Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
110s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
16/09/2024, 16:00
Behavioral task
behavioral1
Sample
Backdoor.Win32.Berbew.AA.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Berbew.AA.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Berbew.AA.exe
-
Size
182KB
-
MD5
13cca21116f6a2e75da8bbc1503576f0
-
SHA1
6ad10099063ee9554040e72f63a8ce2a7d9005ce
-
SHA256
2200d1899ba67de80ed66c437272323bd9034e688f524f29e99850a6d482ae12
-
SHA512
4e2097664604958c4fbf0b5680f6e8937b391b519e99f38b2c05ceaf6c913de84b16e529265b706e1e3c23fb1fb35395b1c99cdacfc2c82863c342930d4fc146
-
SSDEEP
1536:j7qMgtv+yIZJV/TUCOl2Lk7nguPw9uVgA53+RrKJs2zjFS3ldkBOLLaVqI2409Y/:1A+yibUJWk7nguPnVgA53+GpOc
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieiegf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkcdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegebn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdhcinme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcimop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbhlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pojdem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bigohejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emncci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kobfqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caepdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpmpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbpmbndm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdmfdgbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcqcoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkmfpabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiqdmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agfikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekpmad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifqfge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbbkabdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ophanl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlnbmikh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eigpmjqg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmfpabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enqfco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jifhdphd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohncdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oafhmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoonqmqf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adeiobgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdffcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjngej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edmnnakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmlmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opqdcgib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnfcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnopmegg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hojqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjkmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglkba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhpdkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhjghlng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndehjnpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqddcdbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epjbienl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anngkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cifdmbib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hecjco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmljnfll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doocln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqendf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acbieing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npngng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcgaill.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnpbgbdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpigonhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bokcom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpmlcpdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hflpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpigonhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afffgjma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egljjmkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjchmclb.exe -
