Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
115s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16/09/2024, 16:07
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.Win32.Berbew.AA.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Berbew.AA.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Berbew.AA.exe
-
Size
79KB
-
MD5
8715cac4df2c9186a3979a96ac9e67d0
-
SHA1
ea600f13d3e0a0413f1b6f9ff28cad49f96a2a86
-
SHA256
638e0c525366acba87768774b392c1268465a6b887decd666e09aa63144ac596
-
SHA512
5226af7318a2f779d7241da1ba1af6113e4ab88d8277debc5fc9ee668343d6acdbf68ec401910b9e74a03ebc62b16a302867ee38b406c8e1e79006a8aedd5114
-
SSDEEP
1536:P6tS3h67tv8v2vJ1+B4Ogw/tUEdiFkSIgiItKq9v6DK:P6tP+BDUEdixtBtKq9vV
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmgfod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gajpmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbinlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmlgcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egknji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcembe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpnqj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icciccmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oamgcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiodha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flpkcbqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohcmpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfggbope.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghmbib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfhgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkbmih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malnklgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pddokabk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjcdih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahngmnnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhiinbdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmglk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcjodbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgqdfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqpbboeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fckaeioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgeogb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flbhia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkicjgnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdjlap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhogamih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cifmoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppelkeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjgog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjcdih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eieplhlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okceaikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkgejncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhffijdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hembndee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnoacp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfjnhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolinf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqpbboeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehklmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iheaqolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgkfqgce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnfjbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnilfnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbonm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkdlkope.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbedaand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmanljfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kggjghkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfcmhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfoaam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oacdmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eedmlo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imhjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Labkempb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfomda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbkgmao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbqiak32.exe -
Executes dropped EXE 64 IoCs
