Analysis
max time kernel: 114s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/09/2024, 16:01
Static task: static1
Behavioral task: behavioral1, sample Backdoor.Win32.Berbew.AA.exe, resource win7-20240903-en
Behavioral task: behavioral2, sample Backdoor.Win32.Berbew.AA.exe, resource win10v2004-20240802-en
The metadata above and the signatures below belong to the Windows 10 2004 x64 run (behavioral2). The sample is a 32-bit executable, which is why its registry writes land in the WOW6432Node view and its dropped files in C:\Windows\SysWOW64.
General
Target: Backdoor.Win32.Berbew.AA.exe
Size: 77KB
MD5: 83f3054629691b5ae7a3282996cb1f50
SHA1: 8a3dc8c4c92514e2946d3f48ce44166116eb2374
SHA256: 2fcc4ee085f6f7629e950c9548917c0fbb58cd89adf60834154df7172b4745df
SHA512: 036f3f80fbfaa4fe5aea12901ed1b64f686126210de2380c372f02709e6b0f4172f7076b3ab289721f023661b756dedf711bae0aae9bdaa1fffa0a5d8f737071
SSDEEP: 1536:9XPV0ANuX4IWarUUCS0Ej/DGyP2LtpLwfi+TjRC/:RP6ANuX4FarUtEzDGrTwf1TjY
Malware Config
Extracted configuration, family berbew: 31 hardcoded URLs. These domains are part of the family's static configuration and date from its mid-2000s origins; treat them as indicators of the family rather than as live infrastructure, and confirm from the network section of the run whether any of them were actually contacted before acting on them.
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad (SSODL) maps a value name to a CLSID; at logon Explorer instantiates each CLSID listed there and so loads whatever DLL that CLSID's InProcServer32 key points to. Every stage of the drop chain writes the same value name ("Web Event Logger") and the same CLSID, so the entry is re-established even if an individual stage is killed. Caveat: registry redirection means the 64-bit explorer.exe reads the native SSODL key, not the WOW6432Node copy written here, so verify rather than assume that this entry fires at logon on an x64 host.
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" (33 processes):
Lhdggb32.exe, Mlifnphl.exe, Ohncdobq.exe, Apddce32.exe, Mkgmoncl.exe, Abpcja32.exe, Jlkafdco.exe, Odjmdocp.exe, Ocknbglo.exe, Jhmhpfmi.exe, Khabke32.exe, Khihld32.exe, Pfeijqqe.exe, Jnedgq32.exe, Lhmafcnf.exe, Llngbabj.exe, Abcppq32.exe, Kocphojh.exe, Qifbll32.exe, Aealll32.exe, Kemhei32.exe, Qfgfpp32.exe, Qbngeadf.exe, Jdalog32.exe, Mahklf32.exe, Peempn32.exe, Madbagif.exe, Mddkbbfg.exe, Nhgmcp32.exe, Nfpghccm.exe, Kdkoef32.exe, Odedipge.exe, Pcpgmf32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (31 processes):
Kalcik32.exe, Mddkbbfg.exe, Pofhbgmn.exe, Jbbmmo32.exe, Lbcedmnl.exe, Mahklf32.exe, Ollljmhg.exe, Qifbll32.exe, Jdopjh32.exe, Kkbkmqed.exe, Mdghhb32.exe, Obpkcc32.exe, Pcpgmf32.exe, Aijlgkjq.exe, Mlifnphl.exe, Nkapelka.exe, Nlqloo32.exe, Lkiamp32.exe, Ldfoad32.exe, Lhdggb32.exe, Ohncdobq.exe, Ohhfknjf.exe, Qfgfpp32.exe, Nefdbekh.exe, Lojfin32.exe, Madbagif.exe, Obidcdfo.exe, Ocmjhfjl.exe, Mhknhabf.exe, Nbbnbemf.exe, Pkklbh32.exe
Executes dropped EXE (64 IoCs)
Each process below is a freshly dropped executable in C:\Windows\SysWOW64 launched by the one before it; the order matches the parent-to-child chain in the WriteProcessMemory section further down.
