Analysis
-
max time kernel
94s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
16-09-2024 14:46
Static task
static1
Behavioral task
behavioral1
Sample
TrojanDownloader.Win32.Berbew.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
TrojanDownloader.Win32.Berbew.exe
Resource
win10v2004-20240802-en
General
-
Target
TrojanDownloader.Win32.Berbew.exe
-
Size
113KB
-
MD5
ec55844b4ec1892c07e43deb904e7990
-
SHA1
199297267f0b5fd7e8ea637bdba50b2a2caec156
-
SHA256
540eaeca14dd8ecf39f64e144be0fc3118bdea7ca854d9e1a425df9ee4a42085
-
SHA512
16239b46ffa555e3650e431df81144553191b08118c71262f02e7d76f731b64ac14819ffac9e76bacc7153f1b5cb1a69f0faea43494e421ab9c7b321023aed0f
-
SSDEEP
3072:ik3KKZ+0QWI/NhFUCDwOHbYOuGkZFfFSebHWrH8wTW0:6i+0QrUCDr7t7otSeWrP
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odnobj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdodmlcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikjjda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihpgce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klhbdclg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peeabm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nommodjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amglgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdcjgnbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbhhkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nljhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbmlkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkhaooec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjmidcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpakm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Codeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fabmmejd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdqiiaih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikocoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmiolk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfkfkopk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abinjdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjckelfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjddaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glnkcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bknfeege.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chofhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifbkgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapaaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kabngjla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nedifo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhcebj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgnoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpnkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hchoop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkalcdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikapdqoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfddkmch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikjjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aankkqfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkjnenbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hadfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgfheodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijimli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhglop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdpehd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joebccpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmpakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqgmmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphehidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goapjnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmijajbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kghmhegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nakikpin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peeabm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdcjgnbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbcien32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hclhjpjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljplkonl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokdja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nphpng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkfghh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aebakp32.exe -
Executes dropped EXE 64 IoCs
