Analysis

max time kernel: 92s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 23:27

Static task: static1

Behavioral task: behavioral1
  Sample: 6ba94ffc0adaa7c827c480e66b560eb2be638fe64d6b59a782e030bbf4cfc676.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 6ba94ffc0adaa7c827c480e66b560eb2be638fe64d6b59a782e030bbf4cfc676.exe
  Resource: win10v2004-20241007-en
General

Target: 6ba94ffc0adaa7c827c480e66b560eb2be638fe64d6b59a782e030bbf4cfc676.exe
Size: 89KB
MD5: ddebe1f2b7783e511b751f2aef0f5001
SHA1: e12f0d32796a6b172b31edb55393de9f48b533e3
SHA256: 6ba94ffc0adaa7c827c480e66b560eb2be638fe64d6b59a782e030bbf4cfc676
SHA512: fb907e8965f27d8e751a46c62c117333bd380453857cac36020828528be4bbe532a2eb192f755e033ee753469fb687802fdf55c1cac508a1d7894285875027c2
SSDEEP: 1536:RNEZ2U72GfEKjwEZSlKFdSTL7cW/bprmOcavbgiyyyyyyTRQMPR+KRFR3RzR1URs:RFU72GfEKjLSlKmT/PNrmAgCeqjb5ZXd
Malware Config

Extracted: berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid    pid_target  Process       procid_target
13916  13644       WerFault.exe  749
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
8608  Acping32.exe
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry gives the tree depth, the image path, the command line, the PID, and the signatures attributed to that process.

1. C:\Users\Admin\AppData\Local\Temp\6ba94ffc0adaa7c827c480e66b560eb2be638fe64d6b59a782e030bbf4cfc676.exe (command line: "C:\Users\Admin\AppData\Local\Temp\6ba94ffc0adaa7c827c480e66b560eb2be638fe64d6b59a782e030bbf4cfc676.exe"), PID 3668
  - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Lfckdcoe.exe (command line: C:\Windows\system32\Lfckdcoe.exe), PID 3044
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Libgpooi.exe (command line: C:\Windows\system32\Libgpooi.exe), PID 3064
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Lplpmi32.exe (command line: C:\Windows\system32\Lplpmi32.exe), PID 4936
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Lffhjcmb.exe (command line: C:\Windows\system32\Lffhjcmb.exe), PID 1148
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Lmppfm32.exe (command line: C:\Windows\system32\Lmppfm32.exe), PID 640
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Lpnlbi32.exe (command line: C:\Windows\system32\Lpnlbi32.exe), PID 4944
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Lekekp32.exe (command line: C:\Windows\system32\Lekekp32.exe), PID 2544
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Llemgj32.exe (command line: C:\Windows\system32\Llemgj32.exe), PID 3544
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Mboeddad.exe (command line: C:\Windows\system32\Mboeddad.exe), PID 4828
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Miiman32.exe (command line: C:\Windows\system32\Miiman32.exe), PID 4716
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Mlgjmi32.exe (command line: C:\Windows\system32\Mlgjmi32.exe), PID 2604
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Mcabjcoa.exe (command line: C:\Windows\system32\Mcabjcoa.exe), PID 4896
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mikjfn32.exe (command line: C:\Windows\system32\Mikjfn32.exe), PID 5100
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Minglmdk.exe (command line: C:\Windows\system32\Minglmdk.exe), PID 4960
