Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
10/11/2024, 15:57
Static task
static1
Behavioral task
behavioral1
Sample
3659e42f2cd27f7339a5a51acb110a5ad9eb62625916573c54620c75068ff23eN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
3659e42f2cd27f7339a5a51acb110a5ad9eb62625916573c54620c75068ff23eN.exe
Resource
win10v2004-20241007-en
General
-
Target
3659e42f2cd27f7339a5a51acb110a5ad9eb62625916573c54620c75068ff23eN.exe
-
Size
128KB
-
MD5
a076e65b46dd6b5e68760252a7d15720
-
SHA1
6d5d8f359af63de7a7942ed74acc6987471d5ffb
-
SHA256
3659e42f2cd27f7339a5a51acb110a5ad9eb62625916573c54620c75068ff23e
-
SHA512
e72f589333636d3697717877dda30da87d74a0260b9c68d980a025a7971362519b5571f30b31618ab4774ce4b4577e6d2bd4ae80899591b6b387cc061a0d0a4f
-
SSDEEP
3072:vMubyHJxeZ4iQw5z3ypC1wu3FQo7fnEBctcp:vMytZ4oCwmu3FF7fPtc
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfjcgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bffgbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmhcgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flnpoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbmnfajm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnbeacbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgmiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obilip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Necandjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbflfomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Degage32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfookk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhfgokap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plljbkml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cqneaodd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfmoidh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cappnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iofiimkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmakd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkepdbkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocpfmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhiodnob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elbmkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cifdmbib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofhdidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peakkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcmadj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmpfgklo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glgqlkdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhonegbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liohhbno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjblcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ablmilgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adppdckh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfeec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknmplji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gncblo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqekin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbiamm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghcmedmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibqmen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlpofh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhpmhgbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgfdjfkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqheei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oheieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hejcggee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opkndldc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjkneb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afoqbpid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgnie32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1692 Olkjaflh.exe 2968 Odfofhic.exe 2032 Pdkhag32.exe 2808 