Analysis
-
max time kernel
97s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 12:41
Static task
static1
Behavioral task
behavioral1
Sample
1e979c5eab94a7baaae987a283887411bb566614bd50315c5025d0a7871fdbb2N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
1e979c5eab94a7baaae987a283887411bb566614bd50315c5025d0a7871fdbb2N.exe
Resource
win10v2004-20241007-en
General
-
Target
1e979c5eab94a7baaae987a283887411bb566614bd50315c5025d0a7871fdbb2N.exe
-
Size
704KB
-
MD5
d2a3b0ed5f088596faf941edbbf1ace0
-
SHA1
e297a96f7a655029eed6c02faf6313ad2bd494b4
-
SHA256
1e979c5eab94a7baaae987a283887411bb566614bd50315c5025d0a7871fdbb2
-
SHA512
9da8d11e31b61d08ef4f8f35cab7eb2793ebe201baea5a9f198a83f8e01fdf682b130c63f7dc3bd483b3a4b3c2fde04b0434c15070611bab0ca98e69f595a44e
-
SSDEEP
12288:olvVqW2rQg5dzrWAI5KFHTP7rXFr/+zrWAI5KW:oaW2rQg5d0MTP7hm0b
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjmgfgdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anmjcieo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeniabfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accfbokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmpcfdmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjddphlq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfmajipb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjbpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djgjlelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agoabn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnpppgdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dopigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dejacond.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcjlcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Banllbdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfmajipb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnffqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnffqf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Calhnpgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddjejl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhnpjmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkjej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhmgki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeklkchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aglemn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdodjhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chjaol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dejacond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Daconoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Accfbokl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bganhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjagjhnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bclhhnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajhddjfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dodbbdbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aglemn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balpgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgehcmmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banllbdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bclhhnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chokikeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfdhkhjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doilmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqkgpedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcebhoii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daqbip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcppfaka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeniabfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnjjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bffkij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chjaol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdmffnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgjlelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dobfld32.exe -
Executes dropped EXE 64 IoCs
