Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19/11/2024, 13:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
94ea32bd0fc9efca315aa307cd0d12aaf271c3f0f3d2fd90474b716a48049235N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
94ea32bd0fc9efca315aa307cd0d12aaf271c3f0f3d2fd90474b716a48049235N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
94ea32bd0fc9efca315aa307cd0d12aaf271c3f0f3d2fd90474b716a48049235N.exe
-
Size
96KB
-
MD5
a360b6dc95ea255397394bee7225b610
-
SHA1
c0eb184f569521f2bdb7235f4b3e978eb4ba983a
-
SHA256
94ea32bd0fc9efca315aa307cd0d12aaf271c3f0f3d2fd90474b716a48049235
-
SHA512
150d0216301b6663ff0282420278c74c405831d9e0b5c2c6d8b01f8583056a4c900d2dbca4c771271481a36dd74d8191d850fe025a2afba7ed2e8d7a9d6af867
-
SSDEEP
1536:ZkNDjgFamTnVjgGqp4wrpHcFpQH4t7IrvOEB2bduV9jojTIvjrH:ONvAamTnV0k4usdjtB2bd69jc0vf
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmdfonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agimkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aopmfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahbjoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoofle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gikdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhikci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihbponja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phlacbfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iefphb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojemig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dikpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfgjjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npepkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jifecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flngfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fielph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkqoohc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihagaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgjijmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oidofh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbnpcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgccb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfmgp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljgpkonp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmgqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boenhgdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjlnnemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpofii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehjol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jllokajf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phganm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hginecde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmnhcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pefabkej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjgha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocopdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqbbpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfigpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfhbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnajppda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjcnold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmihij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qebhhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilmmni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lieccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nemmoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcniglmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoalgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkaobnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fiodpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgflqkdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Indfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bahkih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eplgeokq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkdbacp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmafajfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagiji32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 832 Moobbb32.exe 4608 Mehjol32.exe 2348 Mhgfkg32.exe 1284 Moaogand.exe 4120 Mhicpg32.exe 2936 Mpqkad32.exe 2148 Mfjcnold.exe 4260 Niipjj32.exe 2196 Noehba32.exe 64 Ngmpcn32.exe 344 Niklpj32.exe 2628 Nohehq32.exe 3396 Nebmekoi.exe 932 Nlleaeff.exe 5044 Ncfmno32.exe 2368 Nipekiep.exe 4184 Npjnhc32.exe 4580 Nomncpcg.exe 916 Nheble32.exe 4196 Nlqomd32.exe 4388 Ncjginjn.exe 2820 Oidofh32.exe 4476 Olckbd32.exe 1968 Ocmconhk.exe 4576 Oigllh32.exe 3252 Opadhb32.exe 4876 Ocopdn32.exe 1376 Oiihahme.exe 4872 Oofaiokl.exe 2696 Oileggkb.exe 3664 Oljaccjf.exe 3660 Ogpepl32.exe 4724 Ophjiaql.exe 1496 Pgbbek32.exe 2932 Pjpobg32.exe 4912 Ppjgoaoj.exe 3612 Pcicklnn.exe 444 Pfgogh32.exe 4468 Ppmcdq32.exe 220 Pgflqkdd.exe 4888 Phhhhc32.exe 2744 Plcdiabk.exe 4744 Pcmlfl32.exe 1580 Pflibgil.exe 2144 Pleaoa32.exe 2728 Podmkm32.exe 1920 Pgkelj32.exe 448 Phlacbfm.exe 3144 Pofjpl32.exe 4592 Qgnbaj32.exe 1372 Qjlnnemp.exe 1368 Qljjjqlc.exe 4444 Qcdbfk32.exe 3052 Qhakoa32.exe 3300 Aokcklid.exe 3952 Afelhf32.exe 3884 Amodep32.exe 3460 Ajcdnd32.exe 4464 Aopmfk32.exe 4332 Afjeceml.exe 4740 