Analysis
-
max time kernel
93s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20/11/2024, 05:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
48cf5e781d305018ed230d6888993bda0e0626580d3c47140e3545ed3d820d17.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
48cf5e781d305018ed230d6888993bda0e0626580d3c47140e3545ed3d820d17.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
48cf5e781d305018ed230d6888993bda0e0626580d3c47140e3545ed3d820d17.exe
-
Size
92KB
-
MD5
d43b247b2e7b2da13cbb4d05509f0967
-
SHA1
fec65d9ccd61b8bc1d7bb3ce039cda78054859b2
-
SHA256
48cf5e781d305018ed230d6888993bda0e0626580d3c47140e3545ed3d820d17
-
SHA512
33ec805fb06c2d402b49543859402f2e9c2c760f8a97fa7b9a2d98557005424a066fe47d8cd79e75ff9182233707f9a5a94ee0ae67740a0a941634748f71f83c
-
SSDEEP
1536:n74B6OjMCKFre4E0aXLALI8yJZe8PbobesjwIJacA9/wqpgM4UOXnKQrUoR24Hsn:nUuE0SWmjHCP9nqHRl6THsn
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mefcihdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hanlkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqcjkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgpkfpgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdgcldio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcbdmioj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pehlajkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbanenai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Infeoajl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnllof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkbinj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfeknmgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibfiame.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phfhmeko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmcllm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Filoiejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqiiia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefmoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhdiko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodana32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfhmeko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anqfld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhgdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jikmhoam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojjdnfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Galjabam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nifbka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bokcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abdohhog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glljghee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jedjbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncmfen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcdoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggoiiddd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nicokkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbnmbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Foilcjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cicqaehg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmbdeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecmpfeaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gklkdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhcjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmbkeoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iallnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabdcoio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oldhlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blimkkka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Moomopmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eapkdpfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjmdoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihlhlad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blimkkka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnofegmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnokdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfeadg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Habefmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acmllbpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqoifd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eihlhlad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mekmdhpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbfphgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oojacg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acoiab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpgggc32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 