Pmfmej32.exe 2844 Pogegeoj.exe 2424 Pcenmcea.exe 2868 Polobd32.exe 932 Qidckjae.exe 2304 Qgiplffm.exe 1984 Qqbeel32.exe 2368 Akjfhdka.exe 2024 Aebjaj32.exe 1880 Aidpjm32.exe 2428 Bleilh32.exe 2260 Blgeahoo.exe 2168 Bepjjn32.exe 2692 Bhpclica.exe 1684 Bhbpahan.exe 2460 Bdipfi32.exe 880 Cooddbfh.exe 1284 Cppakj32.exe 2028 Capmemci.exe 1592 Cdqfgh32.exe 1028 Cllkkk32.exe 1756 Cgaoic32.exe 2616 Dakpiajj.exe 2272 Dhgelk32.exe 2988 Ddnfql32.exe 2932 Dnfjiali.exe 2144 Dhlogjko.exe 2940 Dgalhgpg.exe 2892 Epipql32.exe 1836 Effhic32.exe 2324 Elbmkm32.exe 1392 Ejfnda32.exe 3068 Ecobmg32.exe 2112 Eoecbheg.exe 2300 Gllpflng.exe 548 Gfdaid32.exe 2412 Gjffbhnj.exe 1260 Gdnkkmej.exe 2232 Habkeacd.exe 840 Hadhjaaa.exe 2132 Hpjeknfi.exe 1704 Hmneebeb.exe 2600 Hbknmicj.exe 1536 Hpoofm32.exe 1436 Iekgod32.exe 1736 Ipaklm32.exe 1808 Ilhlan32.exe 3048 Ibadnhmb.exe 1824 Ihnmfoli.exe 2876 Iagaod32.exe 3060 Igcjgk32.exe 2364 Iplnpq32.exe 2748 Jkabmi32.exe 1856 Jpnkep32.exe 944 Jghcbjll.exe 3024 Jdlclo32.exe 580 Jjilde32.exe 2372 Jcaqmkpn.exe 2220 Jhniebne.exe 1596 Jafmngde.exe 720 Jojnglco.exe -
Loads dropped DLL 64 IoCs
pid Process 2528 3659e42f2cd27f7339a5a51acb110a5ad9eb62625916573c54620c75068ff23eN.exe 2528 3659e42f2cd27f7339a5a51acb110a5ad9eb62625916573c54620c75068ff23eN.exe 1692 Olkjaflh.exe 1692 Olkjaflh.exe 2968 Odfofhic.exe 2968 Odfofhic.exe 2032 Pdkhag32.exe 2032 Pdkhag32.exe 2808 Pmfmej32.exe 2808 Pmfmej32.exe 2844 Pogegeoj.exe 2844 Pogegeoj.exe 2424 Pcenmcea.exe 2424 Pcenmcea.exe 2868 Polobd32.exe 2868 Polobd32.exe 932 Qidckjae.exe 932 Qidckjae.exe 2304 Qgiplffm.exe 2304 Qgiplffm.exe 1984 Qqbeel32.exe 1984 Qqbeel32.exe 2368 Akjfhdka.exe 2368 Akjfhdka.exe 2024 Aebjaj32.exe 2024 Aebjaj32.exe 1880 Aidpjm32.exe 1880 Aidpjm32.exe 2428 Bleilh32.exe 2428 Bleilh32.exe 2260 Blgeahoo.exe 2260 Blgeahoo.exe 2168 Bepjjn32.exe 2168 Bepjjn32.exe 2692 Bhpclica.exe 2692 Bhpclica.exe 1684 Bhbpahan.exe 1684 Bhbpahan.exe 2460 Bdipfi32.exe 2460 Bdipfi32.exe 880 Cooddbfh.exe 880 Cooddbfh.exe 1284 Cppakj32.exe 1284 Cppakj32.exe 2028 Capmemci.exe 2028 Capmemci.exe 1592 Cdqfgh32.exe 1592 Cdqfgh32.exe 1028 Cllkkk32.exe 1028 Cllkkk32.exe 1756 Cgaoic32.exe 1756 Cgaoic32.exe 2916 Dooqceid.exe 2916 Dooqceid.exe 2272 Dhgelk32.exe 2272 Dhgelk32.exe 2988 Ddnfql32.exe 2988 Ddnfql32.exe 2932 Dnfjiali.exe 2932 Dnfjiali.exe 2144 Dhlogjko.exe 2144 Dhlogjko.exe 2940 Dgalhgpg.exe 2940 Dgalhgpg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Chfkjibh.dll Jfiekc32.exe File created C:\Windows\SysWOW64\Pbacpl32.dll Cfpgee32.exe File opened for modification C:\Windows\SysWOW64\Imenpfap.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bfkakbpp.exe Boainhic.exe File created C:\Windows\SysWOW64\Ldedlfhl.exe Process not Found File created C:\Windows\SysWOW64\Jojnglco.exe Jafmngde.exe File opened for modification C:\Windows\SysWOW64\Nlfmoidh.exe Noalfe32.exe File opened for modification C:\Windows\SysWOW64\Ogfagmck.exe Nnnmoh32.exe File opened for modification C:\Windows\SysWOW64\Mknaahhn.exe Mmjqhd32.exe File created C:\Windows\SysWOW64\Qpgfhg32.dll Opoocb32.exe File opened for modification C:\Windows\SysWOW64\Lbffga32.exe Llmnjg32.exe File created C:\Windows\SysWOW64\Obonid32.dll Process not Found File created C:\Windows\SysWOW64\Hpjeknfi.exe Hadhjaaa.exe File opened for modification C:\Windows\SysWOW64\Fpdqlkhe.exe Fncddc32.exe File opened for modification C:\Windows\SysWOW64\Gbolce32.exe Feklja32.exe File created C:\Windows\SysWOW64\Aoedch32.exe Process not Found File created C:\Windows\SysWOW64\Jlaqba32.exe Process not Found File created C:\Windows\SysWOW64\Opghmjfg.exe Process not Found File created C:\Windows\SysWOW64\Mpbgcj32.dll Dpdpkfga.exe File created C:\Windows\SysWOW64\Mmdigbbj.dll Fijolbfh.exe File created C:\Windows\SysWOW64\Kkpekjie.exe Knldaf32.exe File opened for modification C:\Windows\SysWOW64\Hcdkagga.exe Hobfgcdb.exe File created C:\Windows\SysWOW64\Eoalpaaa.exe Egfglocf.exe File created C:\Windows\SysWOW64\Qlbphm32.dll