Amcmpodi.exe 3656 Aobilkcl.exe 4564 Ajhniccb.exe 3932 Aodfajaj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lbngllob.exe Ljgpkonp.exe File opened for modification C:\Windows\SysWOW64\Bkkple32.exe Bhldpj32.exe File created C:\Windows\SysWOW64\Angdnk32.dll Dkahilkl.exe File opened for modification C:\Windows\SysWOW64\Eiloco32.exe Dbbffdlq.exe File created C:\Windows\SysWOW64\Accimdgp.dll Jekqmhia.exe File created C:\Windows\SysWOW64\Kfpcoefj.exe Kofkbk32.exe File created C:\Windows\SysWOW64\Nohehq32.exe Niklpj32.exe File created C:\Windows\SysWOW64\Lnmeliho.dll Biadeoce.exe File opened for modification C:\Windows\SysWOW64\Bjfjka32.exe Bclang32.exe File created C:\Windows\SysWOW64\Pibdmp32.exe Pchlpfjb.exe File opened for modification C:\Windows\SysWOW64\Pibdmp32.exe Pchlpfjb.exe File created C:\Windows\SysWOW64\Mbgeqmjp.exe Mohidbkl.exe File opened for modification C:\Windows\SysWOW64\Nohehq32.exe Niklpj32.exe File created C:\Windows\SysWOW64\Kcllei32.dll Cabomkll.exe File created C:\Windows\SysWOW64\Mennkfdm.dll Cfcqpa32.exe File created C:\Windows\SysWOW64\Epagkd32.exe Embkoi32.exe File created C:\Windows\SysWOW64\Gdapai32.dll Gkgeoklj.exe File opened for modification C:\Windows\SysWOW64\Kgopidgf.exe Keqdmihc.exe File created C:\Windows\SysWOW64\Fkpiopih.dll Qoelkp32.exe File created C:\Windows\SysWOW64\Moehgcil.dll Adikdfna.exe File created C:\Windows\SysWOW64\Afelhf32.exe Aokcklid.exe File created C:\Windows\SysWOW64\Ibaeen32.exe Hpchib32.exe File created C:\Windows\SysWOW64\Epopbo32.dll Bhkfkmmg.exe File created C:\Windows\SysWOW64\Nndbpeal.dll Glfmgp32.exe File opened for modification C:\Windows\SysWOW64\Bojomm32.exe Bhpfqcln.exe File created C:\Windows\SysWOW64\Amodep32.exe Afelhf32.exe File opened for modification C:\Windows\SysWOW64\Fcniglmb.exe Elgaeolp.exe File created C:\Windows\SysWOW64\Nohffe32.dll Dkokcl32.exe File created C:\Windows\SysWOW64\Npdhdlin.dll Edbiniff.exe File opened for modification C:\Windows\SysWOW64\Lojmcdgl.exe Lllagh32.exe File opened for modification C:\Windows\SysWOW64\Pleaoa32.exe Pflibgil.exe File opened for modification C:\Windows\SysWOW64\Dlkbjqgm.exe Djjebh32.exe File created C:\Windows\SysWOW64\Gikkfqmf.exe Gfmojenc.exe File opened for modification C:\Windows\SysWOW64\Onnmdcjm.exe Oeehkn32.exe File created C:\Windows\SysWOW64\Plpjoe32.exe Pefabkej.exe File created C:\Windows\SysWOW64\Boihcf32.exe Bhpofl32.exe File created C:\Windows\SysWOW64\Iacngdgj.exe Ipbaol32.exe File created C:\Windows\SysWOW64\Npmknd32.dll Jifecp32.exe File created C:\Windows\SysWOW64\Jkakadbk.dll Ciafbg32.exe File created C:\Windows\SysWOW64\Qckcba32.dll Pqbala32.exe File created C:\Windows\SysWOW64\Lojkhk32.dll Qebhhp32.exe File opened for modification C:\Windows\SysWOW64\Innfnl32.exe Ikpjbq32.exe File created C:\Windows\SysWOW64\Oanfen32.exe Onpjichj.exe File created C:\Windows\SysWOW64\Pdkoch32.exe Palbgl32.exe File opened for modification C:\Windows\SysWOW64\Cfkmkf32.exe Cndeii32.exe File opened for modification C:\Windows\SysWOW64\Hmbphg32.exe Hfhgkmpj.exe File created C:\Windows\SysWOW64\Nncccnol.exe Nflkbanj.exe File created C:\Windows\SysWOW64\Hpgiggmj.dll Hnfjbdmk.exe File created C:\Windows\SysWOW64\Jkomneim.exe Jdedak32.exe File created C:\Windows\SysWOW64\Aablof32.dll Kgiiiidd.exe File created C:\Windows\SysWOW64\Ckbcpc32.dll Ppahmb32.exe File created C:\Windows\SysWOW64\Iohmnmmb.dll Agimkk32.exe File created C:\Windows\SysWOW64\Hicpgc32.exe Hbihjifh.exe File created C:\Windows\SysWOW64\Jaonbc32.exe Jpnakk32.exe File opened for modification C:\Windows\SysWOW64\Fdcjlb32.exe Fineoi32.exe File created C:\Windows\SysWOW64\Fpkefnho.dll Nagpeo32.exe File created C:\Windows\SysWOW64\Hiciojhd.dll Klbnajqc.exe File created C:\Windows\SysWOW64\Lancko32.exe Lhenai32.exe File created C:\Windows\SysWOW64\Ebkibb32.dll Ooqqdi32.exe File opened for modification C:\Windows\SysWOW64\Ahcajk32.exe Aeddnp32.exe File opened for modification C:\Windows\SysWOW64\Jpcapp32.exe Jenmcggo.exe File created C:\Windows\SysWOW64\Jcdjbk32.exe Jljbeali.exe File created C:\Windows\SysWOW64\Ojehbail.dll Feenjgfq.exe File opened for modification C:\Windows\SysWOW64\Geoapenf.exe Gndick32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7176 8064 Process not Found 1130 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggocmhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiigadc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjbhmad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpegkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcclncbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conanfli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khiofk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nebmekoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhknpmma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbngllob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahqddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbmqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoaglhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhimhobl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbgeqmjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkkgpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmgqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkhapk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnoiqdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iliinc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noehba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgbbek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdlao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhphmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momcpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boenhgdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbgkei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olckbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnfjbdmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aafemk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefedmil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflkbanj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfchidda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pekbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaohcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbagbebm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlkngo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojiiafp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkdcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpfjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnphoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdflp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgmdec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbdiknlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncmhko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifppdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boipmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eidbij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnbcgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnhajba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmabggdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dooaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeiodek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqbcbkab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkjjlhle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mniallpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbagk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgiiiidd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgmpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagiji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkdhjknm.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljnlecmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpmapodj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjpobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpaolmbc.dll" Afgacokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afgacokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glengm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icdheded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llgdkbfj.dll" Nfldgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqfbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnbkfjcb.dll" Ncfmno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhndljll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnecgoki.dll" Kjmmepfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbccge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfogeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mennkfdm.dll" Cfcqpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kckefh32.dll" Pedlgbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flpmagqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiebgmkm.dll" Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbnckkha.dll" Ehpadhll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmejc32.dll" Dhgonidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljdceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpggodfg.dll" Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkgcea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbjoeojc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnbidcgp.dll" Bgkiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbch32.dll" Cgndoeag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddadpdmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnpabe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbiemdb.dll" Njpdnedf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdmfllhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enalem32.dll" Ilnlom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjbbcpq.dll" Gdobnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcpka32.dll" Addaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhobd32.dll" Aoalgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glbjggof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlbcnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmepam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmnbfhal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 