pid | Process
1592 | Jdopjh32.exe
3476 | Jnedgq32.exe
2776 | Jdalog32.exe
440 | Jhmhpfmi.exe
2440 | Jbbmmo32.exe
4540 | Jlkafdco.exe
2364 | Kbeibo32.exe
2912 | Khabke32.exe
2296 | Kkpnga32.exe
4396 | Kdhbpf32.exe
2500 | Kkbkmqed.exe
1644 | Kalcik32.exe
3728 | Kdkoef32.exe
1520 | Kaopoj32.exe
1716 | Khihld32.exe
4804 | Kocphojh.exe
1836 | Kemhei32.exe
4440 | Lkiamp32.exe
5052 | Lacijjgi.exe
4244 | Lhmafcnf.exe
3592 | Lbcedmnl.exe
3052 | Leabphmp.exe
1400 | Lhpnlclc.exe
3468 | Lojfin32.exe
3252 | Ldfoad32.exe
3772 | Llngbabj.exe
3216 | Lajokiaa.exe
3040 | Lhdggb32.exe
1764 | Loopdmpk.exe
3344 | Mkepineo.exe
3792 | Mdnebc32.exe
2592 | Mkgmoncl.exe
3112 | Mhknhabf.exe
216 | Madbagif.exe
752 | Mlifnphl.exe
2016 | Mddkbbfg.exe
5060 | Mahklf32.exe
3524 | Mdghhb32.exe
5076 | Nkapelka.exe
3180 | Nefdbekh.exe
2052 | Nlqloo32.exe
5020 | Nhgmcp32.exe
4088 | Nkhfek32.exe
3340 | Nbbnbemf.exe
2420 | Nfpghccm.exe
5036 | Ohncdobq.exe
976 | Okmpqjad.exe
4844 | Odedipge.exe
3488 | Ollljmhg.exe
2324 | Obidcdfo.exe
2904 | Odgqopeb.exe
3320 | Oomelheh.exe
4792 | Odjmdocp.exe
3628 | Ocknbglo.exe
4636 | Ohhfknjf.exe
3192 | Ocmjhfjl.exe
1128 | Obpkcc32.exe
1944 | Pcpgmf32.exe
1676 | Pkklbh32.exe
4596 | Pofhbgmn.exe
4976 | Pmjhlklg.exe
2220 | Peempn32.exe
32 | Pfeijqqe.exe
3188 | Pcijce32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Lkiamp32.exe | Kemhei32.exe
File created | C:\Windows\SysWOW64\Obidcdfo.exe | Ollljmhg.exe
File created | C:\Windows\SysWOW64\Apddce32.exe | Amfhgj32.exe
File opened for modification | C:\Windows\SysWOW64\Kbeibo32.exe | Jlkafdco.exe
File created | C:\Windows\SysWOW64\Lhpnlclc.exe | Leabphmp.exe
File opened for modification | C:\Windows\SysWOW64\Madbagif.exe | Mhknhabf.exe
File created | C:\Windows\SysWOW64\Hlkjom32.dll | Qifbll32.exe
File created | C:\Windows\SysWOW64\Kbeibo32.exe | Jlkafdco.exe
File created | C:\Windows\SysWOW64\Nbbnbemf.exe | Nkhfek32.exe
File created | C:\Windows\SysWOW64\Loopdmpk.exe | Lhdggb32.exe
File created | C:\Windows\SysWOW64\Lggfcd32.dll | Mkgmoncl.exe
File opened for modification | C:\Windows\SysWOW64\Abcppq32.exe | Apddce32.exe
File opened for modification | C:\Windows\SysWOW64\Lkiamp32.exe | Kemhei32.exe
File created | C:\Windows\SysWOW64\Qbngeadf.exe | Qifbll32.exe
File created | C:\Windows\SysWOW64\Aomqdipk.dll | Kdkoef32.exe
File created | C:\Windows\SysWOW64\Gipjam32.dll | Nfpghccm.exe
File created | C:\Windows\SysWOW64\Gckjdhni.dll | Aijlgkjq.exe
File created | C:\Windows\SysWOW64\Leabphmp.exe | Lbcedmnl.exe
File created | C:\Windows\SysWOW64\Ollljmhg.exe | Odedipge.exe
File created | C:\Windows\SysWOW64\Aiaeig32.dll | Odedipge.exe
File created | C:\Windows\SysWOW64\Amhdmi32.exe | Aealll32.exe
File created | C:\Windows\SysWOW64\Kdhbpf32.exe | Kkpnga32.exe
File created | C:\Windows\SysWOW64\Pcpgmf32.exe | Obpkcc32.exe
File created | C:\Windows\SysWOW64\Lbcedmnl.exe | Lhmafcnf.exe
File created | C:\Windows\SysWOW64\Kdkoef32.exe | Kalcik32.exe
File opened for modification | C:\Windows\SysWOW64\Qfgfpp32.exe | Pcijce32.exe
File opened for modification | C:\Windows\SysWOW64\Kalcik32.exe | Kkbkmqed.exe
File created | C:\Windows\SysWOW64\Hmfchehg.dll | Ldfoad32.exe
File opened for modification | C:\Windows\SysWOW64\Mddkbbfg.exe | Mlifnphl.exe
File opened for modification | C:\Windows\SysWOW64\Nhgmcp32.exe | Nlqloo32.exe
File created | C:\Windows\SysWOW64\Pofhbgmn.exe | Pkklbh32.exe
File opened for modification | C:\Windows\SysWOW64\Jdalog32.exe | Jnedgq32.exe