920 Dagohgah.exe 2916 Dgdgqo32.exe 2376 Dokpbl32.exe 3684 Ddhhjb32.exe 3056 Emplchej.exe 1764 Edjepb32.exe 1968 Embihh32.exe 1768 Ekfjbl32.exe 444 Eelnoe32.exe 4828 Ekifglpn.exe 1680 Eabodf32.exe 4644 Ekkcmknk.exe 3580 Edcgfa32.exe 4340 Foilcjdb.exe 3856 Fnllof32.exe 4956 Fnnidf32.exe 4668 Feeqec32.exe 4136 Fkbinj32.exe 2856 Falajd32.exe 2804 Fehmkchi.exe 2960 Fgijbk32.exe 460 Fejjqcff.exe 3584 Fgkfhk32.exe 2368 Faqkedkk.exe 4172 Ggncnkjb.exe 4316 Gnglje32.exe 4364 Gdadgohl.exe 2812 Gkkldi32.exe 2768 Gddqmo32.exe 4520 Gkniiinf.exe 4580 Gnleedmj.exe 1876 Gecmganl.exe 2220 Golapg32.exe 1792 Gdhjhnbd.exe 5116 Gonnegbj.exe 2980 Galjabam.exe 2412 Hgiciipe.exe 1668 Hboggbok.exe 3492 Hhioclgg.exe 1100 Hocgpf32.exe 3560 Hfmpmpea.exe 3468 Hgnldh32.exe 756 Hbcqba32.exe 5104 Hhmiokbb.exe 1144 Hklekg32.exe 3028 Hnjagb32.exe 1124 Hgbfphgj.exe 2112 Idffilfd.exe 4180 Ioljfe32.exe 4904 Idicol32.exe 2940 Ioogld32.exe 1072 Ifhoiokd.exe 4056 Ikehaejk.exe 1840 Ifklnn32.exe 2716 Iglhffop.exe 4700 Ibamcooe.exe 868 Ignekfmm.exe 5040 Jbdiio32.exe 3244 Jinaeidp.exe 3608 Jbffno32.exe 1492 Jgcofe32.exe 3980 Jojghc32.exe 2632 Jfdodm32.exe 732 Jibkqh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Obkccq32.exe Nkdlbc32.exe File created C:\Windows\SysWOW64\Knadbo32.dll Fjakin32.exe File created C:\Windows\SysWOW64\Jaephoml.dll Jnilic32.exe File created C:\Windows\SysWOW64\Iefnaa32.exe Iolfeg32.exe File created C:\Windows\SysWOW64\Linbchhb.dll Boiobpdf.exe File created C:\Windows\SysWOW64\Iekpbo32.dll Idicol32.exe File created C:\Windows\SysWOW64\Mnkmml32.dll Poeaoe32.exe File opened for modification C:\Windows\SysWOW64\Gdcjbhcm.exe Gmiaen32.exe File created C:\Windows\SysWOW64\Obkiahok.dll Ioclef32.exe File opened for modification C:\Windows\SysWOW64\Cgkigalj.exe Cdmmkemf.exe File created C:\Windows\SysWOW64\Bmopabmi.dll Kqhalm32.exe File opened for modification C:\Windows\SysWOW64\Efdpgkcj.exe Ekokibcd.exe File created C:\Windows\SysWOW64\Enkgnmoc.dll Ebmmalgk.exe File created C:\Windows\SysWOW64\Jlekak32.dll Emnhce32.exe File created C:\Windows\SysWOW64\Gapmpkia.dll Dqajadfj.exe File opened for modification C:\Windows\SysWOW64\Jbeodh32.exe Jgpkfpgo.exe File created C:\Windows\SysWOW64\Ejamagaq.dll Nonkmbbq.exe File created C:\Windows\SysWOW64\Fhdigj32.dll Pcipeolg.exe File opened for modification C:\Windows\SysWOW64\Dmmicbdq.exe Dfcqfhld.exe File opened for modification C:\Windows\SysWOW64\Dcmgog32.exe Dmcobm32.exe File created C:\Windows\SysWOW64\Ckiigeel.exe Cochbdpg.exe File created C:\Windows\SysWOW64\Cnjfaq32.dll Enodkn32.exe File created C:\Windows\SysWOW64\Dpakil32.dll Jelhki32.exe File opened for modification C:\Windows\SysWOW64\Kbpidm32.exe Jleahcki.exe File created C:\Windows\SysWOW64\Oimikpng.exe Occqof32.exe File created C:\Windows\SysWOW64\Igfafklm.exe Ilqmhblg.exe File created C:\Windows\SysWOW64\Jgcgmb32.exe Jpiophee.exe File created C:\Windows\SysWOW64\Efemlh32.exe Dmmicbdq.exe File created C:\Windows\SysWOW64\Gonbak32.dll Nbdmcaoo.exe File opened for modification C:\Windows\SysWOW64\Ckafbk32.exe Cjpikbma.exe File created C:\Windows\SysWOW64\Edpcapjj.dll Mldfpoaf.exe File created C:\Windows\SysWOW64\Hpfjchnd.exe Hngngloq.exe File created C:\Windows\SysWOW64\Paomfkao.exe Popqjpbk.exe File created C:\Windows\SysWOW64\Emgkkb32.dll Igfafklm.exe File created C:\Windows\SysWOW64\Aednddpd.dll Gkkldi32.exe File created C:\Windows\SysWOW64\Lpapjiem.dll Ooehhhpd.exe File created C:\Windows\SysWOW64\Dggndm32.exe Cfgajjfa.exe File created C:\Windows\SysWOW64\Fmohei32.exe Fjakin32.exe File created C:\Windows\SysWOW64\Idehdpol.exe Igahkk32.exe