Analysis
max time kernel: 111s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/09/2024, 03:43
Static task: static1
Behavioral task: behavioral1
Sample: TrojanDownloader.Win32.Berbew.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: TrojanDownloader.Win32.Berbew.exe
Resource: win10v2004-20240802-en
General
Target: TrojanDownloader.Win32.Berbew.exe
Size: 448KB
MD5: 834b890f8e1864a9a459e0d4c43b93b0
SHA1: 50a2a54b613eb11716a1c3d36622d1ab7a5c39d9
SHA256: 5f877a2f03dec9d286871ca4e6339477a598918e9630bd6e434ad1e5a616ef6e
SHA512: 9aa669b9108689d5606f0e78f9d266327d8b966d8f49c2a49c6b60ffc2578ce504440e5d3023a9aa6442c92fd2ee7a267b97d8827a27016500693939b19db390
SSDEEP: 6144:KCU5k/JNvqynxiLUmKyIxLDXXoq9FJZCUmKyIxL:KCU5k/Tvz832XXf9Do3
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oaogna32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agkdog32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekkhfona.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbcblp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iggnhmfa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amllok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Miebgcac.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pldpqj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bomhjamh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Adfdkehi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eecjflmn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Miaofjid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oligob32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kncegnjm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Doonfomb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Daobjeak.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cqohdkfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdmeoc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gomggcke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbgemh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Miaofjid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fabfge32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkpalkmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qjkdjded.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mbdcijpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lgplqmim.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lbmebn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gncaml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Agkdog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dclqad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Odoedhlc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bdmeoc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddfalohd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fodaeqlc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nbdlph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mlelhk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hdmbpc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlmomf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjnlci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aalaji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pqmgelkc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfofhodf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oicnha32.exe
Executes dropped EXE (64 IoCs)
pid | Process
4076 | Kpefpd32.exe
2228 | Kbcblp32.exe
5132 | Kjkjnm32.exe
5504 | Kpjpkchn.exe
3172 | Kbhlgoga.exe
2212 | Kkodilhc.exe
5440 | Kpllacfk.exe
5412 | Kbjhmoeo.exe
5400 | Lmpmjgee.exe
5964 | Lpoifc32.exe
2284 | Lbmebn32.exe
2156 | Lghacmle.exe
6012 | Ligmohki.exe
6112 | Lmbipg32.exe
5124 | Lpaflb32.exe
6084 | Lcobhn32.exe
5876 | Lkfjik32.exe
5960 | Lmefeg32.exe
5144 | Lpcbabpc.exe
5908 | Lcaonnog.exe
5816 | Lkifokpi.exe
3232 | Lilgjh32.exe
3552 | Lmgckfom.exe
1580 | Labole32.exe
3972 | Ldakhq32.exe
4512 | Lcdkcmmd.exe
3756 | Lgpgdl32.exe
1180 | Lkkcdjnf.exe
4004 | Lincpg32.exe
4028 | Lmipqfmj.exe
2664 | Lphlmaln.exe
5608 | Ldchmpdg.exe
5292 | Mcfhim32.exe
2832 | Mgbdilck.exe
5720 | Mippegbn.exe
3644 | Mmllfe32.exe
2380 | Mpjhba32.exe
5424 | Mdfdcpbd.exe
3460 | Mcienm32.exe
640 | Mkpmpj32.exe
1316 | Mibmkfql.exe
5436 | Majeldan.exe