File opened for modification | C:\Windows\SysWOW64\Qihoak32.exe | Qbngeadf.exe
File created | C:\Windows\SysWOW64\Hmmppdij.dll | Abpcja32.exe
File opened for modification | C:\Windows\SysWOW64\Amhdmi32.exe | Aealll32.exe
File opened for modification | C:\Windows\SysWOW64\Khabke32.exe | Kbeibo32.exe
File opened for modification | C:\Windows\SysWOW64\Abpcja32.exe | Qkfkng32.exe
File created | C:\Windows\SysWOW64\Joboincl.dll | Ohncdobq.exe
File created | C:\Windows\SysWOW64\Cfioldni.dll | Madbagif.exe
File created | C:\Windows\SysWOW64\Ndnoffic.dll | Kkpnga32.exe
File created | C:\Windows\SysWOW64\Kkbkmqed.exe | Kdhbpf32.exe
File created | C:\Windows\SysWOW64\Lhdggb32.exe | Lajokiaa.exe
File created | C:\Windows\SysWOW64\Ecdleo32.dll | Nefdbekh.exe
File opened for modification | C:\Windows\SysWOW64\Qkfkng32.exe | Qihoak32.exe
File created | C:\Windows\SysWOW64\Jlkafdco.exe | Jbbmmo32.exe
File created | C:\Windows\SysWOW64\Nkapelka.exe | Mdghhb32.exe
File created | C:\Windows\SysWOW64\Pdgfaf32.dll | Nlqloo32.exe
File created | C:\Windows\SysWOW64\Amfhgj32.exe | Aijlgkjq.exe
File opened for modification | C:\Windows\SysWOW64\Kdkoef32.exe | Kalcik32.exe
File created | C:\Windows\SysWOW64\Jkfood32.dll | Jnedgq32.exe
File created | C:\Windows\SysWOW64\Cboleq32.dll | Kalcik32.exe
File opened for modification | C:\Windows\SysWOW64\Pmjhlklg.exe | Pofhbgmn.exe
File created | C:\Windows\SysWOW64\Edkamckh.dll | Pmjhlklg.exe
File created | C:\Windows\SysWOW64\Abpcja32.exe | Qkfkng32.exe
File opened for modification | C:\Windows\SysWOW64\Aijlgkjq.exe | Abpcja32.exe
File opened for modification | C:\Windows\SysWOW64\Apddce32.exe | Amfhgj32.exe
File created | C:\Windows\SysWOW64\Dbnefjjd.dll | Backdoor.Win32.Berbew.AA.exe
File created | C:\Windows\SysWOW64\Aijlgkjq.exe | Abpcja32.exe
File opened for modification | C:\Windows\SysWOW64\Lacijjgi.exe | Lkiamp32.exe
File created | C:\Windows\SysWOW64\Ldfoad32.exe | Lojfin32.exe
File created | C:\Windows\SysWOW64\Nhgmcp32.exe | Nlqloo32.exe
File created | C:\Windows\SysWOW64\Lojfin32.exe | Lhpnlclc.exe
File opened for modification | C:\Windows\SysWOW64\Lhdggb32.exe | Lajokiaa.exe
File opened for modification | C:\Windows\SysWOW64\Obidcdfo.exe | Ollljmhg.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Reading this key is also routine for benign software, so on its own it is a weak indicator; it is listed because every stage of the chain, including the original sample, does it.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 processes):
Kdkoef32.exe, Odgqopeb.exe, Jbbmmo32.exe, Kalcik32.exe, Kocphojh.exe, Lkiamp32.exe, Mdghhb32.exe, Okmpqjad.exe, Mahklf32.exe, Obidcdfo.exe, Qifbll32.exe, Leabphmp.exe, Ldfoad32.exe, Nkapelka.exe, Ohhfknjf.exe, Lojfin32.exe, Mhknhabf.exe, Odedipge.exe, Abcppq32.exe, Kkpnga32.exe, Oomelheh.exe, Pofhbgmn.exe, Qihoak32.exe, Lhmafcnf.exe, Mddkbbfg.exe, Ollljmhg.exe, Pkklbh32.exe, Apddce32.exe, Aealll32.exe, Jlkafdco.exe, Backdoor.Win32.Berbew.AA.exe, Kemhei32.exe, Obpkcc32.exe, Pmjhlklg.exe, Peempn32.exe, Qbngeadf.exe, Lhpnlclc.exe, Nefdbekh.exe, Jhmhpfmi.exe, Kbeibo32.exe, Khabke32.exe, Khihld32.exe, Lacijjgi.exe, Lbcedmnl.exe, Odjmdocp.exe, Jdopjh32.exe, Mdnebc32.exe, Nlqloo32.exe, Ohncdobq.exe, Pcpgmf32.exe, Aijlgkjq.exe, Jdalog32.exe, Llngbabj.exe, Loopdmpk.exe, Madbagif.exe, Amhdmi32.exe, Lhdggb32.exe, Ocmjhfjl.exe, Pcijce32.exe, Qfgfpp32.exe, Nkhfek32.exe, Ocknbglo.exe, Kaopoj32.exe, Lajokiaa.exe
Modifies registry class (64 IoCs)