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Mdckifda.exe (command line: C:\Windows\system32\Mdckifda.exe), PID 4568
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Medgan32.exe (command line: C:\Windows\system32\Medgan32.exe), PID 1868
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Mmkpbl32.exe (command line: C:\Windows\system32\Mmkpbl32.exe), PID 1016
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Mgddka32.exe (command line: C:\Windows\system32\Mgddka32.exe), PID 2800
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Mibpgm32.exe (command line: C:\Windows\system32\Mibpgm32.exe), PID 2136
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Mnnlgkho.exe (command line: C:\Windows\system32\Mnnlgkho.exe), PID 2612
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Nghmfqmm.exe (command line: C:\Windows\system32\Nghmfqmm.exe), PID 4888
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Ndlnoelf.exe (command line: C:\Windows\system32\Ndlnoelf.exe), PID 2096
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
24. C:\Windows\SysWOW64\Ngkjlpkj.exe (command line: C:\Windows\system32\Ngkjlpkj.exe), PID 4276
  - Executes dropped EXE
  - Modifies registry class
25. C:\Windows\SysWOW64\Npcodf32.exe (command line: C:\Windows\system32\Npcodf32.exe), PID 1524
  - Executes dropped EXE
26. C:\Windows\SysWOW64\Ndagjd32.exe (command line: C:\Windows\system32\Ndagjd32.exe), PID 3016
  - Executes dropped EXE
27. C:\Windows\SysWOW64\Ophhpene.exe (command line: C:\Windows\system32\Ophhpene.exe), PID 4692
  - Executes dropped EXE
28. C:\Windows\SysWOW64\Ojplhkdf.exe (command line: C:\Windows\system32\Ojplhkdf.exe), PID 820
  - Executes dropped EXE
29. C:\Windows\SysWOW64\Ofgmml32.exe (command line: C:\Windows\system32\Ofgmml32.exe), PID 1120
  - Executes dropped EXE
30. C:\Windows\SysWOW64\Odhmkcbi.exe (command line: C:\Windows\system32\Odhmkcbi.exe), PID 4440
  - Executes dropped EXE
31. C:\Windows\SysWOW64\Olcbpe32.exe (command line: C:\Windows\system32\Olcbpe32.exe), PID 5032
  - Executes dropped EXE
32. C:\Windows\SysWOW64\Odjjqc32.exe (command line: C:\Windows\system32\Odjjqc32.exe), PID 1688
  - Executes dropped EXE
33. C:\Windows\SysWOW64\Olfoee32.exe (command line: C:\Windows\system32\Olfoee32.exe), PID 1456
  - Executes dropped EXE
34. C:\Windows\SysWOW64\Ogkcbn32.exe (command line: C:\Windows\system32\Ogkcbn32.exe), PID 336
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
35. C:\Windows\SysWOW64\Onekoh32.exe (command line: C:\Windows\system32\Onekoh32.exe), PID 4120
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
36. C:\Windows\SysWOW64\Pgnphnke.exe (command line: C:\Windows\system32\Pgnphnke.exe), PID 5008
  - Executes dropped EXE
37. C:\Windows\SysWOW64\Pnghdh32.exe (command line: C:\Windows\system32\Pnghdh32.exe), PID 3928
  - Executes dropped EXE
  - Drops file in System32 directory
38. C:\Windows\SysWOW64\Pdapabjo.exe (command line: C:\Windows\system32\Pdapabjo.exe), PID 4436
  - Executes dropped EXE
39. C:\Windows\SysWOW64\Pfcmij32.exe (command line: C:\Windows\system32\Pfcmij32.exe), PID 1572
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
40. C:\Windows\SysWOW64\Pqhafcoc.exe (command line: C:\Windows\system32\Pqhafcoc.exe), PID 448
