c189074a0c7148dd9c3036ec125dfa0125298e352d684d5dd2fd7984090e2f1c

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c189074a0c7148dd9c3036ec125dfa0125298e352d684d5dd2fd7984090e2f1c.exe
Size

96KB
MD5

39582cb26018b3dd662e5896080a5971
SHA1

a99c5b51120b207877c42d18ee2a58426433d821
SHA256

c189074a0c7148dd9c3036ec125dfa0125298e352d684d5dd2fd7984090e2f1c
SHA512

5ff17fbabba456dfb6aa708975f71c525bb088b7a258ed47a5436ae62ab60b3c29843a9a3a7725e2e94def281a286945425f005db23f66d2e49ac74ae830da05
SSDEEP

1536:CxBEQwW4SS7Y+4omUDmXWVrFr5MeyqoALYmypnj2Po1RDrduV9jojTIvjr:EBwBCANRFraeyjALspn9vfd69jc0v

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c189074a0c7148dd9c3036ec125dfa0125298e352d684d5dd2fd7984090e2f1c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egkddo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c189074a0c7148dd9c3036ec125dfa0125298e352d684d5dd2fd7984090e2f1c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daeifj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmedjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdaile32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dckoia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejojljqa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcibca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkpjdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkpjdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dalofi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbdnne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dckoia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcibca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkaiphj.exe

Executes dropped EXE 43 IoCs

pid	Process
4960	Ccppmc32.exe
3804	Cmedjl32.exe
216	Ccblbb32.exe
2460	Ckidcpjl.exe
2256	Cdaile32.exe
4460	Dkkaiphj.exe
4324	Daeifj32.exe
3004	Dcffnbee.exe
3972	Dahfkimd.exe
1356	Dcibca32.exe
4688	Dkpjdo32.exe
2344	Dajbaika.exe
1984	Dckoia32.exe
1564	Dkbgjo32.exe
4864	Dalofi32.exe
3628	Dkedonpo.exe
4856	Dpalgenf.exe
4148	Egkddo32.exe
2608	Enemaimp.exe
876	Ekimjn32.exe
2276	Epffbd32.exe
800	Edaaccbj.exe
4352	Ejojljqa.exe
3652	Ephbhd32.exe
3604	Ekngemhd.exe
1520	Ejagaj32.exe
3412	Edfknb32.exe
4424	Ekqckmfb.exe
3980	Eqmlccdi.exe
880	Fggdpnkf.exe
3968	Fnalmh32.exe
4620	Fdkdibjp.exe
2120	Fjhmbihg.exe
3044	Fqbeoc32.exe
4636	Fcpakn32.exe
2476	Fjjjgh32.exe
3992	Fnffhgon.exe
2432	Fcbnpnme.exe
4504	Fkjfakng.exe
456	Fbdnne32.exe
4776	Fgqgfl32.exe
1904	Fnjocf32.exe
2716	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cmedjl32.exe	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dkedonpo.exe	Dalofi32.exe
File opened for modification	C:\Windows\SysWOW64\Daeifj32.exe	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Daeifj32.exe
File created	C:\Windows\SysWOW64\Daeifj32.exe	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Mnokmd32.dll	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Gadeee32.dll	Fjhmbihg.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fnjocf32.exe
File opened for modification	C:\Windows\SysWOW64\Enemaimp.exe	Egkddo32.exe
File created	C:\Windows\SysWOW64\Anijgd32.dll	Enemaimp.exe
File created	C:\Windows\SysWOW64\Ephbhd32.exe	Ejojljqa.exe
File created	C:\Windows\SysWOW64\Ekqckmfb.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Cmedjl32.exe	Ccppmc32.exe