This is the second half of the persistence mechanism. Each stage drops a new DLL into C:\Windows\SysWOW64 (see the drops list above) and repoints the single CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} at it with ThreadingModel "Apartment", so the SSODL entry always resolves to whichever DLL was registered last. Cleaning up therefore means removing the CLSID key and every dropped DLL, not just the SSODL value.
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node (1 process): Backdoor.Win32.Berbew.AA.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 (17 processes):
Mkepineo.exe, Mhknhabf.exe, Ohncdobq.exe, Abpcja32.exe, Lhmafcnf.exe, Odjmdocp.exe, Llngbabj.exe, Okmpqjad.exe, Kalcik32.exe, Pcijce32.exe, Madbagif.exe, Pcpgmf32.exe, Kdhbpf32.exe, Lacijjgi.exe, Ldfoad32.exe, Kaopoj32.exe, Loopdmpk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" (27 processes):
Lacijjgi.exe, Loopdmpk.exe, Kaopoj32.exe, Mddkbbfg.exe, Nfpghccm.exe, Lhdggb32.exe, Pfeijqqe.exe, Qkfkng32.exe, Abpcja32.exe, Ohncdobq.exe, Peempn32.exe, Khabke32.exe, Ocknbglo.exe, Qbngeadf.exe, Mkepineo.exe, Nhgmcp32.exe, Oomelheh.exe, Nefdbekh.exe, Aealll32.exe, Lhmafcnf.exe, Lojfin32.exe, Obidcdfo.exe, Qfgfpp32.exe, Mahklf32.exe, Kocphojh.exe, Kdhbpf32.exe, Llngbabj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\(default) = DLL path (19 processes):
Process | InProcServer32 default value
Pmjhlklg.exe | C:\Windows\SysWow64\Edkamckh.dll
Obidcdfo.exe | C:\Windows\SysWow64\Odpldj32.dll
Mlifnphl.exe | C:\Windows\SysWow64\Cifiamoa.dll
Mdghhb32.exe | C:\Windows\SysWow64\Nfoceoni.dll
Pcijce32.exe | C:\Windows\SysWow64\Qebeaf32.dll
Jlkafdco.exe | C:\Windows\SysWow64\Hmijcp32.dll
Ollljmhg.exe | C:\Windows\SysWow64\Kmqbkkce.dll
Mkepineo.exe | C:\Windows\SysWow64\Kchhih32.dll
Pofhbgmn.exe | C:\Windows\SysWow64\Cogcho32.dll
Nbbnbemf.exe | C:\Windows\SysWow64\Bebggf32.dll
Oomelheh.exe | C:\Windows\SysWow64\Bakpfm32.dll
Abpcja32.exe | C:\Windows\SysWow64\Hmmppdij.dll
Aijlgkjq.exe | C:\Windows\SysWow64\Gckjdhni.dll
Mhknhabf.exe | C:\Windows\SysWow64\Nngihj32.dll
Mddkbbfg.exe | C:\Windows\SysWow64\Flcmpceo.dll
Ohhfknjf.exe | C:\Windows\SysWow64\Eobdnbdn.dll
Ldfoad32.exe | C:\Windows\SysWow64\Hmfchehg.dll
Madbagif.exe | C:\Windows\SysWow64\Cfioldni.dll
Abcppq32.exe | C:\Windows\SysWow64\Ggociklh.dll
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe (command line "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe", PID 2124)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\SysWOW64\Jdopjh32.exe (command line C:\Windows\system32\Jdopjh32.exe, PID 1592)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\SysWOW64\Jnedgq32.exe (command line C:\Windows\system32\Jnedgq32.exe, PID 3476)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\SysWOW64\Jdalog32.exe (command line C:\Windows\system32\Jdalog32.exe, PID 2776)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 5: C:\Windows\SysWOW64\Jhmhpfmi.exe (command line C:\Windows\system32\Jhmhpfmi.exe, PID 440)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 6: C:\Windows\SysWOW64\Jbbmmo32.exe (command line C:\Windows\system32\Jbbmmo32.exe, PID 2440)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 7: C:\Windows\SysWOW64\Jlkafdco.exe (command line C:\Windows\system32\Jlkafdco.exe, PID 4540)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 8: C:\Windows\SysWOW64\Kbeibo32.exe (command line C:\Windows\system32\Kbeibo32.exe, PID 2364)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 