File opened for modification C:\Windows\SysWOW64\Aqcjkf32.exe Ajianleg.exe File opened for modification C:\Windows\SysWOW64\Pehlajkk.exe Pcipeolg.exe File created C:\Windows\SysWOW64\Qhbhid32.exe Qahpljid.exe File opened for modification C:\Windows\SysWOW64\Jgpkfpgo.exe Jbcbniig.exe File opened for modification C:\Windows\SysWOW64\Jidalb32.exe Jbjiohco.exe File created C:\Windows\SysWOW64\Gnleljko.dll Mahkbjnn.exe File created C:\Windows\SysWOW64\Gdcjbhcm.exe Gmiaen32.exe File created C:\Windows\SysWOW64\Hhgfnggb.dll Fdgcldio.exe File created C:\Windows\SysWOW64\Phahgp32.exe Omkdjg32.exe File created C:\Windows\SysWOW64\Blpqmoqh.dll Anccadgg.exe File opened for modification C:\Windows\SysWOW64\Ljibpjgk.exe Lcojcppn.exe File created C:\Windows\SysWOW64\Icgiij32.dll Amcdoh32.exe File created C:\Windows\SysWOW64\Dkbcbh32.dll Cahlmc32.exe File created C:\Windows\SysWOW64\Dfjnpido.exe Dggndm32.exe File opened for modification C:\Windows\SysWOW64\Pdiogj32.exe Pmpfkpca.exe File opened for modification C:\Windows\SysWOW64\Pjbbfp32.exe Ochjjebe.exe File created C:\Windows\SysWOW64\Nonkmbbq.exe Nlooagcm.exe File opened for modification C:\Windows\SysWOW64\Bahaha32.exe Bhompl32.exe File opened for modification C:\Windows\SysWOW64\Ibeepfdn.exe Ioiioh32.exe File created C:\Windows\SysWOW64\Lajhfaha.dll Dajqjhce.exe File created C:\Windows\SysWOW64\Eoqfpjbi.exe Ehfncp32.exe File created C:\Windows\SysWOW64\Hfoddn32.dll Noihmi32.exe File created C:\Windows\SysWOW64\Ooehhhpd.exe Ohkplnhg.exe File opened for modification C:\Windows\SysWOW64\Jgnnapja.exe Inejhj32.exe File created C:\Windows\SysWOW64\Eadmoh32.dll Dfhpkmmg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5512 7064 WerFault.exe 875 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipqbdpqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdhkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgpgkoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpeeei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edjepb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olhagekb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcqfenfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akgckhfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dffcem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbjmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfgnjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhofee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Infeoajl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokpbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkniiinf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibkqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piakli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agkqpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhkoha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppljcjao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kebhabjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcclbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnchfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bajnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llqhlglf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbclgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfdodm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobbljpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edinel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggafndba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjieqnij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emnhce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khonbdoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkpoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgboeado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdlbgpmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikmhoam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmblg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oijekjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdhof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djilaaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pobfeilm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adjgnhmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblagi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghpecfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdcbifdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcoamb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmklmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfhgdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acoiab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcbniig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbkehg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cchndhdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chpffi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddpjaipl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbffno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbchhhdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibfiame.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najjdncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohoblf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldacdae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdbnqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngbellcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kicdgfbg.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mapgnpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmelhmfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqooen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hflhefql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnpoob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhjqmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bokcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opglhkbp.dll" Cdbnqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocbhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aokbqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Folflhhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohbflmbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nilijl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdgcldio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgkidbjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhflcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alaola32.dll" Fbggbabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimlmk32.dll" Gkjnom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgkbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeddjgjm.dll" Glljghee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcffkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dolgbg32.dll" Ckdibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilnihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlbmie32.dll" Oeoikl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eoqfpjbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gecmganl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edinel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jglkoipg.dll" Ahngdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kencbp32.dll" Mcafip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdiihphd.dll" Ngbellcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmpagi32.dll" Eoiqpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edifna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgieni32.dll" Qcffkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfoddn32.dll" Noihmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knfcohen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffnigpok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nabmiifc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjapof32.dll" Fnpmbkbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekamige.dll" Llnkfgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Higplhhd.dll" Mobbljpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppngii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgiaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlhfhp32.dll" Epehel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 48cf5e781d305018ed230d6888993bda0e0626580d3c47140e3545ed3d820d17.