pid Process 416 Ollljmhg.exe 2836 Ocfdgg32.exe 1796 Ohcmpn32.exe 3168 Oomelheh.exe 2024 Ofgmib32.exe 1664 Okceaikl.exe 596 Ocknbglo.exe 432 Omcbkl32.exe 536 Obpkcc32.exe 1896 Oflfdbip.exe 1500 Pcpgmf32.exe 3648 Pilpfm32.exe 2052 Pofhbgmn.exe 3480 Pfppoa32.exe 3308 Piolkm32.exe 3464 Poidhg32.exe 3236 Pfbmdabh.exe 2236 Pmmeak32.exe 3960 Pcfmneaa.exe 3124 Piceflpi.exe 4908 Pkabbgol.exe 1400 Qfgfpp32.exe 436 Qmanljfo.exe 1228 Qihoak32.exe 2784 Qcncodki.exe 2416 Aeopfl32.exe 4456 Acppddig.exe 1932 Apgqie32.exe 1920 Almanf32.exe 4716 Apkjddke.exe 2908 Aidomjaf.exe 3092 Bblcfo32.exe 3040 Bclppboi.exe 2440 Bcnleb32.exe 5028 Bbcignbo.exe 400 Bbefln32.exe 904 Cpifeb32.exe 2740 Cefoni32.exe 1208 Cmmgof32.exe 5056 Cplckbmc.exe 2164 Cffkhl32.exe 2916 Cmpcdfll.exe 2516 Cdjlap32.exe 1336 Cekhihig.exe 1312 Cifdjg32.exe 4380 Cpqlfa32.exe 4640 Cemeoh32.exe 4460 Cpcila32.exe 3920 Cepadh32.exe 4232 Clijablo.exe 3700 Dbcbnlcl.exe 4044 Dbfoclai.exe 892 Dipgpf32.exe 820 Dibdeegc.exe 2772 Dpllbp32.exe 3924 Dmplkd32.exe 4052 Dghadidj.exe 832 Digmqe32.exe 4404 Egknji32.exe 876 Eennefib.exe 4832 Ecanojgl.exe 4436 Emgblc32.exe 3116 Ecdkdj32.exe 2496 Eebgqe32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lcmmho32.dll Kbedaand.exe File opened for modification C:\Windows\SysWOW64\Pcpgmf32.exe Oflfdbip.exe File created C:\Windows\SysWOW64\Jijomapp.dll Maoakaip.exe File opened for modification C:\Windows\SysWOW64\Cqghcn32.exe Bjmpfdhb.exe File created C:\Windows\SysWOW64\Kjipmoai.exe Kcphpdil.exe File opened for modification C:\Windows\SysWOW64\Apkjddke.exe Almanf32.exe File created C:\Windows\SysWOW64\Dikgnp32.dll Ijonfmbn.exe File created C:\Windows\SysWOW64\Emabga32.dll Knmpbi32.exe File opened for modification C:\Windows\SysWOW64\Jjnqap32.exe Iohlcg32.exe File opened for modification C:\Windows\SysWOW64\Obpkcc32.exe Omcbkl32.exe File opened for modification C:\Windows\SysWOW64\Fckaeioa.exe Fdhail32.exe File created C:\Windows\SysWOW64\Ifpjgg32.dll Jqbbno32.exe File created C:\Windows\SysWOW64\Cbfema32.exe Ckmmpg32.exe File created C:\Windows\SysWOW64\Giahndcf.exe Gajpmg32.exe File created C:\Windows\SysWOW64\Qcncodki.exe Qihoak32.exe File created C:\Windows\SysWOW64\Edcfml32.dll Eoconenj.exe File created C:\Windows\SysWOW64\Ffdcne32.dll Gccmaack.exe File opened for modification C:\Windows\SysWOW64\Ckoifgmb.exe Ciqmjkno.exe File created C:\Windows\SysWOW64\Gegchl32.exe Gpjjpe32.exe File created C:\Windows\SysWOW64\Cifmoa32.exe Cnpibh32.exe File created C:\Windows\SysWOW64\Khabdi32.dll Ijlkfg32.exe File created C:\Windows\SysWOW64\Mmpbkm32.exe Laiafl32.exe File created C:\Windows\SysWOW64\Icjengld.exe Ikcmmjkb.exe File created C:\Windows\SysWOW64\Mhjpceko.exe Mpchbhjl.exe File created C:\Windows\SysWOW64\Ajepci32.dll Gbecljnl.exe File created C:\Windows\SysWOW64\Fhiinbdo.exe Fblpflfg.exe File opened for modification C:\Windows\SysWOW64\Lcndab32.exe Lkflpe32.exe File opened for modification C:\Windows\SysWOW64\Cpcila32.exe Cemeoh32.exe File opened for modification C:\Windows\SysWOW64\Cfjnhe32.exe Cppelkeb.exe File created C:\Windows\SysWOW64\Eflceb32.exe Eoekde32.exe File opened for modification C:\Windows\SysWOW64\Bjmpfdhb.exe Bgodjiio.exe File created C:\Windows\SysWOW64\Gkomkdlk.dll Keekjc32.exe File opened for modification C:\Windows\SysWOW64\Lpbokjho.exe Kfjjbd32.exe File created C:\Windows\SysWOW64\Ohkijc32.exe Npcaie32.exe File created C:\Windows\SysWOW64\Ajaqjfbp.exe Agcdnjcl.exe File opened for modification C:\Windows\SysWOW64\Piolkm32.exe Pfppoa32.exe File created C:\Windows\SysWOW64\Jelhcd32.exe Jnapgjdo.exe File opened for modification C:\Windows\SysWOW64\Dpnbmi32.exe Dhgjll32.exe File created C:\Windows\SysWOW64\Obpkcc32.exe Omcbkl32.exe File created C:\Windows\SysWOW64\Lcbmlbig.exe Lmheph32.exe File opened for modification C:\Windows\SysWOW64\Mopeofjl.exe Mhfmbl32.exe File opened for modification C:\Windows\SysWOW64\Bnbmqjjo.exe Biedhclh.exe File created C:\Windows\SysWOW64\Ickihp32.dll Igkadlcd.exe File opened for modification C:\Windows\SysWOW64\Ljjicl32.exe Lcpqgbkj.exe File created C:\Windows\SysWOW64\Pofhbgmn.exe Pilpfm32.exe File created C:\Windows\SysWOW64\Jjdgal32.exe Jcjodbgl.exe File created C:\Windows\SysWOW64\Bkgokhco.dll Oafacn32.exe File created C:\Windows\SysWOW64\Cfjpai32.dll Qjcdih32.exe File created C:\Windows\SysWOW64\Iedanb32.dll Eldbbjof.exe File opened for modification C:\Windows\SysWOW64\Hqjcgbbo.exe Hhckeeam.exe File created C:\Windows\SysWOW64\Imjgbb32.exe Ijlkfg32.exe File created C:\Windows\SysWOW64\Bnoiqd32.exe Bjcmpepm.exe File opened for modification C:\Windows\SysWOW64\Ohcmpn32.exe Ocfdgg32.exe File created C:\Windows\SysWOW64\Ifofkacc.dll Mdmngm32.exe File opened for modification C:\Windows\SysWOW64\Nejgbn32.exe Nncoaq32.exe File created C:\Windows\SysWOW64\Olanmmjm.dll Mhjpceko.exe File created