9: C:\Windows\SysWOW64\Khabke32.exe (command line C:\Windows\system32\Khabke32.exe, PID 2912)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 10: C:\Windows\SysWOW64\Kkpnga32.exe (command line C:\Windows\system32\Kkpnga32.exe, PID 2296)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 11: C:\Windows\SysWOW64\Kdhbpf32.exe (command line C:\Windows\system32\Kdhbpf32.exe, PID 4396)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 12: C:\Windows\SysWOW64\Kkbkmqed.exe (command line C:\Windows\system32\Kkbkmqed.exe, PID 2500)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 13: C:\Windows\SysWOW64\Kalcik32.exe (command line C:\Windows\system32\Kalcik32.exe, PID 1644)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 14: C:\Windows\SysWOW64\Kdkoef32.exe (command line C:\Windows\system32\Kdkoef32.exe, PID 3728)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 15: C:\Windows\SysWOW64\Kaopoj32.exe (command line C:\Windows\system32\Kaopoj32.exe, PID 1520)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 16: C:\Windows\SysWOW64\Khihld32.exe (command line C:\Windows\system32\Khihld32.exe, PID 1716)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 17: C:\Windows\SysWOW64\Kocphojh.exe (command line C:\Windows\system32\Kocphojh.exe, PID 4804)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 18: C:\Windows\SysWOW64\Kemhei32.exe (command line C:\Windows\system32\Kemhei32.exe, PID 1836)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 19: C:\Windows\SysWOW64\Lkiamp32.exe (command line C:\Windows\system32\Lkiamp32.exe, PID 4440)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 20: C:\Windows\SysWOW64\Lacijjgi.exe (command line C:\Windows\system32\Lacijjgi.exe, PID 5052)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 21: C:\Windows\SysWOW64\Lhmafcnf.exe (command line C:\Windows\system32\Lhmafcnf.exe, PID 4244)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 22: C:\Windows\SysWOW64\Lbcedmnl.exe (command line C:\Windows\system32\Lbcedmnl.exe, PID 3592)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 23: C:\Windows\SysWOW64\Leabphmp.exe (command line C:\Windows\system32\Leabphmp.exe, PID 3052)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 24: C:\Windows\SysWOW64\Lhpnlclc.exe (command line C:\Windows\system32\Lhpnlclc.exe, PID 1400)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 25: C:\Windows\SysWOW64\Lojfin32.exe (command line C:\Windows\system32\Lojfin32.exe, PID 3468)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 26: C:\Windows\SysWOW64\Ldfoad32.exe (command line C:\Windows\system32\Ldfoad32.exe, PID 3252)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 27: C:\Windows\SysWOW64\Llngbabj.exe (command line C:\Windows\system32\Llngbabj.exe, PID 3772)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 28: C:\Windows\SysWOW64\Lajokiaa.exe (command line C:\Windows\system32\Lajokiaa.exe, PID 3216)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 29: C:\Windows\SysWOW64\Lhdggb32.exe (command line C:\Windows\system32\Lhdggb32.exe, PID 3040)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 30: C:\Windows\SysWOW64\Loopdmpk.exe (command line C:\Windows\system32\Loopdmpk.exe, PID 1764)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 31: C:\Windows\SysWOW64\Mkepineo.exe (command line C:\Windows\system32\Mkepineo.exe, PID 3344)
- Executes dropped EXE
- Modifies registry class