pid Process 3732 Pmfhig32.exe 2764 Pcppfaka.exe 396 Pfolbmje.exe 2920 Pjjhbl32.exe 3424 Qmmnjfnl.exe 1972 Anmjcieo.exe 1888 Aqkgpedc.exe 4988 Ageolo32.exe 2644 Afhohlbj.exe 2380 Aeklkchg.exe 3228 Ajhddjfn.exe 3780 Aeniabfd.exe 4420 Aglemn32.exe 2128 Aminee32.exe 2868 Aadifclh.exe 4908 Accfbokl.exe 3100 Agoabn32.exe 4632 Bfabnjjp.exe 2364 Bnhjohkb.exe 3516 Bmkjkd32.exe 1904 Bagflcje.exe 5024 Bcebhoii.exe 4536 Bganhm32.exe 5036 Bfdodjhm.exe 112 Bnkgeg32.exe 3724 Baicac32.exe 4688 Beeoaapl.exe 2368 Bgcknmop.exe 4400 Bffkij32.exe 2424 Bjagjhnc.exe 2584 Bmpcfdmg.exe 4360 Balpgb32.exe 2296 Bcjlcn32.exe 696 Bgehcmmm.exe 4808 Bjddphlq.exe 3480 Bnpppgdj.exe 544 Banllbdn.exe 2196 Bclhhnca.exe 448 Bhhdil32.exe 4772 Bjfaeh32.exe 964 Bnbmefbg.exe 3004 Bapiabak.exe 3636 Belebq32.exe 4756 Chjaol32.exe 2892 Cfmajipb.exe 4380 Cjinkg32.exe 1188 Cmgjgcgo.exe 4836 Cabfga32.exe 4276 Cdabcm32.exe 4752 Chmndlge.exe 4544 Cjkjpgfi.exe 2848 Cnffqf32.exe 1912 Caebma32.exe 392 Ceqnmpfo.exe 32 Chokikeb.exe 1252 Cjmgfgdf.exe 5160 Cnicfe32.exe 5200 Cagobalc.exe 5236 Ceckcp32.exe 5280 Chagok32.exe 5312 Cfdhkhjj.exe 5360 Cnkplejl.exe 5400 Cmnpgb32.exe 5436 Ceehho32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bfdodjhm.exe Bganhm32.exe File created C:\Windows\SysWOW64\Aoglcqao.dll Cdabcm32.exe File created C:\Windows\SysWOW64\Omocan32.dll Chmndlge.exe File opened for modification C:\Windows\SysWOW64\Chokikeb.exe Ceqnmpfo.exe File created C:\Windows\SysWOW64\Cfdhkhjj.exe Chagok32.exe File created C:\Windows\SysWOW64\Bclhhnca.exe Banllbdn.exe File opened for modification C:\Windows\SysWOW64\Bclhhnca.exe Banllbdn.exe File created C:\Windows\SysWOW64\Ndhkdnkh.dll Bhhdil32.exe File opened for modification C:\Windows\SysWOW64\Balpgb32.exe Bmpcfdmg.exe File created C:\Windows\SysWOW64\Chmndlge.exe Cdabcm32.exe File created C:\Windows\SysWOW64\Chokikeb.exe Ceqnmpfo.exe File opened for modification C:\Windows\SysWOW64\Chagok32.exe Ceckcp32.exe File created C:\Windows\SysWOW64\Dmllipeg.exe Doilmc32.exe File created C:\Windows\SysWOW64\Eeiakn32.dll Bagflcje.exe File opened for modification C:\Windows\SysWOW64\Cdhhdlid.exe Ceehho32.exe File created C:\Windows\SysWOW64\Hcjccj32.dll Djdmffnn.exe File created C:\Windows\SysWOW64\Pkmlea32.dll Qmmnjfnl.exe File created C:\Windows\SysWOW64\Caebma32.exe Cnffqf32.exe File created C:\Windows\SysWOW64\Cnicfe32.exe Cjmgfgdf.exe File created C:\Windows\SysWOW64\Pdheac32.dll Dhkjej32.exe File opened for modification C:\Windows\SysWOW64\Bgcknmop.exe Beeoaapl.exe File opened for modification C:\Windows\SysWOW64\Cfmajipb.exe Chjaol32.exe File created C:\Windows\SysWOW64\Bganhm32.exe Bcebhoii.exe File created C:\Windows\SysWOW64\Chjaol32.exe Belebq32.exe File opened for modification C:\Windows\SysWOW64\Djgjlelk.exe Dhhnpjmh.exe File opened for modification C:\Windows\SysWOW64\Bfabnjjp.exe Agoabn32.exe File created C:\Windows\SysWOW64\Dnieoofh.dll Ceqnmpfo.exe File created C:\Windows\SysWOW64\Okgoadbf.dll Cjbpaf32.exe File created C:\Windows\SysWOW64\Dhkjej32.exe Delnin32.exe File opened for modification C:\Windows\SysWOW64\Agoabn32.exe Accfbokl.exe File created C:\Windows\SysWOW64\Bapiabak.exe Bnbmefbg.exe File created C:\Windows\SysWOW64\Ogfilp32.dll Cfmajipb.exe File created C:\Windows\SysWOW64\Cmqmma32.exe Cjbpaf32.exe File created C:\Windows\SysWOW64\Naeheh32.dll Cmqmma32.exe File created C:\Windows\SysWOW64\Kmdjdl32.dll Dhmgki32.exe File opened for modification C:\Windows\SysWOW64\Deokon32.exe Daconoae.exe File opened for modification C:\Windows\SysWOW64\Cabfga32.exe Cmgjgcgo.exe File created C:\Windows\SysWOW64\Cjbpaf32.exe Cffdpghg.exe File created C:\Windows\SysWOW64\Gmcfdb32.dll Daqbip32.exe File opened for modification C:\Windows\SysWOW64\Dhmgki32.exe Deokon32.exe File created C:\Windows\SysWOW64\Gfghpl32.dll Dddhpjof.exe File created C:\Windows\SysWOW64\Jfihel32.dll Belebq32.exe File opened for modification C:\Windows\SysWOW64\Cagobalc.exe Cnicfe32.exe File created C:\Windows\SysWOW64\Aeniabfd.exe Ajhddjfn.exe File opened for modification C:\Windows\SysWOW64\Aadifclh.exe Aminee32.exe File created C:\Windows\SysWOW64\Bfabnjjp.exe Agoabn32.exe File created C:\Windows\SysWOW64\Pmgmnjcj.dll Bfdodjhm.exe File created C:\Windows\SysWOW64\Bgehcmmm.exe Bcjlcn32.exe File opened for modification C:\Windows\SysWOW64\Bnpppgdj.exe Bjddphlq.exe File opened for modification C:\Windows\SysWOW64\Danecp32.exe Dopigd32.exe File created C:\Windows\SysWOW64\Agjbpg32.dll Dopigd32.exe File created C:\Windows\SysWOW64\Bmkjkd32.exe Bnhjohkb.exe File created C:\Windows\SysWOW64\Gallfmbn.dll