe77⤵PID:3292
-
C:\Windows\SysWOW64\Cpbjkn32.exeC:\Windows\system32\Cpbjkn32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Chiblk32.exeC:\Windows\system32\Chiblk32.exe79⤵PID:3148
-
C:\Windows\SysWOW64\Cnfkdb32.exeC:\Windows\system32\Cnfkdb32.exe80⤵PID:396
-
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe81⤵
- Drops file in System32 directory
PID:4252 -
C:\Windows\SysWOW64\Coegoe32.exeC:\Windows\system32\Coegoe32.exe82⤵
- System Location Discovery: System Language Discovery
PID:5880 -
C:\Windows\SysWOW64\Cnhgjaml.exeC:\Windows\system32\Cnhgjaml.exe83⤵PID:3524
-
C:\Windows\SysWOW64\Cklhcfle.exeC:\Windows\system32\Cklhcfle.exe84⤵PID:552
-
C:\Windows\SysWOW64\Cnjdpaki.exeC:\Windows\system32\Cnjdpaki.exe85⤵
- System Location Discovery: System Language Discovery
PID:3576 -
C:\Windows\SysWOW64\Dpiplm32.exeC:\Windows\system32\Dpiplm32.exe86⤵PID:1528
-
C:\Windows\SysWOW64\Dhphmj32.exeC:\Windows\system32\Dhphmj32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5108 -
C:\Windows\SysWOW64\Ddgibkpc.exeC:\Windows\system32\Ddgibkpc.exe88⤵PID:2164
-
C:\Windows\SysWOW64\Dnonkq32.exeC:\Windows\system32\Dnonkq32.exe89⤵PID:1048
-
C:\Windows\SysWOW64\Dakikoom.exeC:\Windows\system32\Dakikoom.exe90⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6060 -
C:\Windows\SysWOW64\Dhdbhifj.exeC:\Windows\system32\Dhdbhifj.exe91⤵PID:5260
-
C:\Windows\SysWOW64\Dkcndeen.exeC:\Windows\system32\Dkcndeen.exe92⤵
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Doojec32.exeC:\Windows\system32\Doojec32.exe93⤵PID:4520
-
C:\Windows\SysWOW64\Dnajppda.exeC:\Windows\system32\Dnajppda.exe94⤵
- System Location Discovery: System Language Discovery
PID:5656 -
C:\Windows\SysWOW64\Dqpfmlce.exeC:\Windows\system32\Dqpfmlce.exe95⤵PID:5492
-
C:\Windows\SysWOW64\Dhgonidg.exeC:\Windows\system32\Dhgonidg.exe96⤵PID:5812
-
C:\Windows\SysWOW64\Doagjc32.exeC:\Windows\system32\Doagjc32.exe97⤵PID:736
-
C:\Windows\SysWOW64\Ddnobj32.exeC:\Windows\system32\Ddnobj32.exe98⤵PID:984
-
C:\Windows\SysWOW64\Dglkoeio.exeC:\Windows\system32\Dglkoeio.exe99⤵PID:1600
-
C:\Windows\SysWOW64\Dkhgod32.exeC:\Windows\system32\Dkhgod32.exe100⤵PID:4160
-
C:\Windows\SysWOW64\Ebaplnie.exeC:\Windows\system32\Ebaplnie.exe101⤵PID:3240
-
C:\Windows\SysWOW64\Edplhjhi.exeC:\Windows\system32\Edplhjhi.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:848 -
C:\Windows\SysWOW64\Ehlhih32.exeC:\Windows\system32\Ehlhih32.exe103⤵
- System Location Discovery: System Language Discovery
PID:4316 -
C:\Windows\SysWOW64\Ekjded32.exeC:\Windows\system32\Ekjded32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4336 -
C:\Windows\SysWOW64\Enhpao32.exeC:\Windows\system32\Enhpao32.exe105⤵
- Drops file in System32 directory
PID:4548 -
C:\Windows\SysWOW64\Ebdlangb.exeC:\Windows\system32\Ebdlangb.exe106⤵PID:4904
-
C:\Windows\SysWOW64\Edbiniff.exeC:\Windows\system32\Edbiniff.exe107⤵PID:4816
-
C:\Windows\SysWOW64\Ehndnh32.exeC:\Windows\system32\Ehndnh32.exe108⤵PID:4188
-
C:\Windows\SysWOW64\Edeeci32.exeC:\Windows\system32\Edeeci32.exe109⤵PID:2096
-
C:\Windows\SysWOW64\Eqlfhjig.exeC:\Windows\system32\Eqlfhjig.exe110⤵PID:2236
-
C:\Windows\SysWOW64\Ehbnigjj.exeC:\Windows\system32\Ehbnigjj.exe111⤵PID:1568
-
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe112⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Eqncnj32.exeC:\Windows\system32\Eqncnj32.exe113⤵
- Modifies registry class
PID:3828 -
C:\Windows\SysWOW64\Ekcgkb32.exeC:\Windows\system32\Ekcgkb32.exe114⤵PID:1268
-
C:\Windows\SysWOW64\Fdlkdhnk.exeC:\Windows\system32\Fdlkdhnk.exe115⤵
- System Location Discovery: System Language Discovery
PID:3876 -
C:\Windows\SysWOW64\Foapaa32.exeC:\Windows\system32\Foapaa32.exe116⤵PID:6028
-
C:\Windows\SysWOW64\Fijdjfdb.exeC:\Windows\system32\Fijdjfdb.exe117⤵PID:1860
-
C:\Windows\SysWOW64\Fkhpfbce.exeC:\Windows\system32\Fkhpfbce.exe118⤵
- Drops file in System32 directory
PID:5624 -
C:\Windows\SysWOW64\Fbbicl32.exeC:\Windows\system32\Fbbicl32.exe119⤵PID:1936
-
C:\Windows\SysWOW64\Feqeog32.exeC:\Windows\system32\Feqeog32.exe120⤵PID:5904
-
C:\Windows\SysWOW64\Fkjmlaac.exeC:\Windows\system32\Fkjmlaac.exe121⤵PID:4448
-
C:\Windows\SysWOW64\Fbdehlip.exeC:\Windows\system32\Fbdehlip.exe122⤵PID:5292
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-