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jloijp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llafbkjg.dll" Hflhefql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocebhhpg.dll" Lfimdlcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfnhjn32.dll" Infeoajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnjjllmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkamlmab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mekmdhpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbdkbo32.dll" Fbimmjmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfchai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Haphpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgapom.dll" Dagohgah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aokikhdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbnoog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knioekia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdiogj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mldfpoaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcafip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmaiadbo.dll" Aajlaiga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnmkb32.dll" Gmcjebho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfdflagk.dll" Afpbcm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2580 wrote to memory of 920 2580 48cf5e781d305018ed230d6888993bda0e0626580d3c47140e3545ed3d820d17.exe 83 PID 2580 wrote to memory of 920 2580 48cf5e781d305018ed230d6888993bda0e0626580d3c47140e3545ed3d820d17.exe 83 PID 2580 wrote to memory of 920 2580 48cf5e781d305018ed230d6888993bda0e0626580d3c47140e3545ed3d820d17.exe 83 PID 920 wrote to memory of 2916 920 Dagohgah.exe 84 PID 920 wrote to memory of 2916 920 Dagohgah.exe 84 PID 920 wrote to memory of 2916 920 Dagohgah.exe 84 PID 2916 wrote to memory of 2376 2916 Dgdgqo32.exe 85 PID 2916 wrote to memory of 2376 2916 Dgdgqo32.exe 85 PID 2916 wrote to memory of 2376 2916 Dgdgqo32.exe 85 PID 2376 wrote to memory of 3684 2376 Dokpbl32.exe 86 PID 2376 wrote to memory of 3684 2376 Dokpbl32.exe 86 PID 2376 wrote to memory of 3684 2376 Dokpbl32.exe 86 PID 3684 wrote to memory of 3056 3684 Ddhhjb32.exe 87 PID 3684 wrote to memory of 3056 3684 Ddhhjb32.exe 87 PID 3684 wrote to memory of 3056 3684 Ddhhjb32.exe 87 PID 3056 wrote to memory of 1764 3056 Emplchej.exe 88 PID 3056 wrote to memory of 1764 3056 Emplchej.exe 88 PID 3056 wrote to memory of 1764 3056 Emplchej.exe 88 PID 1764 wrote to memory of 1968 1764 Edjepb32.exe 90 PID 1764 wrote to memory of 1968 1764 Edjepb32.exe 90 PID 1764 wrote to memory of 1968 1764 Edjepb32.exe 90 PID 1968 wrote to memory of 1768 1968 Embihh32.exe 91 PID 1968 wrote to memory of 1768 1968 Embihh32.exe 91 PID 1968 wrote to memory of 1768 1968 Embihh32.exe 91 PID 1768 wrote to memory of 444 1768 Ekfjbl32.exe 93 PID 1768 wrote to memory of 444 1768 Ekfjbl32.exe 93 PID 1768 wrote to memory of 444 1768 Ekfjbl32.exe 93 PID 444 wrote to memory of 4828 444 Eelnoe32.exe 94 PID 444 wrote to memory of 4828 444 Eelnoe32.exe 94 PID 444 wrote to memory of 4828 444 Eelnoe32.exe 94 PID 4828 wrote to memory of 1680 4828 Ekifglpn.exe 95 PID 4828 wrote to memory of 1680 4828 Ekifglpn.exe 95 PID 4828 wrote to memory of 1680 4828 Ekifglpn.exe 95 PID 1680 wrote to memory of 4644 1680 Eabodf32.exe 96 PID 1680 wrote to memory of 4644 1680 Eabodf32.exe 96 PID 1680 wrote to memory of 4644 1680 Eabodf32.exe 96 PID 4644 wrote to memory of 3580 4644 Ekkcmknk.exe 97 PID 4644 wrote to memory of 3580 4644 Ekkcmknk.exe 97 PID 4644 wrote to memory of 3580 4644 Ekkcmknk.exe 97 PID 3580 wrote to memory of 4340 3580 Edcgfa32.exe 99 PID 3580 wrote to memory of 4340 3580 Edcgfa32.exe 99 PID 3580 wrote to memory of 4340 3580 Edcgfa32.exe 99 PID 4340 wrote to memory of 3856 4340 Foilcjdb.exe 100 PID 4340 wrote to memory of 3856 4340 Foilcjdb.exe 100 PID 4340 wrote to memory of 3856 4340 Foilcjdb.exe 100 PID 3856 wrote to memory of 4956 3856 Fnllof32.exe 101 PID 3856 wrote to memory of 4956 3856 Fnllof32.exe 101 PID 3856 wrote to memory of 4956 3856 Fnllof32.exe 