Analysis
-
max time kernel
107s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25/08/2024, 07:04
Static task
static1
Behavioral task
behavioral1
Sample
c9f04bfcb904066265b1283c120b38e0N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
c9f04bfcb904066265b1283c120b38e0N.exe
Resource
win10v2004-20240802-en
General
-
Target
c9f04bfcb904066265b1283c120b38e0N.exe
-
Size
109KB
-
MD5
c9f04bfcb904066265b1283c120b38e0
-
SHA1
d0a6e94a282a3599de8092f8080b573a6203021d
-
SHA256
5a0f4c19e41ead5c96d2c2662e29c93a8e619b8c1622114eaef1ea8708995f3d
-
SHA512
03762d428f381d624dda2ae9785ac234b242889b6332da622f1ee5de7fe591ff1fda6b01ca52a3d59ec4bb71187a41eb80e1c375affc037914f321d9562690d9
-
SSDEEP
3072:Kh6+e5w0+ytJx4kMSh8Ouy0J9JLCqwzBu1DjHLMVDqqkSp:KhDytJx4kkTJ9xwtu1DjrFqh
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmfhig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amddjegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Balpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmnpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngdmod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmehkqk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkgeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" c9f04bfcb904066265b1283c120b38e0N.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amddjegd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndikf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njciko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oncofm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdfjifjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhnpjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojoign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chjaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndhmhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qceiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ampkof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjkjpgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cagobalc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olhlhjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmannhhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnhjohkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjfaeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclgkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmkadgpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampkof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnnlaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogkcpbam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcncpbmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afoeiklb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmgki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjjppmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfabnjjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deokon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Andqdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdabcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfcfml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqijje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceqnmpfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmidog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnjnnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afoeiklb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chjaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnlhfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdpmpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfcfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afhohlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aepefb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnjjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegdnopg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddonekbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olfobjbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfnjafap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdmpje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjpckf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odkjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhhnpjmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad c9f04bfcb904066265b1283c120b38e0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmidog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgnilpah.exe -
Executes dropped EXE 64 IoCs