pid Process 2444 Egpena32.exe 2052 Fpgnoo32.exe 2792 Faijggao.exe 2840 Fipbhd32.exe 2864 Fjaoplho.exe 2612 Fbhfajia.exe 2876 Fefcmehe.exe 1032 Flqkjo32.exe 1512 Fjckelfm.exe 1952 Famcbf32.exe 2080 Fdlpnamm.exe 1860 Fhglop32.exe 544 Fmddgg32.exe 2180 Fpbqcb32.exe 2140 Ffmipmjn.exe 1408 Fabmmejd.exe 1612 Fdqiiaih.exe 2528 Gbcien32.exe 1028 Gfoeel32.exe 1784 Gjjafkpe.exe 1488 Gimaah32.exe 604 Gminbfoh.exe 2916 Gpgjnbnl.exe 1484 Gdcfoq32.exe 1576 Gfabkl32.exe 1572 Gipngg32.exe 2736 Glnkcc32.exe 2120 Gbhcpmkm.exe 2712 Gefolhja.exe 2076 Gibkmgcj.exe 2136 Gplcia32.exe 1948 Gbjpem32.exe 2832 Gampaipe.exe 1872 Gidhbgag.exe 2468 Ghghnc32.exe 2696 Goapjnoo.exe 2148 Gbmlkl32.exe 2060 Gekhgh32.exe 2016 Ghidcceo.exe 2512 Gkhaooec.exe 1884 Habili32.exe 2360 Hdpehd32.exe 3028 Hgoadp32.exe 3012 Hkjnenbp.exe 2064 Hmijajbd.exe 2316 Hadfah32.exe 1972 Hdbbnd32.exe 3016 Hipkfkgh.exe 840 Hafbghhj.exe 2548 Hpicbe32.exe 1360 Hchoop32.exe 1920 Hkogpn32.exe 1708 Hibgkjee.exe 1632 Hlpchfdi.exe 2212 Hplphd32.exe 2204 Hcjldp32.exe 2448 Hgfheodo.exe 1452 Hehhqk32.exe 1764 Hjddaj32.exe 2436 Hlbpme32.exe 2272 Hpnlndkp.exe 1036 Hclhjpjc.exe 3020 Hghdjn32.exe 2088 Hekefkig.exe -
Loads dropped DLL 64 IoCs
pid Process 376 TrojanDownloader.Win32.Berbew.exe 376 TrojanDownloader.Win32.Berbew.exe 2444 Egpena32.exe 2444 Egpena32.exe 2052 Fpgnoo32.exe 2052 Fpgnoo32.exe 2792 Faijggao.exe 2792 Faijggao.exe 2840 Fipbhd32.exe 2840 Fipbhd32.exe 2864 Fjaoplho.exe 2864 Fjaoplho.exe 2612 Fbhfajia.exe 2612 Fbhfajia.exe 2876 Fefcmehe.exe 2876 Fefcmehe.exe 1032 Flqkjo32.exe 1032 Flqkjo32.exe 1512 Fjckelfm.exe 1512 Fjckelfm.exe 1952 Famcbf32.exe 1952 Famcbf32.exe 2080 Fdlpnamm.exe 2080 Fdlpnamm.exe 1860 Fhglop32.exe 1860 Fhglop32.exe 544 Fmddgg32.exe 544 Fmddgg32.exe 2180 Fpbqcb32.exe 2180 Fpbqcb32.exe 2140 Ffmipmjn.exe 2140 Ffmipmjn.exe 1408 Fabmmejd.exe 1408 Fabmmejd.exe 1612 Fdqiiaih.exe 1612 Fdqiiaih.exe 2528 Gbcien32.exe 2528 Gbcien32.exe 1028 Gfoeel32.exe 1028 Gfoeel32.exe 1784 Gjjafkpe.exe 1784 Gjjafkpe.exe 1488 Gimaah32.exe 1488 Gimaah32.exe 604 Gminbfoh.exe 604 Gminbfoh.exe 2916 Gpgjnbnl.exe 2916 Gpgjnbnl.exe 1484 Gdcfoq32.exe 1484 Gdcfoq32.exe 1576 Gfabkl32.exe 1576 Gfabkl32.exe 1572 Gipngg32.exe 1572 Gipngg32.exe 2736 Glnkcc32.exe 2736 Glnkcc32.exe 2120 Gbhcpmkm.exe 2120 Gbhcpmkm.exe 2712 Gefolhja.exe 2712 Gefolhja.exe 2076 Gibkmgcj.exe 2076 Gibkmgcj.exe 2136 Gplcia32.exe 2136 Gplcia32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oemmkpog.dll Gbjpem32.exe File created C:\Windows\SysWOW64\Nepokogo.exe Mcacochk.exe File created C:\Windows\SysWOW64\Ilemce32.exe Ihiabfhk.exe File created C:\Windows\SysWOW64\Mjpdkq32.dll Egpena32.exe File created C:\Windows\SysWOW64\Gminbfoh.exe Gimaah32.exe File opened for modification C:\Windows\SysWOW64\Ikapdqoc.exe Ihbdhepp.exe File created C:\Windows\SysWOW64\Nijjfj32.dll Jqpebg32.exe File created C:\Windows\SysWOW64\Colldggd.dll Llebnfpe.exe File created C:\Windows\SysWOW64\Bmjekahk.exe Bkkioeig.exe File opened for modification C:\Windows\SysWOW64\Aicfgn32.exe Abinjdad.exe File opened for modification C:\Windows\SysWOW64\Fjaoplho.exe Fipbhd32.exe File created C:\Windows\SysWOW64\Ffmipmjn.exe Fpbqcb32.exe File opened for modification C:\Windows\SysWOW64\Hlbpme32.exe Hjddaj32.exe File created C:\Windows\SysWOW64\Jfagemej.exe Jbfkeo32.exe File created C:\Windows\SysWOW64\Oapcfo32.exe Noagjc32.exe File opened for modification C:\Windows\SysWOW64\Aljmbknm.exe Amglgn32.exe File created C:\Windows\SysWOW64\Hplphd32.exe Hlpchfdi.exe File opened for modification C:\Windows\SysWOW64\Lljkif32.exe Lepclldc.exe File opened for modification C:\Windows\SysWOW64\Mpnngi32.exe Mmpakm32.exe File created C:\Windows\SysWOW64\Ngjoif32.exe Neibanod.exe File created C:\Windows\SysWOW64\Ihpgce32.exe Idekbgji.exe File created C:\Windows\SysWOW64\Poajppaa.dll Jfmnkn32.exe File created C:\Windows\SysWOW64\Ghldgj32.dll Inmpklpj.exe File created C:\Windows\SysWOW64\Jggdmb32.dll Bmlbaqfh.exe File created C:\Windows\SysWOW64\Chmibmlo.exe Cenmfbml.exe File created C:\Windows\SysWOW64\Cnkbeloa.dll Mlgkbi32.exe File opened for modification C:\Windows\SysWOW64\Pkmmigjo.exe Pecelm32.exe File created C:\Windows\SysWOW64\Jcngcc32.dll Faijggao.exe File opened for modification C:\Windows\SysWOW64\Jmlobg32.exe Jjmcfl32.exe File created C:\Windows\SysWOW64\Ooofcg32.exe Omqjgl32.exe File created C:\Windows\SysWOW64\Dhkqcl32.dll Pnimpcke.exe File opened for modification C:\Windows\SysWOW64\Bmjekahk.exe Bkkioeig.exe File opened for modification C:\Windows\SysWOW64\Fefcmehe.exe Fbhfajia.exe File created C:\Windows\SysWOW64\Edoblfhf.dll Gibkmgcj.exe File opened for modification C:\Windows\SysWOW64\Idekbgji.exe Ifbkgj32.exe File created C:\Windows\SysWOW64\Kigibh32.exe Kelmbifm.exe File created C:\Windows\SysWOW64\Jmnpoagb.dll Lkmldbcj.exe File created C:\Windows\SysWOW64\Llaqkn32.dll Aicfgn32.exe File created C:\Windows\SysWOW64\Lkmldbcj.exe Lljkif32.exe File opened for modification C:\Windows\SysWOW64\Chofhm32.exe Cdcjgnbc.exe File created C:\Windows\SysWOW64\Apnjbhgo.dll Gdcfoq32.exe File opened for modification C:\Windows\SysWOW64\Hkogpn32.exe Hchoop32.exe File