Alknnodh.exe File created C:\Windows\SysWOW64\Dicmlpje.exe Dkolblkk.exe File created C:\Windows\SysWOW64\Janjolde.dll Process not Found File created C:\Windows\SysWOW64\Kkfjpemb.exe Kopikdgn.exe File created C:\Windows\SysWOW64\Mjeholco.exe Majdkifd.exe File opened for modification C:\Windows\SysWOW64\Khgnff32.exe Process not Found File created C:\Windows\SysWOW64\Ioochn32.exe Iiekkdjo.exe File created C:\Windows\SysWOW64\Fibjphfe.dll Process not Found File created C:\Windows\SysWOW64\Nkmkgc32.exe Njlopkmg.exe File opened for modification C:\Windows\SysWOW64\Jqonjmbn.exe Jggiah32.exe File created C:\Windows\SysWOW64\Fkkmoo32.exe Ffndghdj.exe File opened for modification C:\Windows\SysWOW64\Hqmmja32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nnknqpgi.exe Nqgngk32.exe File opened for modification C:\Windows\SysWOW64\Cmjoaofc.exe Cfpgee32.exe File created C:\Windows\SysWOW64\Hjpnjheg.exe Hdcebagp.exe File created C:\Windows\SysWOW64\Gfadeaho.exe Gmipmlan.exe File opened for modification C:\Windows\SysWOW64\Ajddik32.exe Process not Found File created C:\Windows\SysWOW64\Abdpfmcb.dll Ohhcokmp.exe File created C:\Windows\SysWOW64\Mchjjo32.dll Pikaqppk.exe File created C:\Windows\SysWOW64\Edimlq32.dll Elpnmhgh.exe File opened for modification C:\Windows\SysWOW64\Mcfpmlll.exe Mgoohk32.exe File created C:\Windows\SysWOW64\Acgeldef.dll Mdfejn32.exe File created C:\Windows\SysWOW64\Ibmbdkmk.dll Process not Found File created C:\Windows\SysWOW64\Cpicpa32.dll Jhndcd32.exe File created C:\Windows\SysWOW64\Majdkifd.exe Mgdpnqfn.exe File created C:\Windows\SysWOW64\Dnbdblmp.dll Ccgahe32.exe File opened for modification C:\Windows\SysWOW64\Bkfqbgni.exe Process not Found File created C:\Windows\SysWOW64\Odnmkb32.exe Process not Found File created C:\Windows\SysWOW64\Moedaakj.dll Mqoocmcg.exe File created C:\Windows\SysWOW64\Calonbcf.dll Babbpc32.exe File created C:\Windows\SysWOW64\Aomghchl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kkmakd32.exe Kqgmnk32.exe File opened for modification C:\Windows\SysWOW64\Ibqmen32.exe Iihhmhng.exe File created C:\Windows\SysWOW64\Cjbccb32.exe Process not Found File created C:\Windows\SysWOW64\Jhacjq32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Peolmb32.exe Plfhdlfb.exe File created C:\Windows\SysWOW64\Gkiiie32.dll Gdbeqmag.exe File created C:\Windows\SysWOW64\Njqlopmg.dll Cgmiba32.exe File created C:\Windows\SysWOW64\Cbacjdbg.dll Process not Found File opened for modification C:\Windows\SysWOW64\Diljpn32.exe Process not Found File created C:\Windows\SysWOW64\Hidnidah.dll Ogbgbn32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capmemci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oolelj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oikeal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhpjfoji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njlopkmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bichbckg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klkjbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfonlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danohi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aellfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebmjihqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pphilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calgoken.