Executes dropped EXE 64 IoCs
pid Process 1760 Ogddhmdl.exe 2560 Oheppe32.exe 2960 Phhmeehg.exe 2968 Pcmabnhm.exe 3032 Pelnniga.exe 2656 Phmfpddb.exe 2352 Pgacaaij.exe 2748 Pchdfb32.exe 1780 Pjblcl32.exe 280 Qgfmlp32.exe 1932 Qoaaqb32.exe 2148 Aijfihip.exe 276 Afnfcl32.exe 1772 Acbglq32.exe 2032 Akmlacdn.exe 468 Aeepjh32.exe 1960 Agfikc32.exe 1712 Aaondi32.exe 1976 Bkdbab32.exe 1372 Bemfjgdg.exe 856 Bjiobnbn.exe 380 Bacgohjk.exe 3036 Bgmolb32.exe 1748 Bmjhdi32.exe 2800 Bphdpe32.exe 2660 Bmldji32.exe 2768 Blodefdg.exe 3004 Bmoaoikj.exe 2704 Claake32.exe 296 Cejfckie.exe 2172 Cppjadhk.exe 2056 Caqfiloi.exe 1348 Codgbqmc.exe 2976 Ceoooj32.exe 2264 Chmkkf32.exe 808 Ckkhga32.exe 1648 Caepdk32.exe 2156 Cddlpg32.exe 864 Cfbhlb32.exe 2120 Cahmik32.exe 1556 Cpkmehol.exe 3044 Dkpabqoa.exe 2884 Dicann32.exe 2596 Dpmjjhmi.exe 2380 Dbkffc32.exe 1616 Dkbnhq32.exe 2392 Dmajdl32.exe 2228 Ddkbqfcp.exe 2784 Dbnblb32.exe 2816 Dihkimag.exe 2668 Dlfgehqk.exe 2240 Dcpoab32.exe 2424 Dglkba32.exe 1624 Dmecokhm.exe 2864 Dlhdjh32.exe 2300 Dcblgbfe.exe 1596 Deahcneh.exe 588 Dlkqpg32.exe 2832 Dpflqfeo.exe 2176 Eagiho32.exe 304 Eioaillo.exe 2432 Ekpmad32.exe 988 Ecgeba32.exe 1972 Edhbjjhn.exe -
Loads dropped DLL 64 IoCs
pid Process 2484 Backdoor.Win32.Berbew.AA.exe 2484 Backdoor.Win32.Berbew.AA.exe 1760 Ogddhmdl.exe 1760 Ogddhmdl.exe 2560 Oheppe32.exe 2560 Oheppe32.exe 2960 Phhmeehg.exe 2960 Phhmeehg.exe 2968 Pcmabnhm.exe 2968 Pcmabnhm.exe 3032 Pelnniga.exe 3032 Pelnniga.exe 2656 Phmfpddb.exe 2656 Phmfpddb.exe 2352 Pgacaaij.exe 2352 Pgacaaij.exe 2748 Pchdfb32.exe 2748 Pchdfb32.exe 1780 Pjblcl32.exe 1780 Pjblcl32.exe 280 Qgfmlp32.exe 280 Qgfmlp32.exe 1932 Qoaaqb32.exe 1932 Qoaaqb32.exe 2148 Aijfihip.exe 2148 Aijfihip.exe 276 Afnfcl32.exe 276 Afnfcl32.exe 1772 Acbglq32.exe 1772 Acbglq32.exe 2032 Akmlacdn.exe 2032 Akmlacdn.exe 468 Aeepjh32.exe 468 Aeepjh32.exe 1960 Agfikc32.exe 1960 Agfikc32.exe 1712 Aaondi32.exe 1712 Aaondi32.exe 1976 Bkdbab32.exe 1976 Bkdbab32.exe 1372 Bemfjgdg.exe 1372 Bemfjgdg.exe 856 Bjiobnbn.exe 856 Bjiobnbn.exe 380 Bacgohjk.exe 380 Bacgohjk.exe 3036 Bgmolb32.exe 3036 Bgmolb32.exe 1748 Bmjhdi32.exe 1748 Bmjhdi32.exe 2800 Bphdpe32.exe 2800 Bphdpe32.exe 2660 Bmldji32.exe 2660 Bmldji32.exe 2768 Blodefdg.exe 2768 Blodefdg.exe 3004 Bmoaoikj.exe 3004 Bmoaoikj.exe 2704 Claake32.exe 2704 Claake32.exe 296 Cejfckie.exe 296 Cejfckie.exe 2172 Cppjadhk.exe 2172 Cppjadhk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dabicikf.exe Dodlfmlb.exe File created C:\Windows\SysWOW64\Hccllbjf.dll Kegebn32.exe File created C:\Windows\SysWOW64\Mafibkqg.dll Fpfkhbon.exe File created C:\Windows\SysWOW64\Hbepplkh.exe Hogddpld.exe File opened for modification C:\Windows\SysWOW64\Dfjaej32.exe Dckdio32.exe File created C:\Windows\SysWOW64\Ldgnmhhj.exe Lnmfpnqn.exe File created C:\Windows\SysWOW64\Fifjgemj.dll Oikeal32.exe File created C:\Windows\SysWOW64\Gmobin32.exe Gnlbnagl.exe File created C:\Windows\SysWOW64\Deoipl32.dll Fondonbc.exe File created C:\Windows\SysWOW64\Dqnkig32.dll Ifloeo32.exe File opened for modification C:\Windows\SysWOW64\Iimhfj32.exe Iglkoaad.exe File created C:\Windows\SysWOW64\Kdgane32.exe Kmmiaknb.exe File created C:\Windows\SysWOW64\Mgnkfjho.exe Mogcelgm.exe File created C:\Windows\SysWOW64\Hamgfm32.dll Mfhabe32.exe File created C:\Windows\SysWOW64\Gbfklolh.exe Gqendf32.exe File created C:\Windows\SysWOW64\Ofmhcg32.dll Jmkmlk32.exe File created C:\Windows\SysWOW64\Kmpfgklo.exe Kidjfl32.exe File created C:\Windows\SysWOW64\Oifbhdjc.dll Ldndng32.exe File opened for modification C:\Windows\SysWOW64\Ogddhmdl.exe Backdoor.Win32.Berbew.AA.exe File created C:\Windows\SysWOW64\Hlkekilg.exe Hmheol32.exe File opened for modification C:\Windows\SysWOW64\Infjfblm.exe Ipcjje32.exe File created C:\Windows\SysWOW64\Lbecjo32.dll Jhikhefb.exe File created C:\Windows\SysWOW64\Efoodo32.dll Cfbhlb32.exe File created