Bapiabak.exe File opened for modification C:\Windows\SysWOW64\Cjinkg32.exe Cfmajipb.exe File created C:\Windows\SysWOW64\Kahdohfm.dll Dmjocp32.exe File created C:\Windows\SysWOW64\Diphbb32.dll Dgbdlf32.exe File created C:\Windows\SysWOW64\Ehfnmfki.dll Anmjcieo.exe File created C:\Windows\SysWOW64\Mgbpghdn.dll Aadifclh.exe File created C:\Windows\SysWOW64\Bnhjohkb.exe Bfabnjjp.exe File created C:\Windows\SysWOW64\Lbabpnmn.dll Dfpgffpm.exe File created C:\Windows\SysWOW64\Dgbdlf32.exe Dddhpjof.exe File created C:\Windows\SysWOW64\Oicmfmok.dll Aeklkchg.exe File created C:\Windows\SysWOW64\Aglemn32.exe Aeniabfd.exe File created C:\Windows\SysWOW64\Ihidlk32.dll Baicac32.exe -
Program crash 1 IoCs
pid pid_target Process 5728 536 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmgfgdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbpaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bganhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpcfdmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmndlge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffdpghg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmgjgcgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnffqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagobalc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chokikeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceehho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dopigd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Accfbokl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bclhhnca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjinkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddhpjof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1e979c5eab94a7baaae987a283887411bb566614bd50315c5025d0a7871fdbb2N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmfhig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnpppgdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglemn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjocp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djgjlelk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhkjej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daconoae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhmgki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doilmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnbmefbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdabcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhnpjmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdhhdlid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danecp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbdlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Banllbdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Belebq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmajipb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baicac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfaeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chjaol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhfajjoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dobfld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmmnjfnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmjcieo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhohlbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deagdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllipeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Delnin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deokon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogogcpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnicfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daqbip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhjohkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffkij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjagjhnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmkjkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caebma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdmffnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjhbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeniabfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agoabn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmnpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ageolo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfabnjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bagflcje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmqmma32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Baicac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" Deokon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll" Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll" Aeklkchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aglemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcppfaka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agoabn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjmgfgdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cffdpghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cffdpghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll" Dgbdlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aminee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bagflcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll" Chjaol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmmnjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmnpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajhddjfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfabnjjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djdmffnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dopigd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} 1e979c5eab94a7baaae987a283887411bb566614bd50315c5025d0a7871fdbb2N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll" Afhohlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhfajjoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhhdil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjinkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djdmffnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll" Anmjcieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll" Aqkgpedc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aeklkchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmgjgcgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Daqbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll" Pfolbmje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfolbmje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnbmefbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll" Bnpppgdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll" Ddjejl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dejacond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" Dodbbdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll" Aglemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll" Bffkij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Balpgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dddhpjof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjbpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll" Delnin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aqkgpedc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnkplejl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddjejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll" Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Delnin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bffkij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjkjpgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll" Cnkplejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjddphlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll" Chokikeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmfhig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll" Ajhddjfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll" Aminee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll" Dejacond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll" Dmjocp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll" Bgehcmmm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2884 wrote to memory of 3732 2884 1e979c5eab94a7baaae987a283887411bb566614bd50315c5025d0a7871fdbb2N.exe 84 PID 2884 wrote to memory of 3732 2884 1e979c5eab94a7baaae987a283887411bb566614bd50315c5025d0a7871fdbb2N.exe 84 PID 2884 wrote to memory of 3732 2884 1e979c5eab94a7baaae987a283887411bb566614bd50315c5025d0a7871fdbb2N.exe 84 PID 3732 wrote