pid Process 1768 Neeqea32.exe 2908 Nnlhfn32.exe 4764 Npjebj32.exe 4592 Ngdmod32.exe 1916 Njciko32.exe 1260 Ndhmhh32.exe 4584 Nfjjppmm.exe 2616 Nnqbanmo.exe 1412 Odkjng32.exe 2772 Ogifjcdp.exe 4892 Oncofm32.exe 5112 Olfobjbg.exe 4816 Odmgcgbi.exe 4732 Ogkcpbam.exe 1872 Olhlhjpd.exe 3540 Odocigqg.exe 2184 Ojllan32.exe 4680 Odapnf32.exe 1488 Ojoign32.exe 2972 Oqhacgdh.exe 3204 Ogbipa32.exe 1964 Pnlaml32.exe 4140 Pdfjifjo.exe 2900 Pgefeajb.exe 3028 Pmannhhj.exe 3160 Pclgkb32.exe 1572 Pjeoglgc.exe 4992 Pmdkch32.exe 3448 Pcncpbmd.exe 3232 Pjhlml32.exe 2708 Pmfhig32.exe 3912 Pdmpje32.exe 2436 Pfolbmje.exe 368 Pmidog32.exe 2320 Pdpmpdbd.exe 2556 Pgnilpah.exe 3848 Pjmehkqk.exe 2288 Qmkadgpo.exe 1952 Qceiaa32.exe 3680 Qfcfml32.exe 4280 Qnjnnj32.exe 2452 Qqijje32.exe 3836 Qcgffqei.exe 4404 Qffbbldm.exe 3516 Ampkof32.exe 1684 Adgbpc32.exe 1164 Afhohlbj.exe 4352 Anogiicl.exe 1120 Aeiofcji.exe 4092 Agglboim.exe 1004 Ajfhnjhq.exe 3128 Amddjegd.exe 2044 Acnlgp32.exe 4348 Afmhck32.exe 3504 Andqdh32.exe 5080 Aabmqd32.exe 2660 Acqimo32.exe 4852 Afoeiklb.exe 2892 Aepefb32.exe 2052 Bfabnjjp.exe 5040 Bnhjohkb.exe 2132 Bebblb32.exe 1652 Bganhm32.exe 4884 Bnkgeg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Aabmqd32.exe Andqdh32.exe File created C:\Windows\SysWOW64\Lcnhho32.dll Odmgcgbi.exe File opened for modification C:\Windows\SysWOW64\Pcncpbmd.exe Pmdkch32.exe File opened for modification C:\Windows\SysWOW64\Cndikf32.exe Chjaol32.exe File opened for modification C:\Windows\SysWOW64\Pmidog32.exe Pfolbmje.exe File created C:\Windows\SysWOW64\Amddjegd.exe Ajfhnjhq.exe File created C:\Windows\SysWOW64\Jbaqqh32.dll Olhlhjpd.exe File opened for modification C:\Windows\SysWOW64\Qqijje32.exe Qnjnnj32.exe File opened for modification C:\Windows\SysWOW64\Bjfaeh32.exe Bhhdil32.exe File created C:\Windows\SysWOW64\Cndikf32.exe Chjaol32.exe File created C:\Windows\SysWOW64\Neeqea32.exe c9f04bfcb904066265b1283c120b38e0N.exe File created C:\Windows\SysWOW64\Ndhmhh32.exe Njciko32.exe File opened for modification C:\Windows\SysWOW64\Qceiaa32.exe Qmkadgpo.exe File opened for modification C:\Windows\SysWOW64\Afhohlbj.exe Adgbpc32.exe File created C:\Windows\SysWOW64\Ghekgcil.dll Afhohlbj.exe File created C:\Windows\SysWOW64\Iqjikg32.dll Banllbdn.exe File created C:\Windows\SysWOW64\Bilonkon.dll Cmnpgb32.exe File created C:\Windows\SysWOW64\Dhhnpjmh.exe Djdmffnn.exe File created C:\Windows\SysWOW64\Pkfhoiaf.dll Oncofm32.exe File created C:\Windows\SysWOW64\Mjpabk32.dll Pjmehkqk.exe File opened for modification C:\Windows\SysWOW64\Dhhnpjmh.exe Djdmffnn.exe File created C:\Windows\SysWOW64\Qhbepcmd.dll Pmannhhj.exe File created C:\Windows\SysWOW64\Pjeoglgc.exe Pclgkb32.exe File created C:\Windows\SysWOW64\Dpmdoo32.dll Aeiofcji.exe File opened for modification C:\Windows\SysWOW64\Balpgb32.exe Bjagjhnc.exe File opened for modification C:\Windows\SysWOW64\Cdfkolkf.exe Cagobalc.exe File opened for modification C:\Windows\SysWOW64\Daconoae.exe Dfnjafap.exe File created C:\Windows\SysWOW64\Gnpllc32.dll Nfjjppmm.exe File created C:\Windows\SysWOW64\Pdfjifjo.exe Pnlaml32.exe File created C:\Windows\SysWOW64\Deokon32.exe Daconoae.exe File created C:\Windows\SysWOW64\Alcidkmm.dll Djgjlelk.exe File created C:\Windows\SysWOW64\Mjelcfha.dll Daqbip32.exe File created C:\Windows\SysWOW64\Pmannhhj.exe Pgefeajb.exe File created C:\Windows\SysWOW64\Cdabcm32.exe Cenahpha.exe File created C:\Windows\SysWOW64\Qffbbldm.exe Qcgffqei.exe File created C:\Windows\SysWOW64\Banllbdn.exe Bnpppgdj.exe File opened for modification C:\Windows\SysWOW64\Pjhlml32.exe Pcncpbmd.exe File created C:\Windows\SysWOW64\Mbpfgbfp.dll Ajfhnjhq.exe File created C:\Windows\SysWOW64\Mgcail32.dll Cnnlaehj.exe File opened for modification C:\Windows\SysWOW64\Ddjejl32.exe Cegdnopg.exe File created C:\Windows\SysWOW64\Oqhacgdh.exe Ojoign32.exe File opened for modification C:\Windows\SysWOW64\Ogbipa32.exe Oqhacgdh.exe File created C:\Windows\SysWOW64\Hfggmg32.dll Bcjlcn32.exe File opened for modification C:\Windows\SysWOW64\Cjkjpgfi.exe Cdabcm32.exe File created C:\Windows\SysWOW64\Qqijje32.exe Qnjnnj32.exe File created C:\Windows\SysWOW64\Maghgl32.dll Amddjegd.exe File opened for modification C:\Windows\SysWOW64\Andqdh32.exe Afmhck32.exe File created C:\Windows\SysWOW64\Echegpbb.dll Afmhck32.exe File opened for modification C:\Windows\SysWOW64\Cfbkeh32.exe Ceqnmpfo.exe File created C:\Windows\SysWOW64\Ciopbjik.dll Pmfhig32.exe File created C:\Windows\SysWOW64\Djnkap32.dll Qmkadgpo.exe File opened for modification C:\Windows\SysWOW64\Pdmpje32.exe Pmfhig32.exe File opened for modification C:\Windows\SysWOW64\Qmkadgpo.exe Pjmehkqk.exe File opened for modification C:\Windows\SysWOW64\Agglboim.exe Aeiofcji.exe File opened for modification C:\Windows\SysWOW64\Bnhjohkb.exe Bfabnjjp.exe File created C:\Windows\SysWOW64\Fqjamcpe.dll Chjaol32.exe File opened for modification