Analysis
-
max time kernel
115s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 10:28
Behavioral task
behavioral1
Sample
f1f97863716ebbbae5e89cf9392a44862452b28cfdd4b851f07034c8d6595bf6N.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
f1f97863716ebbbae5e89cf9392a44862452b28cfdd4b851f07034c8d6595bf6N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
f1f97863716ebbbae5e89cf9392a44862452b28cfdd4b851f07034c8d6595bf6N.exe
-
Size
318KB
-
MD5
cfc2073aeb14eec902db2c83cabd06b0
-
SHA1
41366b778d6f3fe9cacddc9b8105c08945c6504e
-
SHA256
f1f97863716ebbbae5e89cf9392a44862452b28cfdd4b851f07034c8d6595bf6
-
SHA512
6548a9a5a9f1f536921df811fcfef78e9230fc37f0b10a354aa57955cd99db1b0115bfe288c74240312602b845004f9e849c1485a1536e6c015726157b618359
-
SSDEEP
6144:iiQayCHW3VIRV5qRVEQHdMcm4FmowdHoS7c5cm4FmowdHoSrNF9xRVEQHd4:iiQGHsUcO4wFHoS04wFHoSrZx8
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aanbhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipmbjgpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnplfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khgbqkhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckkfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmlkfjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcabej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lndagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaplqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ookhfigk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njghbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paiogf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipdndloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocgkan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohncdobq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlobkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmdlffhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gihgfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndgfpbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlljnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enemaimp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhoipb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epikpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfihkqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefgbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcgpni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmhhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kglmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lklbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldipha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdphngfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnbakghm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlpfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfmlghd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjmhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pamiaboj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fllkqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gngeik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biklho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djqblj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgfapd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbnhedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkobmnka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgihaji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjficg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qppkhfec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmpdhboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omcjep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apmhiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhldbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmdblp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbqmiinl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcjkfij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifaim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijdjfdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibbcfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djqblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgpcliao.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3612 Jklphekp.exe 2456 Jgcamf32.exe 592 Jjamia32.exe 824 Jibmgi32.exe 4472 Kqpoakco.exe 4880 Kndojobi.exe 5092 Kbbhqn32.exe 4128 Kgopidgf.exe 3520 Kgamnded.exe 1996 Lgcjdd32.exe 4584 Lnnbqnjn.exe 4172 Lbkkgl32.exe 4436 Laqhhi32.exe 4272 Lihpif32.exe 3244 Lijlof32.exe 3468 Llhikacp.exe 3996 Mhoipb32.exe 2444 Mbenmk32.exe 2000 Miofjepg.exe 4432 Mjpbam32.exe 2132 Mhilfa32.exe 4064 Njghbl32.exe 2280 Nbqmiinl.exe 4052 Nognnj32.exe 4816 Nafjjf32.exe 3012 Neccpd32.exe 640 Nhdlao32.exe 3284 Ohghgodi.exe 2888 Ooqqdi32.exe 3772 Oemefcap.exe 4088 Oadfkdgd.exe 2884 Obcceg32.exe 764 Pkogiikb.exe 2256 Pahpfc32.exe 3264 Pefhlaie.exe 2508 Pamiaboj.exe 1424 Pkenjh32.exe 1988 Papfgbmg.exe 4220 Plejdkmm.exe 2120 Pemomqcn.exe 3460 Qadoba32.exe 972 Qkmdkgob.exe 1840 Akoqpg32.exe 5040 Aeddnp32.exe 3472 Aomifecf.exe 2372 Afgacokc.exe 2528 Akcjkfij.exe 3328 Aanbhp32.exe 3392 Akffafgg.exe 2860 Afkknogn.exe 4084 Ahjgjj32.exe 2644 Bhldpj32.exe 4676 Blhpqhlh.exe 816 Bjlpjm32.exe 3592 Bjnmpl32.exe 4200 Bhcjqinf.exe 3620 Bopocbcq.exe 3524 Ckfphc32.exe 3948 Cobkhb32.exe 4720 Cjgpfk32.exe 3216 Codhnb32.exe 2620 Ccbadp32.exe 4228 Cfqmpl32.exe 1088 Cioilg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ebcmfjll.dll