C:\Windows\SysWOW64\Ifqfge32.exe Ipfnjkgk.exe File opened for modification C:\Windows\SysWOW64\Cabldeik.exe Cmgpcg32.exe File created C:\Windows\SysWOW64\Onjakoig.dll Kommediq.exe File created C:\Windows\SysWOW64\Nnpbpemn.dll Opkndldc.exe File opened for modification C:\Windows\SysWOW64\Icbldbgi.exe Iadphghe.exe File opened for modification C:\Windows\SysWOW64\Lbmicc32.exe Ljeabf32.exe File opened for modification C:\Windows\SysWOW64\Mnaiah32.exe Mmpmjpba.exe File created C:\Windows\SysWOW64\Oojooion.dll Akjham32.exe File opened for modification C:\Windows\SysWOW64\Jpajdi32.exe Jmbnhm32.exe File opened for modification C:\Windows\SysWOW64\Fondonbc.exe Flphccbp.exe File created C:\Windows\SysWOW64\Hggeeo32.exe Gcljdpke.exe File opened for modification C:\Windows\SysWOW64\Hcpqfgol.exe Hliieioi.exe File created C:\Windows\SysWOW64\Ojnelefl.exe Obgmjh32.exe File opened for modification C:\Windows\SysWOW64\Qicoleno.exe Phabdmgq.exe File created C:\Windows\SysWOW64\Imkqmh32.exe Iiodliep.exe File created C:\Windows\SysWOW64\Nqdaal32.exe Nkhhie32.exe File opened for modification C:\Windows\SysWOW64\Ldkeoo32.exe Lbmicc32.exe File created C:\Windows\SysWOW64\Pcojjn32.dll Fnkblm32.exe File created C:\Windows\SysWOW64\Dahgqohh.dll Kpeonkig.exe File created C:\Windows\SysWOW64\Bmjjmbgc.exe Bjlnaghp.exe File created C:\Windows\SysWOW64\Ahlghold.dll Bqffna32.exe File created C:\Windows\SysWOW64\Iknkfi32.dll Nccmng32.exe File created C:\Windows\SysWOW64\Cbkingcj.dll Pchdfb32.exe File created C:\Windows\SysWOW64\Blcikifh.dll Mfakbf32.exe File created C:\Windows\SysWOW64\Lijngqak.dll Fqnhcgma.exe File created C:\Windows\SysWOW64\Hjdbckib.dll Jiinmnaa.exe File opened for modification C:\Windows\SysWOW64\Qdhcinme.exe Qpmgho32.exe File created C:\Windows\SysWOW64\Jcjlicgq.dll Imdjlida.exe File opened for modification C:\Windows\SysWOW64\Meidib32.exe Mbjhlg32.exe File opened for modification C:\Windows\SysWOW64\Omdbdb32.exe Ofjjghik.exe File created C:\Windows\SysWOW64\Hjeace32.dll Kgmkef32.exe File opened for modification C:\Windows\SysWOW64\Mdigakic.exe Mbkkepio.exe File created C:\Windows\SysWOW64\Ldnbeokn.exe Ldnbeokn.exe File opened for modification C:\Windows\SysWOW64\Papkcd32.exe Pmdocf32.exe File created C:\Windows\SysWOW64\Ceanmc32.exe Cbcbag32.exe File created C:\Windows\SysWOW64\Bmldji32.exe Bphdpe32.exe File created C:\Windows\SysWOW64\Blndhdgi.dll Emceag32.exe File created C:\Windows\SysWOW64\Ioccpggm.dll Folhio32.exe File opened for modification C:\Windows\SysWOW64\Higiih32.exe Hbnqln32.exe File created C:\Windows\SysWOW64\Fgofgcik.dll Ibmmkaik.exe File created C:\Windows\SysWOW64\Pkgoccel.dll Nfncad32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8208 9152 WerFault.exe 958 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpicfdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpmeojbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpmjpba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkffc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkoidcaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Claake32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcekkkmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbaomf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabicikf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpkok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cngfqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgpalcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiaoip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohiob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjomhonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbocak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edidcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnoocq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmighemp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phgfko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldfldpqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andkbien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmeohnil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmkilbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnlbnagl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofjjghik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cipnng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbdjhnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mliibj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jklnggjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldkeoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhpdkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnikmnho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llcfck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmkkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gofajcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqciha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogddhmdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihgpkinf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Memncbmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doocln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccaodgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cppjadhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoalpaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hogddpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhpmhgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aocgll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obakli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnoklc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlnaghp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmmgbbeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oheppe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehconob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqljdclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbgakd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdbgia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nccmng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggbjag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfhfmhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlnbmikh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moahdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfjdfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pobgjhgh.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppiapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fljfdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmghcf32.dll" Gqendf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqendf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkchpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaondi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmobin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkebgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpnci32.dll" Npdkdjhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcoaebjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlhjijpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcfknooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elnonp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbidbf32.dll" Ehdpcahk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kimjjh32.dll" Ggpmkgab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cllmdcej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emncci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaaoakmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pobgjhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flphccbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnlnmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klnkaf32.dll" Jhfljm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccloea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgmofbpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiopah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcqcoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnoaan32.dll" Keodflee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkoidcaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jehpna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbmicc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhbqqlfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haohel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhikhefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjincg32.dll" Jbooen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbehgabe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcekkkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nafknbqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcojjn32.dll" Fnkblm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nplhooec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjagnhnk.dll" Mjpmkdpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epdncb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Godhgedg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iflmlfcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgekldkg.dll" Qicoleno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmpmjpba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flphccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgcjqmc.dll" Nicfnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbnhfhoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Falakjag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glpdbfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hggeeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cabldeik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emkfmioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhednad.dll" Higiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iocdmccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpkcdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmkpnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbinad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkcbgbdo.dll" Cnjbfhqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pelnniga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmoaoikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kceeek32.dll" Dkpabqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpkihl32.dll" Bbfibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbecjo32.dll" Jhikhefb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2484 wrote to memory of 1760 2484 Backdoor.Win32.Berbew.AA.exe 30 PID 2484 wrote to memory of 1760 2484 Backdoor.Win32.Berbew.AA.exe 30 PID 2484 wrote to memory of 1760 2484 Backdoor.Win32.Berbew.AA.exe 30 PID 2484 wrote to memory of 1760 2484 Backdoor.Win32.Berbew.AA.exe 30 PID 1760 wrote to memory of 2560 1760 Ogddhmdl.exe 31 PID 1760 wrote to memory of 2560 1760 Ogddhmdl.exe 31 PID 1760 wrote to memory of 2560 1760 Ogddhmdl.exe 31 PID 1760 wrote to memory of 2560 1760 Ogddhmdl.exe 31 PID 2560 wrote to memory of 2960 2560 Oheppe32.exe 32 PID 2560 wrote to memory of 2960 2560 Oheppe32.exe 32 PID 2560 wrote to memory of 2960 2560 Oheppe32.exe 32 PID 2560 wrote to memory of 2960 2560 Oheppe32.exe 32 PID 2960 wrote to memory of 2968 2960 Phhmeehg.exe 33 PID 2960 wrote to memory of 2968 2960 Phhmeehg.exe 33 PID 2960 wrote to memory of 2968 2960 Phhmeehg.exe 33 PID 2960 wrote to memory of 2968 2960 Phhmeehg.exe 33 PID 2968 wrote to memory of 3032 2968 Pcmabnhm.exe 34 PID 2968 wrote to memory of 3032 2968 Pcmabnhm.exe 34 PID 2968 wrote to memory of 3032 2968 Pcmabnhm.exe 34 PID 2968 wrote to memory of 3032 2968 Pcmabnhm.exe 34 PID 3032 wrote to memory of 2656 3032 Pelnniga.exe 35 PID 3032 wrote to memory of 2656 3032 Pelnniga.exe 35 PID 3032 wrote to memory of 2656 3032 Pelnniga.exe 35 PID 3032 wrote to memory of 2656 3032 Pelnniga.exe 35 PID 2656 wrote to memory of 2352 2656 Phmfpddb.exe 36 PID 2656 wrote to memory of 2352 2656 Phmfpddb.exe 36 PID 2656 wrote to memory of 2352 2656 Phmfpddb.exe 36 PID 2656 wrote to memory of 2352 2656 Phmfpddb.exe 36 PID 2352 wrote to memory of 2748 2352 Pgacaaij.exe 37 PID 2352 wrote to memory of 2748 2352 Pgacaaij.exe 37 PID 2352 wrote to memory of 2748 2352 Pgacaaij.exe 37 PID 2352 wrote to memory of 2748 2352 Pgacaaij.exe 37 PID 2748 wrote to memory of 1780 2748 Pchdfb32.exe 38 PID 2748 wrote to memory of 1780 2748 Pchdfb32.exe 38 PID 2748 wrote to memory of 1780 2748 Pchdfb32.exe 38 PID 2748 wrote to memory of 1780 2748 Pchdfb32.exe 38 PID 1780 wrote to memory of 280 1780 Pjblcl32.exe 39 PID 1780 wrote