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efdohq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlbanfbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbmkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agebam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cifdmbib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpdficc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlqniihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aidpjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hamgno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhljlnma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndgfqlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhopfof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jollgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odpeop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egikle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdfief32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmobin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkookd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfbjjjci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjdjbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbiamm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Angklf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbhphie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgoohk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcmedmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnpcabef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekppjmia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjbpemb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpgmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kldofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakcan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhmfgdch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfffk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlgodgnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpjkgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opkndldc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Himkgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lahaqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehgbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjbnlqld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnhlcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfmccfm.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oobiclmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlmjcejp.dll" Gllpflng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghqchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njlopkmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbgcj32.dll" Dpdpkfga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmbclj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajbdpblo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnncii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjeace32.dll" Kdooij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhgpgjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjigh32.dll" Egbffj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdibpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmnqae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oobiclmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcclni32.dll" Odpeop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgoief32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnbggh32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omldapkm.dll" Oicbma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkegca32.dll" Bnkpjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kaihjbno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgbckhmc.dll" Nlcnaaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gchfgkcp.dll" Caomgjnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdhdcnng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpojcpcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acgkjoea.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghmohcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blocad32.dll" Amglij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoccdhpn.dll" Ckgapo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clcjjimp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gacgli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdlppf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdlclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkafib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paclje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiopaj32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alhaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjcekj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdbeqmag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aahoageo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neelhckg.