C:\Windows\SysWOW64\Gmeadk32.dll Ecdkdj32.exe File created C:\Windows\SysWOW64\Qnhkpgaj.dll Ndpcdjho.exe File created C:\Windows\SysWOW64\Qiobpljq.dll Jcfejfag.exe File created C:\Windows\SysWOW64\Blgmmd32.dll Ljephmgl.exe File created C:\Windows\SysWOW64\Mbiiah32.dll Hhlnjpdi.exe File created C:\Windows\SysWOW64\Hccomh32.exe Hhnkppbf.exe File opened for modification C:\Windows\SysWOW64\Biljib32.exe Bfnnmg32.exe File opened for modification C:\Windows\SysWOW64\Mfomda32.exe Mpedgghj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13632 13492 WerFault.exe 703 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhgjll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijlkfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmpkakak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqkigp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gimoce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glngep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckglc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oklifdmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqgjmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adqeaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpedgghj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkefphem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joobdfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjqinamq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oogdfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldbbjof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpmmfbfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laeoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cifdjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcembe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilpfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjdfgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefcgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfedmfqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijjekn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhghge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abipfifn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhfcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bclppboi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fepmgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkcackeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkodak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elolco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkjpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipffmmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iheaqolo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnapgjdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcqlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkkop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oafacn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmpbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khfdlnab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmglk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laiafl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poidhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijonfmbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoconenj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpknplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gammbfqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcojo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpnqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lelajb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gheodg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jflnafno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nalgbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkabefqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flcfnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meljappg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eohhie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oahgnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kallod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefmgogl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qffoejkg.