Analysis

max time kernel: 115s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-09-2024 23:25

Static task: static1

Behavioral task: behavioral1
Sample: 37d2b33cf30674fba0c91bb7f78ebc3069b1f9f12296aaa6bd8c7bb8b630ff00N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 37d2b33cf30674fba0c91bb7f78ebc3069b1f9f12296aaa6bd8c7bb8b630ff00N.exe
Resource: win10v2004-20240802-en
General

Target: 37d2b33cf30674fba0c91bb7f78ebc3069b1f9f12296aaa6bd8c7bb8b630ff00N.exe
Size: 482KB
MD5: ba4af1ce52e2fe57ac0e85c52dcae8d0
SHA1: f3bf7a32e63f2b13507c46f605df0bbba4b43168
SHA256: 37d2b33cf30674fba0c91bb7f78ebc3069b1f9f12296aaa6bd8c7bb8b630ff00
SHA512: 33c829298fb7fc12fc00fb6559b03155ae164b11cc707a4d7cee7b69d256a6c9760148e617d49577291e37fb4fed69239562e271211fb6bb7cf0391475223621
SSDEEP: 6144:DbkrazpQXvH1Ll+wGXAF2PbgKLVGFM6234lKm3mo8Yvi4KsLTFM6234lKm3:GKmvVLMwGXAF5KLVGFB24lwR45FB24l
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cjpiam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bhfllo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Faonfo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amlgla32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Miliqf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Oaaplk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dnmhlhmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jjhjod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hmbmha32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcphnclo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oeblbo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlofac32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejjeoiaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jopabhna.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kejipb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkioed32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmpfaknd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fekkqi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmanfm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jfihfggd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pfmlmjed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kimlqp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdpaaf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojhgoqgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Oglhhefd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mlnnii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Llkjka32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqbblnqg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmkkjddg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olmdoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lbboge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bchece32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mjpamn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pbbnpj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpfjibig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Knbhkf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfchhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Egiofglj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fbgpneic.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dghodc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aeplle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ikhdmp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obbjkj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mqikidhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ipkbed32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhbmli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nifcak32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjican32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phggdc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdfjhe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljlfgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Phliiedg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dimcnojp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ijldiopl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlaffjhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hnjamm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ghcoda32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdehkjio.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpmoipdl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfakaile.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pgoemmkd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adohjhgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ipiepe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qiadia32.exe
Executes dropped EXE (64 IoCs)

pid | Process
3408 | Kdgbppbo.exe
2464 | Kehohh32.exe
1440 | Kmogieho.exe
2432 | Kpnceagc.exe
4884 | Ldpefojd.exe
4600 | Leabng32.exe
4100 | Limnoehk.exe
4228 | Llkjka32.exe
4568 | Lplpfo32.exe
4800 | Mdjhlmai.exe
1132 | Memajeee.exe
1712 | Mlgjfo32.exe
1280 | Mdnagm32.exe
1864 | Mcfkni32.exe
3208 | Medgjd32.exe
4960 | Nplhmmmp.exe
5024 | Ngfqjg32.exe
1472 | Ncmaohja.exe
768 | Nnebap32.exe
1824 | Oljocm32.exe
2976 | Oqjeok32.exe
2344 | Ogfjadfj.exe
1608 | Ogiffd32.exe
3140 | Pmhldk32.exe
696 | Pnghnm32.exe
1096 | Pcgmld32.exe
1368 | Qgdfbb32.exe
1452 | Qjeodmgk.exe
3000 | Agiomafe.exe
3324 | Aempffeo.exe
1632 | Aeplle32.exe
4880 | Aqfmafip.exe
4540 | Anmjpj32.exe
2380 | Bnogfj32.exe
3500 | Bgglop32.exe
740 | Bjfhkk32.exe
4716 | Bgjhdo32.exe
2852 | Bcqiip32.exe
3484 | Bnfmfi32.exe
2924 | Badibd32.exe
4068 | Bhnaoodm.exe
4984 | Cebbhc32.exe
4616 | Chqnen32.exe
1480 | Cnkfahig.exe
3320 | Cedonb32.exe
4332 | Cnmcghgd.exe
2056 | Cakpccfh.exe
700 | Ceglcb32.exe
2496 | Cfhhkj32.exe
3068 | Cnopmh32.exe
1548 | Canlic32.exe
4372 | Cdlheo32.exe
2592 | Cdoejn32.exe
3124 | Cfmafjqj.exe
3440 | Cjhmgh32.exe
4436 | Dabfdbpp.exe
4992 | Denada32.exe
5052 | Dfonliog.exe
3872 | Daebibnm.exe
1136 | Dfakaile.exe
2444 | Dhcdalae.exe
3792 | Eobfieel.exe
552 | Eogodd32.exe
2760 | Eaekpppk.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Nlpbidlh.dll | Kpffjljo.exe
File created | C:\Windows\SysWOW64\Kbfhapcd.exe | Kklpdf32.exe
File created | C:\Windows\SysWOW64\Kpkmaeen.dll | Qonmah32.exe
File created | C:\Windows\SysWOW64\Ajfndq32.exe | Aclehffd.exe
File created | C:\Windows\SysWOW64\Mjkcog32.dll | Pmiigifi.exe
File created | C:\Windows\SysWOW64\Pacdpn32.dll | Aakkighj.exe
File created | C:\Windows\SysWOW64\Kaajdckb.exe | Kocnhhlo.exe
File created | C:\Windows\SysWOW64\Goghkb32.exe | Fgppje32.exe
File created | C:\Windows\SysWOW64\Jhnanpbo.dll | Mifjjnle.exe
File opened for modification | C:\Windows\SysWOW64\Cpipiknl.exe | Cafonn32.exe
File created | C:\Windows\SysWOW64\Ffdmgllm.dll | Gdhcdbik.exe
File created | C:\Windows\SysWOW64\Cqgmbagl.dll | Joahmobm.exe
File opened for modification | C:\Windows\SysWOW64\Mifjjnle.exe | Mfgnnbma.exe
File created | C:\Windows\SysWOW64\Fainaihj.exe | Fmnbpj32.exe
File opened for modification | C:\Windows\SysWOW64\Ignngjdd.exe | Idobkoep.exe
File created | C:\Windows\SysWOW64\Coepfkel.dll | Allpak32.exe
File created | C:\Windows\SysWOW64\Edjjdi32.dll | Ejjeoiaf.exe
File created | C:\Windows\SysWOW64\Oemejgdk.dll | Hopfpc32.exe
File created | C:\Windows\SysWOW64\Behimmeg.dll | Ebjihppe.exe
File created | C:\Windows\SysWOW64\Kfejgh32.dll | Abnnlhhj.exe
File created | C:\Windows\SysWOW64\Iebfke32.exe | Ibdioi32.exe
File created | C:\Windows\SysWOW64\Lcafpj32.exe | Lnengc32.exe
File opened for modification | C:\Windows\SysWOW64\Kakebmhl.exe | Kjameb32.exe
File created | C:\Windows\SysWOW64\Bfnnkeio.exe | Bgknoi32.exe
File created | C:\Windows\SysWOW64\Bmgpmi32.exe | Bjican32.exe
File created | C:\Windows\SysWOW64\Jeakgi32.dll | Mkqllm32.exe
File opened for modification | C:\Windows\SysWOW64\Efnbcdeb.exe | Epcjgj32.exe
File opened for modification | C:\Windows\SysWOW64\Gebaah32.exe | Gnhidnao.exe
File created | C:\Windows\SysWOW64\Agnbjc32.dll | Igoebq32.exe
File created | C:\Windows\SysWOW64\Jgeqamke.dll | Cchnjbnd.exe
File created | C:\Windows\SysWOW64\Aehndldo.exe | Amqfbo32.exe
File created | C:\Windows\SysWOW64\Bkpfhahi.exe | Bahaol32.exe