2736 | Mpmehq32.exe
5632 | Mckadl32.exe
1344 | Mgfmdk32.exe
4736 | Miejqf32.exe
5756 | Malabc32.exe
5468 | Mpobmqff.exe
2900 | Mcmnilei.exe
5088 | Mkdfkiel.exe
5384 | Mjgfff32.exe
884 | Manngc32.exe
1876 | Mdmkco32.exe
2652 | Mcpkolcg.exe
2276 | Mkgcpi32.exe
3352 | Mneold32.exe
4268 | Mpckhp32.exe
2456 | Ncbgdk32.exe
2948 | Nkipfh32.exe
3248 | Njlpaeha.exe
3720 | Nachbbic.exe
764 | Ndadonhg.exe
4120 | Ngppkigk.exe
2780 | Nkklkhpc.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Fplmcahn.exe | Fibegg32.exe
File opened for modification | C:\Windows\SysWOW64\Jdfgcihb.exe | Jjacfqhl.exe
File opened for modification | C:\Windows\SysWOW64\Joeghled.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Hiebiacf.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Pnmemi32.exe | Process not Found
File created | C:\Windows\SysWOW64\Ienpdbgh.exe | Process not Found
File created | C:\Windows\SysWOW64\Igaebkjb.dll | Bdmeoc32.exe
File created | C:\Windows\SysWOW64\Fgjejehf.dll | Cjlfhp32.exe
File created | C:\Windows\SysWOW64\Gnjgcgog.dll | Qaqaoj32.exe
File created | C:\Windows\SysWOW64\Oihgcqan.exe | Okggei32.exe
File created | C:\Windows\SysWOW64\Lnbell32.dll | Gdqephda.exe
File created | C:\Windows\SysWOW64\Pfogff32.dll | Process not Found
File created | C:\Windows\SysWOW64\Aaamdnhd.dll | Aabigiik.exe
File opened for modification | C:\Windows\SysWOW64\Iiedgg32.exe | Ikadnb32.exe
File created | C:\Windows\SysWOW64\Mlfcaodd.dll | Jaaefo32.exe
File created | C:\Windows\SysWOW64\Qmneagjl.dll | Process not Found
File created | C:\Windows\SysWOW64\Nhnaoedj.dll | Gdefdkma.exe
File created | C:\Windows\SysWOW64\Jnkikf32.exe | Jgaaolog.exe
File created | C:\Windows\SysWOW64\Ppjmkp32.exe | Pipdnfoa.exe
File opened for modification | C:\Windows\SysWOW64\Nkbblg32.exe | Nggfkhab.exe
File created | C:\Windows\SysWOW64\Bgamfdao.dll | Nappaokb.exe
File created | C:\Windows\SysWOW64\Fnaidmnc.exe | Process not Found
File created | C:\Windows\SysWOW64\Efjojgfm.exe | Eppfmm32.exe
File created | C:\Windows\SysWOW64\Mqhbfj32.exe | Process not Found
File created | C:\Windows\SysWOW64\Mmqocl32.dll | Process not Found
File created | C:\Windows\SysWOW64\Phlgpa32.exe | Penkdfnn.exe
File opened for modification | C:\Windows\SysWOW64\Dpenld32.exe | Dikfokel.exe
File opened for modification | C:\Windows\SysWOW64\Mcienm32.exe | Mdfdcpbd.exe
File opened for modification | C:\Windows\SysWOW64\Cageopcg.exe | Cgoqfj32.exe
File opened for modification | C:\Windows\SysWOW64\Jfpdgc32.exe | Joflji32.exe
File created | C:\Windows\SysWOW64\Mippegbn.exe | Mgbdilck.exe
File created | C:\Windows\SysWOW64\Bnjhpidl.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Fiojlk32.exe | Process not Found
File created | C:\Windows\SysWOW64\Jioedf32.dll | Achkcbcc.exe
File created | C:\Windows\SysWOW64\Lpkolfoc.exe | Leejon32.exe
File created | C:\Windows\SysWOW64\Nimobhog.exe | Nfobfmpc.exe
File opened for modification | C:\Windows\SysWOW64\Kqmhhjmf.exe | Kjcpkpfi.exe
File created | C:\Windows\SysWOW64\Adcgbbki.dll | Kdbgohne.exe
File created | C:\Windows\SysWOW64\Okhbkbpd.dll | Nkbblg32.exe
File opened for modification | C:\Windows\SysWOW64\Gomggcke.exe | Glnkkhla.exe
File created | C:\Windows\SysWOW64\Eaqall32.exe | Ehhlcgfi.exe
File opened for modification | C:\Windows\SysWOW64\Coodpa32.exe | Bhelcg32.exe
File created | C:\Windows\SysWOW64\Kolgod32.exe | Process not Found
File created | C:\Windows\SysWOW64\Mllpke32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Mjldnf32.exe | Mgnhak32.exe
File created | C:\Windows\SysWOW64\Njogkeib.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Eojfhgoi.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Dhjpbi32.exe | Deldfm32.exe
File opened for modification | C:\Windows\SysWOW64\Dmiepoon.exe | Dfomce32.exe
File opened for modification | C:\Windows\SysWOW64\Lklokbea.exe | Kdbgohne.exe
File opened for modification | C:\Windows\SysWOW64\Njgmon32.exe | Process not Found
File created | C:\Windows\SysWOW64\Nmcmcogg.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gfpicoii.exe | Goeagd32.exe
File created | C:\Windows\SysWOW64\Phdbhafc.dll | Mpiahk32.exe
File opened for modification | C:\Windows\SysWOW64\Ppjcef32.exe | Ogbomqci.exe