Mcpcdg32.exe File opened for modification C:\Windows\SysWOW64\Kekbjo32.exe Khgbqkhj.exe File opened for modification C:\Windows\SysWOW64\Jklphekp.exe f1f97863716ebbbae5e89cf9392a44862452b28cfdd4b851f07034c8d6595bf6N.exe File created C:\Windows\SysWOW64\Pahpfc32.exe Pkogiikb.exe File opened for modification C:\Windows\SysWOW64\Bjnmpl32.exe Bjlpjm32.exe File opened for modification C:\Windows\SysWOW64\Hlpfhe32.exe Hfcnpn32.exe File created C:\Windows\SysWOW64\Mgphpe32.exe Mjlhgaqp.exe File created C:\Windows\SysWOW64\Qpeahb32.exe Qdoacabq.exe File opened for modification C:\Windows\SysWOW64\Amnebo32.exe Abhqefpg.exe File created C:\Windows\SysWOW64\Mjpbam32.exe Miofjepg.exe File created C:\Windows\SysWOW64\Cjgpfk32.exe Cobkhb32.exe File created C:\Windows\SysWOW64\Olhldm32.dll Jnelok32.exe File opened for modification C:\Windows\SysWOW64\Bakgoh32.exe Bkaobnio.exe File created C:\Windows\SysWOW64\Dmadco32.exe Dbkqfe32.exe File opened for modification C:\Windows\SysWOW64\Gjcmngnj.exe Gdgdeppb.exe File created C:\Windows\SysWOW64\Eadhip32.dll Chiigadc.exe File created C:\Windows\SysWOW64\Mgpilmfi.dll Gngeik32.exe File created C:\Windows\SysWOW64\Fnhbmgmk.exe Fgnjqm32.exe File created C:\Windows\SysWOW64\Ooqqdi32.exe Ohghgodi.exe File opened for modification C:\Windows\SysWOW64\Oaqbkn32.exe Ojgjndno.exe File created C:\Windows\SysWOW64\Ccppmc32.exe Cpacqg32.exe File created C:\Windows\SysWOW64\Olkpol32.dll Lolcnman.exe File created C:\Windows\SysWOW64\Jmgdeb32.dll Llpchaqg.exe File created C:\Windows\SysWOW64\Omcbkl32.exe Ofijnbkb.exe File created C:\Windows\SysWOW64\Plejdkmm.exe Papfgbmg.exe File created C:\Windows\SysWOW64\Dihlbf32.exe Dbndfl32.exe File opened for modification C:\Windows\SysWOW64\Fpbflg32.exe Efjbcakl.exe File created C:\Windows\SysWOW64\Bmladm32.exe Bbfmgd32.exe File opened for modification C:\Windows\SysWOW64\Ocdgahag.exe Ohncdobq.exe File opened for modification C:\Windows\SysWOW64\Ajaelc32.exe Amnebo32.exe File created C:\Windows\SysWOW64\Hnhmla32.dll Neccpd32.exe File opened for modification C:\Windows\SysWOW64\Bopocbcq.exe Bhcjqinf.exe File created C:\Windows\SysWOW64\Jadelk32.dll Laqhhi32.exe File opened for modification C:\Windows\SysWOW64\Mccfdmmo.exe Mnfnlf32.exe File created C:\Windows\SysWOW64\Fbcolk32.dll Cgfbbb32.exe File created C:\Windows\SysWOW64\Emjnfn32.dll Gqnejaff.exe File created C:\Windows\SysWOW64\Nnmmnbnl.dll Omaeem32.exe File created C:\Windows\SysWOW64\Gkmdecbg.exe Gbfldf32.exe File created C:\Windows\SysWOW64\Oclknk32.dll Fiaael32.exe File created C:\Windows\SysWOW64\Gimqajgh.exe Gmfplibd.exe File opened for modification C:\Windows\SysWOW64\Dpkmal32.exe Dpiplm32.exe File created C:\Windows\SysWOW64\Pknjieep.dll Bgdemb32.exe File created C:\Windows\SysWOW64\Fiboaq32.dll Dmadco32.exe File created C:\Windows\SysWOW64\Pagbaglh.exe Phonha32.exe File opened for modification C:\Windows\SysWOW64\Jjdokb32.exe Jdjfohjg.exe File created C:\Windows\SysWOW64\Gabmaqlh.dll Oaqbkn32.exe File created C:\Windows\SysWOW64\Pipeabep.dll Chiblk32.exe File opened for modification C:\Windows\SysWOW64\Iccpniqp.exe Ibbcfa32.exe File created C:\Windows\SysWOW64\Bochcckb.dll Jhhodg32.exe File opened for modification C:\Windows\SysWOW64\Ahpmjejp.exe Aeaanjkl.exe File created C:\Windows\SysWOW64\Fhgcme32.dll Bkjiao32.exe File created C:\Windows\SysWOW64\Gjbpbd32.dll Ollljmhg.exe File opened for modification C:\Windows\SysWOW64\Ebejfk32.exe Dmhand32.exe File created C:\Windows\SysWOW64\Ilmmni32.exe Iinqbn32.exe File created C:\Windows\SysWOW64\Fkmjaa32.exe Fgoakc32.exe File opened for modification C:\Windows\SysWOW64\Aealll32.exe Acppddig.exe File created C:\Windows\SysWOW64\Ahoemi32.dll Fpbflg32.exe File opened for modification C:\Windows\SysWOW64\Qdaniq32.exe Qpeahb32.exe File opened for modification C:\Windows\SysWOW64\Nofoki32.exe Nhlfoodc.exe File created C:\Windows\SysWOW64\Ppahmb32.exe Pnplfj32.exe File created C:\Windows\SysWOW64\Kdkoef32.exe Kongmo32.exe File opened for modification C:\Windows\SysWOW64\Kaaldjil.exe Kocphojh.exe File created C:\Windows\SysWOW64\Dgeaknci.dll Aoioli32.exe File created C:\Windows\SysWOW64\Cgkeml32.dll Fijdjfdb.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akoqpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndidna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdjfohjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mociol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfepf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijdjfdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejhef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjcmngnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidlqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biiobo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkbjjbda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbchj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpfan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocphojh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohghgodi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efeihb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfnoqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dphiaffa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkmal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pimfpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laqhhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emkndc