File created | C:\Windows\SysWOW64\Headmlpg.exe | Heohgm32.exe
File opened for modification | C:\Windows\SysWOW64\Jqmiao32.exe | Jnomec32.exe
File opened for modification | C:\Windows\SysWOW64\Aehenbhk.exe | Qonmah32.exe
File created | C:\Windows\SysWOW64\Qeijmfbg.dll | Dflcam32.exe
File opened for modification | C:\Windows\SysWOW64\Ejjeoiaf.exe | Ebbmmlqd.exe
File created | C:\Windows\SysWOW64\Gjjneg32.exe | Gpejhn32.exe
File created | C:\Windows\SysWOW64\Aejkilbl.exe | Alafqf32.exe
File created | C:\Windows\SysWOW64\Eoakdldm.dll | Pmdplj32.exe
File opened for modification | C:\Windows\SysWOW64\Nhbmli32.exe | Mpghhg32.exe
File opened for modification | C:\Windows\SysWOW64\Kbfhapcd.exe | Kklpdf32.exe
File created | C:\Windows\SysWOW64\Lgaqoqpk.dll | Mbkfap32.exe
File created | C:\Windows\SysWOW64\Qbhpfh32.dll | Mjggnmab.exe
File created | C:\Windows\SysWOW64\Lcmnhm32.dll | Oglppoki.exe
File created | C:\Windows\SysWOW64\Coeeoo32.exe | Cdpaaf32.exe
File created | C:\Windows\SysWOW64\Jccago32.exe | Jpeekc32.exe
File created | C:\Windows\SysWOW64\Mbihlb32.dll | Cdaflo32.exe
File created | C:\Windows\SysWOW64\Ehdadj32.exe | Ebjihppe.exe
File created | C:\Windows\SysWOW64\Bgknoi32.exe | Bqafbokg.exe
File created | C:\Windows\SysWOW64\Pmdkkk32.dll | Kgngnhfa.exe
File created | C:\Windows\SysWOW64\Elaopc32.exe | Dbijgmio.exe
File created | C:\Windows\SysWOW64\Fqemjmdd.dll | Dqhphnje.exe
File created | C:\Windows\SysWOW64\Efecip32.dll | Eiicimpb.exe
File created | C:\Windows\SysWOW64\Pceflk32.dll | Odcohlod.exe
File created | C:\Windows\SysWOW64\Bgafgmng.exe | Bphnkb32.exe
File opened for modification | C:\Windows\SysWOW64\Hahcieng.exe | Hjqkhgme.exe
File created | C:\Windows\SysWOW64\Cnkfahig.exe | Chqnen32.exe
File created | C:\Windows\SysWOW64\Hgmeqm32.exe | Hpcmdbkj.exe
File created | C:\Windows\SysWOW64\Opdkmebk.dll | Eblgmmgl.exe
File opened for modification | C:\Windows\SysWOW64\Gfphpael.exe | Glkdbief.exe
File opened for modification | C:\Windows\SysWOW64\Mjnkbd32.exe | Lohgek32.exe
File opened for modification | C:\Windows\SysWOW64\Bhnaoodm.exe | Badibd32.exe
File created | C:\Windows\SysWOW64\Gkmnojnl.dll | Maeaoi32.exe
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
7532 | 9724 | WerFault.exe | 1093
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cebbhc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijldiopl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iljpekop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mopememo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmkbjgpd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kojdig32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdodhf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgafgmng.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bajgje32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgolnd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcbhkgje.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhjpad32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdnbjk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eeimnbbd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bonhci32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mldffiki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emkekk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elfhkbkj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdchoj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qknqkdho.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohkihaoo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfbako32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njqana32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eboccp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ebndbm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knbhkf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cajqabnh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfgnnbma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ciefbill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddnmbdla.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcfpkjdi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acafmlfk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aohphg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljjiakei.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfbeea32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhfifngd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kehohh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpipiknl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfpmmmem.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ipiepe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oibbmjde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Miecpgii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nielge32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cigchi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ipofejmq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bipliajo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flpkaacp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gegklgdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdpaaf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jpeekc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hndiplga.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhhhppno.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hpfjibig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hahcieng.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahngkm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gblijh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nllkhk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bcilnk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hgoklf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qhaaeh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcmoab32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmmcad32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lnkegomi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdnhidak.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dkjben32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hijmmefg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebpgnkb.dll" | Bafdjoja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocepom32.dll" | Cadpkm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmimql32.dll" | Ghaboacf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjejfk32.dll" | Idhlkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dnekac32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Badibd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lpaffjpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbddga32.dll" | Gehbfnha.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dfakaile.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Nlakma32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | 37d2b33cf30674fba0c91bb7f78ebc3069b1f9f12296aaa6bd8c7bb8b630ff00N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgpkggp.dll" | Qfgocimi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifigkgia.dll" | Kecobbhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoclgn32.dll" | Igielk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goelff32.dll" | Aohphg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fpijlpnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jdfaag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foachkng.dll" | Mclppo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eapkodgo.dll" | Bgjhdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Igoebq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdapaoio.dll" | Hpolopbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgehjlp.dll" | Dboafhmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fecodqjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Eiicimpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdhpocpl.dll" | Fmdhaiji.