created C:\Windows\SysWOW64\Nhcebj32.exe Nedifo32.exe File opened for modification C:\Windows\SysWOW64\Pkfghh32.exe Ojdjqp32.exe File created C:\Windows\SysWOW64\Jcandb32.exe Joebccpp.exe File created C:\Windows\SysWOW64\Nanfqo32.exe Noojdc32.exe File opened for modification C:\Windows\SysWOW64\Hghdjn32.exe Hclhjpjc.exe File opened for modification C:\Windows\SysWOW64\Jnbifl32.exe Jjfmem32.exe File created C:\Windows\SysWOW64\Jnbifl32.exe Jjfmem32.exe File opened for modification C:\Windows\SysWOW64\Kbpnkm32.exe Kndbko32.exe File opened for modification C:\Windows\SysWOW64\Aebakp32.exe Abdeoe32.exe File created C:\Windows\SysWOW64\Blaobmkq.exe Biccfalm.exe File created C:\Windows\SysWOW64\Gibkmgcj.exe Gefolhja.exe File opened for modification C:\Windows\SysWOW64\Lchqcd32.exe Lmnhgjmp.exe File created C:\Windows\SysWOW64\Odcimipf.exe Oqgmmk32.exe File created C:\Windows\SysWOW64\Ejkohlcb.dll Hehhqk32.exe File created C:\Windows\SysWOW64\Inkcem32.exe Iohbjpkb.exe File opened for modification C:\Windows\SysWOW64\Jjmcfl32.exe Jfagemej.exe File created C:\Windows\SysWOW64\Hmecge32.dll Abinjdad.exe File created C:\Windows\SysWOW64\Clmkgm32.dll Capdpcge.exe File created C:\Windows\SysWOW64\Jpdihq32.dll Goapjnoo.exe File created C:\Windows\SysWOW64\Inmpklpj.exe Iojopp32.exe File created C:\Windows\SysWOW64\Hmmobd32.dll Lfkfkopk.exe File created C:\Windows\SysWOW64\Gfoeel32.exe Gbcien32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeenapck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icoepohq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebpakbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kepgmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lidilk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlldmimi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peeabm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifpnaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmcfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hclhjpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcacochk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphehidc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbikig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplphd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelmbifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdidmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqjibkek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fabmmejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gampaipe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfopnkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmcclolh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baqhapdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capdpcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjldp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnlndkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibillk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjmoace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjijkmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmbabj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdcfoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjjda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llebnfpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehhqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmgfgham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkfkopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfjnkne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhebhipj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pijgbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbkgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlgkbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapaaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabngjla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcajceke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhcebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkfghh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gefolhja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchoop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manjaldo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkojoghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfmqigba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codeih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbpme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inkcem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mheeif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmoeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbmnea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bldpiifb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmddgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gipngg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkmmigjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmqffonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekhgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgkbjb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggcij32.dll" TrojanDownloader.Win32.Berbew.