to memory of 280 1780 Pjblcl32.exe 39 PID 1780 wrote to memory of 280 1780 Pjblcl32.exe 39 PID 1780 wrote to memory of 280 1780 Pjblcl32.exe 39 PID 280 wrote to memory of 1932 280 Qgfmlp32.exe 40 PID 280 wrote to memory of 1932 280 Qgfmlp32.exe 40 PID 280 wrote to memory of 1932 280 Qgfmlp32.exe 40 PID 280 wrote to memory of 1932 280 Qgfmlp32.exe 40 PID 1932 wrote to memory of 2148 1932 Qoaaqb32.exe 41 PID 1932 wrote to memory of 2148 1932 Qoaaqb32.exe 41 PID 1932 wrote to memory of 2148 1932 Qoaaqb32.exe 41 PID 1932 wrote to memory of 2148 1932 Qoaaqb32.exe 41 PID 2148 wrote to memory of 276 2148 Aijfihip.exe 42 PID 2148 wrote to memory of 276 2148 Aijfihip.exe 42 PID 2148 wrote to memory of 276 2148 Aijfihip.exe 42 PID 2148 wrote to memory of 276 2148 Aijfihip.exe 42 PID 276 wrote to memory of 1772 276 Afnfcl32.exe 43 PID 276 wrote to memory of 1772 276 Afnfcl32.exe 43 PID 276 wrote to memory of 1772 276 Afnfcl32.exe 43 PID 276 wrote to memory of 1772 276 Afnfcl32.exe 43 PID 1772 wrote to memory of 2032 1772 Acbglq32.exe 44 PID 1772 wrote to memory of 2032 1772 Acbglq32.exe 44 PID 1772 wrote to memory of 2032 1772 Acbglq32.exe 44 PID 1772 wrote to memory of 2032 1772 Acbglq32.exe 44 PID 2032 wrote to memory of 468 2032 Akmlacdn.exe 45 PID 2032 wrote to memory of 468 2032 Akmlacdn.exe 45 PID 2032 wrote to memory of 468 2032 Akmlacdn.exe 45 PID 2032 wrote to memory of 468 2032 Akmlacdn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Ogddhmdl.exeC:\Windows\system32\Ogddhmdl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Oheppe32.exeC:\Windows\system32\Oheppe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Phhmeehg.exeC:\Windows\system32\Phhmeehg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Pcmabnhm.exeC:\Windows\system32\Pcmabnhm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Pelnniga.exeC:\Windows\system32\Pelnniga.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Phmfpddb.exeC:\Windows\system32\Phmfpddb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Pgacaaij.exeC:\Windows\system32\Pgacaaij.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Pchdfb32.exeC:\Windows\system32\Pchdfb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Pjblcl32.exeC:\Windows\system32\Pjblcl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Qgfmlp32.exeC:\Windows\system32\Qgfmlp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:280 -
C:\Windows\SysWOW64\Qoaaqb32.exeC:\Windows\system32\Qoaaqb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Aijfihip.exeC:\Windows\system32\Aijfihip.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Afnfcl32.exeC:\Windows\system32\Afnfcl32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\Acbglq32.exeC:\Windows\system32\Acbglq32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Akmlacdn.exeC:\Windows\system32\Akmlacdn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Aeepjh32.exeC:\Windows\system32\Aeepjh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:468 -
C:\Windows\SysWOW64\Agfikc32.exeC:\Windows\system32\Agfikc32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Aaondi32.exeC:\Windows\system32\Aaondi32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Bkdbab32.exeC:\Windows\system32\Bkdbab32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Bemfjgdg.exeC:\Windows\system32\Bemfjgdg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Bjiobnbn.exeC:\Windows\system32\Bjiobnbn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Windows\SysWOW64\Bacgohjk.exeC:\Windows\system32\Bacgohjk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:380 -
C:\Windows\SysWOW64\Bgmolb32.exeC:\Windows\system32\Bgmolb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Bmjhdi32.exeC:\Windows\system32\Bmjhdi32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Bphdpe32.exeC:\Windows\system32\Bphdpe32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Bmldji32.exeC:\Windows\system32\Bmldji32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Blodefdg.exeC:\Windows\system32\Blodefdg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Bmoaoikj.exeC:\Windows\system32\Bmoaoikj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Claake32.exeC:\Windows\system32\Claake32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Cejfckie.exeC:\Windows\system32\Cejfckie.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:296 -