94ea32bd0fc9efca315aa307cd0d12aaf271c3f0f3d2fd90474b716a48049235N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igchfiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjlnlii.dll" Pahpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmcolgbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckkiccep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gapjhc32.dll" Icdheded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aogbfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Geoapenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpccmhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngdcpk32.dll" Pfgogh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pebndcpg.dll" Hhiajmod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcanll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fooclapd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnphoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajhapb32.dll" Njbgmjgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmdonkgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbcjnilj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbiado32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccdnjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chqogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jekqmhia.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4084 wrote to memory of 832 4084 94ea32bd0fc9efca315aa307cd0d12aaf271c3f0f3d2fd90474b716a48049235N.exe 83 PID 4084 wrote to memory of 832 4084 94ea32bd0fc9efca315aa307cd0d12aaf271c3f0f3d2fd90474b716a48049235N.exe 83 PID 4084 wrote to memory of 832 4084 94ea32bd0fc9efca315aa307cd0d12aaf271c3f0f3d2fd90474b716a48049235N.exe 83 PID 832 wrote to memory of 4608 832 Moobbb32.exe 84 PID 832 wrote to memory of 4608 832 Moobbb32.exe 84 PID 832 wrote to memory of 4608 832 Moobbb32.exe 84 PID 4608 wrote to memory of 2348 4608 Mehjol32.exe 85 PID 4608 wrote to memory of 2348 4608 Mehjol32.exe 85 PID 4608 wrote to memory of 2348 4608 Mehjol32.exe 85 PID 2348 wrote to memory of 1284 2348 Mhgfkg32.exe 86 PID 2348 wrote to memory of 1284 2348 Mhgfkg32.exe 86 PID 2348 wrote to memory of 1284 2348 Mhgfkg32.exe 86 PID 1284 wrote to memory of 4120 1284 Moaogand.exe 88 PID 1284 wrote to memory of 4120 1284 Moaogand.exe 88 PID 1284 wrote to memory of 4120 1284 Moaogand.exe 88 PID 4120 wrote to memory of 2936 4120 Mhicpg32.exe 89 PID 4120 wrote to memory of 2936 4120 Mhicpg32.exe 89 PID 4120 wrote to memory of 2936 4120 Mhicpg32.exe 89 PID 2936 wrote to memory of 2148 2936 Mpqkad32.exe 91 PID 2936 wrote to memory of 2148 2936 Mpqkad32.exe 91 PID 2936 wrote to memory of 2148 2936 Mpqkad32.exe 91 PID 2148 wrote to memory of 4260 2148 Mfjcnold.exe 92 PID 2148 wrote to memory of 4260 2148 Mfjcnold.exe 92 PID 2148 wrote to memory of 4260 2148 Mfjcnold.exe 92 PID 4260 wrote to memory of 2196 4260 Niipjj32.exe 93 PID 4260 wrote to memory of 2196 4260 Niipjj32.exe 93 PID 4260 wrote to memory of 2196 4260 Niipjj32.exe 93 PID 2196 wrote to memory of 64 2196 Noehba32.exe 94 PID 2196 wrote to memory of 64 2196 Noehba32.exe 94 PID 2196 wrote to memory of 64 2196 Noehba32.exe 94 PID 64 wrote to memory of 344 64 Ngmpcn32.exe 95 PID 64 wrote to memory of 344 64 Ngmpcn32.exe 95 PID 64 wrote to memory of 344 64 Ngmpcn32.exe 95 PID 344 wrote to memory of 2628 344 Niklpj32.exe 96 PID 344 wrote to memory of 2628 344 Niklpj32.exe 96 PID 344 wrote to memory of 2628 344 Niklpj32.exe 96 PID 2628 wrote to memory of 3396 2628 Nohehq32.exe 98 PID 2628 wrote to memory of 3396 2628 Nohehq32.exe 98 PID 2628 wrote to memory of 3396 2628 Nohehq32.exe 98 PID 3396 wrote to memory of 932 3396 Nebmekoi.exe 99 PID 3396 wrote to memory of 932 3396 Nebmekoi.exe 99 PID 3396 wrote to memory of 932 3396 Nebmekoi.exe 99 PID 932 wrote to memory of 5044 932 Nlleaeff.exe 100 PID 932 wrote to memory of 5044 932 Nlleaeff.exe 100 PID 932 wrote to memory of 5044 932 Nlleaeff.exe 100 PID 5044 wrote to memory of 2368 5044 Ncfmno32.exe 101 PID 5044 wrote to memory of 2368 5044 Ncfmno32.exe 101 PID 5044 wrote to memory of 2368 5044 Ncfmno32.exe 101 PID 2368 wrote to memory of 4184 2368 Nipekiep.exe 102 PID 2368 wrote to memory of 4184 2368 Nipekiep.exe 102 PID 2368 wrote to memory of 4184 2368 Nipekiep.exe 102 PID 4184 wrote to memory of 4580 4184 Npjnhc32.exe 103 PID 4184 wrote to memory of 4580 4184 Npjnhc32.exe 103 PID 4184 wrote to memory of 4580 4184 Npjnhc32.exe 103 PID 4580 wrote to memory of 916 4580 Nomncpcg.exe 104 PID 4580 wrote to memory of 916 4580 Nomncpcg.exe 104 PID 4580 wrote to memory of 916 4580 Nomncpcg.exe 104 PID 916 wrote to memory of 4196 916 Nheble32.exe 105 PID 916 wrote to memory of 4196 916 Nheble32.exe 105 PID 916 wrote to memory of 4196 916 Nheble32.exe 105 PID 4196 wrote to memory of 4388 4196 Nlqomd32.exe 106 PID 4196 wrote to memory of 4388 4196 Nlqomd32.exe 106 PID 4196 wrote to memory of 4388 4196 Nlqomd32.exe 106 PID 4388 wrote to memory of 2820 4388 Ncjginjn.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\94ea32bd0fc9efca315aa307cd0d12aaf271c3f0f3d2fd90474b716a48049235N.exe"C:\Users\Admin\AppData\Local\Temp\94ea32bd0fc9efca315aa307cd0d12aaf271c3f0f3d2fd90474b716a48049235N.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4476 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe25⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe26⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe27⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe29⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe30⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe31⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe32⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe33⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe34⤵PID:4424