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piolkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnenchoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohcmpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bampkqcn.dll" Decdeama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbcimhh.dll" Foakpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oleojm32.dll" Fjpoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikkqb32.dll" Jffokn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foeeml32.dll" Gfgjbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lelajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeeloaik.dll" Dlkplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efopjbjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbjeeion.dll" Enpknplq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cemeoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnapgjdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bndjfjhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfbhhfbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efbqkjgq.dll" Ehpmbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgemahmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckfofe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdadpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiiej32.dll" Kmjinjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhkelh32.dll" Dbdano32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fljedg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhiinbdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnnimbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jppphk32.dll" Dojlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foakpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eacaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkadoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anffje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkodak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hakidd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icciccmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmknd32.dll" Kgcqlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombkojfh.dll" Hjcojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbapom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igqbiacj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkaqh32.dll" Cifmoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgmiidl.dll" Cekhihig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adqeaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhoimi32.dll" Ciogobcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Diopep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oileakbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaihqipl.dll" Oeopnmoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kimgba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjipc32.dll" Kkabefqp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkadoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epgdch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhgefed.dll" Dhfcae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfljnejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmlafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hleneo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apgqie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oileakbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anjpeelk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eahjqicj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijgjpaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhhgmlli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogefqeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkkldg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhcjldl.dll" Qpkppbho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nejgbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oafacn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 232 wrote to memory of 416 232 Backdoor.Win32.Berbew.AA.exe 89 PID 232 wrote to memory of 416 232 Backdoor.Win32.Berbew.AA.exe 89 PID 232 wrote to memory of 416 232 Backdoor.Win32.Berbew.AA.exe 89 PID 416 wrote to memory of 2836 416 Ollljmhg.exe 90 PID 416 wrote to memory of 2836 416 Ollljmhg.exe 90 PID 416 wrote to memory of 2836 416 Ollljmhg.exe 90 PID 2836 wrote to memory of 1796 2836 Ocfdgg32.exe 91 PID 2836 wrote to memory of 1796 2836 Ocfdgg32.exe 91 PID 2836 wrote to memory of 1796 2836 Ocfdgg32.exe 91 PID 1796 wrote to memory of 3168 1796 Ohcmpn32.exe 92 PID 1796 wrote to memory of 3168 1796 Ohcmpn32.exe 92 PID 1796 wrote to memory of 3168 1796 Ohcmpn32.exe 92 PID 3168 wrote to memory of 2024 3168 Oomelheh.exe 93 PID 3168 wrote to memory of 2024 3168 Oomelheh.exe 93 PID 3168 wrote to memory of 2024 3168 Oomelheh.exe 93 PID 2024 wrote to memory of 1664 2024 Ofgmib32.exe 94 PID 2024 wrote to memory of 1664 2024 Ofgmib32.exe 94 PID 2024 wrote to memory of 