File opened for modification | C:\Windows\SysWOW64\Mjkgij32.exe | Process not Found
File created | C:\Windows\SysWOW64\Nckabn32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Labole32.exe | Lmgckfom.exe
File created | C:\Windows\SysWOW64\Fiiihddf.dll | Lbkqckhi.exe
File created | C:\Windows\SysWOW64\Dddicqmf.exe | Process not Found
File created | C:\Windows\SysWOW64\Oqhdbalq.exe | Process not Found
File created | C:\Windows\SysWOW64\Hnkheg32.dll | Anlpphmc.exe
File created | C:\Windows\SysWOW64\Apeiajhh.dll | Nemifjkc.exe
File created | C:\Windows\SysWOW64\Ibgjhe32.exe | Process not Found
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
14664 | 14588 | Process not Found | 1554
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jildmojo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eifnqbgc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eaidag32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efeeog32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Albega32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbmcpo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oghellhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgpfac32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lkifokpi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhjpbi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pldpqj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpckhp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkkbja32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Neeebc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blnlnfnd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bchldcbg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dbedeg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfedliho.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmipcdom.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lndnnllk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acennc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnmjjd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acllhe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chadfp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Daobjeak.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhkkfa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Empdfh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ekkhfona.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbhjdpgk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngfpabng.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eecjflmn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Labole32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llfilgqb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlmhbp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jeckmgco.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kppfkn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ogbomqci.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnfkcljh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agelcdgp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddfalohd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ekecdikl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaajcjog.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lipoefdk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjflna32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opejjgno.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lepkbdlk.dll" | Qjkdjded.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkaijn32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igikkq32.dll" | Fogeefmm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pgfhhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljeogdb.dll" | Eecjflmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnklegpk.dll" | Qaceoqqf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkeogc32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aegogihl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jdbnhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oaphhmmp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlfdo32.dll" | Ojlihc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Knfaln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eakbmqap.