  - Executes dropped EXE
41. C:\Windows\SysWOW64\Pgbicm32.exe (command line: C:\Windows\system32\Pgbicm32.exe), PID 4492
  - Executes dropped EXE
42. C:\Windows\SysWOW64\Pqknlbmp.exe (command line: C:\Windows\system32\Pqknlbmp.exe), PID 3120
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
43. C:\Windows\SysWOW64\Pgdfim32.exe (command line: C:\Windows\system32\Pgdfim32.exe), PID 2208
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
44. C:\Windows\SysWOW64\Pnoneglj.exe (command line: C:\Windows\system32\Pnoneglj.exe), PID 3088
  - Executes dropped EXE
45. C:\Windows\SysWOW64\Pdhfbacf.exe (command line: C:\Windows\system32\Pdhfbacf.exe), PID 4808
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
46. C:\Windows\SysWOW64\Pfjcji32.exe (command line: C:\Windows\system32\Pfjcji32.exe), PID 4744
  - Executes dropped EXE
47. C:\Windows\SysWOW64\Qmdkfcaa.exe (command line: C:\Windows\system32\Qmdkfcaa.exe), PID 1652
  - Executes dropped EXE
48. C:\Windows\SysWOW64\Qgiodlqh.exe (command line: C:\Windows\system32\Qgiodlqh.exe), PID 4576
  - Executes dropped EXE
49. C:\Windows\SysWOW64\Qncgqf32.exe (command line: C:\Windows\system32\Qncgqf32.exe), PID 4832
  - Executes dropped EXE
50. C:\Windows\SysWOW64\Qqadmagh.exe (command line: C:\Windows\system32\Qqadmagh.exe), PID 3980
  - Executes dropped EXE
51. C:\Windows\SysWOW64\Qjjheg32.exe (command line: C:\Windows\system32\Qjjheg32.exe), PID 872
  - Executes dropped EXE
52. C:\Windows\SysWOW64\Aqdqbaee.exe (command line: C:\Windows\system32\Aqdqbaee.exe), PID 3896
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
53. C:\Windows\SysWOW64\Agniok32.exe (command line: C:\Windows\system32\Agniok32.exe), PID 2648
  - Executes dropped EXE
54. C:\Windows\SysWOW64\Amkagb32.exe (command line: C:\Windows\system32\Amkagb32.exe), PID 3672
  - Executes dropped EXE
55. C:\Windows\SysWOW64\Aceidl32.exe (command line: C:\Windows\system32\Aceidl32.exe), PID 2504
  - Executes dropped EXE
56. C:\Windows\SysWOW64\Afcfph32.exe (command line: C:\Windows\system32\Afcfph32.exe), PID 2204
  - Executes dropped EXE
57. C:\Windows\SysWOW64\Anjnae32.exe (command line: C:\Windows\system32\Anjnae32.exe), PID 4432
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
58. C:\Windows\SysWOW64\Ammnmbig.exe (command line: C:\Windows\system32\Ammnmbig.exe), PID 2100
  - Executes dropped EXE
59. C:\Windows\SysWOW64\Aedfnoii.exe (command line: C:\Windows\system32\Aedfnoii.exe), PID 1964
  - Executes dropped EXE
60. C:\Windows\SysWOW64\Afebeg32.exe (command line: C:\Windows\system32\Afebeg32.exe), PID 4124
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
61. C:\Windows\SysWOW64\Ampkbagd.exe (command line: C:\Windows\system32\Ampkbagd.exe), PID 2460
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
62. C:\Windows\SysWOW64\Aefbcogf.exe (command line: C:\Windows\system32\Aefbcogf.exe), PID 4184
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
63. C:\Windows\SysWOW64\Ageopj32.exe (command line: C:\Windows\system32\Ageopj32.exe), PID 1232
  - Executes dropped EXE
64. C:\Windows\SysWOW64\Afhokgme.exe (command line: C:\Windows\system32\Afhokgme.exe), PID 2576
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
