Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
05/03/2025, 12:35
General
-
Target
efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe
-
Size
79KB
-
MD5
12ab15bf427159ac3810d19b43bf1df5
-
SHA1
48e85f2983df20b5a67307945b234a08afc32922
-
SHA256
efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf
-
SHA512
366481e10ba7c5d668f41cacbfd660057ac145245f4829e38c699d9b668a1eaaa63a0f272705fd7db419019cf235bc736b1e0200df4bfcf24319b04f83b06a77
-
SSDEEP
1536:bvKLrq8V6vHAn84X+0GpHenAUEaiFkSIgiItKq9v6D6:bvKLrq8V6vHAZX+XHeAUEaixtBtKq9v9
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Berbew
Berbew is a backdoor written in C++.
-
Berbew family
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe"C:\Users\Admin\AppData\Local\Temp\efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Doagjc32.exeC:\Windows\system32\Doagjc32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dqbcbkab.exeC:\Windows\system32\Dqbcbkab.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dhikci32.exeC:\Windows\system32\Dhikci32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dkhgod32.exeC:\Windows\system32\Dkhgod32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eqdpgk32.exeC:\Windows\system32\Eqdpgk32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ekjded32.exeC:\Windows\system32\Ekjded32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ebdlangb.exeC:\Windows\system32\Ebdlangb.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ehndnh32.exeC:\Windows\system32\Ehndnh32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Enkmfolf.exeC:\Windows\system32\Enkmfolf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ehpadhll.exeC:\Windows\system32\Ehpadhll.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ekonpckp.exeC:\Windows\system32\Ekonpckp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eqlfhjig.exeC:\Windows\system32\Eqlfhjig.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Enpfan32.exeC:\Windows\system32\Enpfan32.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Edionhpn.exeC:\Windows\system32\Edionhpn.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fooclapd.exeC:\Windows\system32\Fooclapd.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fqppci32.exeC:\Windows\system32\Fqppci32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fkfcqb32.exeC:\Windows\system32\Fkfcqb32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fndpmndl.exeC:\Windows\system32\Fndpmndl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fqbliicp.exeC:\Windows\system32\Fqbliicp.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fijdjfdb.exeC:\Windows\system32\Fijdjfdb.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fqeioiam.exeC:\Windows\system32\Fqeioiam.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Fgoakc32.exeC:\Windows\system32\Fgoakc32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Fniihmpf.exeC:\Windows\system32\Fniihmpf.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Fohfbpgi.exeC:\Windows\system32\Fohfbpgi.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Fajbjh32.exeC:\Windows\system32\Fajbjh32.exe28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Fiqjke32.exeC:\Windows\system32\Fiqjke32.exe29⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gnnccl32.exeC:\Windows\system32\Gnnccl32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Gegkpf32.exeC:\Windows\system32\Gegkpf32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Gkaclqkk.exeC:\Windows\system32\Gkaclqkk.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ganldgib.exeC:\Windows\system32\Ganldgib.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gghdaa32.exeC:\Windows\system32\Gghdaa32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Gnblnlhl.exeC:\Windows\system32\Gnblnlhl.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Gaqhjggp.exeC:\Windows\system32\Gaqhjggp.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ggkqgaol.exeC:\Windows\system32\Ggkqgaol.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Gndick32.exeC:\Windows\system32\Gndick32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Geoapenf.exeC:\Windows\system32\Geoapenf.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Gpdennml.exeC:\Windows\system32\Gpdennml.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Geanfelc.exeC:\Windows\system32\Geanfelc.exe41⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Giljfddl.exeC:\Windows\system32\Giljfddl.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hbenoi32.exeC:\Windows\system32\Hbenoi32.exe43⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Hhaggp32.exeC:\Windows\system32\Hhaggp32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Hpioin32.exeC:\Windows\system32\Hpioin32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Heegad32.exeC:\Windows\system32\Heegad32.exe46⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Hlppno32.exeC:\Windows\system32\Hlppno32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Hnnljj32.exeC:\Windows\system32\Hnnljj32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hehdfdek.exeC:\Windows\system32\Hehdfdek.exe49⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hpmhdmea.exeC:\Windows\system32\Hpmhdmea.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Hifmmb32.exeC:\Windows\system32\Hifmmb32.exe51⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Hppeim32.exeC:\Windows\system32\Hppeim32.exe52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Haaaaeim.exeC:\Windows\system32\Haaaaeim.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Hihibbjo.exeC:\Windows\system32\Hihibbjo.exe54⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ilfennic.exeC:\Windows\system32\Ilfennic.exe55⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ibqnkh32.exeC:\Windows\system32\Ibqnkh32.exe56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Iijfhbhl.exeC:\Windows\system32\Iijfhbhl.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Ilibdmgp.exeC:\Windows\system32\Ilibdmgp.exe58⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Ibcjqgnm.exeC:\Windows\system32\Ibcjqgnm.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Iafkld32.exeC:\Windows\system32\Iafkld32.exe60⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ihpcinld.exeC:\Windows\system32\Ihpcinld.exe61⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ipgkjlmg.exeC:\Windows\system32\Ipgkjlmg.exe62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ibegfglj.exeC:\Windows\system32\Ibegfglj.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Ieccbbkn.exeC:\Windows\system32\Ieccbbkn.exe64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ihbponja.exeC:\Windows\system32\Ihbponja.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ibgdlg32.exeC:\Windows\system32\Ibgdlg32.exe66⤵