C:\Windows\SysWOW64\Daqbip32.exe Dobfld32.exe File created C:\Windows\SysWOW64\Ngdmod32.exe Npjebj32.exe File created C:\Windows\SysWOW64\Pjcbnbmg.dll Ndhmhh32.exe File created C:\Windows\SysWOW64\Poahbe32.dll Ddonekbl.exe File created C:\Windows\SysWOW64\Gokgpogl.dll Qceiaa32.exe File opened for modification C:\Windows\SysWOW64\Beeoaapl.exe Bnkgeg32.exe File created C:\Windows\SysWOW64\Ingfla32.dll Chcddk32.exe File opened for modification C:\Windows\SysWOW64\Pgnilpah.exe Pdpmpdbd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5304 5152 WerFault.exe 189 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddonekbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olfobjbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqijje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npjebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njciko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogkcpbam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ampkof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeiofcji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcncpbmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdabcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dobfld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chjaol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdmffnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhmgki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddhpjof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdmod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhjohkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjagjhnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Balpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmdkch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmidog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qffbbldm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenahpha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogogcpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odapnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgnilpah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcknmop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkgeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdfkolkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deokon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnpppgdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnjnnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhohlbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bganhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfjjppmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oncofm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djgjlelk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogbipa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afoeiklb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjejl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagobalc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmannhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmkadgpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjeoglgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjpckf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjkjpgfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhnpjmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odocigqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfolbmje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcgffqei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhdil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnlhfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhlml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anogiicl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfcfml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajfhnjhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daqbip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnlaml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfjifjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qceiaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acqimo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfbkeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhocqigp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odkjng32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll" Odmgcgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll" Oqhacgdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Banllbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmnpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll" Pnlaml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Balpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll" Chcddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll" Dobfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhocqigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndhmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll" Odapnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnlaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll" Afoeiklb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnlhfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogifjcdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdfjifjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chjaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" Cjkjpgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll" Pmdkch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll" Pdpmpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acnlgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnkgeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djdmffnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID c9f04bfcb904066265b1283c120b38e0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll" Nfjjppmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" Cnnlaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odmgcgbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qqijje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjkjpgfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} c9f04bfcb904066265b1283c120b38e0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll" Nnlhfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojllan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdpmpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjfaeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfolbmje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll" Pfolbmje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll" Agglboim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" Dfnjafap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdmpje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll" Qcgffqei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afhohlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfbkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll" Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll" Ngdmod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfabnjjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" Deokon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll" Bjagjhnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnnlaehj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnhjohkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll" Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Neeqea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnqbanmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odocigqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll" Ojllan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll" Pgefeajb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll" Amddjegd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdabcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dddhpjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll" Ampkof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anogiicl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amddjegd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3196 wrote to memory of 1768 3196 c9f04bfcb904066265b1283c120b38e0N.exe 84 PID 3196 wrote to memory of 1768 3196 c9f04bfcb904066265b1283c120b38e0N.exe 84 PID 3196 wrote to memory of 1768 3196 c9f04bfcb904066265b1283c120b38e0N.exe 84 PID 1768 wrote to memory of 2908 1768 Neeqea32.exe 85 PID 1768 wrote to memory of 2908 1768 Neeqea32.exe 85 PID 1768 wrote to memory of 2908 1768 Neeqea32.exe 85 PID 2908 wrote to memory of 4764 2908 Nnlhfn32.exe 86 PID 2908 wrote to memory of 4764 2908 Nnlhfn32.exe 86 PID 2908 wrote to memory of 4764 2908 Nnlhfn32.exe 86 PID 4764 wrote to memory of 4592 4764 Npjebj32.exe 87 PID 4764 wrote to memory of 4592 4764 Npjebj32.exe 87 PID 4764 wrote to memory of 4592 4764 Npjebj32.exe 87 PID 4592 wrote to memory of 1916 4592 Ngdmod32.exe 88 PID 4592 wrote to memory of 1916 4592 Ngdmod32.exe 88 PID 4592 wrote to memory of 1916 4592 Ngdmod32.exe 88 PID 1916 wrote to memory of 1260 1916 Njciko32.exe 89 PID 1916 wrote to memory of 1260 1916 Njciko32.exe 89 PID 1916 wrote to memory of 1260 1916 Njciko32.exe 89 PID 1260 wrote to memory of 4584 1260 Ndhmhh32.exe 90 PID 1260 wrote to memory of 4584 1260 Ndhmhh32.exe 90 PID 1260 wrote to memory of 4584 1260 Ndhmhh32.exe 90 PID 4584 wrote to memory of 