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geindqkj.dll" Inkcem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngonaccp.dll" Nohddd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omqjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbflbd32.dll" Bdaabk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edhnbelc.dll" Gkhaooec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkogpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfmnkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgfpp32.dll" Aebakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mokdja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgfiocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbjpem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghidcceo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkopndcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kglfcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cggcofkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqhifni.dll" Mheeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkmmigjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afndjdpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egpena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkhaooec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmibmhoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kffqqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiihig32.dll" Kkefoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aopnanlf.dll" Hibgkjee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikjjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbnjdf32.dll" Iojopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lknpan32.dll" Kbpnkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hennhl32.dll" Nlldmimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egpena32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfabkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gplcia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcjoci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aebakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpdihq32.dll" Goapjnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgqnf32.dll" Hdbbnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blaobmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikjjda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihpgce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oonmbkfe.dll" Jmlobg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mheeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbpnkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bimlibmn.dll" Ooofcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} TrojanDownloader.Win32.Berbew.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okkddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmaao32.dll" Nphpng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pajeanhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdcnhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gidhbgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llebnfpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Podpoffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilgjhena.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjgcecja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdcnhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijdppm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddlffnae.dll" Jcandb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kolhdbjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kepgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobohl32.dll" Aankkqfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gidhbgag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbkaoalg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abinjdad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciepkajj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpgnoo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 376 wrote to memory of 2444 376 TrojanDownloader.Win32.Berbew.exe 30 PID 376 wrote to memory of 2444 376 TrojanDownloader.Win32.Berbew.exe 30 PID 376 wrote to memory of 2444 376 TrojanDownloader.Win32.Berbew.exe 30 PID 376 wrote to memory of 2444 376 TrojanDownloader.Win32.Berbew.exe 30 PID 2444 wrote to memory of 2052 2444 Egpena32.exe 31 PID 2444 wrote to memory of 2052 2444 