to memory of 2764 3732 Pmfhig32.exe 85 PID 3732 wrote to memory of 2764 3732 Pmfhig32.exe 85 PID 3732 wrote to memory of 2764 3732 Pmfhig32.exe 85 PID 2764 wrote to memory of 396 2764 Pcppfaka.exe 86 PID 2764 wrote to memory of 396 2764 Pcppfaka.exe 86 PID 2764 wrote to memory of 396 2764 Pcppfaka.exe 86 PID 396 wrote to memory of 2920 396 Pfolbmje.exe 87 PID 396 wrote to memory of 2920 396 Pfolbmje.exe 87 PID 396 wrote to memory of 2920 396 Pfolbmje.exe 87 PID 2920 wrote to memory of 3424 2920 Pjjhbl32.exe 88 PID 2920 wrote to memory of 3424 2920 Pjjhbl32.exe 88 PID 2920 wrote to memory of 3424 2920 Pjjhbl32.exe 88 PID 3424 wrote to memory of 1972 3424 Qmmnjfnl.exe 89 PID 3424 wrote to memory of 1972 3424 Qmmnjfnl.exe 89 PID 3424 wrote to memory of 1972 3424 Qmmnjfnl.exe 89 PID 1972 wrote to memory of 1888 1972 Anmjcieo.exe 90 PID 1972 wrote to memory of 1888 1972 Anmjcieo.exe 90 PID 1972 wrote to memory of 1888 1972 Anmjcieo.exe 90 PID 1888 wrote to memory of 4988 1888 Aqkgpedc.exe 91 PID 1888 wrote to memory of 4988 1888 Aqkgpedc.exe 91 PID 1888 wrote to memory of 4988 1888 Aqkgpedc.exe 91 PID 4988 wrote to memory of 2644 4988 Ageolo32.exe 93 PID 4988 wrote to memory of 2644 4988 Ageolo32.exe 93 PID 4988 wrote to memory of 2644 4988 Ageolo32.exe 93 PID 2644 wrote to memory of 2380 2644 Afhohlbj.exe 95 PID 2644 wrote to memory of 2380 2644 Afhohlbj.exe 95 PID 2644 wrote to memory of 2380 2644 Afhohlbj.exe 95 PID 2380 wrote to memory of 3228 2380 Aeklkchg.exe 96 PID 2380 wrote to memory of 3228 2380 Aeklkchg.exe 96 PID 2380 wrote to memory of 3228 2380 Aeklkchg.exe 96 PID 3228 wrote to memory of 3780 3228 Ajhddjfn.exe 97 PID 3228 wrote to memory of 3780 3228 Ajhddjfn.exe 97 PID 3228 wrote to memory of 3780 3228 Ajhddjfn.exe 97 PID 3780 wrote to memory of 4420 3780 Aeniabfd.exe 98 PID 3780 wrote to memory of 4420 3780 Aeniabfd.exe 98 PID 3780 wrote to memory of 4420 3780 Aeniabfd.exe 98 PID 4420 wrote to memory of 2128 4420 Aglemn32.exe 99 PID 4420 wrote to memory of 2128 4420 Aglemn32.exe 99 PID 4420 wrote to memory of 2128 4420 Aglemn32.exe 99 PID 2128 wrote to memory of 2868 2128 Aminee32.exe 100 PID 2128 wrote to memory of 2868 2128 Aminee32.exe 100 PID 2128 wrote to memory of 2868 2128 Aminee32.exe 100 PID 2868 wrote to memory of 4908 2868 Aadifclh.exe 101 PID 2868 wrote to memory of 4908 2868 Aadifclh.exe 101 PID 2868 wrote to memory of 4908 2868 Aadifclh.exe 101 PID 4908 wrote to memory of 3100 4908 Accfbokl.exe 102 PID 4908 wrote to memory of 3100 4908 Accfbokl.exe 102 PID 4908 wrote to memory of 3100 4908 Accfbokl.exe 102 PID 3100 wrote to memory of 4632 3100 Agoabn32.exe 103 PID 3100 wrote to memory of 4632 3100 Agoabn32.exe 103 PID 3100 wrote to memory of 4632 3100 Agoabn32.exe 103 PID 4632 wrote to memory of 2364 4632 Bfabnjjp.exe 104 PID 4632 wrote to memory of 2364 4632 Bfabnjjp.exe 104 PID 4632 wrote to memory of 2364 4632 Bfabnjjp.exe 104 PID 2364 wrote to memory of 3516 2364 Bnhjohkb.exe 105 PID 2364 wrote to memory of 3516 2364 Bnhjohkb.exe 105 PID 2364 wrote to memory of 3516 2364 Bnhjohkb.exe 105 PID 3516 wrote to memory of 1904 3516 Bmkjkd32.exe 106 PID 3516 wrote to memory of 1904 3516 Bmkjkd32.exe 106 PID 3516 wrote to memory of 1904 3516 Bmkjkd32.exe 106 PID 1904 wrote to memory of 5024 1904 Bagflcje.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e979c5eab94a7baaae987a283887411bb566614bd50315c5025d0a7871fdbb2N.exe"C:\Users\Admin\AppData\Local\Temp\1e979c5eab94a7baaae987a283887411bb566614bd50315c5025d0a7871fdbb2N.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5024 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4536 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5036 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe26⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3724 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4688 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4360 -
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4808 -
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3480 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:544 -
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4772 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3636 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4756 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4380 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe49⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4276 -