2616 4584 Nfjjppmm.exe 91 PID 4584 wrote to memory of 2616 4584 Nfjjppmm.exe 91 PID 4584 wrote to memory of 2616 4584 Nfjjppmm.exe 91 PID 2616 wrote to memory of 1412 2616 Nnqbanmo.exe 92 PID 2616 wrote to memory of 1412 2616 Nnqbanmo.exe 92 PID 2616 wrote to memory of 1412 2616 Nnqbanmo.exe 92 PID 1412 wrote to memory of 2772 1412 Odkjng32.exe 93 PID 1412 wrote to memory of 2772 1412 Odkjng32.exe 93 PID 1412 wrote to memory of 2772 1412 Odkjng32.exe 93 PID 2772 wrote to memory of 4892 2772 Ogifjcdp.exe 94 PID 2772 wrote to memory of 4892 2772 Ogifjcdp.exe 94 PID 2772 wrote to memory of 4892 2772 Ogifjcdp.exe 94 PID 4892 wrote to memory of 5112 4892 Oncofm32.exe 95 PID 4892 wrote to memory of 5112 4892 Oncofm32.exe 95 PID 4892 wrote to memory of 5112 4892 Oncofm32.exe 95 PID 5112 wrote to memory of 4816 5112 Olfobjbg.exe 96 PID 5112 wrote to memory of 4816 5112 Olfobjbg.exe 96 PID 5112 wrote to memory of 4816 5112 Olfobjbg.exe 96 PID 4816 wrote to memory of 4732 4816 Odmgcgbi.exe 97 PID 4816 wrote to memory of 4732 4816 Odmgcgbi.exe 97 PID 4816 wrote to memory of 4732 4816 Odmgcgbi.exe 97 PID 4732 wrote to memory of 1872 4732 Ogkcpbam.exe 99 PID 4732 wrote to memory of 1872 4732 Ogkcpbam.exe 99 PID 4732 wrote to memory of 1872 4732 Ogkcpbam.exe 99 PID 1872 wrote to memory of 3540 1872 Olhlhjpd.exe 100 PID 1872 wrote to memory of 3540 1872 Olhlhjpd.exe 100 PID 1872 wrote to memory of 3540 1872 Olhlhjpd.exe 100 PID 3540 wrote to memory of 2184 3540 Odocigqg.exe 101 PID 3540 wrote to memory of 2184 3540 Odocigqg.exe 101 PID 3540 wrote to memory of 2184 3540 Odocigqg.exe 101 PID 2184 wrote to memory of 4680 2184 Ojllan32.exe 103 PID 2184 wrote to memory of 4680 2184 Ojllan32.exe 103 PID 2184 wrote to memory of 4680 2184 Ojllan32.exe 103 PID 4680 wrote to memory of 1488 4680 Odapnf32.exe 104 PID 4680 wrote to memory of 1488 4680 Odapnf32.exe 104 PID 4680 wrote to memory of 1488 4680 Odapnf32.exe 104 PID 1488 wrote to memory of 2972 1488 Ojoign32.exe 106 PID 1488 wrote to memory of 2972 1488 Ojoign32.exe 106 PID 1488 wrote to memory of 2972 1488 Ojoign32.exe 106 PID 2972 wrote to memory of 3204 2972 Oqhacgdh.exe 107 PID 2972 wrote to memory of 3204 2972 Oqhacgdh.exe 107 PID 2972 wrote to memory of 3204 2972 Oqhacgdh.exe 107 PID 3204 wrote to memory of 1964 3204 Ogbipa32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9f04bfcb904066265b1283c120b38e0N.exe"C:\Users\Admin\AppData\Local\Temp\c9f04bfcb904066265b1283c120b38e0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Npjebj32.exeC:\Windows\system32\Npjebj32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\Ngdmod32.exeC:\Windows\system32\Ngdmod32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Njciko32.exeC:\Windows\system32\Njciko32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Ogifjcdp.exeC:\Windows\system32\Ogifjcdp.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Odocigqg.exeC:\Windows\system32\Odocigqg.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4140 -
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3160 -
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4992 -
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3448 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3232 -
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3912 -
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:368 -
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3848 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Qceiaa32.exeC:\Windows\system32\Qceiaa32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3680 -
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4280 -
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3836 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4404 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3516 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4352 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1120 -
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4092 -
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1004 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3128 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4348 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3504 -
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe57⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4852 -
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5040 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe63⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4884 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe66⤵
- Modifies registry class
PID:3180 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe67⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:736 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3472 -