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dglkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhaie32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abeghmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbcfflb.dll" Egfglocf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkemcm32.dll" Jffddfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmlleofb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cclkcdpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adppdckh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2528 wrote to memory of 1692 2528 3659e42f2cd27f7339a5a51acb110a5ad9eb62625916573c54620c75068ff23eN.exe 30 PID 2528 wrote to memory of 1692 2528 3659e42f2cd27f7339a5a51acb110a5ad9eb62625916573c54620c75068ff23eN.exe 30 PID 2528 wrote to memory of 1692 2528 3659e42f2cd27f7339a5a51acb110a5ad9eb62625916573c54620c75068ff23eN.exe 30 PID 2528 wrote to memory of 1692 2528 3659e42f2cd27f7339a5a51acb110a5ad9eb62625916573c54620c75068ff23eN.exe 30 PID 1692 wrote to memory of 2968 1692 Olkjaflh.exe 31 PID 1692 wrote to memory of 2968 1692 Olkjaflh.exe 31 PID 1692 wrote to memory of 2968 1692 Olkjaflh.exe 31 PID 1692 wrote to memory of 2968 1692 Olkjaflh.exe 31 PID 2968 wrote to memory of 2032 2968 Odfofhic.exe 32 PID 2968 wrote to memory of 2032 2968 Odfofhic.exe 32 PID 2968 wrote to memory of 2032 2968 Odfofhic.exe 32 PID 2968 wrote to memory of 2032 2968 Odfofhic.exe 32 PID 2032 wrote to memory of 2808 2032 Pdkhag32.exe 33 PID 2032 wrote to memory of 2808 2032 Pdkhag32.exe 33 PID 2032 wrote to memory of 2808 2032 Pdkhag32.exe 33 PID 2032 wrote to memory of 2808 2032 Pdkhag32.exe 33 PID 2808 wrote to memory of 2844 2808 Pmfmej32.exe 34 PID 2808 wrote to memory of 2844 2808 Pmfmej32.exe 34 PID 2808 wrote to memory of 2844 2808 Pmfmej32.exe 34 PID 2808 wrote to memory of 2844 2808 Pmfmej32.exe 34 PID 2844 wrote to memory of 2424 2844 Pogegeoj.exe 35 PID 2844 wrote to memory of 2424 2844 Pogegeoj.exe 35 PID 2844 wrote to memory of 2424 2844 Pogegeoj.exe 35 PID 2844 wrote to memory of 2424 2844 Pogegeoj.exe 35 PID 2424 wrote to memory of 2868 2424 Pcenmcea.exe 36 PID 2424 wrote to memory of 2868 2424 Pcenmcea.exe 36 PID 2424 wrote to memory of 2868 2424 Pcenmcea.exe 36 PID 2424 wrote to memory of 2868 2424 Pcenmcea.exe 36 PID 2868 wrote to memory of 932 2868 Polobd32.exe 37 PID 2868 wrote to memory of 932 2868 Polobd32.exe 37 PID 2868 wrote to memory of 932 2868 Polobd32.exe 37 PID 2868 wrote to memory of 932 2868 Polobd32.exe 37 PID 932 wrote to memory of 2304 932 Qidckjae.exe 38 PID 932 wrote to memory of 2304 932 Qidckjae.exe 38 PID 932 wrote to memory of 2304 932 Qidckjae.exe 38 PID 932 wrote to memory of 2304 932 Qidckjae.exe 38 PID 2304 wrote to memory of 1984 2304 Qgiplffm.exe 39 PID 2304 wrote to memory of 1984 2304 Qgiplffm.exe 39 PID 2304 wrote to memory of 1984 2304 Qgiplffm.exe 39 PID 2304 wrote to memory of 1984 2304 Qgiplffm.exe 39 PID 1984 wrote to memory of 2368 1984 Qqbeel32.exe 40 PID 1984 wrote to memory of 2368 1984 Qqbeel32.exe 40 PID 1984 wrote to memory of 2368 1984 Qqbeel32.exe 40 PID 1984 wrote to memory of 2368 1984 Qqbeel32.exe 40 PID 2368 wrote to memory of 2024 2368 Akjfhdka.exe 41 PID 2368 wrote to memory of 2024 2368 Akjfhdka.exe 41 PID 2368 wrote to memory of 2024 2368 Akjfhdka.exe 41 PID 2368 wrote to memory of 2024 2368 Akjfhdka.exe 41 PID 2024 wrote to memory of 1880 2024 Aebjaj32.exe 42 PID 2024 wrote to memory of 1880 2024 Aebjaj32.exe 42 PID 2024 wrote to memory of 1880 