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4752 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:4544 -
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:392 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:32 -
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5160 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5200 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5280 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5312 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5400 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5436 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe66⤵
- System Location Discovery: System Language Discovery
PID:5472 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5520 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5560 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5596 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5636 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5676 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe72⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5720 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5760 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5800 -
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe75⤵
- System Location Discovery: System Language Discovery
PID:5840 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5872 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5920 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5960 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6000 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6040 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6080 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6116 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2928 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3968 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe86⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3184 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4456 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe88⤵
- Drops file in System32 directory
PID:3296 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:428 -
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5148 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe91⤵
- System Location Discovery: System Language Discovery
PID:5228 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3152 -
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe95⤵
- System Location Discovery: System Language Discovery
PID:536 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 40896⤵
- Program crash
PID:5728
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 536 -ip 5361⤵PID:5624
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
704KB
MD5d539e744ad652d01927db10776289826
SHA1d64d46b1948617e8e317a83061a443cb13f9f557
SHA25684287df0e70120f860a09d77a47f0f25bd020004d334308d60c49eff653a689c
SHA5121542a267f87a340ced6e49d1c7915144a6834311d4038b293211ab1c0364a095cb12514505f3b8d950ce5a942651ba7716e5d10f2c6c40e55f2fd93710af5710
-
Filesize
704KB
MD5cdd14076628ed575609676691e4a0150
SHA1941437b625c41aae09a53ec6156ae21890cbad06
SHA256e2a2cbc6c33845fc8baf9db41a8adb33da5db6800fea7419beff3c77d6aa4c77
SHA512fed5da5f9b688747fb0ab8377de2082f6b4f1e041359255bae6410f7fecf2ab0b50229f55b9df6a50d1a5c58ce387ae265a0b9b31aedd14ed4536c2eb0cefafa
-
Filesize
704KB
MD503364c3dda319f749bd25e53833c79f9
SHA1b7065114ba291bf01215e1c15cb86e58efff000e
SHA256c91ca468669d13f8338b51695fb56e8bfb0c31eaf5fcfaf26a3682e4415a63bb
SHA512c2d2dc791f643d8fdca10d4fea1003ca195d73a57c666c1ad8c4ce66b74387f06529431a1b1176b5865b71c24294d85ec15278c3cac4201e7fd1a68cd13318ef
-
Filesize
704KB
MD55dcc897c8589ca8e4e902cb2161cd4a9
SHA1b4e9cd6c6985ffff9e8c2354d2718ff5f07cf6f1
SHA256439ac2cbea88837820d32be544cc889058c10953e2dbe8be8e8b6764ecbcbba8
SHA5121411d92a8982142ddbec9865b11e97bb525c1d2a5b757b770826e2b74493a7286bc52e07738a8da9317383d11ccffcaa841f52646f631e0b57cf9650c646b2ca
-
Filesize
704KB
MD5d7017cbf5153ebea73d04d75a4ccbed0
SHA1a850d0aba6d26b5cf778504a58a738cf6a5dd4f6
SHA256f18a480dac9207b1d934d6f3a8a78e1a090d2eed7666c027be4cbca9ee91271f
