Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/11/2024, 15:50
Static task
static1
Behavioral task
behavioral1
Sample
e623dc5907eadff382ff39c2afa189d6502b648cf0123a96cc3e903c6c6323d8N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e623dc5907eadff382ff39c2afa189d6502b648cf0123a96cc3e903c6c6323d8N.exe
Resource
win10v2004-20241007-en
General
-
Target
e623dc5907eadff382ff39c2afa189d6502b648cf0123a96cc3e903c6c6323d8N.exe
-
Size
305KB
-
MD5
53d413cd5445e8c9e6da1a170622bdc0
-
SHA1
277c79662245aedfc81f91e1d43a1baf5c939725
-
SHA256
e623dc5907eadff382ff39c2afa189d6502b648cf0123a96cc3e903c6c6323d8
-
SHA512
841b3ce2b7d88847ba84f0938680a9b02b14a487865f5d2cfdd4877414ff3781db9d1434793d494303ad30d35f41217570e1c8b09139e553b72c167acc31051b
-
SSDEEP
3072:2PcJQZ2c8+KYsEXNjShi9R+lc802eS5pAgYIqGvJ6887lbyMGjXF1kqaholmtbCM:2H2wXdSh2Ilc85dZMGXF5ahdt3b0668
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bokehc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcaknbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnaokmco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nahgoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Achegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" e623dc5907eadff382ff39c2afa189d6502b648cf0123a96cc3e903c6c6323d8N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cceddf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clgbmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahjgjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpnkdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hifcgion.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogcgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfheof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpelhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdpmbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnnpdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndham32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhmeapmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kecabifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alnfpcag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifcgion.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qacameaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aagkhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdgfce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpekef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpbbch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amnlme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gikkfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnjgfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leadnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobilkcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giqkkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amjbbfgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkqoohc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gahjgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocmconhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bppfmigl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfgcakon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpbflg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmmfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejdocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ooqqdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnoknihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbalopbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhgbhfbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Moobbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjnoece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpfgmnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nglhld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkcogno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiggbhda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fibhpbea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlepcdoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncchae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggcfja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lijlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejchhgid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohiemobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohkkhhmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bobabg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fedmqk32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3604 Fojedapj.exe 4888 Fedmqk32.exe 2808 Fnobem32.exe 836 Fkcboack.exe 4252 Fnaokmco.exe 3476 Fhgbhfbe.exe 3460 Fnckpmql.exe 3624 Gaogak32.exe 456 Gdncmghi.exe 468 Gglpibgm.exe 3156 Gochjpho.exe 4928 Gempgj32.exe 1500 Ghklce32.exe 208 Gkjhoq32.exe 2532 Gnhdkl32.exe 464 Gepmlimi.exe 2836 Gdbmhf32.exe 540 Ggqida32.exe 5092 Gohaeo32.exe 640 Gfbibikg.exe 372 Gddinf32.exe 2852 Ggcfja32.exe 5076 Gnmnfkia.exe 5108 Gahjgj32.exe 4680 Gdgfce32.exe 3652 Ggeboaob.exe 2760 Hnoklk32.exe 5040 Hffcmh32.exe 3032 Hheoid32.exe 1832 Hkckeo32.exe 4780 Hnagak32.exe 2344 Hdlpneli.exe 3356 Hgjljpkm.exe 4512 Hoadkn32.exe 4316 Hbpphi32.exe 4384 Hdnldd32.exe 3000 Hglipp32.exe 1672 Hnfamjqg.exe 2764 Hfningai.exe 1340 Hgoeep32.exe 2884 Hninbj32.exe 3812 Hfpecg32.exe 4960 Hgabkoee.exe 3644 Iohjlmeg.exe 2992 Ibffhhek.exe 3404 Ihqoeb32.exe 3256 Ikokan32.exe 1204 Inmgmijo.exe 4508 Ifdonfka.exe 3908 Igfkfo32.exe 1640 Iomcgl32.exe 720 Ibkpcg32.exe 2484 Iiehpahb.exe 1884 