Analysis
-
max time kernel
63s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
06/03/2025, 22:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe
-
Size
64KB
-
MD5
99e29e0e64960cd2910be5171d9a09f1
-
SHA1
0fb9df4dd28db03dc9fe7342575419c90ef1b115
-
SHA256
2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c
-
SHA512
5d279f5e96174953baa39bb228f07bc3fe266519464865158bc698310ce4ca95be0583c39822f61e48e46f8829cf9ea6446fff5c364147bc86a29482f648ae80
-
SSDEEP
1536:5D99PEpuL+5oIXMRt64fUXruCHcpzt/Idn:5p9PGmKMmUpFwn
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpjklo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhpaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahljg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilmlfcel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kioiffcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmaad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmmnkglp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlmphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhfmbq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkilgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcpcho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpgdnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbeqjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckflc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmogpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdmld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lamjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edmilpld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdamao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceqjla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbibb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlhaaogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbpbck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiockd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keappgmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cobhdhha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edeclabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjcieg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbmco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndiomdde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feobac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhogaamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgppmpjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iecdji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eokgij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gamifcmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfaljjdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcncbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbginomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehfhgogp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Engjkeab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbnenk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfaljjdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceqjla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmqieh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inhoegqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohkdfhge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejlnjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glkgcmbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ladpagin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejgeogmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idmnga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjnlikic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqhdfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgdfgbhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjiljf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgppmpjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emhnqbjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfgjdlme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmfklepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljgkom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noepdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacmpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dajgfboj.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2096 Bjiljf32.exe 2964 Bacefpbg.exe 2224 Binikb32.exe 2216 Baealp32.exe 2760 Bdcnhk32.exe 2092 Bknfeege.exe 2528 Bdfjnkne.exe 1996 Beggec32.exe 2120 Bopknhjd.exe 2916 Cggcofkf.exe 2272 Chhpgn32.exe 2888 Cobhdhha.exe 2196 Clfhml32.exe 2088 Codeih32.exe 2336 Cdamao32.exe 2448 Ckkenikc.exe 800 Ceqjla32.exe 1616 Chofhm32.exe 1708 Cnlnpd32.exe 1868 Cpjklo32.exe 2680 Ckpoih32.exe 764 Dajgfboj.exe 1972 Dckcnj32.exe 2576 Dkblohek.exe 2976 Ddjphm32.exe 3000 Dgildi32.exe 2876 Dleelp32.exe 2724 Dcpmijqc.exe 1904 Dlhaaogd.exe 2276 Dofnnkfg.exe 2688 Dbejjfek.exe 2924 Dkmncl32.exe 2932 Dcdfdi32.exe 1948 Dbggpfci.exe 2564 Edeclabl.exe 1932 Elmkmo32.exe 2400 Eokgij32.exe 2416 Enngdgim.exe 2056 Efeoedjo.exe 2444 Edhpaa32.exe 768 Ekbhnkhf.exe 1068 Eomdoj32.exe 556 Enpdjfgj.exe 1864 Eqopfbfn.exe 1896 Ehfhgogp.exe 1748 Egihcl32.exe 548 Ejgeogmn.exe 2944 Ebnmpemq.exe 2832 Eqamla32.exe 2880 Edmilpld.exe 2720 Ekfaij32.exe 2172 Ejiadgkl.exe 1168 Emhnqbjo.exe 2132 Eqcjaa32.exe 1980 Ecbfmm32.exe 3040 Efpbih32.exe 1960 Ejlnjg32.exe 1144 Engjkeab.exe 2556 Fqffgapf.exe 1880 Fcdbcloi.exe 2644 Ffboohnm.exe 1512 Fjnkpf32.exe 1080 Fmlglb32.exe 1516 Fqhclqnc.exe -
Loads dropped DLL 64 IoCs
pid Process 1156 2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe 1156 2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe 2096 Bjiljf32.exe 2096 Bjiljf32.exe 2964 Bacefpbg.exe 2964 Bacefpbg.exe 2224 Binikb32.exe 2224 Binikb32.exe 2216 Baealp32.exe 2216 Baealp32.exe 2760 Bdcnhk32.exe 2760 Bdcnhk32.exe 2092 Bknfeege.exe 2092 Bknfeege.exe 2528 Bdfjnkne.exe 2528 Bdfjnkne.exe 1996 Beggec32.exe 1996 Beggec32.exe 2120 Bopknhjd.exe 2120 Bopknhjd.exe 2916 Cggcofkf.exe 2916 Cggcofkf.exe 2272 Chhpgn32.exe 2272 Chhpgn32.exe 2888 Cobhdhha.exe 2888 Cobhdhha.exe 2196 Clfhml32.exe 2196 Clfhml32.exe 2088 Codeih32.exe 2088 Codeih32.exe 2336 Cdamao32.exe 2336 Cdamao32.exe 2448 Ckkenikc.exe 2448 Ckkenikc.exe 800 Ceqjla32.exe 800 Ceqjla32.exe 1616 Chofhm32.exe 1616 Chofhm32.exe 1708 Cnlnpd32.exe 1708 Cnlnpd32.exe 1868 Cpjklo32.exe 1868 Cpjklo32.exe 2680 Ckpoih32.exe 2680 Ckpoih32.exe 764 Dajgfboj.exe 764 Dajgfboj.exe 1972 Dckcnj32.exe 1972 Dckcnj32.exe 2576 Dkblohek.exe 2576 Dkblohek.exe 2976 Ddjphm32.exe 2976 Ddjphm32.exe 3000 Dgildi32.exe 3000 Dgildi32.exe 2876 Dleelp32.exe 2876 Dleelp32.exe 2724 Dcpmijqc.exe 2724 Dcpmijqc.exe 1904 Dlhaaogd.exe 1904 Dlhaaogd.exe 2276 Dofnnkfg.exe 2276 Dofnnkfg.exe 2688 Dbejjfek.exe 2688 Dbejjfek.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ckpoih32.exe Cpjklo32.exe File opened for modification C:\Windows\SysWOW64\Hhfmbq32.exe Hdkaabnh.exe File created C:\Windows\SysWOW64\Pdglfeli.dll Idbgbahq.exe File created C:\Windows\SysWOW64\Gjlbhe32.dll Kjhopjqi.exe File created C:\Windows\SysWOW64\Kpgdnp32.exe Kkkhmadd.exe File created C:\Windows\SysWOW64\Cobcakeo.dll Ljgkom32.exe File created C:\Windows\SysWOW64\Ljjhdm32.exe Lhklha32.exe File opened for modification C:\Windows\SysWOW64\Mpkjgckc.exe Mmmnkglp.exe File opened for modification C:\Windows\SysWOW64\Dleelp32.exe Dgildi32.exe File opened for modification C:\Windows\SysWOW64\Edmilpld.exe Eqamla32.exe File created C:\Windows\SysWOW64\Fbokdb32.dll Eqcjaa32.exe File created C:\Windows\SysWOW64\Fbpfeh32.exe Fpbihl32.exe File created C:\Windows\SysWOW64\Qmcelb32.dll Ijopjhfh.exe File opened for modification C:\Windows\SysWOW64\Kdfmlc32.exe Kqkalenn.exe File opened for modification C:\Windows\SysWOW64\Mlbkmdah.exe Mhfoleio.exe File opened for modification C:\Windows\SysWOW64\Memlki32.exe Maapjjml.exe File created C:\Windows\SysWOW64\Fmaqgaae.exe Fejifdab.exe File created C:\Windows\SysWOW64\Aegqok32.dll Gjbqjiem.exe File created C:\Windows\SysWOW64\Hjgdaoen.dll Gpoibp32.exe File opened for modification C:\Windows\SysWOW64\Icbkhnan.exe Ipdolbbj.exe File opened for modification C:\Windows\SysWOW64\Ihdmld32.exe Ieeqpi32.exe File created C:\Windows\SysWOW64\Kcngcp32.exe Kobkbaac.exe File opened for modification C:\Windows\SysWOW64\Laackgka.exe Lmfgkh32.exe File created C:\Windows\SysWOW64\Niienepq.dll Codeih32.exe File created C:\Windows\SysWOW64\Ekfaij32.exe Edmilpld.exe File opened for modification C:\Windows\SysWOW64\Jbakpi32.exe Jobocn32.exe File created C:\Windows\SysWOW64\Hleqai32.dll Fichqckn.exe File created C:\Windows\SysWOW64\Bdldhfli.dll Hoipnl32.exe File created C:\Windows\SysWOW64\Fpdopknp.dll Igbqdlea.exe File opened for modification C:\Windows\SysWOW64\Kioiffcn.exe Kfaljjdj.exe File created C:\Windows\SysWOW64\Mmmnkglp.exe Meffjjln.exe File opened for modification C:\Windows\SysWOW64\Mhfoleio.exe Mehbpjjk.exe File created C:\Windows\SysWOW64\Hplmnbjm.dll Nhnemdbf.exe File created C:\Windows\SysWOW64\Bdfjnkne.exe Bknfeege.exe File created C:\Windows\SysWOW64\Edhpaa32.exe Efeoedjo.exe File created C:\Windows\SysWOW64\Lncicbma.dll Ejgeogmn.exe File created C:\Windows\SysWOW64\Chehgk32.dll Fqffgapf.exe File created C:\Windows\SysWOW64\Inebpgbf.exe Ikgfdlcb.exe File created C:\Windows\SysWOW64\Ljecbkfm.dll Iecdji32.exe File opened for modification C:\Windows\SysWOW64\Mbemho32.exe Mcbmmbhb.exe File created C:\Windows\SysWOW64\Mbginomj.exe Mddibb32.exe File opened for modification C:\Windows\SysWOW64\Bdfjnkne.exe Bknfeege.exe File created C:\Windows\SysWOW64\Eqopfbfn.exe Enpdjfgj.exe File opened for modification C:\Windows\SysWOW64\Holldk32.exe Hlmphp32.exe File created C:\Windows\SysWOW64\Cpgidb32.dll Mbemho32.exe File opened for modification C:\Windows\SysWOW64\Meffjjln.exe Mbginomj.exe File created C:\Windows\SysWOW64\Moqgiopk.exe Mlbkmdah.exe File created C:\Windows\SysWOW64\Ngencpel.exe Ncjbba32.exe File opened for modification C:\Windows\SysWOW64\Dkmncl32.exe Dbejjfek.exe File opened for modification C:\Windows\SysWOW64\Fblljhbo.exe Fcilnl32.exe File created C:\Windows\SysWOW64\Fpbihl32.exe Flfnhnfm.exe File opened for modification C:\Windows\SysWOW64\Fpbihl32.exe Flfnhnfm.exe File created C:\Windows\SysWOW64\Abeoed32.dll Hlhfmqge.exe File opened for modification C:\Windows\SysWOW64\Ilmlfcel.exe Ijopjhfh.exe File opened for modification C:\Windows\SysWOW64\Kmfklepl.exe Kjhopjqi.exe File created C:\Windows\SysWOW64\Lajmkhai.exe Lnlaomae.exe File created C:\Windows\SysWOW64\Mjhdbb32.dll Binikb32.exe File created C:\Windows\SysWOW64\Mmqicbma.dll Gddobpbe.exe File opened for modification C:\Windows\SysWOW64\Gamifcmi.exe Gjbqjiem.exe File created C:\Windows\SysWOW64\Hlkcbp32.exe Hhogaamj.exe File opened for modification C:\Windows\SysWOW64\Ihijhpdo.exe Idmnga32.exe File opened for modification C:\Windows\SysWOW64\Iilceh32.exe Igngim32.exe File created C:\Windows\SysWOW64\Jngkdj32.exe Jdogldmo.exe File created C:\Windows\SysWOW64\Nhclfogi.dll Nacmpj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3444 3268 WerFault.exe 310 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqamla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gahpkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpmmpam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhikae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhnemdbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjngoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkejnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iilceh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkilgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lefikg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejgeogmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejiadgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbcddlnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkkhmadd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehfhgogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjnkpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqhclqnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjpddigo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbmil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipdolbbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nifgekbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceqjla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqcjaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbginomj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fichqckn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieeqpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcfohlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iciaim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbibb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndbile32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmbhnjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcppgbjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhklha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahljg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlhaaogd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fldabn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokhcodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kimlqfeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiockd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eomdoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbeqjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mldgbcoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdfmlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbnnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmfgkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chofhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdmld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfhmehji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihdjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmpnmck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feobac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcngcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjhdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kflcok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbihl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ladpagin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhfoleio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clfhml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elmkmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhogaamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoipnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikgfdlcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhpabdqd.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkmncl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kakjdp32.dll" Fejifdab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glkgcmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjpddigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hijjpeha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdkaabnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lamjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekcqo32.dll" Lcppgbjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdcjdq32.dll" Dgildi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmgnmlma.dll" Gfgdij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgppmpjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beofli32.dll" Kopnma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maapjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogjhnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffboohnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjemoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hogcil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndbile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niienepq.dll" Codeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdhiehfo.dll" Ejiadgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ommbioja.dll" Ihijhpdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgbibb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjngoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjcieg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcngcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkimdk.dll" Lflonn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Monjcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bknfeege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjnkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbniohpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcnpfgn.dll" Geaofc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlmphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapaph32.dll" Ljjhdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libmacbm.dll" Ipdolbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqkalenn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjebjjck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjocaab.dll" Kbeqjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcppgbjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nddeae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihggkhle.dll" Ndgbgefh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdonlp32.dll" Fcilnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgcmgfgc.dll" Fpbihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iilceh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igbqdlea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmfklepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcbdhqk.dll" Keappgmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljcbcngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nklaipbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beggec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekbhnkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kglgpo32.dll" Fjnkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpmllpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imcfjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjhopjqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocpgbkc.dll" Mddibb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqeofnd.dll" Nklaipbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkclkc32.dll" Eqopfbfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edmilpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnjhjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljeoimeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleqai32.dll" Fichqckn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fihalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idbgbahq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1156 wrote to memory of 2096 1156 2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe 30 PID 1156 wrote to memory of 2096 1156 2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe 30 PID 1156 wrote to memory of 2096 1156 2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe 30 PID 1156 wrote to memory of 2096 1156 2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe 30 PID 2096 wrote to memory of 2964 2096 Bjiljf32.exe 31 PID 2096 wrote to memory of 2964 2096 Bjiljf32.exe 31 PID 2096 wrote to memory of 2964 2096 Bjiljf32.exe 31 PID 2096 wrote to memory of 2964 2096 Bjiljf32.exe 31 PID 2964 wrote to memory of 2224 2964 Bacefpbg.exe 32 PID 2964 wrote to memory of 2224 2964 Bacefpbg.exe 32 PID 2964 wrote to memory of 2224 2964 Bacefpbg.exe 32 PID 2964 wrote to memory of 2224 2964 Bacefpbg.exe 32 PID 2224 wrote to memory of 2216 2224 Binikb32.exe 33 PID 2224 wrote to memory of 2216 2224 Binikb32.exe 33 PID 2224 wrote to memory of 2216 2224 Binikb32.exe 33 PID 2224 wrote to memory of 2216 2224 Binikb32.exe 33 PID 2216 wrote to memory of 2760 2216 Baealp32.exe 34 PID 2216 wrote to memory of 2760 2216 Baealp32.exe 34 PID 2216 wrote to memory of 2760 2216 Baealp32.exe 34 PID 2216 wrote to memory of 2760 2216 Baealp32.exe 34 PID 2760 wrote to memory of 2092 2760 Bdcnhk32.exe 35 PID 2760 wrote to memory of 2092 2760 Bdcnhk32.exe 35 PID 2760 wrote to memory of 2092 2760 Bdcnhk32.exe 35 PID 2760 wrote to memory of 2092 2760 Bdcnhk32.exe 35 PID 2092 wrote to memory of 2528 2092 Bknfeege.exe 36 PID 2092 wrote to memory of 2528 2092 Bknfeege.exe 36 PID 2092 wrote to memory of 2528 2092 Bknfeege.exe 36 PID 2092 wrote to memory of 2528 2092 Bknfeege.exe 36 PID 2528 wrote to memory of 1996 2528 Bdfjnkne.exe 37 PID 2528 wrote to memory of 1996 2528 Bdfjnkne.exe 37 PID 2528 wrote to memory of 1996 2528 Bdfjnkne.exe 37 PID 2528 wrote to memory of 1996 2528 Bdfjnkne.exe 37 PID 1996 wrote to memory of 2120 1996 Beggec32.exe 38 PID 1996 wrote to memory of 2120 1996 Beggec32.exe 38 PID 1996 wrote to memory of 2120 1996 Beggec32.exe 38 PID 1996 wrote to memory of 2120 1996 Beggec32.exe 38 PID 2120 wrote to memory of 2916 2120 Bopknhjd.exe 39 PID 2120 wrote to memory of 2916 2120 Bopknhjd.exe 39 PID 2120 wrote to memory of 2916 2120 Bopknhjd.exe 39 PID 2120 wrote to memory of 2916 2120 Bopknhjd.exe 39 PID 2916 wrote to memory of 2272 2916 Cggcofkf.exe 40 PID 2916 wrote to memory of 2272 2916 Cggcofkf.exe 40 PID 2916 wrote to memory of 2272 2916 Cggcofkf.exe 40 PID 2916 wrote to memory of 2272 2916 Cggcofkf.exe 40 PID 2272 wrote to memory of 2888 2272 Chhpgn32.exe 41 PID 2272 wrote to memory of 2888 2272 Chhpgn32.exe 41 PID 2272 wrote to memory of 2888 2272 Chhpgn32.exe 41 PID 2272 wrote to memory of 2888 2272 Chhpgn32.exe 41 PID 2888 wrote to memory of 2196 2888 Cobhdhha.exe 42 PID 2888 wrote to memory of 2196 2888 Cobhdhha.exe 42 PID 2888 wrote to memory of 2196 2888 Cobhdhha.exe 42 PID 2888 wrote to memory of 2196 2888 Cobhdhha.exe 42 PID 2196 wrote to memory of 2088 2196 Clfhml32.exe 43 PID 2196 wrote to memory of 2088 2196 Clfhml32.exe 43 PID 2196 wrote to memory of 2088 2196 Clfhml32.exe 43 PID 2196 wrote to memory of 2088 2196 Clfhml32.exe 43 PID 2088 wrote to memory of 2336 2088 Codeih32.exe 44 PID 2088 wrote to memory of 2336 2088 Codeih32.exe 44 PID 2088 wrote to memory of 2336 2088 Codeih32.exe 44 PID 2088 wrote to memory of 2336 2088 Codeih32.exe 44 PID 2336 wrote to memory of 2448 2336 Cdamao32.exe 45 PID 2336 wrote to memory of 2448 2336 Cdamao32.exe 45 PID 2336 wrote to memory of 2448 2336 Cdamao32.exe 45 PID 2336 wrote to memory of 2448 2336 Cdamao32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe"C:\Users\Admin\AppData\Local\Temp\2308f7c3bbc2d033be1baf05407cb675657fc7be617346a2b49ff23115ef2b7c.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Bjiljf32.exeC:\Windows\system32\Bjiljf32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Bacefpbg.exeC:\Windows\system32\Bacefpbg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Binikb32.exeC:\Windows\system32\Binikb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Baealp32.exeC:\Windows\system32\Baealp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Bdcnhk32.exeC:\Windows\system32\Bdcnhk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Bknfeege.exeC:\Windows\system32\Bknfeege.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Bdfjnkne.exeC:\Windows\system32\Bdfjnkne.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Beggec32.exeC:\Windows\system32\Beggec32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Bopknhjd.exeC:\Windows\system32\Bopknhjd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Cggcofkf.exeC:\Windows\system32\Cggcofkf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Chhpgn32.exeC:\Windows\system32\Chhpgn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Cobhdhha.exeC:\Windows\system32\Cobhdhha.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Clfhml32.exeC:\Windows\system32\Clfhml32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Codeih32.exeC:\Windows\system32\Codeih32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Cdamao32.exeC:\Windows\system32\Cdamao32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Ckkenikc.exeC:\Windows\system32\Ckkenikc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Ceqjla32.exeC:\Windows\system32\Ceqjla32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:800 -
C:\Windows\SysWOW64\Chofhm32.exeC:\Windows\system32\Chofhm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Cnlnpd32.exeC:\Windows\system32\Cnlnpd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Cpjklo32.exeC:\Windows\system32\Cpjklo32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Ckpoih32.exeC:\Windows\system32\Ckpoih32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Dajgfboj.exeC:\Windows\system32\Dajgfboj.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Dckcnj32.exeC:\Windows\system32\Dckcnj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Dkblohek.exeC:\Windows\system32\Dkblohek.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Ddjphm32.exeC:\Windows\system32\Ddjphm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Dgildi32.exeC:\Windows\system32\Dgildi32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Dleelp32.exeC:\Windows\system32\Dleelp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Dcpmijqc.exeC:\Windows\system32\Dcpmijqc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Dlhaaogd.exeC:\Windows\system32\Dlhaaogd.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\SysWOW64\Dofnnkfg.exeC:\Windows\system32\Dofnnkfg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Dbejjfek.exeC:\Windows\system32\Dbejjfek.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Dkmncl32.exeC:\Windows\system32\Dkmncl32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Dcdfdi32.exeC:\Windows\system32\Dcdfdi32.exe34⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Dbggpfci.exeC:\Windows\system32\Dbggpfci.exe35⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Edeclabl.exeC:\Windows\system32\Edeclabl.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Elmkmo32.exeC:\Windows\system32\Elmkmo32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Eokgij32.exeC:\Windows\system32\Eokgij32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Enngdgim.exeC:\Windows\system32\Enngdgim.exe39⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Efeoedjo.exeC:\Windows\system32\Efeoedjo.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Edhpaa32.exeC:\Windows\system32\Edhpaa32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Ekbhnkhf.exeC:\Windows\system32\Ekbhnkhf.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Eomdoj32.exeC:\Windows\system32\Eomdoj32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1068 -
C:\Windows\SysWOW64\Enpdjfgj.exeC:\Windows\system32\Enpdjfgj.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Eqopfbfn.exeC:\Windows\system32\Eqopfbfn.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Ehfhgogp.exeC:\Windows\system32\Ehfhgogp.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Windows\SysWOW64\Egihcl32.exeC:\Windows\system32\Egihcl32.exe47⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Ejgeogmn.exeC:\Windows\system32\Ejgeogmn.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:548 -
C:\Windows\SysWOW64\Ebnmpemq.exeC:\Windows\system32\Ebnmpemq.exe49⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Eqamla32.exeC:\Windows\system32\Eqamla32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Edmilpld.exeC:\Windows\system32\Edmilpld.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Ekfaij32.exeC:\Windows\system32\Ekfaij32.exe52⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ejiadgkl.exeC:\Windows\system32\Ejiadgkl.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Emhnqbjo.exeC:\Windows\system32\Emhnqbjo.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Eqcjaa32.exeC:\Windows\system32\Eqcjaa32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Ecbfmm32.exeC:\Windows\system32\Ecbfmm32.exe56⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Efpbih32.exeC:\Windows\system32\Efpbih32.exe57⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Ejlnjg32.exeC:\Windows\system32\Ejlnjg32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Engjkeab.exeC:\Windows\system32\Engjkeab.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Fqffgapf.exeC:\Windows\system32\Fqffgapf.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Fcdbcloi.exeC:\Windows\system32\Fcdbcloi.exe61⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Ffboohnm.exeC:\Windows\system32\Ffboohnm.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Fjnkpf32.exeC:\Windows\system32\Fjnkpf32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Fmlglb32.exeC:\Windows\system32\Fmlglb32.exe64⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Fqhclqnc.exeC:\Windows\system32\Fqhclqnc.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Windows\SysWOW64\Fcfohlmg.exeC:\Windows\system32\Fcfohlmg.exe66⤵
- System Location Discovery: System Language Discovery
PID:1368 -
C:\Windows\SysWOW64\Ffeldglk.exeC:\Windows\system32\Ffeldglk.exe67⤵PID:1188
-
C:\Windows\SysWOW64\Fichqckn.exeC:\Windows\system32\Fichqckn.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Fmodaadg.exeC:\Windows\system32\Fmodaadg.exe69⤵PID:1964