1664 2024 Ofgmib32.exe 94 PID 1664 wrote to memory of 596 1664 Okceaikl.exe 95 PID 1664 wrote to memory of 596 1664 Okceaikl.exe 95 PID 1664 wrote to memory of 596 1664 Okceaikl.exe 95 PID 596 wrote to memory of 432 596 Ocknbglo.exe 96 PID 596 wrote to memory of 432 596 Ocknbglo.exe 96 PID 596 wrote to memory of 432 596 Ocknbglo.exe 96 PID 432 wrote to memory of 536 432 Omcbkl32.exe 97 PID 432 wrote to memory of 536 432 Omcbkl32.exe 97 PID 432 wrote to memory of 536 432 Omcbkl32.exe 97 PID 536 wrote to memory of 1896 536 Obpkcc32.exe 98 PID 536 wrote to memory of 1896 536 Obpkcc32.exe 98 PID 536 wrote to memory of 1896 536 Obpkcc32.exe 98 PID 1896 wrote to memory of 1500 1896 Oflfdbip.exe 99 PID 1896 wrote to memory of 1500 1896 Oflfdbip.exe 99 PID 1896 wrote to memory of 1500 1896 Oflfdbip.exe 99 PID 1500 wrote to memory of 3648 1500 Pcpgmf32.exe 100 PID 1500 wrote to memory of 3648 1500 Pcpgmf32.exe 100 PID 1500 wrote to memory of 3648 1500 Pcpgmf32.exe 100 PID 3648 wrote to memory of 2052 3648 Pilpfm32.exe 101 PID 3648 wrote to memory of 2052 3648 Pilpfm32.exe 101 PID 3648 wrote to memory of 2052 3648 Pilpfm32.exe 101 PID 2052 wrote to memory of 3480 2052 Pofhbgmn.exe 102 PID 2052 wrote to memory of 3480 2052 Pofhbgmn.exe 102 PID 2052 wrote to memory of 3480 2052 Pofhbgmn.exe 102 PID 3480 wrote to memory of 3308 3480 Pfppoa32.exe 103 PID 3480 wrote to memory of 3308 3480 Pfppoa32.exe 103 PID 3480 wrote to memory of 3308 3480 Pfppoa32.exe 103 PID 3308 wrote to memory of 3464 3308 Piolkm32.exe 104 PID 3308 wrote to memory of 3464 3308 Piolkm32.exe 104 PID 3308 wrote to memory of 3464 3308 Piolkm32.exe 104 PID 3464 wrote to memory of 3236 3464 Poidhg32.exe 105 PID 3464 wrote to memory of 3236 3464 Poidhg32.exe 105 PID 3464 wrote to memory of 3236 3464 Poidhg32.exe 105 PID 3236 wrote to memory of 2236 3236 Pfbmdabh.exe 106 PID 3236 wrote to memory of 2236 3236 Pfbmdabh.exe 106 PID 3236 wrote to memory of 2236 3236 Pfbmdabh.exe 106 PID 2236 wrote to memory of 3960 2236 Pmmeak32.exe 107 PID 2236 wrote to memory of 3960 2236 Pmmeak32.exe 107 PID 2236 wrote to memory of 3960 2236 Pmmeak32.exe 107 PID 3960 wrote to memory of 3124 3960 Pcfmneaa.exe 108 PID 3960 wrote to memory of 3124 3960 Pcfmneaa.exe 108 PID 3960 wrote to memory of 3124 3960 Pcfmneaa.exe 108 PID 3124 wrote to memory of 4908 3124 Piceflpi.exe 109 PID 3124 wrote to memory of 4908 3124 Piceflpi.exe 109 PID 3124 wrote to memory of 4908 3124 Piceflpi.exe 109 PID 4908 wrote to memory of 1400 4908 Pkabbgol.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Ollljmhg.exeC:\Windows\system32\Ollljmhg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\SysWOW64\Ocfdgg32.exeC:\Windows\system32\Ocfdgg32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Ohcmpn32.exeC:\Windows\system32\Ohcmpn32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Oomelheh.exeC:\Windows\system32\Oomelheh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Ofgmib32.exeC:\Windows\system32\Ofgmib32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Okceaikl.exeC:\Windows\system32\Okceaikl.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Ocknbglo.exeC:\Windows\system32\Ocknbglo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Obpkcc32.exeC:\Windows\system32\Obpkcc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Oflfdbip.exeC:\Windows\system32\Oflfdbip.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Pcpgmf32.exeC:\Windows\system32\Pcpgmf32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Pilpfm32.exeC:\Windows\system32\Pilpfm32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\Pofhbgmn.exeC:\Windows\system32\Pofhbgmn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Pfppoa32.exeC:\Windows\system32\Pfppoa32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Piolkm32.exeC:\Windows\system32\Piolkm32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Poidhg32.exeC:\Windows\system32\Poidhg32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\Pfbmdabh.exeC:\Windows\system32\Pfbmdabh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Pmmeak32.exeC:\Windows\system32\Pmmeak32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Pcfmneaa.exeC:\Windows\system32\Pcfmneaa.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Piceflpi.exeC:\Windows\system32\Piceflpi.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Pkabbgol.exeC:\Windows\system32\Pkabbgol.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Qfgfpp32.exeC:\Windows\system32\Qfgfpp32.exe23⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Qmanljfo.exeC:\Windows\system32\Qmanljfo.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Qihoak32.exeC:\Windows\system32\Qihoak32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1228 -