-
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe35⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe38⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe39⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe41⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe43⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe44⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe45⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe47⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe48⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe49⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe51⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe52⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe54⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe55⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe56⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3300 -
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3952 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe59⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe60⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe62⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe63⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe64⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe65⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe66⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe67⤵PID:4836
-
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe68⤵PID:3868
-
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe69⤵PID:1576
-
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe70⤵PID:1572
-
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe71⤵PID:4396
-
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe73⤵
- System Location Discovery: System Language Discovery
PID:3512 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe74⤵
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe75⤵PID:768
-
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe76⤵PID:2632
-
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe77⤵PID:3768
-
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe78⤵PID:232
-
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe79⤵PID:4940
-
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe80⤵PID:4228
-
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe81⤵PID:5024
-
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe82⤵
- Drops file in System32 directory
PID:3628 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe83⤵PID:3368
-
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe84⤵PID:1812
-
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe85⤵
- Drops file in System32 directory
PID:4508 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe86⤵
- Modifies registry class
PID:396 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe87⤵PID:1932
-
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe88⤵
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe89⤵PID:3380
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe90⤵PID:3508
-
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe91⤵PID:4968
-
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe93⤵PID:5216
-
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe94⤵PID:5268
-
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe95⤵PID:5328
-
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe96⤵PID:5360
-
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe97⤵PID:5416
-
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe98⤵PID:5468
-
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe99⤵PID:5520
-
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe100⤵
- System Location Discovery: System Language Discovery
PID:5564 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe101⤵PID:5608
-
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe102⤵PID:5652
-
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe103⤵
- Modifies registry class
PID:5696 -
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe104⤵PID:5740
-
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5784 -
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe106⤵
- Modifies registry class
PID:5828 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe107⤵PID:5872
-
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5916 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe109⤵PID:5956
-
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe110⤵PID:6000
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe111⤵PID:6044
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe112⤵PID:6088
-
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe113⤵
- System Location Discovery: System Language Discovery
PID:6124 -
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe114⤵PID:5188
-
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe115⤵
- Drops file in System32 directory
PID:5248 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe116⤵PID:5312
-
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe117⤵PID:5404
-
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe118⤵PID:5496
-
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe119⤵PID:5560
-
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe120⤵PID:5636
-
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe121⤵PID:5704
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-