Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
59s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
16/09/2024, 16:01
Static task
static1
Behavioral task
behavioral1
Sample
TrojanDownloader.Win32.Berbew.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
TrojanDownloader.Win32.Berbew.exe
Resource
win10v2004-20240802-en
General
-
Target
TrojanDownloader.Win32.Berbew.exe
-
Size
67KB
-
MD5
5153018b1d81648dd2473327933ecce0
-
SHA1
cbc29d923c213c07a4a362b007eb6bee0801e2a1
-
SHA256
2338c2e7a4f06b8abe99db150b02499483b0034e7f4ea2516d6fa47eea534443
-
SHA512
794667e104973468b697746ade63d815e10427905ea9f86ba208e3acb15649a31fec36a045ebb8bf0a1f5213085c2c2f557f561f3bc93b6f86173b812fa8108c
-
SSDEEP
1536:NhcX1zmK0fPPnbxqO7Yg2sJifTduD4oTxw:NhcR+vbxq9NsJibdMTxw
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgnmhhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqgahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgchjhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eenckc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eidchjbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eigpmjqg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onfadc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhgaan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdeaim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgehpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iilocklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjiibm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmalmdcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcjqpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adncoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkaaee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbbkabdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phhonn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Helmiiec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjjcogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dabicikf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbaafocg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmanjch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqcomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkmcni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nakeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdjpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbnbfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcgoolln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jemkai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khpaidpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boainhic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plneoace.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Degobhjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijjgkmqh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npngng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apjpglfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Babbpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cllmdcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmalmdcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpfkhbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdqpdja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npdkdjhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deljfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olgboogb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilfadg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oldooi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Damhmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gngdadoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiinmnaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nidoamch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epakcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gemfghek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moloidjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njaoeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooeolkff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkapkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmmiaknb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahllda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cncmei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbqekhmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnjqifb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apgcbmha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgllj32.exe -