C:\Windows\SysWOW64\Qcncodki.exeC:\Windows\system32\Qcncodki.exe26⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Aeopfl32.exeC:\Windows\system32\Aeopfl32.exe27⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe28⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Apgqie32.exeC:\Windows\system32\Apgqie32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Almanf32.exeC:\Windows\system32\Almanf32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Apkjddke.exeC:\Windows\system32\Apkjddke.exe31⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Aidomjaf.exeC:\Windows\system32\Aidomjaf.exe32⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Bblcfo32.exeC:\Windows\system32\Bblcfo32.exe33⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Bclppboi.exeC:\Windows\system32\Bclppboi.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Bcnleb32.exeC:\Windows\system32\Bcnleb32.exe35⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Bbcignbo.exeC:\Windows\system32\Bbcignbo.exe36⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Bbefln32.exeC:\Windows\system32\Bbefln32.exe37⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe38⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Cefoni32.exeC:\Windows\system32\Cefoni32.exe39⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe40⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Cplckbmc.exeC:\Windows\system32\Cplckbmc.exe41⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Cffkhl32.exeC:\Windows\system32\Cffkhl32.exe42⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Cmpcdfll.exeC:\Windows\system32\Cmpcdfll.exe43⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Cekhihig.exeC:\Windows\system32\Cekhihig.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Cifdjg32.exeC:\Windows\system32\Cifdjg32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1312 -
C:\Windows\SysWOW64\Cpqlfa32.exeC:\Windows\system32\Cpqlfa32.exe47⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Cemeoh32.exeC:\Windows\system32\Cemeoh32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4640 -
C:\Windows\SysWOW64\Cpcila32.exeC:\Windows\system32\Cpcila32.exe49⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Cepadh32.exeC:\Windows\system32\Cepadh32.exe50⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe51⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Dbcbnlcl.exeC:\Windows\system32\Dbcbnlcl.exe52⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Dbfoclai.exeC:\Windows\system32\Dbfoclai.exe53⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Dipgpf32.exeC:\Windows\system32\Dipgpf32.exe54⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Dibdeegc.exeC:\Windows\system32\Dibdeegc.exe55⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Dpllbp32.exeC:\Windows\system32\Dpllbp32.exe56⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Dmplkd32.exeC:\Windows\system32\Dmplkd32.exe57⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Dghadidj.exeC:\Windows\system32\Dghadidj.exe58⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Digmqe32.exeC:\Windows\system32\Digmqe32.exe59⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Egknji32.exeC:\Windows\system32\Egknji32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe61⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Ecanojgl.exeC:\Windows\system32\Ecanojgl.exe62⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Emgblc32.exeC:\Windows\system32\Emgblc32.exe63⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Ecdkdj32.exeC:\Windows\system32\Ecdkdj32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3116 -
C:\Windows\SysWOW64\Eebgqe32.exeC:\Windows\system32\Eebgqe32.exe65⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Emioab32.exeC:\Windows\system32\Emioab32.exe66⤵PID:2656
-
C:\Windows\SysWOW64\Edcgnmml.exeC:\Windows\system32\Edcgnmml.exe67⤵PID:1008
-
C:\Windows\SysWOW64\Ecfhji32.exeC:\Windows\system32\Ecfhji32.exe68⤵PID:1084
-
C:\Windows\SysWOW64\Eippgckc.exeC:\Windows\system32\Eippgckc.exe69⤵PID:4468
-
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe70⤵
- System Location Discovery: System Language Discovery
PID:3372 -
C:\Windows\SysWOW64\Egdqph32.exeC:\Windows\system32\Egdqph32.exe71⤵PID:4368
-
C:\Windows\SysWOW64\Fnnimbaj.exeC:\Windows\system32\Fnnimbaj.exe72⤵
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Fdhail32.exeC:\Windows\system32\Fdhail32.exe73⤵
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Fckaeioa.exeC:\Windows\system32\Fckaeioa.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4816 -