C:\Windows\SysWOW64\Cppjadhk.exeC:\Windows\system32\Cppjadhk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Caqfiloi.exeC:\Windows\system32\Caqfiloi.exe33⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Codgbqmc.exeC:\Windows\system32\Codgbqmc.exe34⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Ceoooj32.exeC:\Windows\system32\Ceoooj32.exe35⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Chmkkf32.exeC:\Windows\system32\Chmkkf32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Ckkhga32.exeC:\Windows\system32\Ckkhga32.exe37⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Caepdk32.exeC:\Windows\system32\Caepdk32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Cddlpg32.exeC:\Windows\system32\Cddlpg32.exe39⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Cfbhlb32.exeC:\Windows\system32\Cfbhlb32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:864 -
C:\Windows\SysWOW64\Cahmik32.exeC:\Windows\system32\Cahmik32.exe41⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Cpkmehol.exeC:\Windows\system32\Cpkmehol.exe42⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Dkpabqoa.exeC:\Windows\system32\Dkpabqoa.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Dicann32.exeC:\Windows\system32\Dicann32.exe44⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Dpmjjhmi.exeC:\Windows\system32\Dpmjjhmi.exe45⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Dbkffc32.exeC:\Windows\system32\Dbkffc32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Dkbnhq32.exeC:\Windows\system32\Dkbnhq32.exe47⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Dmajdl32.exeC:\Windows\system32\Dmajdl32.exe48⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Ddkbqfcp.exeC:\Windows\system32\Ddkbqfcp.exe49⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Dbnblb32.exeC:\Windows\system32\Dbnblb32.exe50⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Dihkimag.exeC:\Windows\system32\Dihkimag.exe51⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Dlfgehqk.exeC:\Windows\system32\Dlfgehqk.exe52⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Dcpoab32.exeC:\Windows\system32\Dcpoab32.exe53⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Dglkba32.exeC:\Windows\system32\Dglkba32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Dmecokhm.exeC:\Windows\system32\Dmecokhm.exe55⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Dlhdjh32.exeC:\Windows\system32\Dlhdjh32.exe56⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Dcblgbfe.exeC:\Windows\system32\Dcblgbfe.exe57⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Deahcneh.exeC:\Windows\system32\Deahcneh.exe58⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Dlkqpg32.exeC:\Windows\system32\Dlkqpg32.exe59⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Dpflqfeo.exeC:\Windows\system32\Dpflqfeo.exe60⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Eagiho32.exeC:\Windows\system32\Eagiho32.exe61⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Eioaillo.exeC:\Windows\system32\Eioaillo.exe62⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Ekpmad32.exeC:\Windows\system32\Ekpmad32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Ecgeba32.exeC:\Windows\system32\Ecgeba32.exe64⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Edhbjjhn.exeC:\Windows\system32\Edhbjjhn.exe65⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Elpjkgip.exeC:\Windows\system32\Elpjkgip.exe66⤵PID:2200
-
C:\Windows\SysWOW64\Enqfco32.exeC:\Windows\system32\Enqfco32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
C:\Windows\SysWOW64\Eehndm32.exeC:\Windows\system32\Eehndm32.exe68⤵PID:2948
-
C:\Windows\SysWOW64\Ehfkphnd.exeC:\Windows\system32\Ehfkphnd.exe69⤵PID:2808
-
C:\Windows\SysWOW64\Ekdglcmh.exeC:\Windows\system32\Ekdglcmh.exe70⤵PID:2652
-
C:\Windows\SysWOW64\Eaooin32.exeC:\Windows\system32\Eaooin32.exe71⤵PID:2664
-
C:\Windows\SysWOW64\Edmkei32.exeC:\Windows\system32\Edmkei32.exe72⤵PID:2388
-
C:\Windows\SysWOW64\Egkgad32.exeC:\Windows\system32\Egkgad32.exe73⤵PID:2420