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmbmkpie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffnknafg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difpmfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giljfddl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecikjoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khabke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amnebo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklnconj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhknhabf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikpjbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpqjjjjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhpgca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noaeqjpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafkgphl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iabglnco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdalog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjafok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nelfeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkqpkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpcdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjldk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfknmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdlkdhnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqpapacd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcabej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpcja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllkqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkadfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odhifjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pefabkej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igfclkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaplqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opeiadfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnlhncgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjgpfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdbdcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjjip32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcnmin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apeknk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbkkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkmdecbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kopcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phedhmhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfjkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bphgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebfign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pemomqcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klddlckd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldldehjm.dll" Hipmfjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljhbbae.dll" Ojemig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjiib32.dll" Dgihop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbcmakpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmmco32.dll" Ibqnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncmhko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pijcpmhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balfdi32.dll" Janghmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfgke32.dll" Kdkoef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odjmdocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodeh32.dll" Ccgjopal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeclnmik.dll" Lpepbgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacmli32.dll" Khabke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpifba32.dll" Phedhmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afjpan32.dll" Baepolni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhpfk32.dll" Dncpkjoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apmhiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pboglh32.dll" Ilphdlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghekd32.dll" Llkjmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhpgca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aijlgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgbikfp.dll" Bahkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eifaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbalopbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkgillpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbbffdlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboeco32.dll" Flpmagqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biklho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mekdffee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neccpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klahfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgkfnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kedlip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijgd32.dll" Enemaimp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coohhlpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbbond32.dll" Mhoipb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pahpfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlobkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lklbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibjl32.dll" Giljfddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lebijnak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lklnconj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laqhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkbjjbda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmcjnkq.dll" Hhdcmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aijlgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlofpg32.dll" Jpfepf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aahbbkaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kedlip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgpcliao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqgmmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdepoj32.dll" Enmjlojd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1716 