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopaok32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngaekh32.dll" | Dpgkadjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boodaich.dll" | Ijnmicha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmhid32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmehokbj.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcpohjha.dll" | Niilao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfppliag.dll" | Ngfpabng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lnkkgmde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkdbm32.dll" | Igaghaco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coaggh32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mfamoe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dikfokel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Npheconk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qkokoc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nkipfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcmcjj32.dll" | Gfkpho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mlmhbp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ajpmec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefkok32.dll" | Eppfmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdaok32.dll" | Hbhofdgf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ohmnjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oalomn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pglimeok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iichag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onddfjob.dll" | Fnqdgljc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oihgcqan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpifegko.dll" | Jngoqjqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Knieldjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bfpjfmjm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Knhggg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qimelf32.dll" | Jfedliho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Plcapg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfjpmngf.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aopacm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oobdhmjl.dll" | Mcfhim32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ccggfdmm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gghbek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jjofpa32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4992 wrote to memory of 4076 | 4992 | TrojanDownloader.Win32.Berbew.exe | 84
PID 4992 wrote to memory of 4076 | 4992 | TrojanDownloader.Win32.Berbew.exe | 84
PID 4992 wrote to memory of 4076 | 4992 | TrojanDownloader.Win32.Berbew.exe | 84
PID 4076 wrote to memory of 2228 | 4076 | Kpefpd32.exe | 85
PID 4076 wrote to memory of 2228 | 4076 | Kpefpd32.exe | 85
PID 4076 wrote to memory of 2228 | 4076 | Kpefpd32.exe | 85
PID 2228 wrote to memory of 5132 | 2228 | Kbcblp32.exe | 86
PID 2228 wrote to memory of 5132 | 2228 | Kbcblp32.exe | 86
PID 2228 wrote to memory of 5132 | 2228 | Kbcblp32.exe | 86
PID 5132 wrote to memory of 5504 | 5132 | Kjkjnm32.exe | 87
PID 5132 wrote to memory of 5504 | 5132 | Kjkjnm32.exe | 87
PID 5132 wrote to memory of 5504 | 5132 | Kjkjnm32.exe | 87
PID 5504 wrote to memory of 3172 | 5504 | Kpjpkchn.exe | 88
PID 5504 wrote to memory of 3172 | 5504 | Kpjpkchn.exe | 88
PID 5504 wrote to memory of 3172 | 5504 | Kpjpkchn.exe | 88
PID 3172 wrote to memory of 2212 | 3172 | Kbhlgoga.exe | 89
PID 3172 wrote to memory of 2212 | 3172 | Kbhlgoga.exe | 89
PID 3172 wrote to memory of 2212 | 3172 | Kbhlgoga.exe | 89
PID 2212 wrote to memory of 5440 | 2212 | Kkodilhc.exe | 90
PID 2212 wrote to memory of 5440 | 2212 | Kkodilhc.exe | 90
PID 2212 wrote to memory of 5440 | 2212 | Kkodilhc.exe | 90
PID 5440 wrote to memory of 5412 | 5440 | Kpllacfk.exe | 91
PID 5440 wrote to memory of 5412 | 5440 | Kpllacfk.exe | 91
PID 5440 wrote to memory of 5412 | 5440 | Kpllacfk.exe | 91
PID 5412 wrote to memory of 5400 | 5412 | Kbjhmoeo.exe | 92
PID 5412 wrote to memory of 5400 | 5412 | Kbjhmoeo.exe | 92
PID 5412 wrote to memory of 5400 | 5412 | Kbjhmoeo.exe | 92