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe70⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:724 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4428 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe75⤵
- Modifies registry class
PID:4848 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3788 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4212 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4780 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4500 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe82⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5176 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5220 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5272 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5316 -
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:5404 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5456 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5500 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe90⤵
- System Location Discovery: System Language Discovery
PID:5544 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5596 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5640 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe93⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5684 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5728 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe95⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5772 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5816 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5860 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe98⤵
- Drops file in System32 directory
PID:5904 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5948 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5992 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe101⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6036 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe102⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6080 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6124 -
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe104⤵PID:5152
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 416105⤵
- Program crash
PID:5304
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5152 -ip 51521⤵PID:5260
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
109KB
MD5adb3764cdcbf5c9448e0a47225e50028
SHA11f11cde4d18709dfdcf87ca2b31e356925b6d5fe
SHA256564ef24b1e2be5008e67616a58684b37584b47fe500b2ba61a40f028ab594a7d
SHA51285cd4d0f284cd187fb438d42bd528539d5cbdf599768c7b6ebd9503c6fc0a80aa8a98711a4239539fd109b42b5e9fd60cc6a44563a36b9b30d265bf3bc40ba62
-
Filesize
109KB
MD545da58a9a6322fc594703b4e8adbd247
SHA13ca80d4cb8f6da3ebcf2e6243fab5374accbd410
SHA256746fdd8b4aa5962fcee91517cb59b080860166625cbe4da7ce9d21245b41a51b
SHA512820bce6031735b872c0f60291eba96879aa56780aa75ba54f95ee4291da86e765c1adf0d7250bf90b22a5bdf019dbe91598a7e0bbff6f0193f8d1264f66b54e0
-
Filesize
109KB
MD50bc27ecd3d2b6fb5866a2f60e06bc76a
SHA1c790de51cea47d238e4f05f94745b3a5d71042f7
SHA2567da6b913685851ffd92a6e3060f662b8725ddadd94dd8bd266bf18d223b20a13
SHA512c4c1e85bbd860bb6b3b1071c6da2998bc5f225870c26b0573fc491083ea23ff4468ead898d50e053f846a7e97a3aad3252d2bf589402095bb398bb16d35b13ba
-
Filesize
109KB
MD554bacf257c92e19eef35e60b4483fbdb
SHA1bd13b2847bde1bb9bd165027df6a96a95bab4f6c
SHA25686d7d7e3e1afac5a346af532070f16c063e7b4d2fc50f560d84c688488af650b
SHA512d4c5bdf93bc8bbe7b80f2c874258ea5d999c080d21da15202dad92903cc8bc58b226465356defcf9a8ebb4fd46846c1d395482aa5036e80323de26d862238690
-
Filesize
109KB
MD5192cb526e4ee8c7c6c58ee3a6d04cb38
SHA191cf96768085c2b716550d88cea577aaae8cd7f1
SHA2569e3844cf15832e8085d48279cb543deb7f2d35ad89bf9ad603ad99e03d904235
SHA512e60555a2767ceb46b927edeea7167638aff8ce2f24379738e9b808240f4cc9a05ed740008735a568f8bb122bca80dc4dc475583c8628b6fde6ac353aa2366b70
-
Filesize
109KB
MD59d2a6c2e07da27630d70bad9786ad343
SHA12736de3697a489bb970494565eb5b69f3b80d5ea
SHA2568408104773ef3c2756ec1f88bf81caebe4d1d3bcd06afb889a1b8b2217c2f4e5
SHA512d41e105b10ff8eb7f0d9c1bb2ac82a2ac7ff4e31a2659c7a79ac49d4af1a1d244e3437332a06d44dbfa726a49c684df0b0d419e19176a4ff3c4ab6a8e6e0888b
-
Filesize
109KB
MD511aeb549bc9a2ea29181801d4c19cb41
SHA14ba936fe700aee7f58bb5fdaa3c520d11bd52de1
SHA2565e7d0331a5d1c8e1b2674085e350910c6e3be0c7fb937e38fd2316c2ce5abf1c
SHA512cea438b10ef62c7da0616e04ed020178d1b05a6aa20a6d5625c89df093a0bb75d6e5c809a543dddb15cb5032312bcab736987aaa03e639d1c99902747efa4a7c
-
Filesize
109KB
MD587adcbbffc81c071235142b97fe45810