2024 Aebjaj32.exe 42 PID 2024 wrote to memory of 1880 2024 Aebjaj32.exe 42 PID 1880 wrote to memory of 2428 1880 Aidpjm32.exe 43 PID 1880 wrote to memory of 2428 1880 Aidpjm32.exe 43 PID 1880 wrote to memory of 2428 1880 Aidpjm32.exe 43 PID 1880 wrote to memory of 2428 1880 Aidpjm32.exe 43 PID 2428 wrote to memory of 2260 2428 Bleilh32.exe 44 PID 2428 wrote to memory of 2260 2428 Bleilh32.exe 44 PID 2428 wrote to memory of 2260 2428 Bleilh32.exe 44 PID 2428 wrote to memory of 2260 2428 Bleilh32.exe 44 PID 2260 wrote to memory of 2168 2260 Blgeahoo.exe 45 PID 2260 wrote to memory of 2168 2260 Blgeahoo.exe 45 PID 2260 wrote to memory of 2168 2260 Blgeahoo.exe 45 PID 2260 wrote to memory of 2168 2260 Blgeahoo.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3659e42f2cd27f7339a5a51acb110a5ad9eb62625916573c54620c75068ff23eN.exe"C:\Users\Admin\AppData\Local\Temp\3659e42f2cd27f7339a5a51acb110a5ad9eb62625916573c54620c75068ff23eN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Olkjaflh.exeC:\Windows\system32\Olkjaflh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Odfofhic.exeC:\Windows\system32\Odfofhic.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Pdkhag32.exeC:\Windows\system32\Pdkhag32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Pmfmej32.exeC:\Windows\system32\Pmfmej32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Pogegeoj.exeC:\Windows\system32\Pogegeoj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Pcenmcea.exeC:\Windows\system32\Pcenmcea.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Polobd32.exeC:\Windows\system32\Polobd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Qidckjae.exeC:\Windows\system32\Qidckjae.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Qgiplffm.exeC:\Windows\system32\Qgiplffm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Qqbeel32.exeC:\Windows\system32\Qqbeel32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Akjfhdka.exeC:\Windows\system32\Akjfhdka.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Aebjaj32.exeC:\Windows\system32\Aebjaj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Aidpjm32.exeC:\Windows\system32\Aidpjm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Bleilh32.exeC:\Windows\system32\Bleilh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Blgeahoo.exeC:\Windows\system32\Blgeahoo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Bepjjn32.exeC:\Windows\system32\Bepjjn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Bhpclica.exeC:\Windows\system32\Bhpclica.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Bhbpahan.exeC:\Windows\system32\Bhbpahan.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Bdipfi32.exeC:\Windows\system32\Bdipfi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Cooddbfh.exeC:\Windows\system32\Cooddbfh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880 -
C:\Windows\SysWOW64\Cppakj32.exeC:\Windows\system32\Cppakj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Capmemci.exeC:\Windows\system32\Capmemci.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Cdqfgh32.exeC:\Windows\system32\Cdqfgh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Cllkkk32.exeC:\Windows\system32\Cllkkk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Cgaoic32.exeC:\Windows\system32\Cgaoic32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Dakpiajj.exeC:\Windows\system32\Dakpiajj.exe27⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Dooqceid.exeC:\Windows\system32\Dooqceid.exe28⤵