PID 5400 wrote to memory of 5964 | 5400 | Lmpmjgee.exe | 93
PID 5400 wrote to memory of 5964 | 5400 | Lmpmjgee.exe | 93
PID 5400 wrote to memory of 5964 | 5400 | Lmpmjgee.exe | 93
PID 5964 wrote to memory of 2284 | 5964 | Lpoifc32.exe | 94
PID 5964 wrote to memory of 2284 | 5964 | Lpoifc32.exe | 94
PID 5964 wrote to memory of 2284 | 5964 | Lpoifc32.exe | 94
PID 2284 wrote to memory of 2156 | 2284 | Lbmebn32.exe | 95
PID 2284 wrote to memory of 2156 | 2284 | Lbmebn32.exe | 95
PID 2284 wrote to memory of 2156 | 2284 | Lbmebn32.exe | 95
PID 2156 wrote to memory of 6012 | 2156 | Lghacmle.exe | 96
PID 2156 wrote to memory of 6012 | 2156 | Lghacmle.exe | 96
PID 2156 wrote to memory of 6012 | 2156 | Lghacmle.exe | 96
PID 6012 wrote to memory of 6112 | 6012 | Ligmohki.exe | 97
PID 6012 wrote to memory of 6112 | 6012 | Ligmohki.exe | 97
PID 6012 wrote to memory of 6112 | 6012 | Ligmohki.exe | 97
PID 6112 wrote to memory of 5124 | 6112 | Lmbipg32.exe | 98
PID 6112 wrote to memory of 5124 | 6112 | Lmbipg32.exe | 98
PID 6112 wrote to memory of 5124 | 6112 | Lmbipg32.exe | 98
PID 5124 wrote to memory of 6084 | 5124 | Lpaflb32.exe | 99
PID 5124 wrote to memory of 6084 | 5124 | Lpaflb32.exe | 99
PID 5124 wrote to memory of 6084 | 5124 | Lpaflb32.exe | 99
PID 6084 wrote to memory of 5876 | 6084 | Lcobhn32.exe | 100
PID 6084 wrote to memory of 5876 | 6084 | Lcobhn32.exe | 100
PID 6084 wrote to memory of 5876 | 6084 | Lcobhn32.exe | 100
PID 5876 wrote to memory of 5960 | 5876 | Lkfjik32.exe | 101
PID 5876 wrote to memory of 5960 | 5876 | Lkfjik32.exe | 101
PID 5876 wrote to memory of 5960 | 5876 | Lkfjik32.exe | 101
PID 5960 wrote to memory of 5144 | 5960 | Lmefeg32.exe | 102
PID 5960 wrote to memory of 5144 | 5960 | Lmefeg32.exe | 102
PID 5960 wrote to memory of 5144 | 5960 | Lmefeg32.exe | 102
PID 5144 wrote to memory of 5908 | 5144 | Lpcbabpc.exe | 103
PID 5144 wrote to memory of 5908 | 5144 | Lpcbabpc.exe | 103
PID 5144 wrote to memory of 5908 | 5144 | Lpcbabpc.exe | 103
PID 5908 wrote to memory of 5816 | 5908 | Lcaonnog.exe | 104
PID 5908 wrote to memory of 5816 | 5908 | Lcaonnog.exe | 104
PID 5908 wrote to memory of 5816 | 5908 | Lcaonnog.exe | 104
PID 5816 wrote to memory of 3232 | 5816 | Lkifokpi.exe | 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe (level 1, PID 4992; command line: "C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe")
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kpefpd32.exe (level 2, PID 4076; command line: C:\Windows\system32\Kpefpd32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kbcblp32.exe (level 3, PID 2228; command line: C:\Windows\system32\Kbcblp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kjkjnm32.exe (level 4, PID 5132; command line: C:\Windows\system32\Kjkjnm32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kpjpkchn.exe (level 5, PID 5504; command line: C:\Windows\system32\Kpjpkchn.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kbhlgoga.exe (level 6, PID 3172; command line: C:\Windows\system32\Kbhlgoga.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kkodilhc.exe (level 7, PID 2212; command line: C:\Windows\system32\Kkodilhc.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kpllacfk.exe (level 8, PID 5440; command line: C:\Windows\system32\Kpllacfk.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kbjhmoeo.exe (level 9, PID 5412; command line: C:\Windows\system32\Kbjhmoeo.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lmpmjgee.exe (level 10, PID 5400; command line: C:\Windows\system32\Lmpmjgee.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lpoifc32.exe (level 11, PID 5964; command line: C:\Windows\system32\Lpoifc32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lbmebn32.exe (level 12, PID 2284; command line: C:\Windows\system32\Lbmebn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lghacmle.exe (level 13, PID 2156; command line: C:\Windows\system32\Lghacmle.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ligmohki.exe (level 14, PID 6012; command line: C:\Windows\system32\Ligmohki.