Executes dropped EXE 64 IoCs
pid Process 2248 Lfaocc32.exe 2584 Lkngkj32.exe 788 Lojclibo.exe 3000 Ldfldpqf.exe 2632 Lgehpk32.exe 2656 Lnopmegg.exe 2688 Lggdfk32.exe 2616 Lnambeed.exe 2012 Lqpiopdh.exe 832 Lqbfdp32.exe 1208 Lfonlg32.exe 588 Mmifiahi.exe 2768 Mogcelgm.exe 1516 Mmkcoq32.exe 2200 Mcekkkmc.exe 2128 Mjodhe32.exe 2160 Mibdcakk.exe 1980 Mcghajkq.exe 2288 Mbjhlg32.exe 1348 Mpnifkae.exe 1684 Mnaiah32.exe 924 Mekanbol.exe 1396 Mlejkl32.exe 376 Mncfgh32.exe 876 Mbobgfnf.exe 2880 Nnfbmgcj.exe 2784 Nadoiccn.exe 2612 Nljcflbd.exe 2704 Nnhobgag.exe 2336 Nmkpnd32.exe 2860 Ndehjnpo.exe 3008 Ndgdpn32.exe 2500 Nfeqli32.exe 1328 Nakeib32.exe 2848 Nfhmai32.exe 1800 Njcibgcf.exe 1872 Nmbenc32.exe 964 Odlnkmjg.exe 900 Obonfj32.exe 648 Ofjjghik.exe 1592 Omdbdb32.exe 2908 Olgboogb.exe 2020 Opbopn32.exe 2484 Ooeolkff.exe 1676 Oepghe32.exe 1596 Ohncdp32.exe 1756 Opekenmh.exe 2292 Oohlaj32.exe 1740 Obcgaill.exe 2416 Oimpnc32.exe 2444 Ollljo32.exe 444 Okolfkjg.exe 2608 Oojhfj32.exe 2760 Oedqcdim.exe 1700 Ohbmppia.exe 2508 Okailkhd.exe 2968 Oolelj32.exe 2816 Omoehf32.exe 2004 Oakaheoa.exe 2028 Pkcfak32.exe 2800 Pamnnemo.exe 1032 Pdljjplb.exe 960 Phgfko32.exe 1692 Pkebgj32.exe -
Loads dropped DLL 64 IoCs
pid Process 1824 TrojanDownloader.Win32.Berbew.exe 1824 TrojanDownloader.Win32.Berbew.exe 2248 Lfaocc32.exe 2248 Lfaocc32.exe 2584 Lkngkj32.exe 2584 Lkngkj32.exe 788 Lojclibo.exe 788 Lojclibo.exe 3000 Ldfldpqf.exe 3000 Ldfldpqf.exe 2632 Lgehpk32.exe 2632 Lgehpk32.exe 2656 Lnopmegg.exe 2656 Lnopmegg.exe 2688 Lggdfk32.exe 2688 Lggdfk32.exe 2616 Lnambeed.exe 2616 Lnambeed.exe 2012 Lqpiopdh.exe 2012 Lqpiopdh.exe 832 Lqbfdp32.exe 832 Lqbfdp32.exe 1208 Lfonlg32.exe 1208 Lfonlg32.exe 588 Mmifiahi.exe 588 Mmifiahi.exe 2768 Mogcelgm.exe 2768 Mogcelgm.exe 1516 Mmkcoq32.exe 1516 Mmkcoq32.exe 2200 Mcekkkmc.exe 2200 Mcekkkmc.exe 2128 Mjodhe32.exe 2128 Mjodhe32.exe 2160 Mibdcakk.exe 2160 Mibdcakk.exe 1980 Mcghajkq.exe 1980 Mcghajkq.exe 2288 Mbjhlg32.exe 2288 Mbjhlg32.exe 1348 Mpnifkae.exe 1348 Mpnifkae.exe 1684 Mnaiah32.exe 1684 Mnaiah32.exe 924 Mekanbol.exe 924 Mekanbol.exe 1396 Mlejkl32.exe 1396 Mlejkl32.exe 376 Mncfgh32.exe 376 Mncfgh32.exe 876 Mbobgfnf.exe 876 Mbobgfnf.exe 2880 Nnfbmgcj.exe 2880 Nnfbmgcj.exe 2784 Nadoiccn.exe 2784 Nadoiccn.exe 2612 Nljcflbd.exe 2612 Nljcflbd.exe 2704 Nnhobgag.exe 2704 Nnhobgag.exe 2336 Nmkpnd32.exe 2336 Nmkpnd32.exe 2860 Ndehjnpo.exe 2860 Ndehjnpo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mnfhfmhc.exe Mjkmfn32.exe File created C:\Windows\SysWOW64\Gqcaoghl.exe Gndebkii.exe File created C:\Windows\SysWOW64\Njnmiaib.dll Jjbdfbnl.exe File opened for modification C:\Windows\SysWOW64\Omhhma32.exe Ojilqf32.exe File created C:\Windows\SysWOW64\Qdkpomkb.exe Qpocno32.exe File created C:\Windows\SysWOW64\Benhai32.dll Hbhmfk32.exe File opened for modification C:\Windows\SysWOW64\Dlcceboa.exe Didgig32.exe File opened for modification C:\Windows\SysWOW64\Nhdjdk32.exe Neemgp32.exe File opened for modification C:\Windows\SysWOW64\Qomcdf32.exe Qpjchicb.exe File created C:\Windows\SysWOW64\Plfhdlfb.exe Pihlhagn.exe File created C:\Windows\SysWOW64\Dnffmh32.dll Gopnca32.exe File created C:\Windows\SysWOW64\Gfoogjlk.dll Dbkolmia.exe File opened for modification C:\Windows\SysWOW64\Pmlngdhk.exe Pknakhig.exe File opened for modification C:\Windows\SysWOW64\Mmpobi32.exe Mdigakic.exe File created C:\Windows\SysWOW64\Jfpnifnh.dll Dabkla32.exe File created C:\Windows\SysWOW64\Ndhemaec.dll Fcaaloed.exe File created C:\Windows\SysWOW64\Mdahnmck.exe Mbbkabdh.exe File created C:\Windows\SysWOW64\Ijinin32.dll Hpmdjf32.exe File created C:\Windows\SysWOW64\Baojfoqh.dll Cmmcae32.exe File created C:\Windows\SysWOW64\Gbigao32.exe Gcfgfack.exe File created C:\Windows\SysWOW64\Onjakoig.dll Kkaaee32.exe File created