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jjhjod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeaajlk.dll" | Edkbikmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kpffjljo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mehadpfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mjeabcgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nnegnald.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Qdenjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cadpkm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfgpfj.dll" | 37d2b33cf30674fba0c91bb7f78ebc3069b1f9f12296aaa6bd8c7bb8b630ff00N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cnkfahig.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Njfadgmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahfmgjgc.dll" | Cajqabnh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ipmhpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lhdegl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkqmhigd.dll" | Gkmkkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hipdmaji.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ihagdail.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnaalnce.dll" | Nqjbqe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obaigm32.dll" | Omcpkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Noiaim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfhokc32.dll" | Lnnhgdpo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kddnceol.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ljlfgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahmic32.dll" | Fbnfodck.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dgnojhfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kimlqp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdhfkf32.dll" | Jpcidllb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lekknkmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljlpbc32.dll" | Fkdfjdqc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neqnhcda.dll" | Dnhnai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cegbefaf.dll" | Gdcjic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkcnnie.dll" | Albmkl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Doakecbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hiinmbpa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cogadnfe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Qdenjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggkkpl32.dll" | Kejecabo.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\37d2b33cf30674fba0c91bb7f78ebc3069b1f9f12296aaa6bd8c7bb8b630ff00N.exe, PID 2980, command line: "C:\Users\Admin\AppData\Local\Temp\37d2b33cf30674fba0c91bb7f78ebc3069b1f9f12296aaa6bd8c7bb8b630ff00N.exe"
- Modifies registry class
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Kdgbppbo.exe, PID 3408, command line: C:\Windows\system32\Kdgbppbo.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Kehohh32.exe, PID 2464, command line: C:\Windows\system32\Kehohh32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Kmogieho.exe, PID 1440, command line: C:\Windows\system32\Kmogieho.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Kpnceagc.exe, PID 2432, command line: C:\Windows\system32\Kpnceagc.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Ldpefojd.exe, PID 4884, command line: C:\Windows\system32\Ldpefojd.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Leabng32.exe, PID 4600, command line: C:\Windows\system32\Leabng32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Limnoehk.exe, PID 4100, command line: C:\Windows\system32\Limnoehk.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Llkjka32.exe, PID 4228, command line: C:\Windows\system32\Llkjka32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Lplpfo32.exe, PID 4568, command line: C:\Windows\system32\Lplpfo32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Mdjhlmai.exe, PID 4800, command line: C:\Windows\system32\Mdjhlmai.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Memajeee.exe, PID 1132, command line: C:\Windows\system32\Memajeee.