65. C:\Windows\SysWOW64\Ambgha32.exe (command line: C:\Windows\system32\Ambgha32.exe), PID 2528
  - Executes dropped EXE
66. C:\Windows\SysWOW64\Aclpdklo.exe (command line: C:\Windows\system32\Aclpdklo.exe), PID 3636
  - System Location Discovery: System Language Discovery
67. C:\Windows\SysWOW64\Agglej32.exe (command line: C:\Windows\system32\Agglej32.exe), PID 1116
68. C:\Windows\SysWOW64\Bnadadld.exe (command line: C:\Windows\system32\Bnadadld.exe), PID 4956
  - Modifies registry class
69. C:\Windows\SysWOW64\Bmddma32.exe (command line: C:\Windows\system32\Bmddma32.exe), PID 1132
70. C:\Windows\SysWOW64\Bcnljkjl.exe (command line: C:\Windows\system32\Bcnljkjl.exe), PID 1976
71. C:\Windows\SysWOW64\Bfmhff32.exe (command line: C:\Windows\system32\Bfmhff32.exe), PID 2540
72. C:\Windows\SysWOW64\Bncqgd32.exe (command line: C:\Windows\system32\Bncqgd32.exe), PID 4760
  - Drops file in System32 directory
73. C:\Windows\SysWOW64\Babmco32.exe (command line: C:\Windows\system32\Babmco32.exe), PID 2712
74. C:\Windows\SysWOW64\Bcqipk32.exe (command line: C:\Windows\system32\Bcqipk32.exe), PID 3772
75. C:\Windows\SysWOW64\Bfoelf32.exe (command line: C:\Windows\system32\Bfoelf32.exe), PID 3312
76. C:\Windows\SysWOW64\Bmimhpoj.exe (command line: C:\Windows\system32\Bmimhpoj.exe), PID 3460
  - System Location Discovery: System Language Discovery
77. C:\Windows\SysWOW64\Bepeinol.exe (command line: C:\Windows\system32\Bepeinol.exe), PID 3036
  - Drops file in System32 directory
78. C:\Windows\SysWOW64\Bgnafinp.exe (command line: C:\Windows\system32\Bgnafinp.exe), PID 1792
79. C:\Windows\SysWOW64\Bfabaf32.exe (command line: C:\Windows\system32\Bfabaf32.exe), PID 2016
80. C:\Windows\SysWOW64\Bagfooep.exe (command line: C:\Windows\system32\Bagfooep.exe), PID 2848
81. C:\Windows\SysWOW64\Bcebkjdd.exe (command line: C:\Windows\system32\Bcebkjdd.exe), PID 3640
  - Drops file in System32 directory
82. C:\Windows\SysWOW64\Bfcogecg.exe (command line: C:\Windows\system32\Bfcogecg.exe), PID 2632
83. C:\Windows\SysWOW64\Bjokgd32.exe (command line: C:\Windows\system32\Bjokgd32.exe), PID 5004
84. C:\Windows\SysWOW64\Bmngcp32.exe (command line: C:\Windows\system32\Bmngcp32.exe), PID 1000
85. C:\Windows\SysWOW64\Bcgopjba.exe (command line: C:\Windows\system32\Bcgopjba.exe), PID 2440
86. C:\Windows\SysWOW64\Bhckqh32.exe (command line: C:\Windows\system32\Bhckqh32.exe), PID 1484
87. C:\Windows\SysWOW64\Cnmcnb32.exe (command line: C:\Windows\system32\Cnmcnb32.exe), PID 632
88. C:\Windows\SysWOW64\Ccjlfi32.exe (command line: C:\Windows\system32\Ccjlfi32.exe), PID 2548
89. C:\Windows\SysWOW64\Cfhhbe32.exe (command line: C:\Windows\system32\Cfhhbe32.exe), PID 4564
  - Adds autorun key to be loaded by Explorer.exe on startup
90. C:\Windows\SysWOW64\Cnopcb32.exe (command line: C:\Windows\system32\Cnopcb32.exe), PID 876
91. C:\Windows\SysWOW64\Ceihplga.exe (command line: C:\Windows\system32\Ceihplga.exe), PID 3424
92. C:\Windows\SysWOW64\Chhdlhfe.exe (command line: C:\Windows\system32\Chhdlhfe.exe), PID 2752
93. C:\Windows\SysWOW64\Cjfqhcei.exe (command line: C:\Windows\system32\Cjfqhcei.exe), PID 1896
94. C:\Windows\SysWOW64\Capiemme.exe (command line: C:\Windows\system32\Capiemme.exe), PID 3472