File created	C:\Windows\SysWOW64\Nppbddqg.dll	Cmedjl32.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Abocgb32.dll	Dcibca32.exe
File created	C:\Windows\SysWOW64\Fnffhgon.exe	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Fofobm32.dll	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Fjhmbihg.exe	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Lhlgjo32.dll	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Cdaile32.exe	Ckidcpjl.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Edfknb32.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Eclhcj32.dll	Edfknb32.exe
File created	C:\Windows\SysWOW64\Eaecci32.dll	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Cnidqf32.dll	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Mkhpmopi.dll	Fbdnne32.exe
File created	C:\Windows\SysWOW64\Faagecfk.dll	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Efehkimj.dll	Dajbaika.exe
File created	C:\Windows\SysWOW64\Egkddo32.exe	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Ccppmc32.exe	c189074a0c7148dd9c3036ec125dfa0125298e352d684d5dd2fd7984090e2f1c.exe
File created	C:\Windows\SysWOW64\Enemaimp.exe	Egkddo32.exe
File opened for modification	C:\Windows\SysWOW64\Edfknb32.exe	Ejagaj32.exe
File opened for modification	C:\Windows\SysWOW64\Fggdpnkf.exe	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Ccblbb32.exe	Cmedjl32.exe
File created	C:\Windows\SysWOW64\Fohogfgd.dll	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Ppkjigdd.dll	Fnalmh32.exe
File opened for modification	C:\Windows\SysWOW64\Fkjfakng.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Fbdnne32.exe	Fkjfakng.exe
File created	C:\Windows\SysWOW64\Dkbgjo32.exe	Dckoia32.exe
File created	C:\Windows\SysWOW64\Epffbd32.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Cjeejn32.dll	Epffbd32.exe
File created	C:\Windows\SysWOW64\Aehojk32.dll	Ejagaj32.exe
File opened for modification	C:\Windows\SysWOW64\Epffbd32.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Fllinoed.dll	Ejojljqa.exe
File created	C:\Windows\SysWOW64\Fcpakn32.exe	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Dcibca32.exe	Dahfkimd.exe
File created	C:\Windows\SysWOW64\Dajbaika.exe	Dkpjdo32.exe
File created	C:\Windows\SysWOW64\Ohjckodg.dll	Dckoia32.exe
File created	C:\Windows\SysWOW64\Npgqep32.dll	Egkddo32.exe
File opened for modification	C:\Windows\SysWOW64\Dpalgenf.exe	Dkedonpo.exe
File created	C:\Windows\SysWOW64\Gdmkfp32.dll	Dkedonpo.exe
File opened for modification	C:\Windows\SysWOW64\Fnalmh32.exe	Fggdpnkf.exe
File created	C:\Windows\SysWOW64\Fjjjgh32.exe	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Ejojljqa.exe	Edaaccbj.exe
File opened for modification	C:\Windows\SysWOW64\Ephbhd32.exe	Ejojljqa.exe
File created	C:\Windows\SysWOW64\Fnalmh32.exe	Fggdpnkf.exe
File created	C:\Windows\SysWOW64\Fdkdibjp.exe	Fnalmh32.exe
File opened for modification	C:\Windows\SysWOW64\Dahfkimd.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Ejojljqa.exe	Edaaccbj.exe
File opened for modification	C:\Windows\SysWOW64\Ekqckmfb.exe	Edfknb32.exe
File opened for modification	C:\Windows\SysWOW64\Dkpjdo32.exe	Dcibca32.exe
File created	C:\Windows\SysWOW64\Eqmlccdi.exe	Ekqckmfb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4296	2716	WerFault.exe	136