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Dhgelk32.exeC:\Windows\system32\Dhgelk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Ddnfql32.exeC:\Windows\system32\Ddnfql32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Dnfjiali.exeC:\Windows\system32\Dnfjiali.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Dhlogjko.exeC:\Windows\system32\Dhlogjko.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Dgalhgpg.exeC:\Windows\system32\Dgalhgpg.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Epipql32.exeC:\Windows\system32\Epipql32.exe34⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Effhic32.exeC:\Windows\system32\Effhic32.exe35⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Elbmkm32.exeC:\Windows\system32\Elbmkm32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Ejfnda32.exeC:\Windows\system32\Ejfnda32.exe37⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Ecobmg32.exeC:\Windows\system32\Ecobmg32.exe38⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Eoecbheg.exeC:\Windows\system32\Eoecbheg.exe39⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Gllpflng.exeC:\Windows\system32\Gllpflng.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Gfdaid32.exeC:\Windows\system32\Gfdaid32.exe41⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Gjffbhnj.exeC:\Windows\system32\Gjffbhnj.exe42⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Gdnkkmej.exeC:\Windows\system32\Gdnkkmej.exe43⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Habkeacd.exeC:\Windows\system32\Habkeacd.exe44⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Hadhjaaa.exeC:\Windows\system32\Hadhjaaa.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:840 -
C:\Windows\SysWOW64\Hpjeknfi.exeC:\Windows\system32\Hpjeknfi.exe46⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Hmneebeb.exeC:\Windows\system32\Hmneebeb.exe47⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Hbknmicj.exeC:\Windows\system32\Hbknmicj.exe48⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Hpoofm32.exeC:\Windows\system32\Hpoofm32.exe49⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Iekgod32.exeC:\Windows\system32\Iekgod32.exe50⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Ipaklm32.exeC:\Windows\system32\Ipaklm32.exe51⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Ilhlan32.exeC:\Windows\system32\Ilhlan32.exe52⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Ibadnhmb.exeC:\Windows\system32\Ibadnhmb.exe53⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Ihnmfoli.exeC:\Windows\system32\Ihnmfoli.exe54⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Iagaod32.exeC:\Windows\system32\Iagaod32.exe55⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Igcjgk32.exeC:\Windows\system32\Igcjgk32.exe56⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Iplnpq32.exeC:\Windows\system32\Iplnpq32.exe57⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Jkabmi32.exeC:\Windows\system32\Jkabmi32.exe58⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Jpnkep32.exeC:\Windows\system32\Jpnkep32.exe59⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Jghcbjll.exeC:\Windows\system32\Jghcbjll.exe60⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Jdlclo32.exeC:\Windows\system32\Jdlclo32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe62⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Jcaqmkpn.exeC:\Windows\system32\Jcaqmkpn.exe63⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Jhniebne.exeC:\Windows\system32\Jhniebne.exe64⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Jafmngde.exeC:\Windows\system32\Jafmngde.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Jojnglco.exeC:\Windows\system32\Jojnglco.exe66⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Kfdfdf32.exeC:\Windows\system32\Kfdfdf32.exe67⤵PID:1280
-
C:\Windows\SysWOW64\Klonqpbi.exeC:\Windows\system32\Klonqpbi.exe68⤵PID:1648
-
C:\Windows\SysWOW64\Kdjceb32.exeC:\Windows\system32\Kdjceb32.exe69⤵PID:1668
-
C:\Windows\SysWOW64\Kkckblgq.exeC:\Windows\system32\Kkckblgq.exe70⤵PID:1036
-
C:\Windows\SysWOW64\Kbncof32.exeC:\Windows\system32\Kbncof32.exe71⤵PID:2620
-
C:\Windows\SysWOW64\Khglkqfj.exeC:\Windows\system32\Khglkqfj.exe72⤵PID:804
-
C:\Windows\SysWOW64\Kdnlpaln.exeC:\Windows\system32\Kdnlpaln.exe73⤵PID:1500
-
C:\Windows\SysWOW64\Kjkehhjf.exeC:\Windows\system32\Kjkehhjf.exe74⤵PID:2792
-