Egpena32.exe 31 PID 2444 wrote to memory of 2052 2444 Egpena32.exe 31 PID 2444 wrote to memory of 2052 2444 Egpena32.exe 31 PID 2052 wrote to memory of 2792 2052 Fpgnoo32.exe 32 PID 2052 wrote to memory of 2792 2052 Fpgnoo32.exe 32 PID 2052 wrote to memory of 2792 2052 Fpgnoo32.exe 32 PID 2052 wrote to memory of 2792 2052 Fpgnoo32.exe 32 PID 2792 wrote to memory of 2840 2792 Faijggao.exe 33 PID 2792 wrote to memory of 2840 2792 Faijggao.exe 33 PID 2792 wrote to memory of 2840 2792 Faijggao.exe 33 PID 2792 wrote to memory of 2840 2792 Faijggao.exe 33 PID 2840 wrote to memory of 2864 2840 Fipbhd32.exe 34 PID 2840 wrote to memory of 2864 2840 Fipbhd32.exe 34 PID 2840 wrote to memory of 2864 2840 Fipbhd32.exe 34 PID 2840 wrote to memory of 2864 2840 Fipbhd32.exe 34 PID 2864 wrote to memory of 2612 2864 Fjaoplho.exe 35 PID 2864 wrote to memory of 2612 2864 Fjaoplho.exe 35 PID 2864 wrote to memory of 2612 2864 Fjaoplho.exe 35 PID 2864 wrote to memory of 2612 2864 Fjaoplho.exe 35 PID 2612 wrote to memory of 2876 2612 Fbhfajia.exe 36 PID 2612 wrote to memory of 2876 2612 Fbhfajia.exe 36 PID 2612 wrote to memory of 2876 2612 Fbhfajia.exe 36 PID 2612 wrote to memory of 2876 2612 Fbhfajia.exe 36 PID 2876 wrote to memory of 1032 2876 Fefcmehe.exe 37 PID 2876 wrote to memory of 1032 2876 Fefcmehe.exe 37 PID 2876 wrote to memory of 1032 2876 Fefcmehe.exe 37 PID 2876 wrote to memory of 1032 2876 Fefcmehe.exe 37 PID 1032 wrote to memory of 1512 1032 Flqkjo32.exe 38 PID 1032 wrote to memory of 1512 1032 Flqkjo32.exe 38 PID 1032 wrote to memory of 1512 1032 Flqkjo32.exe 38 PID 1032 wrote to memory of 1512 1032 Flqkjo32.exe 38 PID 1512 wrote to memory of 1952 1512 Fjckelfm.exe 39 PID 1512 wrote to memory of 1952 1512 Fjckelfm.exe 39 PID 1512 wrote to memory of 1952 1512 Fjckelfm.exe 39 PID 1512 wrote to memory of 1952 1512 Fjckelfm.exe 39 PID 1952 wrote to memory of 2080 1952 Famcbf32.exe 40 PID 1952 wrote to memory of 2080 1952 Famcbf32.exe 40 PID 1952 wrote to memory of 2080 1952 Famcbf32.exe 40 PID 1952 wrote to memory of 2080 1952 Famcbf32.exe 40 PID 2080 wrote to memory of 1860 2080 Fdlpnamm.exe 41 PID 2080 wrote to memory of 1860 2080 Fdlpnamm.exe 41 PID 2080 wrote to memory of 1860 2080 Fdlpnamm.exe 41 PID 2080 wrote to memory of 1860 2080 Fdlpnamm.exe 41 PID 1860 wrote to memory of 544 1860 Fhglop32.exe 42 PID 1860 wrote to memory of 544 1860 Fhglop32.exe 42 PID 1860 wrote to memory of 544 1860 Fhglop32.exe 42 PID 1860 wrote to memory of 544 1860 Fhglop32.exe 42 PID 544 wrote to memory of 2180 544 Fmddgg32.exe 43 PID 544 wrote to memory of 2180 544 Fmddgg32.exe 43 PID 544 wrote to memory of 2180 544 Fmddgg32.exe 43 PID 544 wrote to memory of 2180 544 Fmddgg32.exe 43 PID 2180 wrote to memory of 2140 2180 Fpbqcb32.exe 44 PID 2180 wrote to memory of 2140 2180 Fpbqcb32.exe 44 PID 2180 wrote to memory of 2140 2180 Fpbqcb32.exe 44 PID 2180 wrote to memory of 2140 2180 Fpbqcb32.exe 44 PID 2140 wrote to memory of 1408 2140 Ffmipmjn.exe 45 PID 2140 wrote to memory of 1408 2140 Ffmipmjn.exe 45 PID 2140 wrote to memory of 1408 2140 Ffmipmjn.exe 45 PID 2140 wrote to memory of 1408 2140 Ffmipmjn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Egpena32.exeC:\Windows\system32\Egpena32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Fpgnoo32.exeC:\Windows\system32\Fpgnoo32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Faijggao.exeC:\Windows\system32\Faijggao.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Fipbhd32.exeC:\Windows\system32\Fipbhd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Fjaoplho.exeC:\Windows\system32\Fjaoplho.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Fbhfajia.exeC:\Windows\system32\Fbhfajia.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Fefcmehe.exeC:\Windows\system32\Fefcmehe.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Flqkjo32.exeC:\Windows\system32\Flqkjo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Fjckelfm.exeC:\Windows\system32\Fjckelfm.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Famcbf32.exeC:\Windows\system32\Famcbf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Fdlpnamm.exeC:\Windows\system32\Fdlpnamm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Fmddgg32.exeC:\Windows\system32\Fmddgg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Fpbqcb32.exeC:\Windows\system32\Fpbqcb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Ffmipmjn.exeC:\Windows\system32\Ffmipmjn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Fabmmejd.exeC:\Windows\system32\Fabmmejd.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1408 -
C:\Windows\SysWOW64\Fdqiiaih.exeC:\Windows\system32\Fdqiiaih.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Gfoeel32.exeC:\Windows\system32\Gfoeel32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Gjjafkpe.exeC:\Windows\system32\Gjjafkpe.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Gimaah32.exeC:\Windows\system32\Gimaah32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1488 -