-
C:\Windows\SysWOW64\Ejjdmp32.exeC:\Windows\system32\Ejjdmp32.exe74⤵PID:1072
-
C:\Windows\SysWOW64\Epdljjjm.exeC:\Windows\system32\Epdljjjm.exe75⤵PID:2828
-
C:\Windows\SysWOW64\Ecbhfeip.exeC:\Windows\system32\Ecbhfeip.exe76⤵PID:2996
-
C:\Windows\SysWOW64\Fjlqcppm.exeC:\Windows\system32\Fjlqcppm.exe77⤵PID:2160
-
C:\Windows\SysWOW64\Fnhlcn32.exeC:\Windows\system32\Fnhlcn32.exe78⤵PID:2140
-
C:\Windows\SysWOW64\Fdaephpc.exeC:\Windows\system32\Fdaephpc.exe79⤵PID:2000
-
C:\Windows\SysWOW64\Fgpalcog.exeC:\Windows\system32\Fgpalcog.exe80⤵
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Fjomhonj.exeC:\Windows\system32\Fjomhonj.exe81⤵
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\Flmidkmn.exeC:\Windows\system32\Flmidkmn.exe82⤵PID:1620
-
C:\Windows\SysWOW64\Fcgaae32.exeC:\Windows\system32\Fcgaae32.exe83⤵PID:300
-
C:\Windows\SysWOW64\Ffenmp32.exeC:\Windows\system32\Ffenmp32.exe84⤵PID:2028
-
C:\Windows\SysWOW64\Fmofjj32.exeC:\Windows\system32\Fmofjj32.exe85⤵PID:2964
-
C:\Windows\SysWOW64\Fonbff32.exeC:\Windows\system32\Fonbff32.exe86⤵PID:2932
-
C:\Windows\SysWOW64\Fbloba32.exeC:\Windows\system32\Fbloba32.exe87⤵PID:2672
-
C:\Windows\SysWOW64\Fjcfco32.exeC:\Windows\system32\Fjcfco32.exe88⤵PID:2712
-
C:\Windows\SysWOW64\Fkdckgpc.exeC:\Windows\system32\Fkdckgpc.exe89⤵PID:1588
-
C:\Windows\SysWOW64\Fclkldqe.exeC:\Windows\system32\Fclkldqe.exe90⤵PID:2836
-
C:\Windows\SysWOW64\Fdmgdl32.exeC:\Windows\system32\Fdmgdl32.exe91⤵PID:1124
-
C:\Windows\SysWOW64\Fmdpejgf.exeC:\Windows\system32\Fmdpejgf.exe92⤵PID:2204
-
C:\Windows\SysWOW64\Foblaefj.exeC:\Windows\system32\Foblaefj.exe93⤵PID:2336
-
C:\Windows\SysWOW64\Fbqhnqen.exeC:\Windows\system32\Fbqhnqen.exe94⤵PID:1200
-
C:\Windows\SysWOW64\Gikpjk32.exeC:\Windows\system32\Gikpjk32.exe95⤵PID:1708
-
C:\Windows\SysWOW64\Gkimff32.exeC:\Windows\system32\Gkimff32.exe96⤵PID:352
-
C:\Windows\SysWOW64\Godhgedg.exeC:\Windows\system32\Godhgedg.exe97⤵
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Gbcecpck.exeC:\Windows\system32\Gbcecpck.exe98⤵PID:2744
-
C:\Windows\SysWOW64\Ggpmkgab.exeC:\Windows\system32\Ggpmkgab.exe99⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Gjnigb32.exeC:\Windows\system32\Gjnigb32.exe100⤵PID:2764
-
C:\Windows\SysWOW64\Gednek32.exeC:\Windows\system32\Gednek32.exe101⤵PID:2024
-
C:\Windows\SysWOW64\Ggbjag32.exeC:\Windows\system32\Ggbjag32.exe102⤵
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\Gnlbnagl.exeC:\Windows\system32\Gnlbnagl.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Gmobin32.exeC:\Windows\system32\Gmobin32.exe104⤵
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Gcikfhed.exeC:\Windows\system32\Gcikfhed.exe105⤵PID:2184
-
C:\Windows\SysWOW64\Gfggbcdg.exeC:\Windows\system32\Gfggbcdg.exe106⤵PID:2608
-
C:\Windows\SysWOW64\Gnoocq32.exeC:\Windows\system32\Gnoocq32.exe107⤵
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\Gamkol32.exeC:\Windows\system32\Gamkol32.exe108⤵PID:1036
-
C:\Windows\SysWOW64\Gppkkikh.exeC:\Windows\system32\Gppkkikh.exe109⤵PID:2452
-
C:\Windows\SysWOW64\Gggclfkj.exeC:\Windows\system32\Gggclfkj.exe110⤵PID:580
-
C:\Windows\SysWOW64\Hmdldmja.exeC:\Windows\system32\Hmdldmja.exe111⤵PID:2956
-
C:\Windows\SysWOW64\Haohel32.exeC:\Windows\system32\Haohel32.exe112⤵
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Hflpmb32.exeC:\Windows\system32\Hflpmb32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:940 -
C:\Windows\SysWOW64\Hjhlnahk.exeC:\Windows\system32\Hjhlnahk.exe114⤵PID:2720
-
C:\Windows\SysWOW64\Hliieioi.exeC:\Windows\system32\Hliieioi.exe115⤵
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\Hcpqfgol.exeC:\Windows\system32\Hcpqfgol.exe116⤵PID:1732
-
C:\Windows\SysWOW64\Heamno32.exeC:\Windows\system32\Heamno32.exe117⤵PID:2268
-
C:\Windows\SysWOW64\Hmheol32.exeC:\Windows\system32\Hmheol32.exe118⤵
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Hlkekilg.exeC:\Windows\system32\Hlkekilg.exe119⤵PID:1100
-
C:\Windows\SysWOW64\Hpgakh32.exeC:\Windows\system32\Hpgakh32.exe120⤵PID:2796
-
C:\Windows\SysWOW64\Hbengc32.exeC:\Windows\system32\Hbengc32.exe121⤵PID:1908
-
C:\Windows\SysWOW64\Hecjco32.exeC:\Windows\system32\Hecjco32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-