101 PID 4956 wrote to memory of 4668 4956 Fnnidf32.exe 102 PID 4956 wrote to memory of 4668 4956 Fnnidf32.exe 102 PID 4956 wrote to memory of 4668 4956 Fnnidf32.exe 102 PID 4668 wrote to memory of 4136 4668 Feeqec32.exe 103 PID 4668 wrote to memory of 4136 4668 Feeqec32.exe 103 PID 4668 wrote to memory of 4136 4668 Feeqec32.exe 103 PID 4136 wrote to memory of 2856 4136 Fkbinj32.exe 104 PID 4136 wrote to memory of 2856 4136 Fkbinj32.exe 104 PID 4136 wrote to memory of 2856 4136 Fkbinj32.exe 104 PID 2856 wrote to memory of 2804 2856 Falajd32.exe 105 PID 2856 wrote to memory of 2804 2856 Falajd32.exe 105 PID 2856 wrote to memory of 2804 2856 Falajd32.exe 105 PID 2804 wrote to memory of 2960 2804 Fehmkchi.exe 106 PID 2804 wrote to memory of 2960 2804 Fehmkchi.exe 106 PID 2804 wrote to memory of 2960 2804 Fehmkchi.exe 106 PID 2960 wrote to memory of 460 2960 Fgijbk32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\48cf5e781d305018ed230d6888993bda0e0626580d3c47140e3545ed3d820d17.exe"C:\Users\Admin\AppData\Local\Temp\48cf5e781d305018ed230d6888993bda0e0626580d3c47140e3545ed3d820d17.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Dagohgah.exeC:\Windows\system32\Dagohgah.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Dgdgqo32.exeC:\Windows\system32\Dgdgqo32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Dokpbl32.exeC:\Windows\system32\Dokpbl32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Ddhhjb32.exeC:\Windows\system32\Ddhhjb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\Emplchej.exeC:\Windows\system32\Emplchej.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Edjepb32.exeC:\Windows\system32\Edjepb32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Embihh32.exeC:\Windows\system32\Embihh32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Ekfjbl32.exeC:\Windows\system32\Ekfjbl32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Eelnoe32.exeC:\Windows\system32\Eelnoe32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\Ekifglpn.exeC:\Windows\system32\Ekifglpn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Eabodf32.exeC:\Windows\system32\Eabodf32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Ekkcmknk.exeC:\Windows\system32\Ekkcmknk.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Edcgfa32.exeC:\Windows\system32\Edcgfa32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Foilcjdb.exeC:\Windows\system32\Foilcjdb.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\Fnllof32.exeC:\Windows\system32\Fnllof32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\Fnnidf32.exeC:\Windows\system32\Fnnidf32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Feeqec32.exeC:\Windows\system32\Feeqec32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\Fkbinj32.exeC:\Windows\system32\Fkbinj32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Falajd32.exeC:\Windows\system32\Falajd32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Fehmkchi.exeC:\Windows\system32\Fehmkchi.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Fgijbk32.exeC:\Windows\system32\Fgijbk32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Fejjqcff.exeC:\Windows\system32\Fejjqcff.exe23⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Fgkfhk32.exeC:\Windows\system32\Fgkfhk32.exe24⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Faqkedkk.exeC:\Windows\system32\Faqkedkk.exe25⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Ggncnkjb.exeC:\Windows\system32\Ggncnkjb.exe26⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Gnglje32.exeC:\Windows\system32\Gnglje32.exe27⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Gdadgohl.exeC:\Windows\system32\Gdadgohl.exe28⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Gkkldi32.exeC:\Windows\system32\Gkkldi32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Gddqmo32.exeC:\Windows\system32\Gddqmo32.exe30⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Gkniiinf.exeC:\Windows\system32\Gkniiinf.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4520 -