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:604 -
C:\Windows\SysWOW64\Gpgjnbnl.exeC:\Windows\system32\Gpgjnbnl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Gdcfoq32.exeC:\Windows\system32\Gdcfoq32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Gfabkl32.exeC:\Windows\system32\Gfabkl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Gipngg32.exeC:\Windows\system32\Gipngg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Glnkcc32.exeC:\Windows\system32\Glnkcc32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Gbhcpmkm.exeC:\Windows\system32\Gbhcpmkm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Gefolhja.exeC:\Windows\system32\Gefolhja.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Gibkmgcj.exeC:\Windows\system32\Gibkmgcj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Gplcia32.exeC:\Windows\system32\Gplcia32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Gbjpem32.exeC:\Windows\system32\Gbjpem32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Gampaipe.exeC:\Windows\system32\Gampaipe.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Gidhbgag.exeC:\Windows\system32\Gidhbgag.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Ghghnc32.exeC:\Windows\system32\Ghghnc32.exe36⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Goapjnoo.exeC:\Windows\system32\Goapjnoo.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Gbmlkl32.exeC:\Windows\system32\Gbmlkl32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Gekhgh32.exeC:\Windows\system32\Gekhgh32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Ghidcceo.exeC:\Windows\system32\Ghidcceo.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Gkhaooec.exeC:\Windows\system32\Gkhaooec.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Habili32.exeC:\Windows\system32\Habili32.exe42⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Hdpehd32.exeC:\Windows\system32\Hdpehd32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Hgoadp32.exeC:\Windows\system32\Hgoadp32.exe44⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Hkjnenbp.exeC:\Windows\system32\Hkjnenbp.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Hmijajbd.exeC:\Windows\system32\Hmijajbd.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Hadfah32.exeC:\Windows\system32\Hadfah32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Hdbbnd32.exeC:\Windows\system32\Hdbbnd32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Hipkfkgh.exeC:\Windows\system32\Hipkfkgh.exe49⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Hafbghhj.exeC:\Windows\system32\Hafbghhj.exe50⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Hpicbe32.exeC:\Windows\system32\Hpicbe32.exe51⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Hchoop32.exeC:\Windows\system32\Hchoop32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1360 -
C:\Windows\SysWOW64\Hkogpn32.exeC:\Windows\system32\Hkogpn32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Hibgkjee.exeC:\Windows\system32\Hibgkjee.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Hlpchfdi.exeC:\Windows\system32\Hlpchfdi.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Hplphd32.exeC:\Windows\system32\Hplphd32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Hcjldp32.exeC:\Windows\system32\Hcjldp32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Hgfheodo.exeC:\Windows\system32\Hgfheodo.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Hehhqk32.exeC:\Windows\system32\Hehhqk32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1452 -
C:\Windows\SysWOW64\Hjddaj32.exeC:\Windows\system32\Hjddaj32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Hlbpme32.exeC:\Windows\system32\Hlbpme32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Hpnlndkp.exeC:\Windows\system32\Hpnlndkp.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\SysWOW64\Hclhjpjc.exeC:\Windows\system32\Hclhjpjc.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1036 -
C:\Windows\SysWOW64\Hghdjn32.exeC:\Windows\system32\Hghdjn32.exe64⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Hekefkig.exeC:\Windows\system32\Hekefkig.exe65⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Ihiabfhk.exeC:\Windows\system32\Ihiabfhk.exe66⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Ilemce32.exeC:\Windows\system32\Ilemce32.exe67⤵PID:980
-
C:\Windows\SysWOW64\Iocioq32.exeC:\Windows\system32\Iocioq32.exe68⤵PID:2596
-
C:\Windows\SysWOW64\Icoepohq.exeC:\Windows\system32\Icoepohq.exe69⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Iaaekl32.exeC:\Windows\system32\Iaaekl32.exe70⤵PID:1420
-