-
C:\Windows\SysWOW64\Iialhaad.exeC:\Windows\system32\Iialhaad.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Ilphdlqh.exeC:\Windows\system32\Ilphdlqh.exe68⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Iondqhpl.exeC:\Windows\system32\Iondqhpl.exe69⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Iamamcop.exeC:\Windows\system32\Iamamcop.exe70⤵
-
C:\Windows\SysWOW64\Kolabf32.exeC:\Windows\system32\Kolabf32.exe71⤵
-
C:\Windows\SysWOW64\Kakmna32.exeC:\Windows\system32\Kakmna32.exe72⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Kibeoo32.exeC:\Windows\system32\Kibeoo32.exe73⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Kplmliko.exeC:\Windows\system32\Kplmliko.exe74⤵
-
C:\Windows\SysWOW64\Kidben32.exeC:\Windows\system32\Kidben32.exe75⤵
-
C:\Windows\SysWOW64\Klbnajqc.exeC:\Windows\system32\Klbnajqc.exe76⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Koajmepf.exeC:\Windows\system32\Koajmepf.exe77⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Kapfiqoj.exeC:\Windows\system32\Kapfiqoj.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Klekfinp.exeC:\Windows\system32\Klekfinp.exe79⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Kcoccc32.exeC:\Windows\system32\Kcoccc32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Kemooo32.exeC:\Windows\system32\Kemooo32.exe81⤵
-
C:\Windows\SysWOW64\Kofdhd32.exeC:\Windows\system32\Kofdhd32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Likhem32.exeC:\Windows\system32\Likhem32.exe83⤵
-
C:\Windows\SysWOW64\Lpepbgbd.exeC:\Windows\system32\Lpepbgbd.exe84⤵
-
C:\Windows\SysWOW64\Lebijnak.exeC:\Windows\system32\Lebijnak.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Lhqefjpo.exeC:\Windows\system32\Lhqefjpo.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Lpgmhg32.exeC:\Windows\system32\Lpgmhg32.exe87⤵
-
C:\Windows\SysWOW64\Llnnmhfe.exeC:\Windows\system32\Llnnmhfe.exe88⤵
-
C:\Windows\SysWOW64\Lchfib32.exeC:\Windows\system32\Lchfib32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Lakfeodm.exeC:\Windows\system32\Lakfeodm.exe90⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Legben32.exeC:\Windows\system32\Legben32.exe91⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Lhenai32.exeC:\Windows\system32\Lhenai32.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Llqjbhdc.exeC:\Windows\system32\Llqjbhdc.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Loofnccf.exeC:\Windows\system32\Loofnccf.exe94⤵
-
C:\Windows\SysWOW64\Lancko32.exeC:\Windows\system32\Lancko32.exe95⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Lfiokmkc.exeC:\Windows\system32\Lfiokmkc.exe96⤵
-
C:\Windows\SysWOW64\Lhgkgijg.exeC:\Windows\system32\Lhgkgijg.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Lpochfji.exeC:\Windows\system32\Lpochfji.exe98⤵
-
C:\Windows\SysWOW64\Loacdc32.exeC:\Windows\system32\Loacdc32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Mapppn32.exeC:\Windows\system32\Mapppn32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Mfkkqmiq.exeC:\Windows\system32\Mfkkqmiq.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Mjggal32.exeC:\Windows\system32\Mjggal32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Mledmg32.exeC:\Windows\system32\Mledmg32.exe103⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Mpapnfhg.exeC:\Windows\system32\Mpapnfhg.exe104⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Mcoljagj.exeC:\Windows\system32\Mcoljagj.exe105⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Mfnhfm32.exeC:\Windows\system32\Mfnhfm32.exe106⤵
-
C:\Windows\SysWOW64\Mhldbh32.exeC:\Windows\system32\Mhldbh32.exe107⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Mlhqcgnk.exeC:\Windows\system32\Mlhqcgnk.exe108⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Mofmobmo.exeC:\Windows\system32\Mofmobmo.exe109⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Mbdiknlb.exeC:\Windows\system32\Mbdiknlb.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Mjlalkmd.exeC:\Windows\system32\Mjlalkmd.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Mhoahh32.exeC:\Windows\system32\Mhoahh32.exe112⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Mpeiie32.exeC:\Windows\system32\Mpeiie32.exe113⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Mcdeeq32.exeC:\Windows\system32\Mcdeeq32.exe114⤵
-
C:\Windows\SysWOW64\Mbgeqmjp.exeC:\Windows\system32\Mbgeqmjp.exe115⤵
-
C:\Windows\SysWOW64\Mjnnbk32.exeC:\Windows\system32\Mjnnbk32.exe116⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Mlljnf32.exeC:\Windows\system32\Mlljnf32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Mqhfoebo.exeC:\Windows\system32\Mqhfoebo.exe118⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Mcfbkpab.exeC:\Windows\system32\Mcfbkpab.exe119⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Mfenglqf.exeC:\Windows\system32\Mfenglqf.exe120⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Mhckcgpj.exeC:\Windows\system32\Mhckcgpj.exe121⤵
- Modifies registry class
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-