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Mlgjfo32.exe, PID 1712, command line: C:\Windows\system32\Mlgjfo32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mdnagm32.exe, PID 1280, command line: C:\Windows\system32\Mdnagm32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Mcfkni32.exe, PID 1864, command line: C:\Windows\system32\Mcfkni32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Medgjd32.exe, PID 3208, command line: C:\Windows\system32\Medgjd32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Nplhmmmp.exe, PID 4960, command line: C:\Windows\system32\Nplhmmmp.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Ngfqjg32.exe, PID 5024, command line: C:\Windows\system32\Ngfqjg32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Ncmaohja.exe, PID 1472, command line: C:\Windows\system32\Ncmaohja.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Nnebap32.exe, PID 768, command line: C:\Windows\system32\Nnebap32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Oljocm32.exe, PID 1824, command line: C:\Windows\system32\Oljocm32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Oqjeok32.exe, PID 2976, command line: C:\Windows\system32\Oqjeok32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Ogfjadfj.exe, PID 2344, command line: C:\Windows\system32\Ogfjadfj.exe
- Executes dropped EXE
24. C:\Windows\SysWOW64\Ogiffd32.exe, PID 1608, command line: C:\Windows\system32\Ogiffd32.exe
- Executes dropped EXE
25. C:\Windows\SysWOW64\Pmhldk32.exe, PID 3140, command line: C:\Windows\system32\Pmhldk32.exe
- Executes dropped EXE
26. C:\Windows\SysWOW64\Pnghnm32.exe, PID 696, command line: C:\Windows\system32\Pnghnm32.exe
- Executes dropped EXE
27. C:\Windows\SysWOW64\Pcgmld32.exe, PID 1096, command line: C:\Windows\system32\Pcgmld32.exe
- Executes dropped EXE
28. C:\Windows\SysWOW64\Qgdfbb32.exe, PID 1368, command line: C:\Windows\system32\Qgdfbb32.exe
- Executes dropped EXE
29. C:\Windows\SysWOW64\Qqmjkhqk.exe, PID 4868, command line: C:\Windows\system32\Qqmjkhqk.exe
30. C:\Windows\SysWOW64\Qjeodmgk.exe, PID 1452, command line: C:\Windows\system32\Qjeodmgk.exe
- Executes dropped EXE
31. C:\Windows\SysWOW64\Agiomafe.exe, PID 3000, command line: C:\Windows\system32\Agiomafe.exe
- Executes dropped EXE
32. C:\Windows\SysWOW64\Aempffeo.exe, PID 3324, command line: C:\Windows\system32\Aempffeo.exe
- Executes dropped EXE
33. C:\Windows\SysWOW64\Aeplle32.exe, PID 1632, command line: C:\Windows\system32\Aeplle32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
34. C:\Windows\SysWOW64\Aqfmafip.exe, PID 4880, command line: C:\Windows\system32\Aqfmafip.exe
- Executes dropped EXE
35. C:\Windows\SysWOW64\Anmjpj32.exe, PID 4540, command line: C:\Windows\system32\Anmjpj32.exe
- Executes dropped EXE
36. C:\Windows\SysWOW64\Bnogfj32.exe, PID 2380, command line: C:\Windows\system32\Bnogfj32.exe
- Executes dropped EXE
37. C:\Windows\SysWOW64\Bgglop32.exe, PID 3500, command line: C:\Windows\system32\Bgglop32.exe
- Executes dropped EXE
38. C:\Windows\SysWOW64\Bjfhkk32.exe, PID 740, command line: C:\Windows\system32\Bjfhkk32.exe
- Executes dropped EXE
39. C:\Windows\SysWOW64\Bgjhdo32.exe, PID 4716, command line: C:\Windows\system32\Bgjhdo32.exe
- Executes dropped EXE
- Modifies registry class
40. C:\Windows\SysWOW64\Bcqiip32.exe, PID 2852, command line: C:\Windows\system32\Bcqiip32.exe
- Executes dropped EXE
41. C:\Windows\SysWOW64\Bnfmfi32.exe, PID 3484, command line: C:\Windows\system32\Bnfmfi32.exe
- Executes dropped EXE
42. C:\Windows\SysWOW64\Badibd32.exe, PID 2924, command line: C:\Windows\system32\Badibd32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
43. C:\Windows\SysWOW64\Bhnaoodm.exe, PID 4068, command line: C:\Windows\system32\Bhnaoodm.exe
- Executes dropped EXE
44. C:\Windows\SysWOW64\Cebbhc32.exe, PID 4984, command line: C:\Windows\system32\Cebbhc32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
45. C:\Windows\SysWOW64\Chqnen32.exe, PID 4616, command line: C:\Windows\system32\Chqnen32.exe
- Executes dropped EXE
- Drops file in System32 directory
46. C:\Windows\SysWOW64\Cnkfahig.exe, PID 1480, command line: C:\Windows\system32\Cnkfahig.exe
- Executes dropped EXE
- Modifies registry class
47. C:\Windows\SysWOW64\Cedonb32.exe, PID 3320, command line: C:\Windows\system32\Cedonb32.exe