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lmbipg32.exe (level 15, PID 6112; command line: C:\Windows\system32\Lmbipg32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lpaflb32.exe (level 16, PID 5124; command line: C:\Windows\system32\Lpaflb32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lcobhn32.exe (level 17, PID 6084; command line: C:\Windows\system32\Lcobhn32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lkfjik32.exe (level 18, PID 5876; command line: C:\Windows\system32\Lkfjik32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lmefeg32.exe (level 19, PID 5960; command line: C:\Windows\system32\Lmefeg32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lpcbabpc.exe (level 20, PID 5144; command line: C:\Windows\system32\Lpcbabpc.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lcaonnog.exe (level 21, PID 5908; command line: C:\Windows\system32\Lcaonnog.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lkifokpi.exe (level 22, PID 5816; command line: C:\Windows\system32\Lkifokpi.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lilgjh32.exe (level 23, PID 3232; command line: C:\Windows\system32\Lilgjh32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Lmgckfom.exe (level 24, PID 3552; command line: C:\Windows\system32\Lmgckfom.exe)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Labole32.exe (level 25, PID 1580; command line: C:\Windows\system32\Labole32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Ldakhq32.exe (level 26, PID 3972; command line: C:\Windows\system32\Ldakhq32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Lcdkcmmd.exe (level 27, PID 4512; command line: C:\Windows\system32\Lcdkcmmd.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Lgpgdl32.exe (level 28, PID 3756; command line: C:\Windows\system32\Lgpgdl32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Lkkcdjnf.exe (level 29, PID 1180; command line: C:\Windows\system32\Lkkcdjnf.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Lincpg32.exe (level 30, PID 4004; command line: C:\Windows\system32\Lincpg32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Lmipqfmj.exe (level 31, PID 4028; command line: C:\Windows\system32\Lmipqfmj.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Lphlmaln.exe (level 32, PID 2664; command line: C:\Windows\system32\Lphlmaln.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Ldchmpdg.exe (level 33, PID 5608; command line: C:\Windows\system32\Ldchmpdg.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mcfhim32.exe (level 34, PID 5292; command line: C:\Windows\system32\Mcfhim32.exe)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Mgbdilck.exe (level 35, PID 2832; command line: C:\Windows\system32\Mgbdilck.exe)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Mippegbn.exe (level 36, PID 5720; command line: C:\Windows\system32\Mippegbn.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mmllfe32.exe (level 37, PID 3644; command line: C:\Windows\system32\Mmllfe32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mpjhba32.exe (level 38, PID 2380; command line: C:\Windows\system32\Mpjhba32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mdfdcpbd.exe (level 39, PID 5424; command line: C:\Windows\system32\Mdfdcpbd.exe)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Mcienm32.exe (level 40, PID 3460; command line: C:\Windows\system32\Mcienm32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mkpmpj32.exe (level 41, PID 640; command line: C:\Windows\system32\Mkpmpj32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mibmkfql.exe (level 42, PID 1316; command line: C:\Windows\system32\Mibmkfql.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Majeldan.exe (level 43, PID 5436; command line: C:\Windows\system32\Majeldan.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mpmehq32.exe (level 44, PID 2736; command line: C:\Windows\system32\Mpmehq32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mckadl32.exe (level 45, PID 5632; command line: C:\Windows\system32\Mckadl32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mgfmdk32.exe (level 46, PID 1344; command line: C:\Windows\system32\Mgfmdk32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Miejqf32.exe (level 47, PID 4736; command line: C:\Windows\system32\Miejqf32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Malabc32.exe (level 48, PID 5756; command line: C:\Windows\system32\Malabc32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mpobmqff.exe (level 49, PID 5468; command line: C:\Windows\system32\Mpobmqff.