C:\Windows\SysWOW64\Ljfckodo.exe Lghgocek.exe File created C:\Windows\SysWOW64\Mdeaim32.exe Mqjehngm.exe File created C:\Windows\SysWOW64\Iadphghe.exe Iimhfj32.exe File created C:\Windows\SysWOW64\Mmcbbo32.exe Mjeffc32.exe File opened for modification C:\Windows\SysWOW64\Ofmiea32.exe Onfadc32.exe File created C:\Windows\SysWOW64\Mbnjnnie.dll Apjpglfn.exe File created C:\Windows\SysWOW64\Gakqdpmg.dll Fgnfpm32.exe File opened for modification C:\Windows\SysWOW64\Cjfjjd32.exe Cghmni32.exe File opened for modification C:\Windows\SysWOW64\Kghkppbp.exe Kblooa32.exe File created C:\Windows\SysWOW64\Fkdoii32.exe Fgibijkb.exe File created C:\Windows\SysWOW64\Ciomamim.dll Lojeda32.exe File created C:\Windows\SysWOW64\Eghifl32.dll Pbcfie32.exe File opened for modification C:\Windows\SysWOW64\Alqplmlb.exe Annpaq32.exe File created C:\Windows\SysWOW64\Jbdlphnb.dll Dpmeij32.exe File opened for modification C:\Windows\SysWOW64\Fagqed32.exe Fbdpjgjf.exe File created C:\Windows\SysWOW64\Hgimkf32.dll Pdljjplb.exe File created C:\Windows\SysWOW64\Bihpmkee.dll Adeiobgc.exe File created C:\Windows\SysWOW64\Bnhqll32.exe Boeppomj.exe File opened for modification C:\Windows\SysWOW64\Mdeaim32.exe Mqjehngm.exe File created C:\Windows\SysWOW64\Nmnoll32.exe Nnknqpgi.exe File opened for modification C:\Windows\SysWOW64\Lgehpk32.exe Ldfldpqf.exe File created C:\Windows\SysWOW64\Oegflcbj.exe Obijpgcf.exe File created C:\Windows\SysWOW64\Bkbjlk32.dll Gcocnk32.exe File created C:\Windows\SysWOW64\Bclcfnih.exe Bqngjcje.exe File created C:\Windows\SysWOW64\Lnmkpadn.dll Hjkbfpah.exe File created C:\Windows\SysWOW64\Nbpalg32.dll Ljndga32.exe File created C:\Windows\SysWOW64\Pfhlie32.exe Phelnhnb.exe File opened for modification C:\Windows\SysWOW64\Hkfeec32.exe Helmiiec.exe File created C:\Windows\SysWOW64\Ooilcc32.dll Lbpolb32.exe File created C:\Windows\SysWOW64\Ccakij32.exe Cqcomn32.exe File created C:\Windows\SysWOW64\Gcifdj32.exe Process not Found File created C:\Windows\SysWOW64\Jpdkel32.dll Iljkofkg.exe File opened for modification C:\Windows\SysWOW64\Kkaaee32.exe Khcdijac.exe File created C:\Windows\SysWOW64\Lhjfmb32.dll Bhfhnofg.exe File created C:\Windows\SysWOW64\Eiajmgka.dll Edhmhl32.exe File opened for modification C:\Windows\SysWOW64\Nmkpnd32.exe Nnhobgag.exe File created C:\Windows\SysWOW64\Pfmeddag.exe Pbaide32.exe File created C:\Windows\SysWOW64\Gcapckod.exe Gpccgppq.exe File created C:\Windows\SysWOW64\Mkpieggc.exe Mdeaim32.exe File created C:\Windows\SysWOW64\Hbhmfk32.exe Hojqjp32.exe File created C:\Windows\SysWOW64\Qpjchicb.exe Phckglbq.exe File created C:\Windows\SysWOW64\Eelfedpa.exe Ebmjihqn.exe File created C:\Windows\SysWOW64\Nfdmqoad.dll Fomndhng.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9484 9700 Process not Found 1094 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapbmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaeiqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebbeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apllml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nadoiccn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfhfmhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmapna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpnfdbig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plheil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglhph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoqeekme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcljdpke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhgbibgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgaoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljgni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmhlnngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbokda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmhij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcahjqfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipecndab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlqdmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmgblphf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabkla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecmhqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfalaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbjejojn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhmhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlpmndba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohoogbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Effidg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qamleagn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqplmlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egdjfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apdminod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlifcqfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjcekj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agcekn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbddfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpocno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkapkq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkchpcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pelpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icbldbgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcfie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blgfml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnhobgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Helmiiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfjdfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhgnbehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dimfmeef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmnhhmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loofjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnoklc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmhcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehgmiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhmfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elcpdeam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhchjgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naokbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdklnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agilkijf.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adncoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoijjjcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdpfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agldbd32.dll" Ggppdpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghofhlpo.dll" Deljfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nakeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihlbih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaillp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aknnil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkclin32.dll" Fdemap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pccdqloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihpmkee.dll" Adeiobgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgfckbfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkaihkih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhffikob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbjgneh.dll" Pbnckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chidkl32.dll" Bhjngnod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbqekhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lecjaf32.dll" Cgpjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdmfml32.dll" Eipjmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcplblgo.dll" Mcknjidn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akpkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpfcohfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfhog32.dll" Eojoelcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfbkjnn.dll" Oedqcdim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egdjfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecjkkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pldknmhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqidme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpnifkae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anggfg32.dll" Gkchpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleggpll.dll" Ipecndab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkpeojha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblkpcdh.dll" Lggdfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fejjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgloq32.dll" Boeppomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oclhpp32.dll" Apllml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khjkiikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhfacfn.dll" Ndpmbjbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggncop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnomkloi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adeiobgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oohlaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqfmdp32.dll" Gdjpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdfqh32.dll" Lqpiopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnkblm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbcnpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfchcq32.dll" Epmahmcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cipnng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obcgaill.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhahcjcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kopikdgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqgahh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acfonhgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqlbnnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dihmae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqcaoghl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djemfibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdfqfd32.dll" Didgig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plodbd32.dll" Dlifcqfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaeacppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhoeadlm.dll" Gnjhaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acemeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnacbj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1824 wrote to memory of 2248 1824 TrojanDownloader.Win32.Berbew.exe 28 PID 1824 wrote to memory of 2248 1824 TrojanDownloader.Win32.Berbew.exe 28 PID 1824 wrote to memory of 2248 1824 TrojanDownloader.Win32.Berbew.exe 28 PID 1824 wrote to memory of 2248 1824 TrojanDownloader.Win32.Berbew.exe 28 PID 2248 wrote to memory of 2584 2248 Lfaocc32.exe 29 PID 2248 wrote to memory of 2584 2248 Lfaocc32.exe 29 PID 2248 wrote to memory of 2584 2248 Lfaocc32.exe 29 PID 2248 wrote to memory of 2584 2248 Lfaocc32.exe 29 PID 2584 wrote to memory of 788 2584 Lkngkj32.exe 30 PID 2584 wrote to memory of 788 2584 Lkngkj32.exe 30 PID 2584 wrote to memory of 788 2584 Lkngkj32.exe 30 PID 2584 wrote to memory of 788 2584 Lkngkj32.exe 30 PID 788 wrote to memory of 3000 788 Lojclibo.exe 31 PID 788 wrote to memory of 3000 788 Lojclibo.exe 31 PID 788 wrote to memory of 3000 788 Lojclibo.exe 31 PID 788 wrote to memory of 3000 788 Lojclibo.exe 31 PID 3000 wrote to memory of 2632 3000 Ldfldpqf.exe 32 PID 3000 wrote to memory of 2632 3000 Ldfldpqf.exe 32 PID 3000 wrote to memory of 2632 3000 Ldfldpqf.exe 32 PID 3000 wrote to memory of 2632 3000 Ldfldpqf.exe 32 PID 2632 wrote to memory of 2656 2632 Lgehpk32.exe 33 PID 2632 wrote to memory of 2656 2632 Lgehpk32.exe 33 PID 2632 wrote to memory of 2656 2632 Lgehpk32.exe 33 PID 2632 wrote to memory of 2656 2632 Lgehpk32.exe 33 PID 2656 wrote to memory of 2688 2656 Lnopmegg.exe 34 PID 2656 wrote to memory of 2688 2656 Lnopmegg.exe 34 PID 2656 wrote to memory of 2688 2656 Lnopmegg.exe 34 PID 2656 wrote to memory of 2688 2656 Lnopmegg.exe 34 PID 2688 wrote to memory of 2616 2688 Lggdfk32.exe 35 PID 2688 wrote to memory of 2616 2688 Lggdfk32.exe 35 PID 2688 wrote to memory of 2616 2688 Lggdfk32.exe 35 PID 2688 wrote to memory of 2616 2688 Lggdfk32.exe 35 PID 2616 wrote to memory of 2012 2616 Lnambeed.exe 36 PID 2616 wrote to memory of 2012 2616 Lnambeed.exe 36 PID 2616 wrote to memory of 2012 2616 Lnambeed.exe 36 PID 2616 wrote to memory of 2012 2616 Lnambeed.exe 36 