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fggdpnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpalgenf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekqckmfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejagaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkaiphj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekimjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkddo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejojljqa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dajbaika.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkedonpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahfkimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcibca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ephbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbdnne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c189074a0c7148dd9c3036ec125dfa0125298e352d684d5dd2fd7984090e2f1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enemaimp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epffbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkpjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjhmbihg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccppmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnalmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkdibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edaaccbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edfknb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqmlccdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjjgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjfakng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckidcpjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daeifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dckoia32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll"	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dckoia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppkjigdd.dll"	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c189074a0c7148dd9c3036ec125dfa0125298e352d684d5dd2fd7984090e2f1c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c189074a0c7148dd9c3036ec125dfa0125298e352d684d5dd2fd7984090e2f1c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enemaimp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkodmbe.dll"	Dkpjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll"	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfokdm.dll"	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnidqf32.dll"	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmqghl.dll"	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll"	Dckoia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohogfgd.dll"	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadeee32.dll"	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnblgj32.dll"	c189074a0c7148dd9c3036ec125dfa0125298e352d684d5dd2fd7984090e2f1c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efehkimj.dll"	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmkfp32.dll"	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllinoed.dll"	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhaiafem.dll"	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqqddpi.dll"	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdedgjno.dll"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkjfakng.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 4960	3112	c189074a0c7148dd9c3036ec125dfa0125298e352d684d5dd2fd7984090e2f1c.exe	91
PID 3112 wrote to memory of 4960	3112	c189074a0c7148dd9c3036ec125dfa0125298e352d684d5dd2fd7984090e2f1c.exe	91
PID 3112 wrote to memory of 4960	3112	c189074a0c7148dd9c3036ec125dfa0125298e352d684d5dd2fd7984090e2f1c.exe	91
PID 4960 wrote to memory of 3804	4960	Ccppmc32.exe	92
PID 4960 wrote to memory of 3804	4960	Ccppmc32.exe	92
PID 4960 wrote to memory of 3804	4960	Ccppmc32.exe	92
PID 3804 wrote to memory of 216	3804	Cmedjl32.exe	93
PID 3804 wrote to memory of 216	3804	Cmedjl32.exe	93
PID 3804 wrote to memory of 216	3804	Cmedjl32.exe	93
PID 216 wrote to memory of 2460	216	Ccblbb32.exe	94
PID 216 wrote to memory of 2460	216	Ccblbb32.exe	94
PID 216 wrote to memory of 2460	216	Ccblbb32.exe	94
PID 2460 wrote to memory of 2256	2460	Ckidcpjl.exe	95
PID 2460 wrote to memory of 2256	2460	Ckidcpjl.exe	95
PID 2460 wrote to memory of 2256	2460	Ckidcpjl.exe	95
PID 2256 wrote to memory of 4460	2256	Cdaile32.exe	96
PID 2256 wrote to memory of 4460	2256	Cdaile32.exe	96
PID 2256 wrote to memory of 4460	2256	Cdaile32.exe	96
PID 4460 wrote to memory of 4324	4460	Dkkaiphj.exe	97
PID 4460 wrote to memory of 4324	4460	Dkkaiphj.exe	97
PID 4460 wrote to memory of 4324	4460	Dkkaiphj.exe	97
PID 4324 wrote to memory of 3004	4324	Daeifj32.exe	98
PID 4324 wrote to memory of 3004	4324	Daeifj32.exe	98
PID 4324 wrote to memory of 3004	4324	Daeifj32.exe	98
PID 3004 wrote to memory of 3972	3004	Dcffnbee.exe	99
PID 3004 wrote to memory of 3972	3004	Dcffnbee.exe	99
PID 3004 wrote to memory of 3972	3004	Dcffnbee.exe	99
PID 3972 wrote to memory of 1356	3972	Dahfkimd.exe	100
PID 3972 wrote to memory of 1356	3972	Dahfkimd.exe	100
PID 3972 wrote to memory of 1356	3972	Dahfkimd.exe	100
PID 1356 wrote to memory of 4688	1356	Dcibca32.exe	101
PID 1356 wrote to memory of 4688	1356	Dcibca32.exe	101
PID 1356 wrote to memory of 4688	1356	Dcibca32.exe	101
PID 4688 wrote to memory of 2344	4688	Dkpjdo32.exe	102
PID 4688 wrote to memory of 2344	4688	Dkpjdo32.exe	102
PID 4688 wrote to memory of 2344	4688	Dkpjdo32.exe	102
PID 2344 wrote to memory of 1984	2344	Dajbaika.exe	103
PID 2344 wrote to memory of 1984	2344	Dajbaika.exe	103
PID 2344 wrote to memory of 1984	2344	Dajbaika.exe	103
PID 1984 wrote to memory of 1564	1984	Dckoia32.exe	104
PID 1984 wrote to memory of 1564	1984	Dckoia32.exe	104
PID 1984 wrote to memory of 1564	1984	Dckoia32.exe	104
PID 1564 wrote to memory of 4864	1564	Dkbgjo32.exe	106
PID 1564 wrote to memory of 4864	1564	Dkbgjo32.exe	106
PID 1564 wrote to memory of 4864	1564	Dkbgjo32.exe	106
PID 4864 wrote to memory of 3628	4864	Dalofi32.exe	107
PID 4864 wrote to memory of 3628	4864	Dalofi32.exe	107
PID 4864 wrote to memory of 3628	4864	Dalofi32.exe	107
PID 3628 wrote to memory of 4856	3628	Dkedonpo.exe	108
PID 3628 wrote to memory of 4856	3628	Dkedonpo.exe	108
PID 3628 wrote to memory of 4856	3628	Dkedonpo.exe	108
PID 4856 wrote to memory of 4148	4856	Dpalgenf.exe	110
PID 4856 wrote to memory of 4148	4856	Dpalgenf.exe	110
PID 4856 wrote to memory of 4148	4856	Dpalgenf.exe	110
PID 4148 wrote to memory of 2608	4148	Egkddo32.exe	111
PID 4148 wrote to memory of 2608	4148	Egkddo32.exe	111
PID 4148 wrote to memory of 2608	4148	Egkddo32.exe	111
PID 2608 wrote to memory of 876	2608	Enemaimp.exe	112
PID 2608 wrote to memory of 876	2608	Enemaimp.exe	112
PID 2608 wrote to memory of 876	2608	Enemaimp.exe	112
PID 876 wrote to memory of 2276	876	Ekimjn32.exe	113
PID 876 wrote to memory of 2276	876	Ekimjn32.exe	113
PID 876 wrote to memory of 2276	876	Ekimjn32.exe	113
PID 2276 wrote to memory of 800	2276	Epffbd32.exe	115