Depth 32: C:\Windows\SysWOW64\Mdnebc32.exe (command line C:\Windows\system32\Mdnebc32.exe, PID 3792)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Depth 33: C:\Windows\SysWOW64\Mkgmoncl.exe (command line C:\Windows\system32\Mkgmoncl.exe, PID 2592)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
Depth 34: C:\Windows\SysWOW64\Mhknhabf.exe (command line C:\Windows\system32\Mhknhabf.exe, PID 3112)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 35: C:\Windows\SysWOW64\Madbagif.exe (command line C:\Windows\system32\Madbagif.exe, PID 216)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 36: C:\Windows\SysWOW64\Mlifnphl.exe (command line C:\Windows\system32\Mlifnphl.exe, PID 752)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
Depth 37: C:\Windows\SysWOW64\Mddkbbfg.exe (command line C:\Windows\system32\Mddkbbfg.exe, PID 2016)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 38: C:\Windows\SysWOW64\Mahklf32.exe (command line C:\Windows\system32\Mahklf32.exe, PID 5060)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 39: C:\Windows\SysWOW64\Mdghhb32.exe (command line C:\Windows\system32\Mdghhb32.exe, PID 3524)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 40: C:\Windows\SysWOW64\Nkapelka.exe (command line C:\Windows\system32\Nkapelka.exe, PID 5076)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Depth 41: C:\Windows\SysWOW64\Nefdbekh.exe (command line C:\Windows\system32\Nefdbekh.exe, PID 3180)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 42: C:\Windows\SysWOW64\Nlqloo32.exe (command line C:\Windows\system32\Nlqloo32.exe, PID 2052)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 43: C:\Windows\SysWOW64\Nhgmcp32.exe (command line C:\Windows\system32\Nhgmcp32.exe, PID 5020)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
Depth 44: C:\Windows\SysWOW64\Nkhfek32.exe (command line C:\Windows\system32\Nkhfek32.exe, PID 4088)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 45: C:\Windows\SysWOW64\Nbbnbemf.exe (command line C:\Windows\system32\Nbbnbemf.exe, PID 3340)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
Depth 46: C:\Windows\SysWOW64\Nfpghccm.exe (command line C:\Windows\system32\Nfpghccm.exe, PID 2420)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
Depth 47: C:\Windows\SysWOW64\Ohncdobq.exe (command line C:\Windows\system32\Ohncdobq.exe, PID 5036)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 48: C:\Windows\SysWOW64\Okmpqjad.exe (command line C:\Windows\system32\Okmpqjad.exe, PID 976)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 49: C:\Windows\SysWOW64\Odedipge.exe (command line C:\Windows\system32\Odedipge.exe, PID 4844)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 50: C:\Windows\SysWOW64\Ollljmhg.exe (command line C:\Windows\system32\Ollljmhg.exe, PID 3488)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 51: C:\Windows\SysWOW64\Obidcdfo.exe (command line C:\Windows\system32\Obidcdfo.exe, PID 2324)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 52: C:\Windows\SysWOW64\Odgqopeb.exe (command line C:\Windows\system32\Odgqopeb.exe, PID 2904)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Depth 53: C:\Windows\SysWOW64\Oomelheh.exe (command line C:\Windows\system32\Oomelheh.exe, PID 3320)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 54: C:\Windows\SysWOW64\Odjmdocp.exe (command line C:\Windows\system32\Odjmdocp.exe, PID 4792)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 55: C:\Windows\SysWOW64\Ocknbglo.exe (command line C:\Windows\system32\Ocknbglo.exe, PID 