C:\Windows\SysWOW64\Gnleedmj.exeC:\Windows\system32\Gnleedmj.exe32⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Gecmganl.exeC:\Windows\system32\Gecmganl.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Golapg32.exeC:\Windows\system32\Golapg32.exe34⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Gdhjhnbd.exeC:\Windows\system32\Gdhjhnbd.exe35⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Gonnegbj.exeC:\Windows\system32\Gonnegbj.exe36⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Galjabam.exeC:\Windows\system32\Galjabam.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Hgiciipe.exeC:\Windows\system32\Hgiciipe.exe38⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Hboggbok.exeC:\Windows\system32\Hboggbok.exe39⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Hhioclgg.exeC:\Windows\system32\Hhioclgg.exe40⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Hocgpf32.exeC:\Windows\system32\Hocgpf32.exe41⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Hfmpmpea.exeC:\Windows\system32\Hfmpmpea.exe42⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Hgnldh32.exeC:\Windows\system32\Hgnldh32.exe43⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Hbcqba32.exeC:\Windows\system32\Hbcqba32.exe44⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Hhmiokbb.exeC:\Windows\system32\Hhmiokbb.exe45⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Hklekg32.exeC:\Windows\system32\Hklekg32.exe46⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Hnjagb32.exeC:\Windows\system32\Hnjagb32.exe47⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Hgbfphgj.exeC:\Windows\system32\Hgbfphgj.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Idffilfd.exeC:\Windows\system32\Idffilfd.exe49⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ioljfe32.exeC:\Windows\system32\Ioljfe32.exe50⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Idicol32.exeC:\Windows\system32\Idicol32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4904 -
C:\Windows\SysWOW64\Ioogld32.exeC:\Windows\system32\Ioogld32.exe52⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Ifhoiokd.exeC:\Windows\system32\Ifhoiokd.exe53⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Ikehaejk.exeC:\Windows\system32\Ikehaejk.exe54⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Ifklnn32.exeC:\Windows\system32\Ifklnn32.exe55⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Iglhffop.exeC:\Windows\system32\Iglhffop.exe56⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Ibamcooe.exeC:\Windows\system32\Ibamcooe.exe57⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Ignekfmm.exeC:\Windows\system32\Ignekfmm.exe58⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Jbdiio32.exeC:\Windows\system32\Jbdiio32.exe59⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Jinaeidp.exeC:\Windows\system32\Jinaeidp.exe60⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Jbffno32.exeC:\Windows\system32\Jbffno32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3608 -
C:\Windows\SysWOW64\Jgcofe32.exeC:\Windows\system32\Jgcofe32.exe62⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Jojghc32.exeC:\Windows\system32\Jojghc32.exe63⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Jfdodm32.exeC:\Windows\system32\Jfdodm32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Jibkqh32.exeC:\Windows\system32\Jibkqh32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:732 -
C:\Windows\SysWOW64\Jnocio32.exeC:\Windows\system32\Jnocio32.exe66⤵PID:2268
-
C:\Windows\SysWOW64\Jeileifo.exeC:\Windows\system32\Jeileifo.exe67⤵PID:4624
-
C:\Windows\SysWOW64\Jnapno32.exeC:\Windows\system32\Jnapno32.exe68⤵PID:5068
-
C:\Windows\SysWOW64\Jelhki32.exeC:\Windows\system32\Jelhki32.exe69⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Jleahcki.exeC:\Windows\system32\Jleahcki.exe70⤵
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Kbpidm32.exeC:\Windows\system32\Kbpidm32.exe71⤵PID:4664
-
C:\Windows\SysWOW64\Klhnmcif.exeC:\Windows\system32\Klhnmcif.exe72⤵PID:660
-
C:\Windows\SysWOW64\Kfnaklil.exeC:\Windows\system32\Kfnaklil.exe73⤵PID:4396
-
C:\Windows\SysWOW64\Khonbdoj.exeC:\Windows\system32\Khonbdoj.exe74⤵
- System Location Discovery: System Language Discovery
PID:3316 -
C:\Windows\SysWOW64\Kfpnpk32.exeC:\Windows\system32\Kfpnpk32.exe75⤵PID:3744