wrote to memory of 3612 1716 f1f97863716ebbbae5e89cf9392a44862452b28cfdd4b851f07034c8d6595bf6N.exe 83 PID 1716 wrote to memory of 3612 1716 f1f97863716ebbbae5e89cf9392a44862452b28cfdd4b851f07034c8d6595bf6N.exe 83 PID 1716 wrote to memory of 3612 1716 f1f97863716ebbbae5e89cf9392a44862452b28cfdd4b851f07034c8d6595bf6N.exe 83 PID 3612 wrote to memory of 2456 3612 Jklphekp.exe 84 PID 3612 wrote to memory of 2456 3612 Jklphekp.exe 84 PID 3612 wrote to memory of 2456 3612 Jklphekp.exe 84 PID 2456 wrote to memory of 592 2456 Jgcamf32.exe 85 PID 2456 wrote to memory of 592 2456 Jgcamf32.exe 85 PID 2456 wrote to memory of 592 2456 Jgcamf32.exe 85 PID 592 wrote to memory of 824 592 Jjamia32.exe 86 PID 592 wrote to memory of 824 592 Jjamia32.exe 86 PID 592 wrote to memory of 824 592 Jjamia32.exe 86 PID 824 wrote to memory of 4472 824 Jibmgi32.exe 87 PID 824 wrote to memory of 4472 824 Jibmgi32.exe 87 PID 824 wrote to memory of 4472 824 Jibmgi32.exe 87 PID 4472 wrote to memory of 4880 4472 Kqpoakco.exe 88 PID 4472 wrote to memory of 4880 4472 Kqpoakco.exe 88 PID 4472 wrote to memory of 4880 4472 Kqpoakco.exe 88 PID 4880 wrote to memory of 5092 4880 Kndojobi.exe 89 PID 4880 wrote to memory of 5092 4880 Kndojobi.exe 89 PID 4880 wrote to memory of 5092 4880 Kndojobi.exe 89 PID 5092 wrote to memory of 4128 5092 Kbbhqn32.exe 90 PID 5092 wrote to memory of 4128 5092 Kbbhqn32.exe 90 PID 5092 wrote to memory of 4128 5092 Kbbhqn32.exe 90 PID 4128 wrote to memory of 3520 4128 Kgopidgf.exe 91 PID 4128 wrote to memory of 3520 4128 Kgopidgf.exe 91 PID 4128 wrote to memory of 3520 4128 Kgopidgf.exe 91 PID 3520 wrote to memory of 1996 3520 Kgamnded.exe 92 PID 3520 wrote to memory of 1996 3520 Kgamnded.exe 92 PID 3520 wrote to memory of 1996 3520 Kgamnded.exe 92 PID 1996 wrote to memory of 4584 1996 Lgcjdd32.exe 93 PID 1996 wrote to memory of 4584 1996 Lgcjdd32.exe 93 PID 1996 wrote to memory of 4584 1996 Lgcjdd32.exe 93 PID 4584 wrote to memory of 4172 4584 Lnnbqnjn.exe 94 PID 4584 wrote to memory of 4172 4584 Lnnbqnjn.exe 94 PID 4584 wrote to memory of 4172 4584 Lnnbqnjn.exe 94 PID 4172 wrote to memory of 4436 4172 Lbkkgl32.exe 95 PID 4172 wrote to memory of 4436 4172 Lbkkgl32.exe 95 PID 4172 wrote to memory of 4436 4172 Lbkkgl32.exe 95 PID 4436 wrote to memory of 4272 4436 Laqhhi32.exe 96 PID 4436 wrote to memory of 4272 4436 Laqhhi32.exe 96 PID 4436 wrote to memory of 4272 4436 Laqhhi32.exe 96 PID 4272 wrote to memory of 3244 4272 Lihpif32.exe 97 PID 4272 wrote to memory of 3244 4272 Lihpif32.exe 97 PID 4272 wrote to memory of 3244 4272 Lihpif32.exe 97 PID 3244 wrote to memory of 3468 3244 Lijlof32.exe 98 PID 3244 wrote to memory of 3468 3244 Lijlof32.exe 98 PID 3244 wrote to memory of 3468 3244 Lijlof32.exe 98 PID 3468 wrote to memory of 3996 3468 Llhikacp.exe 99 PID 3468 wrote to memory of 3996 3468 Llhikacp.exe 99 PID 3468 wrote to memory of 3996 3468 Llhikacp.exe 99 PID 3996 wrote to memory of 2444 3996 Mhoipb32.exe 100 PID 3996 wrote to memory of 2444 3996 Mhoipb32.exe 100 PID 3996 wrote to memory of 2444 3996 Mhoipb32.exe 100 PID 2444 wrote to memory of 2000 2444 Mbenmk32.exe 101 PID 2444 wrote to memory of 2000 2444 Mbenmk32.exe 101 PID 2444 wrote to memory of 2000 2444 Mbenmk32.exe 101 PID 2000 wrote to memory of 4432 2000 Miofjepg.exe 102 PID 2000 wrote to memory of 4432 2000 Miofjepg.exe 102 PID 2000 wrote to memory of 4432 2000 Miofjepg.exe 102 PID 4432 wrote to memory of 2132 4432 Mjpbam32.exe 103 PID 4432 wrote to memory of 2132 4432 Mjpbam32.exe 103 PID 4432 wrote to memory of 2132 4432 Mjpbam32.exe 103 PID 2132 wrote to memory of 4064 2132 Mhilfa32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1f97863716ebbbae5e89cf9392a44862452b28cfdd4b851f07034c8d6595bf6N.exe"C:\Users\Admin\AppData\Local\Temp\f1f97863716ebbbae5e89cf9392a44862452b28cfdd4b851f07034c8d6595bf6N.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe25⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe26⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe28⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3284 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe30⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe31⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe32⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe33⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe36⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe37⤵
- Modifies registry class
PID:4412 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe39⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe41⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe43⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe44⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1840 -
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe46⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe47⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe48⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe51⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe52⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe53⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Bhldpj32.exeC:\Windows\system32\Bhldpj32.exe54⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Blhpqhlh.exeC:\Windows\system32\Blhpqhlh.exe55⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe57⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4200 -
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe59⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3524 -
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3948 -
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4720 -
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe63⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Ccbadp32.exeC:\Windows\system32\Ccbadp32.exe64⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe65⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe66⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe67⤵PID:1500
-
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe68⤵
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4416 -
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe70⤵
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe71⤵
- Drops file in System32 directory
PID:3184 -
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe72⤵PID:4564
-
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe73⤵PID:224
-
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe74⤵
- Modifies registry class
PID:5000 -
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe75⤵
- Drops file in System32 directory
PID:4688 -
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe76⤵PID:2848
-
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe77⤵
- System Location Discovery: System Language Discovery
PID:4548 -
C:\Windows\SysWOW64\Epikpo32.exeC:\Windows\system32\Epikpo32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe79⤵PID:1768
-
C:\Windows\SysWOW64\Ecgcfm32.exeC:\Windows\system32\Ecgcfm32.exe80⤵PID:4208
-
C:\Windows\SysWOW64\Ejalcgkg.exeC:\Windows\system32\Ejalcgkg.exe81⤵PID:2840
-
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe82⤵PID:4268
-
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe83⤵PID:1652
-
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe84⤵PID:2040
-
C:\Windows\SysWOW64\Fllkqn32.exeC:\Windows\system32\Fllkqn32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4296 -
C:\Windows\SysWOW64\Fjmkoeqi.exeC:\Windows\system32\Fjmkoeqi.exe86⤵PID:2168
-
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe87⤵PID:760
-
C:\Windows\SysWOW64\Glcaambb.exeC:\Windows\system32\Glcaambb.exe88⤵PID:5032
-
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe89⤵
- System Location Discovery: System Language Discovery
PID:3220 -
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe90⤵PID:4408
-
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe91⤵PID:4496
-
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe92⤵PID:4996
-
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe93⤵PID:4772
-
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe94⤵
- Drops file in System32 directory
PID:3116 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe95⤵
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe96⤵PID:3276
-
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe97⤵PID:2608
-
C:\Windows\SysWOW64\Hplicjok.exeC:\Windows\system32\Hplicjok.exe98⤵PID:3396
-
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3788 -
C:\Windows\SysWOW64\Hlcjhkdp.exeC:\Windows\system32\Hlcjhkdp.exe100⤵PID:5012
-
C:\Windows\SysWOW64\Hkdjfb32.exeC:\Windows\system32\Hkdjfb32.exe101⤵PID:3464
-
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe102⤵PID:5020
-
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe103⤵PID:3172
-
C:\Windows\SysWOW64\Hlhccj32.exeC:\Windows\system32\Hlhccj32.exe104⤵PID:5144
-
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe105⤵PID:5188
-
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe106⤵PID:5228
-
C:\Windows\SysWOW64\Iljpij32.exeC:\Windows\system32\Iljpij32.exe107⤵PID:5276
-
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe108⤵PID:5336
-
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe109⤵
- Drops file in System32 directory
PID:5384 -
C:\Windows\SysWOW64\Ilmmni32.exeC:\Windows\system32\Ilmmni32.exe110⤵PID:5456
-
C:\Windows\SysWOW64\Igbalblk.exeC:\Windows\system32\Igbalblk.exe111⤵PID:5516
-
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe112⤵PID:5560
-
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe113⤵PID:5608
-
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe114⤵
- System Location Discovery: System Language Discovery
PID:5656 -
C:\Windows\SysWOW64\Ipmbjgpi.exeC:\Windows\system32\Ipmbjgpi.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5700 -
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe116⤵PID:5748
-
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe117⤵PID:5792
-
C:\Windows\SysWOW64\Idkkpf32.exeC:\Windows\system32\Idkkpf32.exe118⤵PID:5836
-
C:\Windows\SysWOW64\Jjgchm32.exeC:\Windows\system32\Jjgchm32.exe119⤵PID:5872
-
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe120⤵PID:5928
-
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe121⤵PID:5972
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-