C:\Windows\SysWOW64\Fjeibc32.exeC:\Windows\system32\Fjeibc32.exe75⤵PID:5156
-
C:\Windows\SysWOW64\Flcfnn32.exeC:\Windows\system32\Flcfnn32.exe76⤵
- System Location Discovery: System Language Discovery
PID:5212 -
C:\Windows\SysWOW64\Fcmnkh32.exeC:\Windows\system32\Fcmnkh32.exe77⤵PID:5272
-
C:\Windows\SysWOW64\Feljgd32.exeC:\Windows\system32\Feljgd32.exe78⤵PID:5316
-
C:\Windows\SysWOW64\Flfbcndo.exeC:\Windows\system32\Flfbcndo.exe79⤵PID:5356
-
C:\Windows\SysWOW64\Fgkfqgce.exeC:\Windows\system32\Fgkfqgce.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5400 -
C:\Windows\SysWOW64\Flhoinbl.exeC:\Windows\system32\Flhoinbl.exe81⤵PID:5452
-
C:\Windows\SysWOW64\Fpckjlje.exeC:\Windows\system32\Fpckjlje.exe82⤵PID:5504
-
C:\Windows\SysWOW64\Fdadpk32.exeC:\Windows\system32\Fdadpk32.exe83⤵
- Modifies registry class
PID:5548 -
C:\Windows\SysWOW64\Glmhdm32.exeC:\Windows\system32\Glmhdm32.exe84⤵PID:5592
-
C:\Windows\SysWOW64\Gjqinamq.exeC:\Windows\system32\Gjqinamq.exe85⤵
- System Location Discovery: System Language Discovery
PID:5636 -
C:\Windows\SysWOW64\Gfgjbb32.exeC:\Windows\system32\Gfgjbb32.exe86⤵
- Modifies registry class
PID:5688 -
C:\Windows\SysWOW64\Gnoacp32.exeC:\Windows\system32\Gnoacp32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5760 -
C:\Windows\SysWOW64\Gmdoel32.exeC:\Windows\system32\Gmdoel32.exe88⤵PID:5808
-
C:\Windows\SysWOW64\Ggicbe32.exeC:\Windows\system32\Ggicbe32.exe89⤵PID:5852
-
C:\Windows\SysWOW64\Gflcnanp.exeC:\Windows\system32\Gflcnanp.exe90⤵PID:5892
-
C:\Windows\SysWOW64\Hdppaidl.exeC:\Windows\system32\Hdppaidl.exe91⤵PID:5940
-
C:\Windows\SysWOW64\Hcbpme32.exeC:\Windows\system32\Hcbpme32.exe92⤵PID:5984
-
C:\Windows\SysWOW64\Hcembe32.exeC:\Windows\system32\Hcembe32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6032 -
C:\Windows\SysWOW64\Hqimlihn.exeC:\Windows\system32\Hqimlihn.exe94⤵PID:6076
-
C:\Windows\SysWOW64\Hmpnqj32.exeC:\Windows\system32\Hmpnqj32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6120 -
C:\Windows\SysWOW64\Hcifmdeo.exeC:\Windows\system32\Hcifmdeo.exe96⤵PID:4472
-
C:\Windows\SysWOW64\Hjcojo32.exeC:\Windows\system32\Hjcojo32.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5264 -
C:\Windows\SysWOW64\Hqmggi32.exeC:\Windows\system32\Hqmggi32.exe98⤵PID:5348
-
C:\Windows\SysWOW64\Hclccd32.exeC:\Windows\system32\Hclccd32.exe99⤵PID:5436
-
C:\Windows\SysWOW64\Ifjoop32.exeC:\Windows\system32\Ifjoop32.exe100⤵PID:5516
-
C:\Windows\SysWOW64\Ijfkpnji.exeC:\Windows\system32\Ijfkpnji.exe101⤵PID:5576
-
C:\Windows\SysWOW64\Icnphd32.exeC:\Windows\system32\Icnphd32.exe102⤵PID:5644
-
C:\Windows\SysWOW64\Ifmldo32.exeC:\Windows\system32\Ifmldo32.exe103⤵PID:5744
-
C:\Windows\SysWOW64\Incdem32.exeC:\Windows\system32\Incdem32.exe104⤵PID:5816
-
C:\Windows\SysWOW64\Ienlbf32.exeC:\Windows\system32\Ienlbf32.exe105⤵PID:5876
-
C:\Windows\SysWOW64\Ijjekn32.exeC:\Windows\system32\Ijjekn32.exe106⤵
- System Location Discovery: System Language Discovery
PID:5952 -
C:\Windows\SysWOW64\Imiagi32.exeC:\Windows\system32\Imiagi32.exe107⤵PID:6024
-
C:\Windows\SysWOW64\Icciccmd.exeC:\Windows\system32\Icciccmd.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6092 -
C:\Windows\SysWOW64\Ijmapm32.exeC:\Windows\system32\Ijmapm32.exe109⤵
- Modifies registry class
PID:5164 -
C:\Windows\SysWOW64\Iqgjmg32.exeC:\Windows\system32\Iqgjmg32.exe110⤵
- System Location Discovery: System Language Discovery
PID:5344 -
C:\Windows\SysWOW64\Igqbiacj.exeC:\Windows\system32\Igqbiacj.exe111⤵
- Modifies registry class
PID:5448 -
C:\Windows\SysWOW64\Ijonfmbn.exeC:\Windows\system32\Ijonfmbn.exe112⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5580 -
C:\Windows\SysWOW64\Iaifbg32.exeC:\Windows\system32\Iaifbg32.exe113⤵PID:1184
-
C:\Windows\SysWOW64\Jffokn32.exeC:\Windows\system32\Jffokn32.exe114⤵
- Modifies registry class
PID:5848 -
C:\Windows\SysWOW64\Jnmglk32.exeC:\Windows\system32\Jnmglk32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5936 -
C:\Windows\SysWOW64\Jcjodbgl.exeC:\Windows\system32\Jcjodbgl.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6088 -
C:\Windows\SysWOW64\Jjdgal32.exeC:\Windows\system32\Jjdgal32.exe117⤵PID:5184
-
C:\Windows\SysWOW64\Jmbdmg32.exeC:\Windows\system32\Jmbdmg32.exe118⤵PID:5412
-
C:\Windows\SysWOW64\Jeilne32.exeC:\Windows\system32\Jeilne32.exe119⤵PID:5608
-
C:\Windows\SysWOW64\Jnapgjdo.exeC:\Windows\system32\Jnapgjdo.exe120⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5804 -
C:\Windows\SysWOW64\Jelhcd32.exeC:\Windows\system32\Jelhcd32.exe121⤵PID:5968
-
C:\Windows\SysWOW64\Jgjeppkp.exeC:\Windows\system32\Jgjeppkp.exe122⤵PID:5148
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-