- Executes dropped EXE
48. C:\Windows\SysWOW64\Cnmcghgd.exe, PID 4332, command line: C:\Windows\system32\Cnmcghgd.exe
- Executes dropped EXE
49. C:\Windows\SysWOW64\Cakpccfh.exe, PID 2056, command line: C:\Windows\system32\Cakpccfh.exe
- Executes dropped EXE
50. C:\Windows\SysWOW64\Ceglcb32.exe, PID 700, command line: C:\Windows\system32\Ceglcb32.exe
- Executes dropped EXE
51. C:\Windows\SysWOW64\Cfhhkj32.exe, PID 2496, command line: C:\Windows\system32\Cfhhkj32.exe
- Executes dropped EXE
52. C:\Windows\SysWOW64\Cnopmh32.exe, PID 3068, command line: C:\Windows\system32\Cnopmh32.exe
- Executes dropped EXE
53. C:\Windows\SysWOW64\Canlic32.exe, PID 1548, command line: C:\Windows\system32\Canlic32.exe
- Executes dropped EXE
54. C:\Windows\SysWOW64\Cdlheo32.exe, PID 4372, command line: C:\Windows\system32\Cdlheo32.exe
- Executes dropped EXE
55. C:\Windows\SysWOW64\Cdoejn32.exe, PID 2592, command line: C:\Windows\system32\Cdoejn32.exe
- Executes dropped EXE
56. C:\Windows\SysWOW64\Cfmafjqj.exe, PID 3124, command line: C:\Windows\system32\Cfmafjqj.exe
- Executes dropped EXE
57. C:\Windows\SysWOW64\Cjhmgh32.exe, PID 3440, command line: C:\Windows\system32\Cjhmgh32.exe
- Executes dropped EXE
58. C:\Windows\SysWOW64\Dabfdbpp.exe, PID 4436, command line: C:\Windows\system32\Dabfdbpp.exe
- Executes dropped EXE
59. C:\Windows\SysWOW64\Denada32.exe, PID 4992, command line: C:\Windows\system32\Denada32.exe
- Executes dropped EXE
60. C:\Windows\SysWOW64\Dfonliog.exe, PID 5052, command line: C:\Windows\system32\Dfonliog.exe
- Executes dropped EXE
61. C:\Windows\SysWOW64\Daebibnm.exe, PID 3872, command line: C:\Windows\system32\Daebibnm.exe
- Executes dropped EXE
62. C:\Windows\SysWOW64\Dfakaile.exe, PID 1136, command line: C:\Windows\system32\Dfakaile.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
63. C:\Windows\SysWOW64\Dhcdalae.exe, PID 2444, command line: C:\Windows\system32\Dhcdalae.exe
- Executes dropped EXE
64. C:\Windows\SysWOW64\Eobfieel.exe, PID 3792, command line: C:\Windows\system32\Eobfieel.exe
- Executes dropped EXE
65. C:\Windows\SysWOW64\Eogodd32.exe, PID 552, command line: C:\Windows\system32\Eogodd32.exe
- Executes dropped EXE
66. C:\Windows\SysWOW64\Eaekpppk.exe, PID 2760, command line: C:\Windows\system32\Eaekpppk.exe
- Executes dropped EXE
67. C:\Windows\SysWOW64\Ehocmj32.exe, PID 4256, command line: C:\Windows\system32\Ehocmj32.exe
68. C:\Windows\SysWOW64\Emllea32.exe, PID 5064, command line: C:\Windows\system32\Emllea32.exe
69. C:\Windows\SysWOW64\Fokhodmb.exe, PID 2680, command line: C:\Windows\system32\Fokhodmb.exe
70. C:\Windows\SysWOW64\Fgfmcf32.exe, PID 2752, command line: C:\Windows\system32\Fgfmcf32.exe
71. C:\Windows\SysWOW64\Foneec32.exe, PID 4288, command line: C:\Windows\system32\Foneec32.exe
72. C:\Windows\SysWOW64\Fkdfjdqc.exe, PID 5148, command line: C:\Windows\system32\Fkdfjdqc.exe
- Modifies registry class
73. C:\Windows\SysWOW64\Faonfo32.exe, PID 5188, command line: C:\Windows\system32\Faonfo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
74. C:\Windows\SysWOW64\Fneokp32.exe, PID 5228, command line: C:\Windows\system32\Fneokp32.exe
75. C:\Windows\SysWOW64\Fkioed32.exe, PID 5268, command line: C:\Windows\system32\Fkioed32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
76. C:\Windows\SysWOW64\Fdadnico.exe, PID 5308, command line: C:\Windows\system32\Fdadnico.exe
77. C:\Windows\SysWOW64\Fgppje32.exe, PID 5348, command line: C:\Windows\system32\Fgppje32.exe
- Drops file in System32 directory
78. C:\Windows\SysWOW64\Goghkb32.exe, PID 5388, command line: C:\Windows\system32\Goghkb32.exe
79. C:\Windows\SysWOW64\Gahamm32.exe, PID 5428, command line: C:\Windows\system32\Gahamm32.exe
80. C:\Windows\SysWOW64\Gkpeec32.exe, PID 5468, command line: C:\Windows\system32\Gkpeec32.exe
81. C:\Windows\SysWOW64\Golafaoo.exe, PID 5508, command line: C:\Windows\system32\Golafaoo.exe
82. C:\Windows\SysWOW64\Gonnlaml.exe, PID 5552, command line: C:\Windows\system32\Gonnlaml.exe
83. C:\Windows\SysWOW64\Goqkaa32.exe, PID 5596, command line: C:\Windows\system32\Goqkaa32.exe