95. C:\Windows\SysWOW64\Cdoeaili.exe (command line: C:\Windows\system32\Cdoeaili.exe), PID 3872
96. C:\Windows\SysWOW64\Chjaag32.exe (command line: C:\Windows\system32\Chjaag32.exe), PID 1156
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
97. C:\Windows\SysWOW64\Cndinalo.exe (command line: C:\Windows\system32\Cndinalo.exe), PID 4316
98. C:\Windows\SysWOW64\Cenakl32.exe (command line: C:\Windows\system32\Cenakl32.exe), PID 2244
  - System Location Discovery: System Language Discovery
99. C:\Windows\SysWOW64\Chlngg32.exe (command line: C:\Windows\system32\Chlngg32.exe), PID 3528
  - System Location Discovery: System Language Discovery
100. C:\Windows\SysWOW64\Cjkjcb32.exe (command line: C:\Windows\system32\Cjkjcb32.exe), PID 3704
101. C:\Windows\SysWOW64\Dhokmgpm.exe (command line: C:\Windows\system32\Dhokmgpm.exe), PID 3092
  - System Location Discovery: System Language Discovery
102. C:\Windows\SysWOW64\Doicia32.exe (command line: C:\Windows\system32\Doicia32.exe), PID 3548
  - Adds autorun key to be loaded by Explorer.exe on startup
103. C:\Windows\SysWOW64\Dagoel32.exe (command line: C:\Windows\system32\Dagoel32.exe), PID 3324
104. C:\Windows\SysWOW64\Ddekah32.exe (command line: C:\Windows\system32\Ddekah32.exe), PID 4728
  - System Location Discovery: System Language Discovery
105. C:\Windows\SysWOW64\Dfdgnc32.exe (command line: C:\Windows\system32\Dfdgnc32.exe), PID 4008
  - Drops file in System32 directory
106. C:\Windows\SysWOW64\Dmnpjmla.exe (command line: C:\Windows\system32\Dmnpjmla.exe), PID 4264
107. C:\Windows\SysWOW64\Deehkk32.exe (command line: C:\Windows\system32\Deehkk32.exe), PID 944
108. C:\Windows\SysWOW64\Ddhhggdo.exe (command line: C:\Windows\system32\Ddhhggdo.exe), PID 5088
109. C:\Windows\SysWOW64\Dkbpda32.exe (command line: C:\Windows\system32\Dkbpda32.exe), PID 4840
110. C:\Windows\SysWOW64\Domldpcd.exe (command line: C:\Windows\system32\Domldpcd.exe), PID 4980
111. C:\Windows\SysWOW64\Dalhqlbh.exe (command line: C:\Windows\system32\Dalhqlbh.exe), PID 2736
112. C:\Windows\SysWOW64\Dhfqmf32.exe (command line: C:\Windows\system32\Dhfqmf32.exe), PID 1368
  - Drops file in System32 directory
113. C:\Windows\SysWOW64\Dfiaibap.exe (command line: C:\Windows\system32\Dfiaibap.exe), PID 2508
  - Modifies registry class
114. C:\Windows\SysWOW64\Dopijpab.exe (command line: C:\Windows\system32\Dopijpab.exe), PID 3504
  - System Location Discovery: System Language Discovery
115. C:\Windows\SysWOW64\Dmbiem32.exe (command line: C:\Windows\system32\Dmbiem32.exe), PID 5184
116. C:\Windows\SysWOW64\Dejafj32.exe (command line: C:\Windows\system32\Dejafj32.exe), PID 5244
117. C:\Windows\SysWOW64\Dhhncehb.exe (command line: C:\Windows\system32\Dhhncehb.exe), PID 5292
118. C:\Windows\SysWOW64\Dkfjoagf.exe (command line: C:\Windows\system32\Dkfjoagf.exe), PID 5344
119. C:\Windows\SysWOW64\Dmefklfj.exe (command line: C:\Windows\system32\Dmefklfj.exe), PID 5428
  - Adds autorun key to be loaded by Explorer.exe on startup
120. C:\Windows\SysWOW64\Daqblk32.exe (command line: C:\Windows\system32\Daqblk32.exe), PID 5504
121. C:\Windows\SysWOW64\Ddonhf32.exe (command line: C:\Windows\system32\Ddonhf32.exe), PID 5552
122. C:\Windows\SysWOW64\Ehjjhefp.exe (command line: C:\Windows\system32\Ehjjhefp.exe), PID 5592