Ioopml32.exe 1756 Ibnligoc.exe 4720 Iigdfa32.exe 4272 Ibpiogmp.exe 1040 Iijaka32.exe 2052 Jodjhkkj.exe 644 Jbbfdfkn.exe 2568 Jgonlm32.exe 1648 Jnifigpa.exe 4348 Jecofa32.exe 4760 Jgakbm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iicfkknk.dll Pflibgil.exe File created C:\Windows\SysWOW64\Pdmkhgho.exe Paoollik.exe File created C:\Windows\SysWOW64\Kpbfii32.exe Kihnmohm.exe File opened for modification C:\Windows\SysWOW64\Ppjgoaoj.exe Phcomcng.exe File created C:\Windows\SysWOW64\Hfcnpn32.exe Hpiecd32.exe File opened for modification C:\Windows\SysWOW64\Kpbfii32.exe Kihnmohm.exe File created C:\Windows\SysWOW64\Fadggj32.dll Aojefobm.exe File created C:\Windows\SysWOW64\Oheihn32.dll Ejdocm32.exe File created C:\Windows\SysWOW64\Knknhqjn.dll Dlieda32.exe File created C:\Windows\SysWOW64\Cdlqqcnl.exe Blqllqqa.exe File created C:\Windows\SysWOW64\Oidofh32.exe Ogfcjm32.exe File opened for modification C:\Windows\SysWOW64\Pofjpl32.exe Plhnda32.exe File created C:\Windows\SysWOW64\Bcelmhen.exe Biogppeg.exe File opened for modification C:\Windows\SysWOW64\Mifljdjo.exe Mnphmkji.exe File opened for modification C:\Windows\SysWOW64\Efafgifc.exe Ecbjkngo.exe File created C:\Windows\SysWOW64\Ogfcjm32.exe Nplkmckj.exe File opened for modification C:\Windows\SysWOW64\Gfbibikg.exe Gohaeo32.exe File opened for modification C:\Windows\SysWOW64\Ehailbaa.exe Epjajeqo.exe File created C:\Windows\SysWOW64\Ejdocm32.exe Epokedmj.exe File opened for modification C:\Windows\SysWOW64\Fhofmq32.exe Faenpf32.exe File created C:\Windows\SysWOW64\Jqlefl32.exe Jnmijq32.exe File created C:\Windows\SysWOW64\Ibknda32.dll Bohbhmfm.exe File opened for modification C:\Windows\SysWOW64\Lhncdi32.exe Lbqklb32.exe File opened for modification C:\Windows\SysWOW64\Lndham32.exe Llflea32.exe File opened for modification C:\Windows\SysWOW64\Pcepkfld.exe Pllgnl32.exe File created C:\Windows\SysWOW64\Ljhpog32.dll Neqopnhb.exe File created C:\Windows\SysWOW64\Lgdidgjg.exe Lqkqhm32.exe File created C:\Windows\SysWOW64\Ddpapmqq.dll Dkceokii.exe File created C:\Windows\SysWOW64\Gemkelcd.exe Gncchb32.exe File created C:\Windows\SysWOW64\Ljeafb32.exe Lckiihok.exe File created C:\Windows\SysWOW64\Amqhbe32.exe Aggpfkjj.exe File opened for modification C:\Windows\SysWOW64\Lkabjbih.exe Licfngjd.exe File opened for modification C:\Windows\SysWOW64\Lcggio32.exe Lnjnqh32.exe File created C:\Windows\SysWOW64\Cpbjkn32.exe Ckebcg32.exe File created C:\Windows\SysWOW64\Opcqnb32.exe Oiihahme.exe File created C:\Windows\SysWOW64\Nhkikq32.exe Nemmoe32.exe File created C:\Windows\SysWOW64\Iafkni32.dll Alqjpi32.exe File created C:\Windows\SysWOW64\Ghqomgid.dll Gbmingjo.exe File created C:\Windows\SysWOW64\Fbbpmb32.exe Fpdcag32.exe File created C:\Windows\SysWOW64\Dhblne32.dll Bfngdn32.exe File created C:\Windows\SysWOW64\Effkpc32.dll Clchbqoo.exe File opened for modification C:\Windows\SysWOW64\Gdgfce32.exe Gahjgj32.exe File opened for modification C:\Windows\SysWOW64\Afghneoo.exe Aqkpeopg.exe File created C:\Windows\SysWOW64\Bppfmigl.exe Bifmqo32.exe File opened for modification C:\Windows\SysWOW64\Hhknpmma.exe Haafcb32.exe File created C:\Windows\SysWOW64\Pjigamma.dll Jkhgmf32.exe File created C:\Windows\SysWOW64\Bicdfa32.dll Lgcjdd32.exe File created C:\Windows\SysWOW64\Jongga32.dll Fnnjmbpm.exe File opened for modification C:\Windows\SysWOW64\Lbchba32.exe Lpekef32.exe File created C:\Windows\SysWOW64\Fhofmq32.exe Faenpf32.exe File opened for modification C:\Windows\SysWOW64\Ahjgjj32.exe Acmobchj.exe File opened for modification C:\Windows\SysWOW64\Ljeafb32.exe Lckiihok.exe File created C:\Windows\SysWOW64\Mpolbbim.dll Nmdgikhi.exe File created C:\Windows\SysWOW64\Jnfpnk32.dll Ppjbmc32.exe File created C:\Windows\SysWOW64\Lppbkgcj.exe Lifjnm32.exe File created C:\Windows\SysWOW64\Qoifflkg.exe Qhonib32.exe File created C:\Windows\SysWOW64\Jgenbfoa.exe Jqlefl32.exe File opened for modification C:\Windows\SysWOW64\Mjneln32.exe Mhoipb32.exe File created C:\Windows\SysWOW64\Flhkmbmp.dll Omnjojpo.exe File created C:\Windows\SysWOW64\Bjodjb32.exe Bcelmhen.exe File opened for modification C:\Windows\SysWOW64\Nknobkje.exe Nimbkc32.exe File created C:\Windows\SysWOW64\Gikkfqmf.exe Gfmojenc.exe File created C:\Windows\SysWOW64\Kkeldnpi.exe Kqphfe32.exe File opened for modification C:\Windows\SysWOW64\Omcjep32.exe Oalipoiq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6076 1584 WerFault.exe 862 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggegh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecabifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepjkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqopnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncchae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leadnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjchaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkjcbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difpmfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikkfqmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amnlme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfbibikg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nopfpgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onapdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiogf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddllkbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkndie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgoeep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomcgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfmdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfpbmfdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biogppeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpocngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhiajmod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efafgifc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbjhbbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedjmioj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiihahme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phelcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lajagj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofecami.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciafbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qklmpalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefgbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhokljge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmblagmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbkap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifljdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bblnindg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcegi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplkpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqegecm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iohjlmeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfealaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqjpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fplpll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gflhoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlkedai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopmfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfdpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicedn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckdjomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajohjon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnagak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oljaccjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcmjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidjbmcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiahnnph.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfbibikg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihiic32.dll" Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cigddnif.dll" Hnfamjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mholheco.dll" Bjodjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khblgpag.dll" Ckmonl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmehdam.dll" Hdilnojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjjfgb32.dll" Bhoqeibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fefedmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpcjgnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll" Ahmjjoig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjjnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkefnho.dll" Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjofoqdn.dll" Hbohpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iiehpahb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emehdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnjqmpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joahqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gglpibgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmppfooc.dll" Olehhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lejgch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nknobkje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nahgoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlnkmnah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" e623dc5907eadff382ff39c2afa189d6502b648cf0123a96cc3e903c6c6323d8N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epokedmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Popbpqjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hffcmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgibng32.dll" Lijlof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iggjga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgabkoee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihqoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkmnj32.dll" Aggegh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfcnpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjehmfch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfjgaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmoin32.dll" Hhdhon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkhgmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mehcdfch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmmaj32.dll" Gimqajgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifdonfka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgnnnnod.dll" Jnfcia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohofdmkm.dll" Efjbcakl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iplkpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll" Amqhbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqgkec32.dll" Iomcgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mennkfdm.dll" Cceddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplbgk32.dll" Lnnbqnjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klobfk32.dll" Qebhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnnjmbpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjfmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phahglpk.dll" Bcddcbab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qmhlgmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnoaaaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Caienjfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bohbhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikcmbfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipckj32.dll" Noeahkfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lokdnjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmeakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcqcp32.dll" Ghmbno32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1208 