-
C:\Windows\SysWOW64\Kinklg32.exeC:\Windows\system32\Kinklg32.exe76⤵PID:1000
-
C:\Windows\SysWOW64\Kphcianj.exeC:\Windows\system32\Kphcianj.exe77⤵PID:2100
-
C:\Windows\SysWOW64\Kfbkfk32.exeC:\Windows\system32\Kfbkfk32.exe78⤵PID:1512
-
C:\Windows\SysWOW64\Kpkpoq32.exeC:\Windows\system32\Kpkpoq32.exe79⤵
- System Location Discovery: System Language Discovery
PID:4344 -
C:\Windows\SysWOW64\Kicdgfbg.exeC:\Windows\system32\Kicdgfbg.exe80⤵
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Klapcaak.exeC:\Windows\system32\Klapcaak.exe81⤵PID:4468
-
C:\Windows\SysWOW64\Lieamfpe.exeC:\Windows\system32\Lieamfpe.exe82⤵PID:3340
-
C:\Windows\SysWOW64\Lfiafj32.exeC:\Windows\system32\Lfiafj32.exe83⤵PID:3992
-
C:\Windows\SysWOW64\Lndfkl32.exeC:\Windows\system32\Lndfkl32.exe84⤵PID:3652
-
C:\Windows\SysWOW64\Lhmjcbcj.exeC:\Windows\system32\Lhmjcbcj.exe85⤵PID:1776
-
C:\Windows\SysWOW64\Lbboak32.exeC:\Windows\system32\Lbboak32.exe86⤵PID:4452
-
C:\Windows\SysWOW64\Lhogia32.exeC:\Windows\system32\Lhogia32.exe87⤵PID:1872
-
C:\Windows\SysWOW64\Lpfojo32.exeC:\Windows\system32\Lpfojo32.exe88⤵PID:848
-
C:\Windows\SysWOW64\Mlmpopgn.exeC:\Windows\system32\Mlmpopgn.exe89⤵PID:4648
-
C:\Windows\SysWOW64\Mbghljok.exeC:\Windows\system32\Mbghljok.exe90⤵PID:4888
-
C:\Windows\SysWOW64\Miapid32.exeC:\Windows\system32\Miapid32.exe91⤵PID:1640
-
C:\Windows\SysWOW64\Mlomep32.exeC:\Windows\system32\Mlomep32.exe92⤵PID:636
-
C:\Windows\SysWOW64\Mbieajlh.exeC:\Windows\system32\Mbieajlh.exe93⤵PID:4068
-
C:\Windows\SysWOW64\Mehanell.exeC:\Windows\system32\Mehanell.exe94⤵PID:3032
-
C:\Windows\SysWOW64\Mlaijo32.exeC:\Windows\system32\Mlaijo32.exe95⤵PID:392
-
C:\Windows\SysWOW64\Mblagi32.exeC:\Windows\system32\Mblagi32.exe96⤵
- System Location Discovery: System Language Discovery
PID:5048 -
C:\Windows\SysWOW64\Mejnce32.exeC:\Windows\system32\Mejnce32.exe97⤵PID:4832
-
C:\Windows\SysWOW64\Mldfpoaf.exeC:\Windows\system32\Mldfpoaf.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:5164 -
C:\Windows\SysWOW64\Mobbljpj.exeC:\Windows\system32\Mobbljpj.exe99⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5224 -
C:\Windows\SysWOW64\Mfjjmhql.exeC:\Windows\system32\Mfjjmhql.exe100⤵PID:5268
-
C:\Windows\SysWOW64\Mihficpp.exeC:\Windows\system32\Mihficpp.exe101⤵PID:5320
-
C:\Windows\SysWOW64\Mlfbeooc.exeC:\Windows\system32\Mlfbeooc.exe102⤵PID:5368
-
C:\Windows\SysWOW64\Moeoajng.exeC:\Windows\system32\Moeoajng.exe103⤵PID:5440
-
C:\Windows\SysWOW64\Mflgcg32.exeC:\Windows\system32\Mflgcg32.exe104⤵PID:5500
-
C:\Windows\SysWOW64\Mijcoc32.exeC:\Windows\system32\Mijcoc32.exe105⤵PID:5564
-
C:\Windows\SysWOW64\Nliokn32.exeC:\Windows\system32\Nliokn32.exe106⤵PID:5620
-
C:\Windows\SysWOW64\Nbchhhdm.exeC:\Windows\system32\Nbchhhdm.exe107⤵
- System Location Discovery: System Language Discovery
PID:5664 -
C:\Windows\SysWOW64\Nimpdb32.exeC:\Windows\system32\Nimpdb32.exe108⤵PID:5708
-
C:\Windows\SysWOW64\Nhpppobe.exeC:\Windows\system32\Nhpppobe.exe109⤵PID:5752
-
C:\Windows\SysWOW64\Noihmi32.exeC:\Windows\system32\Noihmi32.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:5804 -
C:\Windows\SysWOW64\Ngqpng32.exeC:\Windows\system32\Ngqpng32.exe111⤵PID:5848
-
C:\Windows\SysWOW64\Nhbmeo32.exeC:\Windows\system32\Nhbmeo32.exe112⤵PID:5896
-
C:\Windows\SysWOW64\Nolebiho.exeC:\Windows\system32\Nolebiho.exe113⤵PID:5944
-
C:\Windows\SysWOW64\Nefmoc32.exeC:\Windows\system32\Nefmoc32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5984 -
C:\Windows\SysWOW64\Nhdiko32.exeC:\Windows\system32\Nhdiko32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6028 -
C:\Windows\SysWOW64\Nonbhifl.exeC:\Windows\system32\Nonbhifl.exe116⤵PID:6072
-
C:\Windows\SysWOW64\Nhffqnlm.exeC:\Windows\system32\Nhffqnlm.exe117⤵PID:6112
-
C:\Windows\SysWOW64\Noqomh32.exeC:\Windows\system32\Noqomh32.exe118⤵PID:5160
-
C:\Windows\SysWOW64\Nifbka32.exeC:\Windows\system32\Nifbka32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5208 -
C:\Windows\SysWOW64\Oppkgkkl.exeC:\Windows\system32\Oppkgkkl.exe120⤵PID:5312
-
C:\Windows\SysWOW64\Ogjcde32.exeC:\Windows\system32\Ogjcde32.exe121⤵PID:5300
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-