PID 2012 wrote to memory of 832 2012 Lqpiopdh.exe 37 PID 2012 wrote to memory of 832 2012 Lqpiopdh.exe 37 PID 2012 wrote to memory of 832 2012 Lqpiopdh.exe 37 PID 2012 wrote to memory of 832 2012 Lqpiopdh.exe 37 PID 832 wrote to memory of 1208 832 Lqbfdp32.exe 38 PID 832 wrote to memory of 1208 832 Lqbfdp32.exe 38 PID 832 wrote to memory of 1208 832 Lqbfdp32.exe 38 PID 832 wrote to memory of 1208 832 Lqbfdp32.exe 38 PID 1208 wrote to memory of 588 1208 Lfonlg32.exe 39 PID 1208 wrote to memory of 588 1208 Lfonlg32.exe 39 PID 1208 wrote to memory of 588 1208 Lfonlg32.exe 39 PID 1208 wrote to memory of 588 1208 Lfonlg32.exe 39 PID 588 wrote to memory of 2768 588 Mmifiahi.exe 40 PID 588 wrote to memory of 2768 588 Mmifiahi.exe 40 PID 588 wrote to memory of 2768 588 Mmifiahi.exe 40 PID 588 wrote to memory of 2768 588 Mmifiahi.exe 40 PID 2768 wrote to memory of 1516 2768 Mogcelgm.exe 41 PID 2768 wrote to memory of 1516 2768 Mogcelgm.exe 41 PID 2768 wrote to memory of 1516 2768 Mogcelgm.exe 41 PID 2768 wrote to memory of 1516 2768 Mogcelgm.exe 41 PID 1516 wrote to memory of 2200 1516 Mmkcoq32.exe 42 PID 1516 wrote to memory of 2200 1516 Mmkcoq32.exe 42 PID 1516 wrote to memory of 2200 1516 Mmkcoq32.exe 42 PID 1516 wrote to memory of 2200 1516 Mmkcoq32.exe 42 PID 2200 wrote to memory of 2128 2200 Mcekkkmc.exe 43 PID 2200 wrote to memory of 2128 2200 Mcekkkmc.exe 43 PID 2200 wrote to memory of 2128 2200 Mcekkkmc.exe 43 PID 2200 wrote to memory of 2128 2200 Mcekkkmc.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Lfaocc32.exeC:\Windows\system32\Lfaocc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Lkngkj32.exeC:\Windows\system32\Lkngkj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Lojclibo.exeC:\Windows\system32\Lojclibo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Ldfldpqf.exeC:\Windows\system32\Ldfldpqf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Lgehpk32.exeC:\Windows\system32\Lgehpk32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Lnopmegg.exeC:\Windows\system32\Lnopmegg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Lggdfk32.exeC:\Windows\system32\Lggdfk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Lnambeed.exeC:\Windows\system32\Lnambeed.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Lqpiopdh.exeC:\Windows\system32\Lqpiopdh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Lqbfdp32.exeC:\Windows\system32\Lqbfdp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Lfonlg32.exeC:\Windows\system32\Lfonlg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Mmifiahi.exeC:\Windows\system32\Mmifiahi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Mogcelgm.exeC:\Windows\system32\Mogcelgm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Mmkcoq32.exeC:\Windows\system32\Mmkcoq32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Mcekkkmc.exeC:\Windows\system32\Mcekkkmc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Mjodhe32.exeC:\Windows\system32\Mjodhe32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Mibdcakk.exeC:\Windows\system32\Mibdcakk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Mcghajkq.exeC:\Windows\system32\Mcghajkq.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Mbjhlg32.exeC:\Windows\system32\Mbjhlg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Mpnifkae.exeC:\Windows\system32\Mpnifkae.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Mnaiah32.exeC:\Windows\system32\Mnaiah32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Mekanbol.exeC:\Windows\system32\Mekanbol.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:924 -
C:\Windows\SysWOW64\Mlejkl32.exeC:\Windows\system32\Mlejkl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1396 -
C:\Windows\SysWOW64\Mncfgh32.exeC:\Windows\system32\Mncfgh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:376 -