3628)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 56: C:\Windows\SysWOW64\Ohhfknjf.exe (command line C:\Windows\system32\Ohhfknjf.exe, PID 4636)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 57: C:\Windows\SysWOW64\Ocmjhfjl.exe (command line C:\Windows\system32\Ocmjhfjl.exe, PID 3192)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Depth 58: C:\Windows\SysWOW64\Obpkcc32.exe (command line C:\Windows\system32\Obpkcc32.exe, PID 1128)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 59: C:\Windows\SysWOW64\Pcpgmf32.exe (command line C:\Windows\system32\Pcpgmf32.exe, PID 1944)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 60: C:\Windows\SysWOW64\Pkklbh32.exe (command line C:\Windows\system32\Pkklbh32.exe, PID 1676)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 61: C:\Windows\SysWOW64\Pofhbgmn.exe (command line C:\Windows\system32\Pofhbgmn.exe, PID 4596)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 62: C:\Windows\SysWOW64\Pmjhlklg.exe (command line C:\Windows\system32\Pmjhlklg.exe, PID 4976)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 63: C:\Windows\SysWOW64\Peempn32.exe (command line C:\Windows\system32\Peempn32.exe, PID 2220)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 64: C:\Windows\SysWOW64\Pfeijqqe.exe (command line C:\Windows\system32\Pfeijqqe.exe, PID 32)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
Depth 65: C:\Windows\SysWOW64\Pcijce32.exe (command line C:\Windows\system32\Pcijce32.exe, PID 3188)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 66: C:\Windows\SysWOW64\Qfgfpp32.exe (command line C:\Windows\system32\Qfgfpp32.exe, PID 2548)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 67: C:\Windows\SysWOW64\Qifbll32.exe (command line C:\Windows\system32\Qifbll32.exe, PID 4740)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 68: C:\Windows\SysWOW64\Qbngeadf.exe (command line C:\Windows\system32\Qbngeadf.exe, PID 428)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 69: C:\Windows\SysWOW64\Qihoak32.exe (command line C:\Windows\system32\Qihoak32.exe, PID 3232)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 70: C:\Windows\SysWOW64\Qkfkng32.exe (command line C:\Windows\system32\Qkfkng32.exe, PID 1540)
- Drops file in System32 directory
- Modifies registry class
Depth 71: C:\Windows\SysWOW64\Abpcja32.exe (command line C:\Windows\system32\Abpcja32.exe, PID 64)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
Depth 72: C:\Windows\SysWOW64\Aijlgkjq.exe (command line C:\Windows\system32\Aijlgkjq.exe, PID 3612)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 73: C:\Windows\SysWOW64\Amfhgj32.exe (command line C:\Windows\system32\Amfhgj32.exe, PID 1584)
- Drops file in System32 directory
Depth 74: C:\Windows\SysWOW64\Apddce32.exe (command line C:\Windows\system32\Apddce32.exe, PID 4940)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 75: C:\Windows\SysWOW64\Abcppq32.exe (command line C:\Windows\system32\Abcppq32.exe, PID 4904)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 76: C:\Windows\SysWOW64\Aealll32.exe (command line C:\Windows\system32\Aealll32.exe, PID 3404)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
Depth 77: C:\Windows\SysWOW64\Amhdmi32.exe (command line C:\Windows\system32\Amhdmi32.exe, PID 5176)
- System Location Discovery: System Language Discovery
Depth 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5000), command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads