Analysis
max time kernel: 150s
max time network: 20s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28-09-2024 19:51
Static task: static1
Behavioral task: behavioral1
  Sample: 270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f.exe
  Resource: win10v2004-20240802-en
General
Target: 270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f.exe
Size: 161KB
MD5: 9b8d216d4912875c95ee6d4afa90db8a
SHA1: fcd91bda493d27a817658e164c28d699f7b06720
SHA256: 270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f
SHA512: 0d520f79886fff44a508f881e26bb0d39da9b9b35ab710887b177c6a2cde182100dac57d46e069140720122f898bebc3b5a4244480eb7ed7ddc3dd94e6f26b37
SSDEEP: 3072:h1OI36ztplr0+DxkQVwtCJXeex7rrIRZK8K8/kvN:z6ztjjDxkQVwtmeetrIyRN
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idgmch32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcfmkcdn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilianckh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Llpbeaak.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikeldenf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hibpli32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfpebq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmabaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gobnljhp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlkggn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gmmihk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cipaqqli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oieencik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Piipibff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Abkqle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ghdfhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ilianckh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bfbknkbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Injlmcib.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfjmkn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gaghcjhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Epdafl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aemmanjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfffmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mncijanc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mbgggf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnkdlagc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eepccldb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fblcaohd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmmihk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjnhpj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfgadbcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jpkbfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jeldiolb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dpifln32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkhfoa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkldli32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcgppana.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbbodk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emjoep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djkcgpaa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpekmnmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pneiaidn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cclmlm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qegpbaqb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mllcodig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aikkgnnc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mocogc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hglakcao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Executes dropped EXE (64 IoCs)
pid | Process
2096 | Qnpbbn32.exe
2380 | Aiegpg32.exe
2776 | Aapkdi32.exe
2264 | Ajmihn32.exe
2796 | Biecoj32.exe
2620 | Bbpdmp32.exe
3044 | Boiagp32.exe
2920 | Cjdonndl.exe
1040 | Ddgcdjip.exe
1756 | Dqqqokla.exe
2328 | Egobfdpi.exe
1532 | Ebkpma32.exe
2060 | Ebnlba32.exe
1828 | Flkjffkm.exe
1288 | Fmnccn32.exe
2452 | Gaoiol32.exe
2032 | Gpfbfh32.exe
832 | Gphokhco.exe
2316 | Hdjedk32.exe
1108 | Hhhmki32.exe
2320 | Icidlf32.exe
1500 | Ilaieljl.exe
2296 | Ihmcelkk.exe
2116 | Injlmcib.exe
2836 | Jjcigcmd.exe
2684 | Jjefmc32.exe
1824 | Jijbnppi.exe
2940 | Jbbgge32.exe
2648 | Kbgqbdbd.exe
3052 | Kkpekjie.exe
2236 | Kamncagl.exe
2416 | Kjeblf32.exe
588 | Knckbe32.exe
2056 | Ljjkgfig.exe
1140 | Lpfdpmho.exe
1752 | Ljlhme32.exe
2144 | Liaenblm.exe
2232 | Lfeegfkf.exe
1548 | Lopjlh32.exe
3036 | Lppgfkpd.exe
1908 | Mhkkjnmo.exe
1544 | Moecghdl.exe
2404 | Mkldli32.exe
2024 | Meaiia32.exe
1724 | Mahinb32.exe
2424 | Mgebfi32.exe
2500 | Mmojcceo.exe
1924 | Nppceo32.exe
2724 | Nlfdjphd.exe
1844 | Nijdcdgn.exe
2760 | Nogmkk32.exe
2576 | Noiiaj32.exe
2632 | Nlmjjo32.exe
948 | Ndhooaog.exe
944 | Onacgf32.exe
2560 | Ogigpllh.exe
2932 | Oncpmf32.exe
2892 | Okgpfjbo.exe
1980 | Odpeop32.exe
2168 | Oqfeda32.exe
2176 | Ohajic32.exe
844 | Pbjoaibo.exe
2112 | Pkbcjn32.exe
1856 | Pmbpda32.exe
Loads dropped DLL (64 IoCs)
pid | Process
2252 | 270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f.exe
2252 | 270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f.exe
2096 | Qnpbbn32.exe
2096 | Qnpbbn32.exe
2380 | Aiegpg32.exe
2380 | Aiegpg32.exe
2776 | Aapkdi32.exe
2776 | Aapkdi32.exe
2264 | Ajmihn32.exe
2264 | Ajmihn32.exe
2796 | Biecoj32.exe
2796 | Biecoj32.exe
2620 | Bbpdmp32.exe
2620 | Bbpdmp32.exe
3044 | Boiagp32.exe
3044 | Boiagp32.exe
2920 | Cjdonndl.exe
2920 | Cjdonndl.exe
1040 | Ddgcdjip.exe
1040 | Ddgcdjip.exe
1756 | Dqqqokla.exe
1756 | Dqqqokla.exe
2328 | Egobfdpi.exe
2328 | Egobfdpi.exe
1532 | Ebkpma32.exe
1532 | Ebkpma32.exe
2060 | Ebnlba32.exe
2060 | Ebnlba32.exe
1828 | Flkjffkm.exe
1828 | Flkjffkm.exe
1288 | Fmnccn32.exe
1288 | Fmnccn32.exe
2452 | Gaoiol32.exe
2452 | Gaoiol32.exe
2032 | Gpfbfh32.exe
2032 | Gpfbfh32.exe
832 | Gphokhco.exe
832 | Gphokhco.exe
2316 | Hdjedk32.exe
2316 | Hdjedk32.exe
1108 | Hhhmki32.exe
1108 | Hhhmki32.exe
2320 | Icidlf32.exe
2320 | Icidlf32.exe
1500 | Ilaieljl.exe
1500 | Ilaieljl.exe
2296 | Ihmcelkk.exe
2296 | Ihmcelkk.exe
2116 | Injlmcib.exe
2116 | Injlmcib.exe
2836 | Jjcigcmd.exe
2836 | Jjcigcmd.exe
2684 | Jjefmc32.exe
2684 | Jjefmc32.exe
1824 | Jijbnppi.exe
1824 | Jijbnppi.exe
2940 | Jbbgge32.exe
2940 | Jbbgge32.exe
2648 | Kbgqbdbd.exe
2648 | Kbgqbdbd.exe
3052 | Kkpekjie.exe
3052 | Kkpekjie.exe
2236 | Kamncagl.exe
2236 | Kamncagl.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Ggccaemi.exe | Process not Found
File created | C:\Windows\SysWOW64\Lgpjmidb.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Behpcefk.exe | Aipbidbj.exe
File created | C:\Windows\SysWOW64\Khonbhch.exe | Kcbfjaeq.exe
File created | C:\Windows\SysWOW64\Ehkclk32.dll | Gdlemd32.exe
File created | C:\Windows\SysWOW64\Cfcpphbp.dll | Process not Found
File created | C:\Windows\SysWOW64\Noiiaj32.exe | Nogmkk32.exe
File created | C:\Windows\SysWOW64\Llobhcnd.dll | Onojfd32.exe
File created | C:\Windows\SysWOW64\Aggddk32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Aoocpoqk.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Mpeddi32.exe | Process not Found
File created | C:\Windows\SysWOW64\Iopgjp32.exe | Iicoai32.exe
File opened for modification | C:\Windows\SysWOW64\Hllkhoaj.exe | Hbdfoiki.exe
File created | C:\Windows\SysWOW64\Bkmjhi32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Iekecpmd.exe | Process not Found
File created | C:\Windows\SysWOW64\Dngbih32.dll | Process not Found
File created | C:\Windows\SysWOW64\Bdehhc32.dll | Process not Found
File created | C:\Windows\SysWOW64\Ponbjgho.dll | Fcnkemgi.exe
File created | C:\Windows\SysWOW64\Bpkebm32.dll | Oiebej32.exe
File opened for modification | C:\Windows\SysWOW64\Cephoibi.exe | Process not Found
File created | C:\Windows\SysWOW64\Epbhdi32.exe | Process not Found
File created | C:\Windows\SysWOW64\Bjphff32.exe | Ajnlqgfo.exe
File opened for modification | C:\Windows\SysWOW64\Bgbemjqh.exe | Anjqdd32.exe
File opened for modification | C:\Windows\SysWOW64\Jakhckdb.exe | Jjapfamf.exe
File created | C:\Windows\SysWOW64\Ojhaie32.dll | Godcgcca.exe
File opened for modification | C:\Windows\SysWOW64\Oomlcp32.exe | Oaikjl32.exe
File opened for modification | C:\Windows\SysWOW64\Ipjcpi32.exe | Process not Found
File created | C:\Windows\SysWOW64\Lojfehcp.dll | Process not Found
File created | C:\Windows\SysWOW64\Ldomnfok.exe | Process not Found
File created | C:\Windows\SysWOW64\Fdjdjkhn.dll | Cjdonndl.exe
File opened for modification | C:\Windows\SysWOW64\Cgdggg32.exe | Cjpgnbol.exe
File opened for modification | C:\Windows\SysWOW64\Afhgkg32.exe | Aidfacjf.exe
File opened for modification | C:\Windows\SysWOW64\Piqcpicd.exe | Pfbgdndp.exe
File opened for modification | C:\Windows\SysWOW64\Bijobb32.exe | Bpajjmon.exe
File created | C:\Windows\SysWOW64\Opqkkb32.dll | Jlgcqp32.exe
File created | C:\Windows\SysWOW64\Okakbm32.dll | Nfhcmkkg.exe
File created | C:\Windows\SysWOW64\Nflgojaf.dll | Process not Found
File created | C:\Windows\SysWOW64\Lealkh32.dll | Process not Found
File created | C:\Windows\SysWOW64\Okhboc32.exe | Oaonfncb.exe
File opened for modification | C:\Windows\SysWOW64\Okhboc32.exe | Oaonfncb.exe
File created | C:\Windows\SysWOW64\Dhnlfhhj.dll | Digfil32.exe
File opened for modification | C:\Windows\SysWOW64\Hpknlm32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Hdjnje32.exe | Hidjml32.exe
File opened for modification | C:\Windows\SysWOW64\Ldhfcgea.exe | Lolmjpfj.exe
File created | C:\Windows\SysWOW64\Jljfdo32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Bmhncg32.exe | Bfoffmhd.exe
File created | C:\Windows\SysWOW64\Debcjiod.exe | Djmpmppn.exe
File created | C:\Windows\SysWOW64\Afhgkg32.exe | Aidfacjf.exe
File created | C:\Windows\SysWOW64\Egdepppi.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Dkojlc32.exe | Process not Found
File created | C:\Windows\SysWOW64\Cknkhbgd.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Nnboonmb.exe | Mnnecoah.exe
File created | C:\Windows\SysWOW64\Epfnkk32.exe | Epdafl32.exe
File opened for modification | C:\Windows\SysWOW64\Ndhpiapi.exe | Mbgggf32.exe
File opened for modification | C:\Windows\SysWOW64\Oeaoncjj.exe | Obpflhmi.exe
File created | C:\Windows\SysWOW64\Aeifogee.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Moecghdl.exe | Mhkkjnmo.exe
File created | C:\Windows\SysWOW64\Dkfqcd32.dll | Ajnlqgfo.exe
File created | C:\Windows\SysWOW64\Opkkah32.dll | Apflic32.exe
File created | C:\Windows\SysWOW64\Igilbi32.exe | Process not Found
File created | C:\Windows\SysWOW64\Dldndf32.exe | Dfhial32.exe
File created | C:\Windows\SysWOW64\Fpepif32.dll | Oodhca32.exe
File created | C:\Windows\SysWOW64\Lbeonhhj.exe | Process not Found
File created | C:\Windows\SysWOW64\Debmplbf.dll | Gaghcjhd.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3756 | 3796 | Process not Found | 1478
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhfniekh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pflpecpa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ogigpllh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbjeao32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epkhfkco.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eibdkb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pnebgcqb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dqjghb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bdnmda32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njhhiiok.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Joblme32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Biobkamk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dlpdifda.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmipmlan.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fefnmdfo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mqcnjnol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkmffegm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cilkjn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jijbnppi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idabbpgj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oiebej32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilbnfmhd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Keadoe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lchpeebo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jnfhoi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlifie32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Feaeni32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjdoeibg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bdmflh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Namebk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llefld32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhjcgccc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gnldhf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkgbkp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ciqdenjh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gphokhco.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Olqkapoa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbkcej32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gjjlfjoo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcnmjf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejmgjf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmehlibq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cipaqqli.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3936 | Process not Found
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ajmihn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jpkbfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gphokhco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aipbidbj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Joijpo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aplppela.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bglhcihn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gmlokdgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okakbm32.dll" | Nfhcmkkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eafmng32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pagfag32.dll" | Nhnjlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eenemh32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Plpgqc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Algjpenp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nmjknb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Emmnch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gdklje32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gfdcdi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mplcca32.dll" | Geoegm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Njeikpij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Odcmagip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hblidd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cgicko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhjfn32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnckabmd.dll" | Idgmch32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jgmnhojl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nocima32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plgfigda.dll" | Bkapla32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gfadeaho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aopcnbfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Onmkhlph.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjjknmn.dll" | Cgicko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lpfdpmho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agijhcjc.dll" | Jgeoda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nnccpo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pkalbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oldajoho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ioibde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogkali32.dll" | Klgeih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kpjjcohd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnaoa32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Effdef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qbpnjn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hddjcbfh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iihhmhng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llgade32.dll" | Bbhikcpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cojlfckj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mkdhlh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eklgjbca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgellb32.dll" | Pmkjog32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f.exe (command line: "C:\Users\Admin\AppData\Local\Temp\270050a3611dc5d374603f7e488a62e2f2be7aeef63a36a57e8839a3c9583b6f.exe", level 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Qnpbbn32.exe (command line: C:\Windows\system32\Qnpbbn32.exe, level 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Aiegpg32.exe (command line: C:\Windows\system32\Aiegpg32.exe, level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Aapkdi32.exe (command line: C:\Windows\system32\Aapkdi32.exe, level 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Ajmihn32.exe (command line: C:\Windows\system32\Ajmihn32.exe, level 5)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Biecoj32.exe (command line: C:\Windows\system32\Biecoj32.exe, level 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Bbpdmp32.exe (command line: C:\Windows\system32\Bbpdmp32.exe, level 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Boiagp32.exe (command line: C:\Windows\system32\Boiagp32.exe, level 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Cjdonndl.exe (command line: C:\Windows\system32\Cjdonndl.exe, level 9)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Ddgcdjip.exe (command line: C:\Windows\system32\Ddgcdjip.exe, level 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Dqqqokla.exe (command line: C:\Windows\system32\Dqqqokla.exe, level 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Egobfdpi.exe (command line: C:\Windows\system32\Egobfdpi.exe, level 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Ebkpma32.exe (command line: C:\Windows\system32\Ebkpma32.exe, level 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Ebnlba32.exe (command line: C:\Windows\system32\Ebnlba32.exe, level 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Flkjffkm.exe (command line: C:\Windows\system32\Flkjffkm.exe, level 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Fmnccn32.exe (command line: C:\Windows\system32\Fmnccn32.exe, level 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Gaoiol32.exe (command line: C:\Windows\system32\Gaoiol32.exe, level 17)
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Gpfbfh32.exe (command line: C:\Windows\system32\Gpfbfh32.exe, level 18)
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Gphokhco.exe (command line: C:\Windows\system32\Gphokhco.exe, level 19)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Hdjedk32.exe (command line: C:\Windows\system32\Hdjedk32.exe, level 20)
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Hhhmki32.exe (command line: C:\Windows\system32\Hhhmki32.exe, level 21)
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Icidlf32.exe (command line: C:\Windows\system32\Icidlf32.exe, level 22)
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Ilaieljl.exe (command line: C:\Windows\system32\Ilaieljl.exe, level 23)
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Ihmcelkk.exe (command line: C:\Windows\system32\Ihmcelkk.exe, level 24)
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Injlmcib.exe (command line: C:\Windows\system32\Injlmcib.exe, level 25)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Jjcigcmd.exe (command line: C:\Windows\system32\Jjcigcmd.exe, level 26)
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Jjefmc32.exe (command line: C:\Windows\system32\Jjefmc32.exe, level 27)
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Jijbnppi.exe (command line: C:\Windows\system32\Jijbnppi.exe, level 28)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\Jbbgge32.exe (command line: C:\Windows\system32\Jbbgge32.exe, level 29)
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Kbgqbdbd.exe (command line: C:\Windows\system32\Kbgqbdbd.exe, level 30)
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Kkpekjie.exe (command line: C:\Windows\system32\Kkpekjie.exe, level 31)
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Kamncagl.exe (command line: C:\Windows\system32\Kamncagl.exe, level 32)
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Kjeblf32.exe (command line: C:\Windows\system32\Kjeblf32.exe, level 33)
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Knckbe32.exe (command line: C:\Windows\system32\Knckbe32.exe, level 34)
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Ljjkgfig.exe (command line: C:\Windows\system32\Ljjkgfig.exe, level 35)
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Lpfdpmho.exe (command line: C:\Windows\system32\Lpfdpmho.exe, level 36)
- Executes dropped EXE
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Ljlhme32.exe (command line: C:\Windows\system32\Ljlhme32.exe, level 37)
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Liaenblm.exe (command line: C:\Windows\system32\Liaenblm.exe, level 38)
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Lfeegfkf.exe (command line: C:\Windows\system32\Lfeegfkf.exe, level 39)
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Lopjlh32.exe (command line: C:\Windows\system32\Lopjlh32.exe, level 40)
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Lppgfkpd.exe (command line: C:\Windows\system32\Lppgfkpd.exe, level 41)
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Mhkkjnmo.exe (command line: C:\Windows\system32\Mhkkjnmo.exe, level 42)
- Executes dropped EXE
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Moecghdl.exe (command line: C:\Windows\system32\Moecghdl.exe, level 43)
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Mkldli32.exe (command line: C:\Windows\system32\Mkldli32.exe, level 44)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Meaiia32.exe (command line: C:\Windows\system32\Meaiia32.exe, level 45)
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Mahinb32.exe (command line: C:\Windows\system32\Mahinb32.exe, level 46)
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Mgebfi32.exe (command line: C:\Windows\system32\Mgebfi32.exe, level 47)
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Mmojcceo.exe (command line: C:\Windows\system32\Mmojcceo.exe, level 48)
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Mclbkjcf.exe (command line: C:\Windows\system32\Mclbkjcf.exe, level 49)
PID:2080 -
C:\Windows\SysWOW64\Nppceo32.exe (command line: C:\Windows\system32\Nppceo32.exe, level 50)
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Nlfdjphd.exe (command line: C:\Windows\system32\Nlfdjphd.exe, level 51)
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Nijdcdgn.exe (command line: C:\Windows\system32\Nijdcdgn.exe, level 52)
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Nogmkk32.exe (command line: C:\Windows\system32\Nogmkk32.exe, level 53)
- Executes dropped EXE
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Noiiaj32.exe (command line: C:\Windows\system32\Noiiaj32.exe, level 54)
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Nlmjjo32.exe (command line: C:\Windows\system32\Nlmjjo32.exe, level 55)
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Ndhooaog.exe (command line: C:\Windows\system32\Ndhooaog.exe, level 56)
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Onacgf32.exe (command line: C:\Windows\system32\Onacgf32.exe, level 57)
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Ogigpllh.exe (command line: C:\Windows\system32\Ogigpllh.exe, level 58)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Oncpmf32.exe (command line: C:\Windows\system32\Oncpmf32.exe, level 59)
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Okgpfjbo.exe (command line: C:\Windows\system32\Okgpfjbo.exe, level 60)
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Odpeop32.exe (command line: C:\Windows\system32\Odpeop32.exe, level 61)
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Oqfeda32.exe (command line: C:\Windows\system32\Oqfeda32.exe, level 62)
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Ohajic32.exe (command line: C:\Windows\system32\Ohajic32.exe, level 63)
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Pbjoaibo.exe (command line: C:\Windows\system32\Pbjoaibo.exe, level 64)
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Pkbcjn32.exe (command line: C:\Windows\system32\Pkbcjn32.exe, level 65)
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Pmbpda32.exe (command line: C:\Windows\system32\Pmbpda32.exe, level 66)
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Pfjdmggb.exe (command line: C:\Windows\system32\Pfjdmggb.exe, level 67)
PID:872 -
C:\Windows\SysWOW64\Piipibff.exe (command line: C:\Windows\system32\Piipibff.exe, level 68)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:636 -
C:\Windows\SysWOW64\Pneiaidn.exe (command line: C:\Windows\system32\Pneiaidn.exe, level 69)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1804 -
C:\Windows\SysWOW64\Peoanckj.exe (command line: C:\Windows\system32\Peoanckj.exe, level 70)
PID:2212 -
C:\Windows\SysWOW64\Pafacd32.exe (command line: C:\Windows\system32\Pafacd32.exe, level 71)
PID:112 -
C:\Windows\SysWOW64\Qjofljho.exe (command line: C:\Windows\system32\Qjofljho.exe, level 72)
PID:2268 -
C:\Windows\SysWOW64\Qahnid32.exe (command line: C:\Windows\system32\Qahnid32.exe, level 73)
PID:2784 -
C:\Windows\SysWOW64\Qfegakmc.exe (command line: C:\Windows\system32\Qfegakmc.exe, level 74)
PID:2740 -
C:\Windows\SysWOW64\Qcigjolm.exe (command line: C:\Windows\system32\Qcigjolm.exe, level 75)
PID:764 -
C:\Windows\SysWOW64\Aimfcedl.exe (command line: C:\Windows\system32\Aimfcedl.exe, level 76)
PID:2584 -
C:\Windows\SysWOW64\Aipbidbj.exe (command line: C:\Windows\system32\Aipbidbj.exe, level 77)
- Drops file in System32 directory
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Behpcefk.exe (command line: C:\Windows\system32\Behpcefk.exe, level 78)
PID:1080 -
C:\Windows\SysWOW64\Bfjmkn32.exe (command line: C:\Windows\system32\Bfjmkn32.exe, level 79)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1860 -
C:\Windows\SysWOW64\Bdnmda32.exe (command line: C:\Windows\system32\Bdnmda32.exe, level 80)
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Baannfim.exe (command line: C:\Windows\system32\Baannfim.exe, level 81)
PID:1692 -
C:\Windows\SysWOW64\Bfoffmhd.exe (command line: C:\Windows\system32\Bfoffmhd.exe, level 82)
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Bmhncg32.exe (command line: C:\Windows\system32\Bmhncg32.exe, level 83)
PID:1392 -
C:\Windows\SysWOW64\Cpigeblb.exe (command line: C:\Windows\system32\Cpigeblb.exe, level 84)
PID:1120 -
C:\Windows\SysWOW64\Cefpmiji.exe (command line: C:\Windows\system32\Cefpmiji.exe, level 85)
PID:1268 -
C:\Windows\SysWOW64\Condfo32.exe (command line: C:\Windows\system32\Condfo32.exe, level 86)
PID:1332 -
C:\Windows\SysWOW64\Cidhcg32.exe (command line: C:\Windows\system32\Cidhcg32.exe, level 87)
PID:2016 -
C:\Windows\SysWOW64\Cclmlm32.exe (command line: C:\Windows\system32\Cclmlm32.exe, level 88)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Cleaebna.exe (command line: C:\Windows\system32\Cleaebna.exe, level 89)
PID:1652 -
C:\Windows\SysWOW64\Caajmilh.exe (command line: C:\Windows\system32\Caajmilh.exe, level 90)
PID:2220 -
C:\Windows\SysWOW64\Ckjnfobi.exe (command line: C:\Windows\system32\Ckjnfobi.exe, level 91)
PID:2976 -
C:\Windows\SysWOW64\Cadfbi32.exe (command line: C:\Windows\system32\Cadfbi32.exe, level 92)
PID:2612 -
C:\Windows\SysWOW64\Dhnoocab.exe (command line: C:\Windows\system32\Dhnoocab.exe, level 93)
PID:2640 -
C:\Windows\SysWOW64\Dcgppana.exe (command line: C:\Windows\system32\Dcgppana.exe, level 94)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3068 -
C:\Windows\SysWOW64\Dlpdifda.exe (command line: C:\Windows\system32\Dlpdifda.exe, level 95)
- System Location Discovery: System Language Discovery
PID:616 -
C:\Windows\SysWOW64\Dfhial32.exe (command line: C:\Windows\system32\Dfhial32.exe, level 96)
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Dldndf32.exe (command line: C:\Windows\system32\Dldndf32.exe, level 97)
PID:1060 -
C:\Windows\SysWOW64\Ekjjebed.exe (command line: C:\Windows\system32\Ekjjebed.exe, level 98)
PID:1604 -
C:\Windows\SysWOW64\Efoobkej.exe (command line: C:\Windows\system32\Efoobkej.exe, level 99)
PID:2180 -
C:\Windows\SysWOW64\Eklgjbca.exe (command line: C:\Windows\system32\Eklgjbca.exe, level 100)
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Eddlcgjb.exe (command line: C:\Windows\system32\Eddlcgjb.exe, level 101)
PID:1476 -
C:\Windows\SysWOW64\Eqklhh32.exe (command line: C:\Windows\system32\Eqklhh32.exe, level 102)
PID:2064 -
C:\Windows\SysWOW64\Ebkibk32.exe (command line: C:\Windows\system32\Ebkibk32.exe, level 103)
PID:1104 -
C:\Windows\SysWOW64\Enajgllm.exe (command line: C:\Windows\system32\Enajgllm.exe, level 104)
PID:2292 -
C:\Windows\SysWOW64\Fcqoec32.exe (command line: C:\Windows\system32\Fcqoec32.exe, level 105)
PID:1708 -
C:\Windows\SysWOW64\Fqdong32.exe (command line: C:\Windows\system32\Fqdong32.exe, level 106)
PID:2816 -
C:\Windows\SysWOW64\Fbflfomj.exe (command line: C:\Windows\system32\Fbflfomj.exe, level 107)
PID:696 -
C:\Windows\SysWOW64\Fibqhibd.exe (command line: C:\Windows\system32\Fibqhibd.exe, level 108)
PID:2700 -
C:\Windows\SysWOW64\Fbjeao32.exe (command line: C:\Windows\system32\Fbjeao32.exe, level 109)
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\Fhgnie32.exe (command line: C:\Windows\system32\Fhgnie32.exe, level 110)
PID:2864 -
C:\Windows\SysWOW64\Gapbbk32.exe (command line: C:\Windows\system32\Gapbbk32.exe, level 111)
PID:1716 -
C:\Windows\SysWOW64\Genkhidc.exe (command line: C:\Windows\system32\Genkhidc.exe, level 112)
PID:1100 -
C:\Windows\SysWOW64\Gmipmlan.exe (command line: C:\Windows\system32\Gmipmlan.exe, level 113)
- System Location Discovery: System Language Discovery
PID:1852 -
C:\Windows\SysWOW64\Gfadeaho.exe (command line: C:\Windows\system32\Gfadeaho.exe, level 114)
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Gaghcjhd.exe (command line: C:\Windows\system32\Gaghcjhd.exe, level 115)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Gmmihk32.exe (command line: C:\Windows\system32\Gmmihk32.exe, level 116)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:432 -
C:\Windows\SysWOW64\Hidjml32.exe (command line: C:\Windows\system32\Hidjml32.exe, level 117)
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Hdjnje32.exe (command line: C:\Windows\system32\Hdjnje32.exe, level 118)
PID:2720 -
C:\Windows\SysWOW64\Hmbbcjic.exe (command line: C:\Windows\system32\Hmbbcjic.exe, level 119)
PID:2840 -
C:\Windows\SysWOW64\Hoflpbmo.exe (command line: C:\Windows\system32\Hoflpbmo.exe, level 120)
PID:2616 -
C:\Windows\SysWOW64\Hhnpih32.exe (command line: C:\Windows\system32\Hhnpih32.exe, level 121)
PID:940 -
C:\Windows\SysWOW64\Hinlck32.exe (command line: C:\Windows\system32\Hinlck32.exe, level 122)
PID:1780