C:\Windows\SysWOW64\Kdqifajl.exeC:\Windows\system32\Kdqifajl.exe75⤵PID:2816
-
C:\Windows\SysWOW64\Kjnanhhc.exeC:\Windows\system32\Kjnanhhc.exe76⤵PID:1652
-
C:\Windows\SysWOW64\Lgabgl32.exeC:\Windows\system32\Lgabgl32.exe77⤵PID:1468
-
C:\Windows\SysWOW64\Lmnkpc32.exeC:\Windows\system32\Lmnkpc32.exe78⤵PID:2280
-
C:\Windows\SysWOW64\Lbkchj32.exeC:\Windows\system32\Lbkchj32.exe79⤵PID:1564
-
C:\Windows\SysWOW64\Liekddkh.exeC:\Windows\system32\Liekddkh.exe80⤵PID:2860
-
C:\Windows\SysWOW64\Lckpbm32.exeC:\Windows\system32\Lckpbm32.exe81⤵PID:2000
-
C:\Windows\SysWOW64\Lmcdkbao.exeC:\Windows\system32\Lmcdkbao.exe82⤵PID:2164
-
C:\Windows\SysWOW64\Lbplciof.exeC:\Windows\system32\Lbplciof.exe83⤵PID:2400
-
C:\Windows\SysWOW64\Lgmekpmn.exeC:\Windows\system32\Lgmekpmn.exe84⤵PID:2128
-
C:\Windows\SysWOW64\Laeidfdn.exeC:\Windows\system32\Laeidfdn.exe85⤵PID:1804
-
C:\Windows\SysWOW64\Mljnaocd.exeC:\Windows\system32\Mljnaocd.exe86⤵PID:1492
-
C:\Windows\SysWOW64\Mecbjd32.exeC:\Windows\system32\Mecbjd32.exe87⤵PID:1328
-
C:\Windows\SysWOW64\Mjpkbk32.exeC:\Windows\system32\Mjpkbk32.exe88⤵PID:2596
-
C:\Windows\SysWOW64\Mhckloge.exeC:\Windows\system32\Mhckloge.exe89⤵PID:2980
-
C:\Windows\SysWOW64\Mnncii32.exeC:\Windows\system32\Mnncii32.exe90⤵
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Mjddnjdf.exeC:\Windows\system32\Mjddnjdf.exe91⤵PID:2936
-
C:\Windows\SysWOW64\Manljd32.exeC:\Windows\system32\Manljd32.exe92⤵PID:644
-
C:\Windows\SysWOW64\Miiaogio.exeC:\Windows\system32\Miiaogio.exe93⤵PID:2416
-
C:\Windows\SysWOW64\Ndoelpid.exeC:\Windows\system32\Ndoelpid.exe94⤵PID:2960
-
C:\Windows\SysWOW64\Nepach32.exeC:\Windows\system32\Nepach32.exe95⤵PID:284
-
C:\Windows\SysWOW64\Nljjqbfp.exeC:\Windows\system32\Nljjqbfp.exe96⤵PID:1524
-
C:\Windows\SysWOW64\Nfpnnk32.exeC:\Windows\system32\Nfpnnk32.exe97⤵PID:2356
-
C:\Windows\SysWOW64\Nlmffa32.exeC:\Windows\system32\Nlmffa32.exe98⤵PID:892
-
C:\Windows\SysWOW64\Nhcgkbja.exeC:\Windows\system32\Nhcgkbja.exe99⤵PID:2064
-
C:\Windows\SysWOW64\Nbilhkig.exeC:\Windows\system32\Nbilhkig.exe100⤵PID:456
-
C:\Windows\SysWOW64\Nkdpmn32.exeC:\Windows\system32\Nkdpmn32.exe101⤵PID:1300
-
C:\Windows\SysWOW64\Nejdjf32.exeC:\Windows\system32\Nejdjf32.exe102⤵PID:1764
-
C:\Windows\SysWOW64\Oobiclmh.exeC:\Windows\system32\Oobiclmh.exe103⤵
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Opcejd32.exeC:\Windows\system32\Opcejd32.exe104⤵PID:3000
-
C:\Windows\SysWOW64\Ogmngn32.exeC:\Windows\system32\Ogmngn32.exe105⤵PID:3040
-
C:\Windows\SysWOW64\Oacbdg32.exeC:\Windows\system32\Oacbdg32.exe106⤵PID:2476
-
C:\Windows\SysWOW64\Okkfmmqj.exeC:\Windows\system32\Okkfmmqj.exe107⤵PID:2352
-
C:\Windows\SysWOW64\Ophoecoa.exeC:\Windows\system32\Ophoecoa.exe108⤵PID:2136
-
C:\Windows\SysWOW64\Ogbgbn32.exeC:\Windows\system32\Ogbgbn32.exe109⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Opjlkc32.exeC:\Windows\system32\Opjlkc32.exe110⤵PID:2152
-
C:\Windows\SysWOW64\Oegdcj32.exeC:\Windows\system32\Oegdcj32.exe111⤵PID:2004
-
C:\Windows\SysWOW64\Oophlpag.exeC:\Windows\system32\Oophlpag.exe112⤵PID:1788
-
C:\Windows\SysWOW64\Pngbcldl.exeC:\Windows\system32\Pngbcldl.exe113⤵PID:108
-
C:\Windows\SysWOW64\Pofomolo.exeC:\Windows\system32\Pofomolo.exe114⤵PID:772
-
C:\Windows\SysWOW64\Pqhkdg32.exeC:\Windows\system32\Pqhkdg32.exe115⤵PID:2244
-
C:\Windows\SysWOW64\Pjblcl32.exeC:\Windows\system32\Pjblcl32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2836 -
C:\Windows\SysWOW64\Qgfmlp32.exeC:\Windows\system32\Qgfmlp32.exe117⤵PID:1720
-
C:\Windows\SysWOW64\Qmcedg32.exeC:\Windows\system32\Qmcedg32.exe118⤵PID:2948
-
C:\Windows\SysWOW64\Qfljmmjl.exeC:\Windows\system32\Qfljmmjl.exe119⤵PID:3004
-
C:\Windows\SysWOW64\Aqanke32.exeC:\Windows\system32\Aqanke32.exe120⤵PID:2196
-
C:\Windows\SysWOW64\Acpjga32.exeC:\Windows\system32\Acpjga32.exe121⤵PID:2200
-
C:\Windows\SysWOW64\Amhopfof.exeC:\Windows\system32\Amhopfof.exe122⤵
- System Location Discovery: System Language Discovery
PID:1052
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-