wrote to memory of 3604 1208 e623dc5907eadff382ff39c2afa189d6502b648cf0123a96cc3e903c6c6323d8N.exe 83 PID 1208 wrote to memory of 3604 1208 e623dc5907eadff382ff39c2afa189d6502b648cf0123a96cc3e903c6c6323d8N.exe 83 PID 1208 wrote to memory of 3604 1208 e623dc5907eadff382ff39c2afa189d6502b648cf0123a96cc3e903c6c6323d8N.exe 83 PID 3604 wrote to memory of 4888 3604 Fojedapj.exe 84 PID 3604 wrote to memory of 4888 3604 Fojedapj.exe 84 PID 3604 wrote to memory of 4888 3604 Fojedapj.exe 84 PID 4888 wrote to memory of 2808 4888 Fedmqk32.exe 85 PID 4888 wrote to memory of 2808 4888 Fedmqk32.exe 85 PID 4888 wrote to memory of 2808 4888 Fedmqk32.exe 85 PID 2808 wrote to memory of 836 2808 Fnobem32.exe 86 PID 2808 wrote to memory of 836 2808 Fnobem32.exe 86 PID 2808 wrote to memory of 836 2808 Fnobem32.exe 86 PID 836 wrote to memory of 4252 836 Fkcboack.exe 87 PID 836 wrote to memory of 4252 836 Fkcboack.exe 87 PID 836 wrote to memory of 4252 836 Fkcboack.exe 87 PID 4252 wrote to memory of 3476 4252 Fnaokmco.exe 89 PID 4252 wrote to memory of 3476 4252 Fnaokmco.exe 89 PID 4252 wrote to memory of 3476 4252 Fnaokmco.exe 89 PID 3476 wrote to memory of 3460 3476 Fhgbhfbe.exe 90 PID 3476 wrote to memory of 3460 3476 Fhgbhfbe.exe 90 PID 3476 wrote to memory of 3460 3476 Fhgbhfbe.exe 90 PID 3460 wrote to memory of 3624 3460 Fnckpmql.exe 91 PID 3460 wrote to memory of 3624 3460 Fnckpmql.exe 91 PID 3460 wrote to memory of 3624 3460 Fnckpmql.exe 91 PID 3624 wrote to memory of 456 3624 Gaogak32.exe 92 PID 3624 wrote to memory of 456 3624 Gaogak32.exe 92 PID 3624 wrote to memory of 456 3624 Gaogak32.exe 92 PID 456 wrote to memory of 468 456 Gdncmghi.exe 93 PID 456 wrote to memory of 468 456 Gdncmghi.exe 93 PID 456 wrote to memory of 468 456 Gdncmghi.exe 93 PID 468 wrote to memory of 3156 468 Gglpibgm.exe 94 PID 468 wrote to memory of 3156 468 Gglpibgm.exe 94 PID 468 wrote to memory of 3156 468 Gglpibgm.exe 94 PID 3156 wrote to memory of 4928 3156 Gochjpho.exe 95 PID 3156 wrote to memory of 4928 3156 Gochjpho.exe 95 PID 3156 wrote to memory of 4928 3156 Gochjpho.exe 95 PID 4928 wrote to memory of 1500 4928 Gempgj32.exe 96 PID 4928 wrote to memory of 1500 4928 Gempgj32.exe 96 PID 4928 wrote to memory of 1500 4928 Gempgj32.exe 96 PID 1500 wrote to memory of 208 1500 Ghklce32.exe 97 PID 1500 wrote to memory of 208 1500 Ghklce32.exe 97 PID 1500 wrote to memory of 208 1500 Ghklce32.exe 97 PID 208 wrote to memory of 2532 208 Gkjhoq32.exe 98 PID 208 wrote to memory of 2532 208 Gkjhoq32.exe 98 PID 208 wrote to memory of 2532 208 Gkjhoq32.exe 98 PID 2532 wrote to memory of 464 2532 Gnhdkl32.exe 99 PID 2532 wrote to memory of 464 2532 Gnhdkl32.exe 99 PID 2532 wrote to memory of 464 2532 Gnhdkl32.exe 99 PID 464 wrote to memory of 2836 464 Gepmlimi.exe 100 PID 464 wrote to memory of 2836 464 Gepmlimi.exe 100 PID 464 wrote to memory of 2836 464 Gepmlimi.exe 100 PID 2836 wrote to memory of 540 2836 Gdbmhf32.exe 101 PID 2836 wrote to memory of 540 2836 Gdbmhf32.exe 101 PID 2836 wrote to memory of 540 2836 Gdbmhf32.exe 101 PID 540 wrote to memory of 5092 540 Ggqida32.exe 102 PID 540 wrote to memory of 5092 540 Ggqida32.exe 102 PID 540 wrote to memory of 5092 540 Ggqida32.exe 102 PID 5092 wrote to memory of 640 5092 Gohaeo32.exe 103 PID 5092 wrote to memory of 640 5092 Gohaeo32.exe 103 PID 5092 wrote to memory of 640 5092 Gohaeo32.exe 103 PID 640 wrote to memory of 372 640 Gfbibikg.exe 104 PID 640 wrote to memory of 372 640 Gfbibikg.exe 104 PID 640 wrote to memory of 372 640 Gfbibikg.exe 104 PID 372 wrote to memory of 2852 372 Gddinf32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\e623dc5907eadff382ff39c2afa189d6502b648cf0123a96cc3e903c6c6323d8N.exe"C:\Users\Admin\AppData\Local\Temp\e623dc5907eadff382ff39c2afa189d6502b648cf0123a96cc3e903c6c6323d8N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Fojedapj.exeC:\Windows\system32\Fojedapj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Fkcboack.exeC:\Windows\system32\Fkcboack.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Gdncmghi.exeC:\Windows\system32\Gdncmghi.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe24⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5108 -
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe27⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe28⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:5040 -