-
C:\Windows\SysWOW64\Fpmpnmck.exeC:\Windows\system32\Fpmpnmck.exe70⤵
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Fcilnl32.exeC:\Windows\system32\Fcilnl32.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Fblljhbo.exeC:\Windows\system32\Fblljhbo.exe72⤵PID:2568
-
C:\Windows\SysWOW64\Fejifdab.exeC:\Windows\system32\Fejifdab.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Fmaqgaae.exeC:\Windows\system32\Fmaqgaae.exe74⤵PID:636
-
C:\Windows\SysWOW64\Fldabn32.exeC:\Windows\system32\Fldabn32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\SysWOW64\Fnbmoi32.exeC:\Windows\system32\Fnbmoi32.exe76⤵PID:1256
-
C:\Windows\SysWOW64\Fbniohpl.exeC:\Windows\system32\Fbniohpl.exe77⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Felekcop.exeC:\Windows\system32\Felekcop.exe78⤵PID:1728
-
C:\Windows\SysWOW64\Fihalb32.exeC:\Windows\system32\Fihalb32.exe79⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Flfnhnfm.exeC:\Windows\system32\Flfnhnfm.exe80⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Fpbihl32.exeC:\Windows\system32\Fpbihl32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Fbpfeh32.exeC:\Windows\system32\Fbpfeh32.exe82⤵PID:340
-
C:\Windows\SysWOW64\Feobac32.exeC:\Windows\system32\Feobac32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Fijnabef.exeC:\Windows\system32\Fijnabef.exe84⤵PID:1876
-
C:\Windows\SysWOW64\Glijnmdj.exeC:\Windows\system32\Glijnmdj.exe85⤵PID:2516
-
C:\Windows\SysWOW64\Gngfjicn.exeC:\Windows\system32\Gngfjicn.exe86⤵PID:884
-
C:\Windows\SysWOW64\Gbbbjg32.exeC:\Windows\system32\Gbbbjg32.exe87⤵PID:1580
-
C:\Windows\SysWOW64\Geaofc32.exeC:\Windows\system32\Geaofc32.exe88⤵
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Gddobpbe.exeC:\Windows\system32\Gddobpbe.exe89⤵
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Glkgcmbg.exeC:\Windows\system32\Glkgcmbg.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Gjngoj32.exeC:\Windows\system32\Gjngoj32.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Gmlckehe.exeC:\Windows\system32\Gmlckehe.exe92⤵PID:2288
-
C:\Windows\SysWOW64\Gahpkd32.exeC:\Windows\system32\Gahpkd32.exe93⤵
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Gecklbih.exeC:\Windows\system32\Gecklbih.exe94⤵PID:2184
-
C:\Windows\SysWOW64\Ghbhhnhk.exeC:\Windows\system32\Ghbhhnhk.exe95⤵PID:536
-
C:\Windows\SysWOW64\Gjpddigo.exeC:\Windows\system32\Gjpddigo.exe96⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Gmoppefc.exeC:\Windows\system32\Gmoppefc.exe97⤵PID:1852
-
C:\Windows\SysWOW64\Gpmllpef.exeC:\Windows\system32\Gpmllpef.exe98⤵
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Gdihmo32.exeC:\Windows\system32\Gdihmo32.exe99⤵PID:1916
-
C:\Windows\SysWOW64\Gfgdij32.exeC:\Windows\system32\Gfgdij32.exe100⤵
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\Gjbqjiem.exeC:\Windows\system32\Gjbqjiem.exe101⤵
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Gamifcmi.exeC:\Windows\system32\Gamifcmi.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Gpoibp32.exeC:\Windows\system32\Gpoibp32.exe103⤵
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\Gbnenk32.exeC:\Windows\system32\Gbnenk32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700 -
C:\Windows\SysWOW64\Gjemoi32.exeC:\Windows\system32\Gjemoi32.exe105⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Gihnkejd.exeC:\Windows\system32\Gihnkejd.exe106⤵PID:1760
-
C:\Windows\SysWOW64\Glfjgaih.exeC:\Windows\system32\Glfjgaih.exe107⤵PID:2232
-
C:\Windows\SysWOW64\Gdmbhnjj.exeC:\Windows\system32\Gdmbhnjj.exe108⤵
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Hbpbck32.exeC:\Windows\system32\Hbpbck32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Heonpf32.exeC:\Windows\system32\Heonpf32.exe110⤵PID:1500
-
C:\Windows\SysWOW64\Hijjpeha.exeC:\Windows\system32\Hijjpeha.exe111⤵
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Hlhfmqge.exeC:\Windows\system32\Hlhfmqge.exe112⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Hogcil32.exeC:\Windows\system32\Hogcil32.exe113⤵
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Hbboiknb.exeC:\Windows\system32\Hbboiknb.exe114⤵PID:1604
-
C:\Windows\SysWOW64\Heakefnf.exeC:\Windows\system32\Heakefnf.exe115⤵PID:1180
-
C:\Windows\SysWOW64\Hhogaamj.exeC:\Windows\system32\Hhogaamj.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Hlkcbp32.exeC:\Windows\system32\Hlkcbp32.exe117⤵PID:1660
-
C:\Windows\SysWOW64\Hoipnl32.exeC:\Windows\system32\Hoipnl32.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Hahljg32.exeC:\Windows\system32\Hahljg32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Hechkfkc.exeC:\Windows\system32\Hechkfkc.exe120⤵PID:2380
-
C:\Windows\SysWOW64\Hiockd32.exeC:\Windows\system32\Hiockd32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1020
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-