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mcmnilei.exe (level 50, PID 2900; command line: C:\Windows\system32\Mcmnilei.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mkdfkiel.exe (level 51, PID 5088; command line: C:\Windows\system32\Mkdfkiel.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mjgfff32.exe (level 52, PID 5384; command line: C:\Windows\system32\Mjgfff32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Manngc32.exe (level 53, PID 884; command line: C:\Windows\system32\Manngc32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mdmkco32.exe (level 54, PID 1876; command line: C:\Windows\system32\Mdmkco32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mcpkolcg.exe (level 55, PID 2652; command line: C:\Windows\system32\Mcpkolcg.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mkgcpi32.exe (level 56, PID 2276; command line: C:\Windows\system32\Mkgcpi32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mneold32.exe (level 57, PID 3352; command line: C:\Windows\system32\Mneold32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Mpckhp32.exe (level 58, PID 4268; command line: C:\Windows\system32\Mpckhp32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Ncbgdk32.exe (level 59, PID 2456; command line: C:\Windows\system32\Ncbgdk32.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Nkipfh32.exe (level 60, PID 2948; command line: C:\Windows\system32\Nkipfh32.exe)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Njlpaeha.exe (level 61, PID 3248; command line: C:\Windows\system32\Njlpaeha.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Nachbbic.exe (level 62, PID 3720; command line: C:\Windows\system32\Nachbbic.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Ndadonhg.exe (level 63, PID 764; command line: C:\Windows\system32\Ndadonhg.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Ngppkigk.exe (level 64, PID 4120; command line: C:\Windows\system32\Ngppkigk.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Nkklkhpc.exe (level 65, PID 2780; command line: C:\Windows\system32\Nkklkhpc.exe)
- Executes dropped EXE
C:\Windows\SysWOW64\Nnjhgcog.exe (level 66, PID 2224; command line: C:\Windows\system32\Nnjhgcog.exe)
C:\Windows\SysWOW64\Npheconk.exe (level 67, PID 4012; command line: C:\Windows\system32\Npheconk.exe)
- Modifies registry class
C:\Windows\SysWOW64\Nddqdn32.exe (level 68, PID 2056; command line: C:\Windows\system32\Nddqdn32.exe)
C:\Windows\SysWOW64\Ngbmpi32.exe (level 69, PID 4732; command line: C:\Windows\system32\Ngbmpi32.exe)
C:\Windows\SysWOW64\Njqild32.exe (level 70, PID 4148; command line: C:\Windows\system32\Njqild32.exe)
C:\Windows\SysWOW64\Nahanb32.exe (level 71, PID 4128; command line: C:\Windows\system32\Nahanb32.exe)
C:\Windows\SysWOW64\Npkaiolh.exe (level 72, PID 5156; command line: C:\Windows\system32\Npkaiolh.exe)
C:\Windows\SysWOW64\Ncinejkl.exe (level 73, PID 3944; command line: C:\Windows\system32\Ncinejkl.exe)
C:\Windows\SysWOW64\Nkpffgkn.exe (level 74, PID 668; command line: C:\Windows\system32\Nkpffgkn.exe)
C:\Windows\SysWOW64\Njcfbd32.exe (level 75, PID 964; command line: C:\Windows\system32\Njcfbd32.exe)
C:\Windows\SysWOW64\Najncack.exe (level 76, PID 5536; command line: C:\Windows\system32\Najncack.exe)
C:\Windows\SysWOW64\Ndhjombo.exe (level 77, PID 1324; command line: C:\Windows\system32\Ndhjombo.exe)
C:\Windows\SysWOW64\Nggfkhab.exe (level 78, PID 2804; command line: C:\Windows\system32\Nggfkhab.exe)
- Drops file in System32 directory
C:\Windows\SysWOW64\Nkbblg32.exe (level 79, PID 5188; command line: C:\Windows\system32\Nkbblg32.exe)
- Drops file in System32 directory
C:\Windows\SysWOW64\Nnaohb32.exe (level 80, PID 6032; command line: C:\Windows\system32\Nnaohb32.exe)
C:\Windows\SysWOW64\Oqokdn32.exe (level 81, PID 6076; command line: C:\Windows\system32\Oqokdn32.exe)
C:\Windows\SysWOW64\Ocngpi32.exe (level 82, PID 5892; command line: C:\Windows\system32\Ocngpi32.exe)
C:\Windows\SysWOW64\Ogicahop.exe (level 83, PID 2712; command line: C:\Windows\system32\Ogicahop.exe)