84. C:\Windows\SysWOW64\Gglpec32.exe, PID 5640, command line: C:\Windows\system32\Gglpec32.exe
85. C:\Windows\SysWOW64\Hfmpckpd.exe, PID 5700, command line: C:\Windows\system32\Hfmpckpd.exe
86. C:\Windows\SysWOW64\Hhklpfoh.exe, PID 5760, command line: C:\Windows\system32\Hhklpfoh.exe
87. C:\Windows\SysWOW64\Hogabpdb.exe, PID 5804, command line: C:\Windows\system32\Hogabpdb.exe
88. C:\Windows\SysWOW64\Hnjamm32.exe, PID 5844, command line: C:\Windows\system32\Hnjamm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Hddijgbi.exe, PID 5888, command line: C:\Windows\system32\Hddijgbi.exe
90. C:\Windows\SysWOW64\Hgeblb32.exe, PID 5932, command line: C:\Windows\system32\Hgeblb32.exe
91. C:\Windows\SysWOW64\Hdicef32.exe, PID 5976, command line: C:\Windows\system32\Hdicef32.exe
92. C:\Windows\SysWOW64\Inagnled.exe, PID 6020, command line: C:\Windows\system32\Inagnled.exe
93. C:\Windows\SysWOW64\Ihglkd32.exe, PID 6064, command line: C:\Windows\system32\Ihglkd32.exe
94. C:\Windows\SysWOW64\Ikehgp32.exe, PID 6108, command line: C:\Windows\system32\Ikehgp32.exe
95. C:\Windows\SysWOW64\Ifklei32.exe, PID 5128, command line: C:\Windows\system32\Ifklei32.exe
96. C:\Windows\SysWOW64\Idnlpeko.exe, PID 5164, command line: C:\Windows\system32\Idnlpeko.exe
97. C:\Windows\SysWOW64\Ikhdmp32.exe, PID 5264, command line: C:\Windows\system32\Ikhdmp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
98. C:\Windows\SysWOW64\Ifmijh32.exe, PID 5344, command line: C:\Windows\system32\Ifmijh32.exe
99. C:\Windows\SysWOW64\Igoebq32.exe, PID 5416, command line: C:\Windows\system32\Igoebq32.exe
- Drops file in System32 directory
- Modifies registry class
100. C:\Windows\SysWOW64\Ibdioi32.exe, PID 5500, command line: C:\Windows\system32\Ibdioi32.exe
- Drops file in System32 directory
101. C:\Windows\SysWOW64\Iebfke32.exe, PID 5560, command line: C:\Windows\system32\Iebfke32.exe
102. C:\Windows\SysWOW64\Iohjin32.exe, PID 5628, command line: C:\Windows\system32\Iohjin32.exe
103. C:\Windows\SysWOW64\Jkokno32.exe, PID 5132, command line: C:\Windows\system32\Jkokno32.exe
104. C:\Windows\SysWOW64\Jfdokg32.exe, PID 5792, command line: C:\Windows\system32\Jfdokg32.exe
105. C:\Windows\SysWOW64\Jibkgc32.exe, PID 5868, command line: C:\Windows\system32\Jibkgc32.exe
106. C:\Windows\SysWOW64\Jnpcoj32.exe, PID 5940, command line: C:\Windows\system32\Jnpcoj32.exe
107. C:\Windows\SysWOW64\Jbkppham.exe, PID 6016, command line: C:\Windows\system32\Jbkppham.exe
108. C:\Windows\SysWOW64\Jeilldqa.exe, PID 6072, command line: C:\Windows\system32\Jeilldqa.exe
109. C:\Windows\SysWOW64\Jkcdinhn.exe, PID 6136, command line: C:\Windows\system32\Jkcdinhn.exe
110. C:\Windows\SysWOW64\Jfihfggd.exe, PID 5260, command line: C:\Windows\system32\Jfihfggd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
111. C:\Windows\SysWOW64\Jgjeno32.exe, PID 5364, command line: C:\Windows\system32\Jgjeno32.exe
112. C:\Windows\SysWOW64\Jndmjieo.exe, PID 5492, command line: C:\Windows\system32\Jndmjieo.exe
113. C:\Windows\SysWOW64\Jijahbde.exe, PID 5592, command line: C:\Windows\system32\Jijahbde.exe
114. C:\Windows\SysWOW64\Jpcidllb.exe, PID 5740, command line: C:\Windows\system32\Jpcidllb.exe
- Modifies registry class
115. C:\Windows\SysWOW64\Jfnaaf32.exe, PID 5832, command line: C:\Windows\system32\Jfnaaf32.exe
116. C:\Windows\SysWOW64\Kilnma32.exe, PID 5924, command line: C:\Windows\system32\Kilnma32.exe
117. C:\Windows\SysWOW64\Kpffjljo.exe, PID 6060, command line: C:\Windows\system32\Kpffjljo.exe
- Drops file in System32 directory
- Modifies registry class
118. C:\Windows\SysWOW64\Kfpogf32.exe, PID 5136, command line: C:\Windows\system32\Kfpogf32.exe
119. C:\Windows\SysWOW64\Kecobbhf.exe, PID 5340, command line: C:\Windows\system32\Kecobbhf.exe
- Modifies registry class
120. C:\Windows\SysWOW64\Knkckhog.exe, PID 5516, command line: C:\Windows\system32\Knkckhog.exe
121. C:\Windows\SysWOW64\Kfbklepi.exe, PID 5712, command line: C:\Windows\system32\Kfbklepi.exe
122. C:\Windows\SysWOW64\Knnpqhmd.exe, PID 5904, command line: C:\Windows\system32\Knnpqhmd.exe