SHA512827e742ee17687be22d14d81a1e613635df293858d23b7ac650dcb7f3ac3e63ca4beb0f5944492a8d8bba2fa756578e2e681788187eb835e3988a151050588ea
-
Filesize
704KB
MD5f29ee8861bc99c835dfe98bec5083392
SHA1e46d4931d20d0107d882a0364b4e2618eb6706e2
SHA256fcc751677d0a9bec7e3180084f41ccd9df200d78f1436bc6defc65b286a3784c
SHA5120ebcac287fe87554eb293fa903576b0879d76296ec6fcbb9c5db3e2ce17dc87f154adae35845265d0013278937d20440c1036d90b4909c6b692d7bef8fe8ff9d
-
Filesize
704KB
MD5c1477c434e59db03b424adf4d50bb49d
SHA1296e2694a81ecb84aef08d91fedaee2132ebba81
SHA256cbafac79021ef6060f3bd762983a8291f2dee2ce1f1010c44fcf50657df5cb36
SHA5128ddf698a3dd1efed18238dfc9d78b5c84d844f54e1b6d2ca7a17bf8c5d2fe9535003e8b3bd3454692bbcf75e8e9d3ea3704975091a98e38449e96c06f811a7a5
-
Filesize
704KB
MD568dbc0ebac44887efaaf0b550e1a68fb
SHA1215ff84d1e6bb85d81a3f1bceb934ca6c857af8b
SHA2569172af283c4878a2d9bc748b9189e81581540cea47bc4825c36a276840f5cab1
SHA5126d1ae4a0de6dca007fabcb7104ea1f19f1ba7fb11a1eab6f8f7185ccc1007050e0582a8a6a2d23e02dc53da339dfa2087d9e5014b7b73bc897f9fc34c0bb27e0
-
Filesize
704KB
MD58f683ecd430aff8fdd7bef9a057d9e98
SHA186c956a92b9ff5739aee82dff31476919a4205b8
SHA25669cc03e4b50243ff4445b880884830ef327c2a60d386f6f5d8d90a8fa0e28c76
SHA512a8f87f1082c863517b93b55be39f47589547bf5a898c9d3f5095ce47dc4d19966a2ebf9ec6e672580758325a512e3b8e40250696795afedeef41f914bf43a858
-
Filesize
704KB
MD519e91bca1420106284e8461b3e326f0e
SHA179937594d0e19c484e251a22e33a02d1eaf32a22
SHA256d49564059df40072f6992bc322655d811fca360f069624efff19a114a4948dad
SHA512de6644ecad3dc641b2ea48208653ba339e564dcd759059fd87b3379ef2146656453c7784a1cb58f792c21097a3f7a6ba496df0ef0aaa446c9f67800e026c1b7f
-
Filesize
704KB
MD5e7ead975c6f3c27c2ebf878fbec9da5b
SHA1794157e4aeaec99f01dc7bd8e61b678dc599271e
SHA2569b4b4601d43a92ef11a40397b8d45e0c1336fb816877e22000e449b98b069885
SHA51276c174bd9d5ddfe99961d068f1c588b1b0328f03217e1ee790f4549b2821265e81a9cfca3cb29997893c967bcb804e197fe9ff1b967ef5aeb758d31ae01ec315
-
Filesize
704KB
MD53fd0ccd9158d91d9dc9446eaf63baaa4
SHA1cdea6bc552cda52e465994d0ed96f70e98880763
SHA256a6a515f88c6aa770972639d10da68fece1a8cddafc725c6819b4c5b85fec8d1f
SHA51246bc5116a30afa0fe4cb37046f8adf1a0446d8b131aaf79a36a63ed499f8f4cebe6c4f62c8cea2b306a5e9e8f16f5fe719bb90a08eb2e48eda143907755b3f11
-
Filesize
704KB
MD5d2f44a10499f891e9acaac00cca6829f
SHA130e9fb8386e5acfa01e31a25ff5e5f508bbc2fdc
SHA256a3134cd6e14988aed486874769140c5b767f0541965cde1de3b57b8bd3ce8a77
SHA5122f755f130e0102903cf32a567ee3f71c5bb81f614b9fb25882ffa195e88465d03dc80871897e9ee2a701f36e257bf2f9363270ed3e0cebc0581e5bf1e399e28a
-
Filesize
704KB
MD53dab25c45e113783090b1e1ad0679054
SHA180672887c202322c086a15c293186ec612be3694
SHA256fb7c69e201a4009a4341e4e36eb5a08dea7044bc1c4ef54197853485c7b81c51
SHA5127d45f8699a73853339ff74b6312c37216a0e2e92d6eeb1503ec72efe0c354da3d042c033016abf5290239e9523abe8f8429c3e82b5172d80c0cca181b727cf38
-
Filesize
704KB
MD59399aadd49346544ce4a12e0b5367466
SHA143d38e81121693eaea598a8976bfb61243bc4327
SHA2566584cdeabda5708c33d77ad2d82bcb81a82aba696b25641f8a6c9ff0a5301cbc
SHA512897feb296fe09e64a425b94b1f6ace0d9df689e9aec63a9ce38586c0e9411dd4036b26a1fc99a1d0f23e3705478d1ae31fa3b573de07385717f8b2bfad2fac6a
-
Filesize
704KB
MD5ba1ebbd2af3c6c363860da2d55a7efe4
SHA1e9ff4298361d1a0b5c6ae5f265d16922080606bd
SHA256be5435e22edc78d7d3fab58d56904af67faaea6a449e5274b78915e584a7652e
SHA51208862e341d710dbef0516082e2618bcbf8b64686d686d887ec3bef37ea8383ced2dcc7ce52366f3a4cf83a5931696f1cd68421975f0eba5b0ddcab2b798d582d
-
Filesize
704KB
MD573d89e6288c0fc61bc89a2746decd0f9
SHA10fe7d80300c658735fa880cde060ba9c1fa1915f
SHA2560dea04fb08778ddbe5736a8a987a5634b89c415d843d2307090d27d72f00aac5
SHA5123db9c166a3a82d26cb7726d4666bb1a59204f9dd01e80f10fa225487e00f0f44e43c49fbe086100d4e9f552add20a66153ad29461f2cf8af4493a703d3f86785
-
Filesize
704KB
MD5e28f6e9f735c7de038087c2352cce932
SHA1b9115f8c9705c9895ce1d6d61a9c0dcb9a797853
SHA256e1bac6134e5e471fdc1152887b95b9cd39978836c14b5994701ae38a802a3c6e
SHA5124113acc01cd3b4852a76535f82735cc8f4901dde8d175ac405e22854fd16bfd8f7f0438a782168eab288a51cef2f8e38d50f7de9726b445f540701301b4162b4
-
Filesize
704KB
MD5b3fcafa8e2dd1ebeb209aefe17397432
SHA16060e6654208870bd7fe8c3dd7c546f6f2aad659
SHA256cde42491f2d96d62f17bb8e974e45bc89482b42f9fcf24e68a49fd0c1451c6b2
SHA5125ebe8842ed639e522ed2376fc689376b75f30bd1eb7028cc1e57dc009150f0bdd8ed19ae5fe0cecde25082b381f1cabf677fa12f65a41f89da4606ffcc2a3d06