SHA174a5bb5383d21c01e5fea574b288023eb8466919
SHA25616b9a1c26955355ba31ae9414016bf0e81fa091bc51892614ea474fe77bca363
SHA512fc09b7ed2534fa21a5e5e734a521d8fb0a0c70a067b2430898b8af3debb2d7e00851045930311d0c8dc91a561f0f169180cbbc2e800312a316e5186a98b2ea0f
-
Filesize
109KB
MD55c2e634ff73c73fd3186f4d75174e6e8
SHA1600b7482fa011bbaf4a1ab79bbf5c88f318861f8
SHA256b767bcaa545dc23cc29d8fa8b4ad80cb755707bb5fa07a9338f7ba9e8446e7ff
SHA5129e3b3e736c1fddb5d6d07726410efcd19cafaf45a0a603f4953f3299fe7be2213338d2ed3bd7ff3260c9f27c978754d803bd496d1d0d1ede75dc2104e6d58e3f
-
Filesize
109KB
MD5e8b672ea8956b24cdabfaa83ea719d3d
SHA133b0c6d7c2a27eacd4b8722f06af23e65596e848
SHA256dae510490feedd9b1f8ff4c58ae88c2815392e152cf750e0c9429305122d4828
SHA512e86f30a42f8f6d0bb346cb8642526e84a7e584c95a02061824bbc5ca0ce1f4c23e0afb0f9c607a5786a1b4b7c24608c9de88f8172ff59b563987e06ddbf3e362
-
Filesize
109KB
MD5bf71026d3d9ffd48bb463dddac86a2fa
SHA136e368050a4497ee41de9430f1582af12c182385
SHA256820d2eb3d3b2c03e12775b1bd2ec8435d26999df6a9e07e99a23b109b380daf1
SHA51239117568dcccdc3fc6c6a0c6b4c0a2d5445dffbc0b63b7fa4ec2a72a58b036373c511c93ed382855163e9e0a1dcb7ad4c487dd0d68267ddb34d74cc4e1d11339
-
Filesize
109KB
MD5cc4e402b40f4c23722e14c1ca47c3c15
SHA16a1e09592f40d8b2b687cd3486e227fd584c5f5f
SHA256d9f2daf0363f7fdf95228b2bc500225aa4b8a325723752c2a3e7537d62f331ae
SHA512f0a641e4f6aa9d20cacd87f880d966443faf0cc490a17bd62dc0c1432dfef22385f1e86e45118ba8fdf86471d16a845673912530d0746fbb23b36b4d57b2f17b
-
Filesize
7KB
MD5e4973808bb2917f010fd34a6c3f304d5
SHA1cbc31f6f10cf45395f31b75d2c32ac9bc26ba304
SHA25613ef6e3a51bfa715c7d119787927190a635446ca714d1af010dc6d5b5f20a4e0
SHA512dbfdc063ca1b76a8317f6041b24a11cc1e637f54ccebcc5711a9622528577d006cd43a4956546cda01cec4dc61bd1dc56b301d830739d8f353a1cb0658d6ab97
-
Filesize
109KB
MD5a76d3b3dfb4cf7223c03816e38f85557
SHA199bb243e80f2f630ca779ea5b755c30ffc8b8224
SHA256d046f975a1dfc4f8cb5ae39abc722d1644221178b38b1353b779cdc637671904
SHA512b1d5416a053a93c610d6e5f1c528b47ce650d9d02c9b20e211d11835b4b8c9e017f7cd8f41a8c4e216ef0fcac86abc8e1c7ae44c6928f1e79092a05f3eda858c
-
Filesize
109KB
MD59a48417f4ac24bba8f2688389814590f
SHA1e51d6628a51ac2b7a5bc4c092bff9d355273446a
SHA2563ede87ca829f80d9722e0bb0339c0ca81e1eaefa6912cce799f07dd36dad9165
SHA512ccfaac25f042ea27d417c3ff6ec15033fd592231012160e52e1d9dc02676480bb1e18437b300e469b4b85a3e07d3cf62d7de88bd8a1155c7528246c24dd47844
-
Filesize
109KB
MD5a7500609f462faa356951213858cd57d
SHA1fcc300186c901db12ace681eac507f67c4f0136c
SHA256cf04827d0fc0bc1f595da0714ab8c678d40350837aca7a6614e70f5971422eef
SHA512aa4b9b4ded1779fe6b7faba7d9404ee7778a93ab9814b2d5cc5a05906269eee41e6a7d21fa960258f7f418aa0d87ab9f9bf17075302e1f33d1a4d533989422ce
-
Filesize
109KB
MD5de8ced51cd822e3570a8ec5165679a1d
SHA1ff1b33428f2e5a7cbb8c80ef7ffb5e756b3591dd
SHA256be0f24356a844ab550f53529982c9667081e49fe7b2a7f8cafc332a190fe2cb5
SHA5127166455108f2ef7c486f2d2cc919a1874bcd45a7e7725e40f429b498e87584c01b4fad300ed05039307c1db6066214c456833ceddebafed99434d808bd991cc3
-
Filesize
109KB
MD59d8bfbb741f6e4aee5067b28f46adfa7
SHA1ddfa8a071bcb53ef794513b74a82950b87e277f2
SHA25663a94c25cd159d6d00ac62c008723785da94d49033fa3a622be927347e17c0b1
SHA512cf059026b7ef71b344253f84283be924a62c09c84bf11864b96771704ad193fd0e667da4e21e9e9cf0580cb59d31b01a6ba37630e833406ee1dc6a0e47d4800f
-
Filesize
109KB
MD5bc3f874cecae6f876d1488eea95d3a82
SHA1cacbfacb65204140f73a9adb8cb7ce9e125c3980
SHA256544d6b5323865cf5019ae81047b2f5429f32dc11d25a0a439badd1cdf8b9de04
SHA5123281a4033cddb03ed07fd49b1b69ff1c36769c4a4a72563ed0f85d42181036005f21bd1af8a6944d7a593dbc3896de7db37ccb4611d0bac7874bee2b8fdac9c6
-
Filesize
109KB
MD56bdc38e5bcf5672f3707e7a99e89acbe
SHA103f9a80c20e92ff574fdc2f02b8e10d9d64af73a
SHA25640259c779b9b7c06ba4619fc5a928e9737f1d6e7b18943f2d37e5b131d53bdeb
SHA512ad5756ab97fab1fc2c59c2cf1ee21e42ead321722495a4eebc989d3defab5c9eb6dac45073a30dc29dd280e1e0fad89c66d2500253fd3b8a8b8a03d0c48009d5
-
Filesize
109KB
MD545add788dff5d54699c15929dd56d360
SHA148d579860a3f58319b404fff10697dea04117f49
SHA256df120fc304622e5314ff85481b841a2d2b5737a4b06310522202e568b53edc2b
SHA5127bdc536d1fc1f5f07f97efdeb8f92821278796225c63d51c3a752eaa0a94899e0a188eafb805e0dee1b6d8c6f514355a68fc8c77af95fcdeed018e149ad1e965
-
Filesize
109KB
MD5117e817c1b3b54b196fb0e70bbaf293f
SHA1faa240c8b77f311f3d597373af713cf5b9ee7be8
SHA256a210ac2f7655f70c00f2fd968932e90b0cfe7c565e0d533628623cf76dfb2bd1
SHA512e79ac71ff234d0450b9fd3ad6614417ab60f4bf158fc44918896e34a8505385178e14b67c8e890fc796825cdf628a3aae2a74e5e15b4a81af49e0faf852c0dc7
-
Filesize
109KB
MD56980f482394eb322ec95142e6b88760d
SHA1ff4874a04eb8fe53f1abc9bceeefc0e74ee4dd1c
SHA256f8736883da823580d08d3de0d3164bbd016d9c4902675f034e9f1dc34d17f684