C:\Windows\SysWOW64\Mbobgfnf.exeC:\Windows\system32\Mbobgfnf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Nnfbmgcj.exeC:\Windows\system32\Nnfbmgcj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Nadoiccn.exeC:\Windows\system32\Nadoiccn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Nljcflbd.exeC:\Windows\system32\Nljcflbd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Nnhobgag.exeC:\Windows\system32\Nnhobgag.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Nmkpnd32.exeC:\Windows\system32\Nmkpnd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Ndehjnpo.exeC:\Windows\system32\Ndehjnpo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Ndgdpn32.exeC:\Windows\system32\Ndgdpn32.exe33⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Nfeqli32.exeC:\Windows\system32\Nfeqli32.exe34⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Nakeib32.exeC:\Windows\system32\Nakeib32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Nfhmai32.exeC:\Windows\system32\Nfhmai32.exe36⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Njcibgcf.exeC:\Windows\system32\Njcibgcf.exe37⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Nmbenc32.exeC:\Windows\system32\Nmbenc32.exe38⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Odlnkmjg.exeC:\Windows\system32\Odlnkmjg.exe39⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Obonfj32.exeC:\Windows\system32\Obonfj32.exe40⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Ofjjghik.exeC:\Windows\system32\Ofjjghik.exe41⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Omdbdb32.exeC:\Windows\system32\Omdbdb32.exe42⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Olgboogb.exeC:\Windows\system32\Olgboogb.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Opbopn32.exeC:\Windows\system32\Opbopn32.exe44⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Ooeolkff.exeC:\Windows\system32\Ooeolkff.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Oepghe32.exeC:\Windows\system32\Oepghe32.exe46⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Ohncdp32.exeC:\Windows\system32\Ohncdp32.exe47⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Opekenmh.exeC:\Windows\system32\Opekenmh.exe48⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Oohlaj32.exeC:\Windows\system32\Oohlaj32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Obcgaill.exeC:\Windows\system32\Obcgaill.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Oimpnc32.exeC:\Windows\system32\Oimpnc32.exe51⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Ollljo32.exeC:\Windows\system32\Ollljo32.exe52⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Okolfkjg.exeC:\Windows\system32\Okolfkjg.exe53⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Oojhfj32.exeC:\Windows\system32\Oojhfj32.exe54⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Oedqcdim.exeC:\Windows\system32\Oedqcdim.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Ohbmppia.exeC:\Windows\system32\Ohbmppia.exe56⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Okailkhd.exeC:\Windows\system32\Okailkhd.exe57⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Oolelj32.exeC:\Windows\system32\Oolelj32.exe58⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Omoehf32.exeC:\Windows\system32\Omoehf32.exe59⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Oakaheoa.exeC:\Windows\system32\Oakaheoa.exe60⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Pkcfak32.exeC:\Windows\system32\Pkcfak32.exe61⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Pamnnemo.exeC:\Windows\system32\Pamnnemo.exe62⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Pdljjplb.exeC:\Windows\system32\Pdljjplb.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Phgfko32.exeC:\Windows\system32\Phgfko32.exe64⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Pkebgj32.exeC:\Windows\system32\Pkebgj32.exe65⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Pihbbgjj.exeC:\Windows\system32\Pihbbgjj.exe66⤵PID:1976
-
C:\Windows\SysWOW64\Pmdocf32.exeC:\Windows\system32\Pmdocf32.exe67⤵PID:604
-
C:\Windows\SysWOW64\Ppbkoabf.exeC:\Windows\system32\Ppbkoabf.exe68⤵PID:908
-
C:\Windows\SysWOW64\Pcagkmaj.exeC:\Windows\system32\Pcagkmaj.exe69⤵PID:1972
-
C:\Windows\SysWOW64\Pkholjam.exeC:\Windows\system32\Pkholjam.exe70⤵PID:1712
-
C:\Windows\SysWOW64\Pikohg32.exeC:\Windows\system32\Pikohg32.exe71⤵PID:880
-
C:\Windows\SysWOW64\Pnfkheap.exeC:\Windows\system32\Pnfkheap.exe72⤵PID:2436
-
C:\Windows\SysWOW64\Pdpcep32.exeC:\Windows\system32\Pdpcep32.exe73⤵PID:2712