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe30⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe31⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4780 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe33⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe34⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe35⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe36⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe37⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe38⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe40⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1340 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe42⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe43⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4960 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3644 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe46⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:3404 -
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe48⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe49⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4508 -
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe51⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe53⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe55⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe56⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe57⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe58⤵PID:1492
-
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe59⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe60⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe61⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe62⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe63⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe64⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe65⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe66⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:916 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe68⤵PID:4188
-
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe69⤵PID:4356
-
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4632 -
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe71⤵PID:2964
-
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe72⤵PID:3952
-
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe73⤵PID:2904
-
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe74⤵PID:3772
-
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe75⤵PID:5140
-
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe76⤵PID:5180
-
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe77⤵PID:5220
-
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe78⤵
- Drops file in System32 directory
PID:5260 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe79⤵PID:5300
-
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe80⤵PID:5340
-
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe81⤵PID:5380
-
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe82⤵PID:5420
-
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe83⤵PID:5468
-
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe84⤵PID:5508
-
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe85⤵PID:5556
-
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe86⤵PID:5596
-
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe87⤵PID:5648
-
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe88⤵PID:5680
-
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe89⤵PID:5724
-
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe90⤵PID:5768
-
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe91⤵PID:5808
-
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe92⤵PID:5848
-
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe93⤵
- System Location Discovery: System Language Discovery
PID:5892 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe94⤵
- System Location Discovery: System Language Discovery
PID:5928 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe95⤵PID:5968
-
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe96⤵PID:6008
-
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe97⤵
- Drops file in System32 directory
PID:6048 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe98⤵PID:6088
-
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe99⤵PID:6128
-
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe100⤵PID:4160
-
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe101⤵PID:4460
-
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe102⤵
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe103⤵PID:4284
-
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe105⤵PID:4408
-
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:412 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe107⤵PID:5128
-
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe108⤵PID:5168
-
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe109⤵PID:5252
-
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe110⤵PID:5292
-
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe111⤵PID:2132
-
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe112⤵PID:5496
-
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5584 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe114⤵PID:5672
-
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe115⤵PID:5716
-
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe116⤵PID:5784
-
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe117⤵PID:5844
-
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe118⤵
- Drops file in System32 directory
PID:5884 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe119⤵
- Drops file in System32 directory
PID:5960 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe120⤵PID:6000
-
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3732 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe122⤵PID:6112
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-