SHA51261863ead9a7aad49146b9a02555f0f69b8ed9a32dbf94a77f04e6021a807a101cfabceba727d83531bd529020d41c4f24cedee9613d08d7b3c8a327396739dbe
-
Filesize
109KB
MD5a8ea2e01301c44c6470dac32b9dfda01
SHA19a1b0879816705c87b54f295f5d8ec4dc68a550a
SHA256f5e96d53f97c6776afcfa68481c6f058c67433c6af8c7a07fe2d2fb64207d4a5
SHA5121898fd31ae5a7250b618e2ad91f37fedeccb0deff5a200bfbe08e85ba9d1ab73cbaf2b1dbcfb550b526e85b8cc6a1a4af3011f9f47444324feab0752c945007e
-
Filesize
109KB
MD571452ca91496bc120ad934b98e3afea3
SHA1ea045f66ae4de688aaabc5dc99139d46b9690373
SHA25694da651d4b3f38f126da68d58108ac4b60132203d623e4f8c314dc4cec828ecd
SHA512eab066e3432bb40722d5a44d6821a0ab1e7fc1028499f6e3be8dd457de9dd78732d4b016c5f7ff209cd35a4dd90c694af378b80bc55cea4c7745e7cc1b05075d
-
Filesize
109KB
MD5a824c6f92f2ce573ddd09ff6970e54c8
SHA1f6248cfe32e53a8f5b1a40534a58d72d535f96cd
SHA256bc4c622d32d59cf119e102c2ca5405d61f1317283430fb77b381263b75b92214
SHA51244d5e0c688821573a157531233a931301f286a2aeb41d31229668d33e1e5a399f0d0bb4d423c222af3b545906f7a402b1195c06239bbc6418a858559f633041e
-
Filesize
109KB
MD50ed96eb23e3285a7b28d5c4cb5cd911e
SHA163825d4abf2a04e57618ceff2d0bb56877154469
SHA25632c4b7b62c5d7f266b449b51b95e4ca657b9c2274629691c56f8822577d72bf6
SHA51230946812249606250981ddc99960a358d31453b1b3c97054cb0ea15f9ca3873885c08522dd925be7e12e1204e19bba4fa1387a904c66c4db6ef2cc4101d08e5a
-
Filesize
109KB
MD5ba98542b4e97da9bfbcc55c839e748bd
SHA147cc2bdd04f1a25608968b1a72966b67ef2cb5c7
SHA2560163a2906b470c787de7c5c59cf59af132d89fead647426fc4c102229f27c662
SHA5125f0d13f442cb34a995ec52b7271efe37d01b44ddb4c11dac37084e42e7899d740b6b361c09fdbf6bbac05eef09d778ffe8210355d530aa72f70554358c619fef
-
Filesize
109KB
MD5660dc5306fa252d6c99f087eeab657d7
SHA11e74bf4b9b36e1794d7bfa751973ae1b53050630
SHA256835e3614e8b0e05c5c75e2cf020fa56aff6a1401c63405fe0999201f9da54242
SHA512d8c6fca1b8fd4975c5b566899c280886ee80fc0530ce6b281875b4d1438fe67c232a251cb72cfa8bd860914dedebce54d2d4d53072117d4c3cf2a7324fb44b17
-
Filesize
109KB
MD50a27ef0be44cc1b39cf4624f750d69a3
SHA1a675bc0c25d1d60078f496bd6c07bd10d0ce2098
SHA2568a4b4e80db8117bc07b2520f8a14d895a8ccd05cdd645c18c2a5e08ebff18815
SHA512f7d6ab0798c37e9d6e795bcbf26ef166fd81672a61304ea2558bf8b2b3299c7534d2b98a5bd81b15b5163382e70b1cf0993f1529ddd33326f8c263d675b35ec2
-
Filesize
109KB
MD5fc2d38282a542ab7b1f9c3470c7e8ad9
SHA17128eddbefd6df64235438e267056b01ce6c91ce
SHA2564be7f98a5323dbb1604fb632523a1380b6288df73e5dce845b7f9146beb352c9
SHA512b3c55f91c9b99e1f48356ef99abf5f6577930769b2c3b59779ab002c4bca2dcbe5b9dcac452c14a89d80ae6c77d7029fc60576fbbacc49f700d4b9f5789a8a25
-
Filesize
109KB
MD562e87ebc7401f70b4d366b4b108ab08d
SHA137fd5849f22768c24f254472a15dc15ad0288195
SHA256017a46ef9ad1707133228dd75c04472212e413d894e9b4c91e0180ae874fbeaf
SHA51264d006320be27d0494441a80e08a1bc5681bf05e4b4839abcfae9949b9f421d64df7eaba43710beea296afaafbb954c4011fa1210e6359d22ef0d2970df77394
-
Filesize
109KB
MD59514b6d1b5514d10527171369f345386
SHA11add05d7b670d846209494e45a749f692ba19e4c
SHA256c02f5665e5933dd0763daa642c44f4724eb383dac71dd074cebde497fc3f2fc8
SHA51273b7b0bbb9274914b79752aa5fb12fc0a5e9dfaaae24c2eb816531f5e69b8d29847cc5b8e77c998bc1735c5ef50b2b373159d5a33bc7e6c86255e1c7f81230f8
-
Filesize
109KB
MD503d018cba5bc3f31d30ab83291d1e50b
SHA19f878adbed6e631d864493a3d38604320013ac46
SHA2569380b1efb8f1ecc5a94f1f7d8e601dfb88cff336a7dd65e00eeec1c82f94625e
SHA51246d354a7b4eae1866da15c151ea19b06f55153b215aaa6121697c48815c4973b8a1ebd7993bf21f85d1ae48254819960004f21f9d79ab042bd5546f6644d0488
-
Filesize
109KB
MD572477a1d5854a2e0a336da0421f89d9c
SHA1274e6d4ac9b79ecc17bb1ba3e31bb70542cad52a
SHA25689c0142eeabde815de7421ddf5d71e78b15559cf19d54726e26b1be89ff0cf62
SHA512e07e3e436ae311af3312c08c2f54ac45d1ef6c139d0469afac55047703f1f2a49434b1392ece22751459a9bb11309fa8fd4240de075957803a3c2fe9a1dac12b
-
Filesize
109KB
MD5cbe0a990df53d6f7ddc25646c9f82b89
SHA1d5f809f4cd186c329aa78848a8d0d0656a1a96fb
SHA25670701ec05399c38876be9befa57bbf799f86892a87892e9de569d27312034881
SHA512db941d5a8e6e2c1ac5312cdc8cc1667e2d986bdf2322917e31455951e032c8ded25298024bf5e8171eb85762168d8bddae3bd0d2a27df9c4549d4d24bf15b216
-
Filesize
109KB
MD5c34dbc2fc4273858aff3a32b37f7d6a8
SHA186995c297a2f9062639e6b936fdcfccbcc8afa05
SHA256231e7ac93c49a613c7a146955b049a50575f3f05f4cbf192da9e9bf8fa67f562
SHA51211f97bd16397784d0b1d7c215ddaa3c8cf3f7e6bb304c75683e9e525a92e0c0ac7ce55a63f29ba727aab6e40a10df343ec8eea7ed29ca3c9bd271c4a57063eaf
-
Filesize
109KB
MD59c1d678e00a3bb19beca0fba336c49ef
SHA14c0b5a3fbb1ea064f45bc69e583b228af7d576e3
SHA256dc7cfafb7864ab2b93d037706d112334781664d47a6ede180210e1ae441eddb7
SHA51292408b3cd15c9dcf8d60ed177c3822e3fe044e9b902182ad89dce31dc36198c1e9d348259b82fd383b34cc95c320f896ecc0c5edaba78bf3b691864a8b187701