-
C:\Windows\SysWOW64\Pccdqloh.exeC:\Windows\system32\Pccdqloh.exe74⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Peapmhnk.exeC:\Windows\system32\Peapmhnk.exe75⤵PID:2756
-
C:\Windows\SysWOW64\Pimlmf32.exeC:\Windows\system32\Pimlmf32.exe76⤵PID:3040
-
C:\Windows\SysWOW64\Ppgdjqna.exeC:\Windows\system32\Ppgdjqna.exe77⤵PID:2412
-
C:\Windows\SysWOW64\Pojdem32.exeC:\Windows\system32\Pojdem32.exe78⤵PID:2772
-
C:\Windows\SysWOW64\Pceqfl32.exeC:\Windows\system32\Pceqfl32.exe79⤵PID:1952
-
C:\Windows\SysWOW64\Pgamgken.exeC:\Windows\system32\Pgamgken.exe80⤵PID:2008
-
C:\Windows\SysWOW64\Pjpicfdb.exeC:\Windows\system32\Pjpicfdb.exe81⤵PID:2064
-
C:\Windows\SysWOW64\Plneoace.exeC:\Windows\system32\Plneoace.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Ppiapp32.exeC:\Windows\system32\Ppiapp32.exe83⤵PID:1840
-
C:\Windows\SysWOW64\Qakmghbm.exeC:\Windows\system32\Qakmghbm.exe84⤵PID:2684
-
C:\Windows\SysWOW64\Qakmghbm.exeC:\Windows\system32\Qakmghbm.exe85⤵PID:1948
-
C:\Windows\SysWOW64\Qjbehfbo.exeC:\Windows\system32\Qjbehfbo.exe86⤵PID:560
-
C:\Windows\SysWOW64\Qlpadaac.exeC:\Windows\system32\Qlpadaac.exe87⤵PID:3060
-
C:\Windows\SysWOW64\Qoonqmqf.exeC:\Windows\system32\Qoonqmqf.exe88⤵PID:2320
-
C:\Windows\SysWOW64\Qoonqmqf.exeC:\Windows\system32\Qoonqmqf.exe89⤵PID:2924
-
C:\Windows\SysWOW64\Qamjmh32.exeC:\Windows\system32\Qamjmh32.exe90⤵PID:2936
-
C:\Windows\SysWOW64\Qdkfic32.exeC:\Windows\system32\Qdkfic32.exe91⤵PID:2984
-
C:\Windows\SysWOW64\Qhgbibgg.exeC:\Windows\system32\Qhgbibgg.exe92⤵
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Aoakfl32.exeC:\Windows\system32\Aoakfl32.exe93⤵PID:2832
-
C:\Windows\SysWOW64\Andkbien.exeC:\Windows\system32\Andkbien.exe94⤵PID:2980
-
C:\Windows\SysWOW64\Aaogbh32.exeC:\Windows\system32\Aaogbh32.exe95⤵PID:1984
-
C:\Windows\SysWOW64\Adncoc32.exeC:\Windows\system32\Adncoc32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Akhkkmdh.exeC:\Windows\system32\Akhkkmdh.exe97⤵PID:1536
-
C:\Windows\SysWOW64\Aocgll32.exeC:\Windows\system32\Aocgll32.exe98⤵PID:2544
-
C:\Windows\SysWOW64\Abachg32.exeC:\Windows\system32\Abachg32.exe99⤵PID:2276
-
C:\Windows\SysWOW64\Adppdckh.exeC:\Windows\system32\Adppdckh.exe100⤵PID:1656
-
C:\Windows\SysWOW64\Ahllda32.exeC:\Windows\system32\Ahllda32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:996 -
C:\Windows\SysWOW64\Agolpnjl.exeC:\Windows\system32\Agolpnjl.exe102⤵PID:1148
-
C:\Windows\SysWOW64\Ajmhljip.exeC:\Windows\system32\Ajmhljip.exe103⤵PID:2072
-
C:\Windows\SysWOW64\Abdpngjb.exeC:\Windows\system32\Abdpngjb.exe104⤵PID:2588
-
C:\Windows\SysWOW64\Aqgqid32.exeC:\Windows\system32\Aqgqid32.exe105⤵PID:2644
-
C:\Windows\SysWOW64\Adbmjbif.exeC:\Windows\system32\Adbmjbif.exe106⤵PID:2732
-
C:\Windows\SysWOW64\Acemeo32.exeC:\Windows\system32\Acemeo32.exe107⤵
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Aklefm32.exeC:\Windows\system32\Aklefm32.exe108⤵PID:2548
-
C:\Windows\SysWOW64\Amnanefa.exeC:\Windows\system32\Amnanefa.exe109⤵PID:2560
-
C:\Windows\SysWOW64\Adeiobgc.exeC:\Windows\system32\Adeiobgc.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Agcekn32.exeC:\Windows\system32\Agcekn32.exe111⤵
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\Afffgjma.exeC:\Windows\system32\Afffgjma.exe112⤵PID:2488
-
C:\Windows\SysWOW64\Ajaagi32.exeC:\Windows\system32\Ajaagi32.exe113⤵PID:1108
-
C:\Windows\SysWOW64\Anmnhhmd.exeC:\Windows\system32\Anmnhhmd.exe114⤵
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\Aqljdclg.exeC:\Windows\system32\Aqljdclg.exe115⤵PID:1640
-
C:\Windows\SysWOW64\Aonjpp32.exeC:\Windows\system32\Aonjpp32.exe116⤵PID:1628
-
C:\Windows\SysWOW64\Afhbljko.exeC:\Windows\system32\Afhbljko.exe117⤵PID:2940
-
C:\Windows\SysWOW64\Bjdnmi32.exeC:\Windows\system32\Bjdnmi32.exe118⤵PID:1960
-
C:\Windows\SysWOW64\Bigohejb.exeC:\Windows\system32\Bigohejb.exe119⤵PID:2780
-
C:\Windows\SysWOW64\Bqngjcje.exeC:\Windows\system32\Bqngjcje.exe120⤵PID:3012
-
C:\Windows\SysWOW64\Bqngjcje.exeC:\Windows\system32\Bqngjcje.exe121⤵
- Drops file in System32 directory
PID:1256 -
C:\Windows\SysWOW64\Bclcfnih.exeC:\Windows\system32\Bclcfnih.exe122⤵PID:2400
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-