-
Filesize
704KB
MD5af7aa033f1b0c41f50b5259fbc47e6e5
SHA1626234593a5cec09af4b7593f84fcef827073354
SHA25669b789ef744813eb10827b01157a1536d866ce51877754ca62a301c852e30fba
SHA5121448b95f3e0c9f3605c8fa6a48bf7ada13ee5d37ba9a8aed6f3596f00682f3fca8e6f2b0d9c6bf7958b50cb1a674b3b873f516aeb1324dbe0256a1831a6878ef
-
Filesize
704KB
MD5d40e0aed0eacaea25954ecdd02d2391b
SHA101e405eb3febcc21020eae84295d261008fe4eb6
SHA25624cd98fc766acd6498710b9b56e3ed0ff16032007237e71ba2dc80d2302f7f0e
SHA512234d9f15bd3286b03b84737331a60785c90ee713ebe4b7f9e3dbdaa3d031d5fb1c52457d07ad21dfcaeac8202381dc8e3240bf9f17a56e35f8f9abb968ff6880
-
Filesize
704KB
MD5df19c2852089c8f61946542b295bc4e4
SHA1a644cfc158ef4bdd65cc986a526a183f50cde603
SHA2569251541f8c5d72d9b6c7721741053ee37273878702d3c358b2790838a236dd08
SHA5128cc2f7ae6e4f4c6193cc6d7f02e6d81c65c2ffe14fa11c90afda6d7a5d57220518bbc7fde1e413cf9bc7709e75fcc12c4148ef589d209041f5a10a9483776fe3
-
Filesize
704KB
MD529ef5467731b2a270cf385741aeca6d3
SHA105507c226bd86da850c6c0da03f5297f05054377
SHA256002123c78a3b7e98d101b78a3797870431d00b21752af56e0e11735b0bfc715c
SHA512813e03074694271555f175c51cc703785056135e15fad1cff49475d5645b90048a7ee8048f89bf83a6ec7a8033fe77d495530234d164121bb676c969821aa087
-
Filesize
704KB
MD56c44aca44318283b92b3b9a6d54c14b2
SHA17fc9061f3c7c6fb94d8111ed0eb1e75f908b05c3
SHA2569e9246470383394bc863c20eac94bc61b082d6ed5f22e991468fc3c0acb99edf
SHA512cb23065d78025b32ddbe5a8d1ae5459e0ed204c923620a2eb3f2e81302503d66a728015390ca6214d80a8cba77a256f2923bc15682a2fb180f721a79a6bf593f
-
Filesize
704KB
MD595145a3dd563bf02b7b79efcc3b8540d
SHA115ad8d82238d41e68714defef372f590a68f750c
SHA256078d620c89a2f2f187512a781461678a279231d65ed0c173da76b557d99c7763
SHA5121c28276de9a47e648b412701175453b5c019f92789e07b2f37a7ae91c8a6d14dcfdd93a6902e91c8741f3355a2dad89a80aa16120cb0ca30cefe4701348a52bd
-
Filesize
704KB
MD5598424daf868b4d69c58c91b877f77a2
SHA1e783ebe6bee5696def5e42ce80ef3cc8273a49ba
SHA256ac1c3d58454f8dd829b91378b2eccbe5773edd5ca4a2cbd2c64604047bfe63b9
SHA512f7b22874eec96640694f0136691fb4fd91d476433a0715252c4baffe5c0b31f73233b01c46471340a63070419168bf6d90925a4864422b17d7469432bebd6c0d
-
Filesize
704KB
MD58399398cbf46c166ab4381a2e3df9b24
SHA132c43559c7ba31790d2c5c8caa5c700e53b7e185
SHA2562f1e1a7af56b271cb737f3484b4be301761fafc238c57c575094ec0e95f0de77
SHA512cb24cd3a6e99168aada11ab006f5575be6bc85d9ffa4b9a666b88cb20a5b8123d2ded52c2de459d2ad0b34bd5065704f35e65089c2008c44d21bfcb390f4d4b3
-
Filesize
7KB
MD508da06e47e86757cdb6c67e856a68fe6
SHA1cadaa729219388b2610a24c713d00984e948261d
SHA2560684186ebd1ce145ea6ebf8d459ed462023261b426b7edd8b45f2172c6a34e78
SHA512865725856b964c972a4ed4d450a63b67e953f1dffd50fdda8901909703c2de092cebd3a6a122d00eab0ee6fae4f3eff72b3c20a1b71ed59fb550b94a58e6a9da
-
Filesize
704KB
MD5fb6ffcc94d38457bc2ca86ca144cf7b9
SHA1c3f206d948d7d3aaf395b015d2387a5b2ad492a7
SHA2568c3a4e828ab89e36ef978a79cc3da0922fdbca7497900b3d80fa2a8818088a33
SHA51259a206a3404642f4cd957da144673af2417d17a4987a8b086d1fb0b44a54605b85278056154b26d6de2d6f311358075ccde76783aedec26da148b2033978dab0
-
Filesize
704KB
MD5e865753074081a0c3b39d04dd0665bef
SHA1a23f51b05b3d4144117ee3435590975bb6336893
SHA2569da5c95f5676edd4f24c54df293f0333a910fe5abb3ab76c4608d23f6ad64df2
SHA512e6c755a9a5bc54181aaa696911a4ec43fef55dc8f4b5d1c83a576a1361727462c8133f4b8a936651acfbe71ffeb22ed9756f71fdd81796b3acafd1e1f1e13dec
-
Filesize
704KB
MD5cbbd1811c2bd2ab6f10583f7c674e707
SHA1766d26ae995eebe72c360e259be9ff81a26e4d2c
SHA25609a5b8482b20e45b412980481166ed51e7036069fbe28417cb8411d171b72384
SHA512f3ad6c9be62d89013b5d525e4a1111fe6711eb7b426b62680b82ffbd6f480e3b0c1a56f38307c98b6da5ad05bc45710fff0809974e77e0948e676686867de4f8
-
Filesize
704KB
MD5c104ad2828c72c8e6d74992c1eb4625c
SHA19cecefbfbf8c09aa74c19a135c5664540d065446
SHA2566f8c2ed027d6b9a836e42fd962bfaf9b977eeadf6997581dcfe75f5510fe10d6
SHA5128c3de6349c563d613c3e6a699e33b861df09c07cbdc05873dd3663bc005f0ad7b3602844c90a2e32d6223c63422fc275d7436636e03def1d39ee21d0cd878479
-
Filesize
704KB
MD5c1986ef5847ffd7f73141ce0fcfffdff
SHA1a6c6280cc0936e156c1ec9f3f87a226c69265112
SHA2566021e3178382bfe28b8998d09b8dfecedebb5a26f3531753f5387a1742335ed0
SHA512dc31934c4f9f89cb7f77992503d44b48c1b200e2682a59f34a1a25812ccb0bcc5bda8dd9369892187667f2429a93351f7d2484adeca83868f0cbbb6d77f49245