C:\Windows\SysWOW64\Ojhomcnc.exe (level 84, PID 5836; command line: C:\Windows\system32\Ojhomcnc.exe)
C:\Windows\SysWOW64\Oaogna32.exe (level 85, PID 1468; command line: C:\Windows\system32\Oaogna32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Odmcjl32.exe (level 86, PID 2028; command line: C:\Windows\system32\Odmcjl32.exe)
C:\Windows\SysWOW64\Ocpdfied.exe (level 87, PID 4400; command line: C:\Windows\system32\Ocpdfied.exe)
C:\Windows\SysWOW64\Okglgfef.exe (level 88, PID 1220; command line: C:\Windows\system32\Okglgfef.exe)
C:\Windows\SysWOW64\Onehcbdj.exe (level 89, PID 2680; command line: C:\Windows\system32\Onehcbdj.exe)
C:\Windows\SysWOW64\Oqddomcn.exe (level 90, PID 5612; command line: C:\Windows\system32\Oqddomcn.exe)
C:\Windows\SysWOW64\Odpppl32.exe (level 91, PID 5268; command line: C:\Windows\system32\Odpppl32.exe)
C:\Windows\SysWOW64\Ognmlg32.exe (level 92, PID 4920; command line: C:\Windows\system32\Ognmlg32.exe)
C:\Windows\SysWOW64\Ojlihc32.exe (level 93, PID 540; command line: C:\Windows\system32\Ojlihc32.exe)
- Modifies registry class
C:\Windows\SysWOW64\Onheiabg.exe (level 94, PID 5320; command line: C:\Windows\system32\Onheiabg.exe)
C:\Windows\SysWOW64\Odbmeljd.exe (level 95, PID 1800; command line: C:\Windows\system32\Odbmeljd.exe)
C:\Windows\SysWOW64\Ojoenbhl.exe (level 96, PID 3292; command line: C:\Windows\system32\Ojoenbhl.exe)
C:\Windows\SysWOW64\Onjana32.exe (level 97, PID 5880; command line: C:\Windows\system32\Onjana32.exe)
C:\Windows\SysWOW64\Oqinjm32.exe (level 98, PID 4480; command line: C:\Windows\system32\Oqinjm32.exe)
C:\Windows\SysWOW64\Ocgjfh32.exe (level 99, PID 4972; command line: C:\Windows\system32\Ocgjfh32.exe)
C:\Windows\SysWOW64\Oknbhe32.exe (level 100, PID 5952; command line: C:\Windows\system32\Oknbhe32.exe)
C:\Windows\SysWOW64\Onmnda32.exe (level 101, PID 1256; command line: C:\Windows\system32\Onmnda32.exe)
C:\Windows\SysWOW64\Pbhjdpgk.exe (level 102, PID 1260; command line: C:\Windows\system32\Pbhjdpgk.exe)
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Pdffqk32.exe (level 103, PID 1724; command line: C:\Windows\system32\Pdffqk32.exe)
C:\Windows\SysWOW64\Pgebmf32.exe (level 104, PID 5472; command line: C:\Windows\system32\Pgebmf32.exe)
C:\Windows\SysWOW64\Pjcoib32.exe (level 105, PID 2528; command line: C:\Windows\system32\Pjcoib32.exe)
C:\Windows\SysWOW64\Pnokiqlo.exe (level 106, PID 3592; command line: C:\Windows\system32\Pnokiqlo.exe)
C:\Windows\SysWOW64\Pqmgelkc.exe (level 107, PID 2952; command line: C:\Windows\system32\Pqmgelkc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Pclcagkg.exe (level 108, PID 4756; command line: C:\Windows\system32\Pclcagkg.exe)
C:\Windows\SysWOW64\Pkckceki.exe (level 109, PID 3772; command line: C:\Windows\system32\Pkckceki.exe)
C:\Windows\SysWOW64\Pjflna32.exe (level 110, PID 4344; command line: C:\Windows\system32\Pjflna32.exe)
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Pbmcpo32.exe (level 111, PID 5788; command line: C:\Windows\system32\Pbmcpo32.exe)
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Pdkplj32.exe (level 112, PID 5152; command line: C:\Windows\system32\Pdkplj32.exe)
C:\Windows\SysWOW64\Pcnpgghd.exe (level 113, PID 5508; command line: C:\Windows\system32\Pcnpgghd.exe)
C:\Windows\SysWOW64\Pkehhd32.exe (level 114, PID 3392; command line: C:\Windows\system32\Pkehhd32.exe)
C:\Windows\SysWOW64\Pncddp32.exe (level 115, PID 2304; command line: C:\Windows\system32\Pncddp32.exe)
C:\Windows\SysWOW64\Pbopeoqc.exe (level 116, PID 5184; command line: C:\Windows\system32\Pbopeoqc.exe)
C:\Windows\SysWOW64\Pdnmajpg.exe (level 117, PID 4544; command line: C:\Windows\system32\Pdnmajpg.exe)
C:\Windows\SysWOW64\Pglimeok.exe (level 118, PID 1292; command line: C:\Windows\system32\Pglimeok.exe)
- Modifies registry class
C:\Windows\SysWOW64\Pkgend32.exe (level 119, PID 6088; command line: C:\Windows\system32\Pkgend32.exe)
C:\Windows\SysWOW64\Pnfajp32.exe (level 120, PID 3496; command line: C:\Windows\system32\Pnfajp32.exe)
C:\Windows\SysWOW64\Pqdmfk32.exe (level 121, PID 3116; command line: C:\Windows\system32\Pqdmfk32.exe)
C:\Windows\SysWOW64\Pepigjnd.exe (level 122, PID 5444; command line: C:\Windows\system32\Pepigjnd.exe)