C:\Windows\SysWOW64\Ijimli32.exeC:\Windows\system32\Ijimli32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Ilgjhena.exeC:\Windows\system32\Ilgjhena.exe72⤵
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Ikjjda32.exeC:\Windows\system32\Ikjjda32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Ioefdpne.exeC:\Windows\system32\Ioefdpne.exe74⤵PID:2532
-
C:\Windows\SysWOW64\Ifpnaj32.exeC:\Windows\system32\Ifpnaj32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\Ihnjmf32.exeC:\Windows\system32\Ihnjmf32.exe76⤵PID:2112
-
C:\Windows\SysWOW64\Ilifndlo.exeC:\Windows\system32\Ilifndlo.exe77⤵PID:2604
-
C:\Windows\SysWOW64\Iklfia32.exeC:\Windows\system32\Iklfia32.exe78⤵PID:2476
-
C:\Windows\SysWOW64\Iohbjpkb.exeC:\Windows\system32\Iohbjpkb.exe79⤵
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Inkcem32.exeC:\Windows\system32\Inkcem32.exe80⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Ifbkgj32.exeC:\Windows\system32\Ifbkgj32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2108 -
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe82⤵
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Ihpgce32.exeC:\Windows\system32\Ihpgce32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Ikocoa32.exeC:\Windows\system32\Ikocoa32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2776 -
C:\Windows\SysWOW64\Iojopp32.exeC:\Windows\system32\Iojopp32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Inmpklpj.exeC:\Windows\system32\Inmpklpj.exe86⤵
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Ibillk32.exeC:\Windows\system32\Ibillk32.exe87⤵
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Iqllghon.exeC:\Windows\system32\Iqllghon.exe88⤵PID:1204
-
C:\Windows\SysWOW64\Ihbdhepp.exeC:\Windows\system32\Ihbdhepp.exe89⤵
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Ikapdqoc.exeC:\Windows\system32\Ikapdqoc.exe90⤵PID:988
-
C:\Windows\SysWOW64\Ikapdqoc.exeC:\Windows\system32\Ikapdqoc.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:756 -
C:\Windows\SysWOW64\Ijdppm32.exeC:\Windows\system32\Ijdppm32.exe92⤵
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Ibkhak32.exeC:\Windows\system32\Ibkhak32.exe93⤵PID:2592
-
C:\Windows\SysWOW64\Jqnhmgmk.exeC:\Windows\system32\Jqnhmgmk.exe94⤵PID:2632
-
C:\Windows\SysWOW64\Jdidmf32.exeC:\Windows\system32\Jdidmf32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe96⤵PID:2576
-
C:\Windows\SysWOW64\Jghqia32.exeC:\Windows\system32\Jghqia32.exe97⤵PID:2960
-
C:\Windows\SysWOW64\Jjfmem32.exeC:\Windows\system32\Jjfmem32.exe98⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Jnbifl32.exeC:\Windows\system32\Jnbifl32.exe99⤵PID:2284
-
C:\Windows\SysWOW64\Jmdiahco.exeC:\Windows\system32\Jmdiahco.exe100⤵PID:1944
-
C:\Windows\SysWOW64\Jqpebg32.exeC:\Windows\system32\Jqpebg32.exe101⤵
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Jdlacfca.exeC:\Windows\system32\Jdlacfca.exe102⤵PID:2192
-
C:\Windows\SysWOW64\Jgjmoace.exeC:\Windows\system32\Jgjmoace.exe103⤵
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Jfmnkn32.exeC:\Windows\system32\Jfmnkn32.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Jjijkmbi.exeC:\Windows\system32\Jjijkmbi.exe105⤵
- System Location Discovery: System Language Discovery
PID:804 -
C:\Windows\SysWOW64\Jmgfgham.exeC:\Windows\system32\Jmgfgham.exe106⤵
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Jqbbhg32.exeC:\Windows\system32\Jqbbhg32.exe107⤵PID:1912
-
C:\Windows\SysWOW64\Joebccpp.exeC:\Windows\system32\Joebccpp.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:316 -
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe109⤵
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Jgmjdaqb.exeC:\Windows\system32\Jgmjdaqb.exe110⤵PID:2564
-
C:\Windows\SysWOW64\Jfojpn32.exeC:\Windows\system32\Jfojpn32.exe111⤵PID:2892
-
C:\Windows\SysWOW64\Jinfli32.exeC:\Windows\system32\Jinfli32.exe112⤵PID:1936
-
C:\Windows\SysWOW64\Jmibmhoj.exeC:\Windows\system32\Jmibmhoj.exe113⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Jqeomfgc.exeC:\Windows\system32\Jqeomfgc.exe114⤵PID:2708
-
C:\Windows\SysWOW64\Johoic32.exeC:\Windows\system32\Johoic32.exe115⤵PID:2520
-
C:\Windows\SysWOW64\Jbfkeo32.exeC:\Windows\system32\Jbfkeo32.exe116⤵
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Jfagemej.exeC:\Windows\system32\Jfagemej.exe117⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Jjmcfl32.exeC:\Windows\system32\Jjmcfl32.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\Jmlobg32.exeC:\Windows\system32\Jmlobg32.exe119⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Jkopndcb.exeC:\Windows\system32\Jkopndcb.exe120⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Jojloc32.exeC:\Windows\system32\Jojloc32.exe121⤵PID:2720
-
C:\Windows\SysWOW64\Jbhhkn32.exeC:\Windows\system32\Jbhhkn32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2768
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-