C:\Users\Admin\AppData\Local\Temp\c189074a0c7148dd9c3036ec125dfa0125298e352d684d5dd2fd7984090e2f1c.exe
"C:\Users\Admin\AppData\Local\Temp\c189074a0c7148dd9c3036ec125dfa0125298e352d684d5dd2fd7984090e2f1c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Windows\SysWOW64\Ccppmc32.exe
  C:\Windows\system32\Ccppmc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\SysWOW64\Cmedjl32.exe
    C:\Windows\system32\Cmedjl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\SysWOW64\Ccblbb32.exe
      C:\Windows\system32\Ccblbb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
      - C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Dahfkimd.exe
        
        C:\Windows\system32\Dahfkimd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 412
        45⤵
        Program crash
        
        PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2716 -ip 2716
1⤵
PID:820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4376,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=4392 /prefetch:8
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccblbb32.exe

Filesize
96KB

MD5
421f7334a2af1f93e92a87d8b5302daf

SHA1
206a39c21a38b56b60253f69d38a5a0b706b4f5e

SHA256
ece2ceceb3e7440e9b97a1b6c2d8ba1b23c6c886ef2e885e1d03e9a572a81a82

SHA512
53c9da9a34408fea8eb9190768f76a419a77e12eac991d02e09e20e953a5417f0ae8b3dfd5ea4511a80b934f32367460db08806fdc9185aaac5e848084d95e05

Download Submit
C:\Windows\SysWOW64\Ccppmc32.exe

Filesize
96KB

MD5
4beb99e8450e68e0674eca03b50d44d0

SHA1
a36e1e8fa868f3de911b8028bac325e96d233e0c

SHA256
adf457acddd9db655f8522f81295db15b4468d62a1374fb8df1092ceb05b8eff

SHA512
3017b4fbcbf54f5188d261d13259f78d563eda086dac542187f8657e773b51fc6ceed571999d602943648eab1ae3211eb7e60335e81a753f237a762c39be4f4b

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
96KB

MD5
21d9ec86495d3d7ab46a88d2bf7f10bf

SHA1
914f0229a971063e32b1e0ec570c86f7e016fd0e

SHA256
8fd5eb6ae49f1f66836e84f37315d96e2721a55a45349af2b3fe84613c3dc728

SHA512
9e1704f78a62780eec47b442da5e4ecee7b210ba4e6a0d9bf79b30333fb3b6ccf4e2a1ad2538a2545809e887c5a5c3035a266d47be8c335e921809503999863d

Download Submit
C:\Windows\SysWOW64\Ckidcpjl.exe

Filesize
96KB

MD5
93492941e90f30950f8851f56b6cdc1e

SHA1
0e584e074beaa1f5109ccdd2f3d5bfbb3c7fc8f6

SHA256
9c4cafc7fb1bfd40d0b56126b45921845a67bdbf657171e70f31344bb318c539

SHA512
5f6c451aaa098ec5ea7a607e323b119b6b9dd10ee8a0f61b2816179cb9b31bd6e5efcbf6602d7ec3aeb327b23002458ab0216947d2ea8868ae7ef935c2b7fde5

Download Submit
C:\Windows\SysWOW64\Clbidkde.dll

Filesize
7KB

MD5
9f708cb7b0340d848bae0e1462c68247

SHA1
731c1e0111395609f0a9e454bd902220c3f7e54a

SHA256
1291a7b2f8170d1883920e09f22b06d4244dccf6af9b6e2249b34710b6845d96

SHA512
eaad7240fa7617736a511c505430bd783e47fe6ddba617b1f13193297aa2cc185a1ec8a10b11532abf940932ec7e79c60b5a3d4d0271842ad8709da2ac2f9b3e

Download Submit
C:\Windows\SysWOW64\Cmedjl32.exe

Filesize
96KB

MD5
1b7c8cb8351a09c1cf4b964c65b0228d

SHA1
36cc2c6843724af015c7f7062f0fa2faa680a5a5

SHA256
0fb8c44ed4777c4856fa9e7240a00e8433c5efe916c525461a05650ad41b6bd4

SHA512
9414063d508771e956445f0365e9d6ce59e1dd59c76339403df23fc0c50e0f0a765b78aff52a1dba12c7621f238f162a8fbe60a72e1d60c25d080b58ff5ae4d8

Download Submit
C:\Windows\SysWOW64\Daeifj32.exe

Filesize
96KB

MD5
4777a59eb313bafc423983745dca4637

SHA1
6585b6613c016728421e4819f548e8287d96c75a

SHA256
f5f6f6f042f8b9acfe4a6db74c5cbc492586447175fc0154d893707f504f5fb1

SHA512
c5289c63854d60233ff6f2ceee4b907b2028af89517b7708594e90164fd2f8dc3c66737f72018820964e8a0e55dc508c341d0b20ad5d0622d15fda21d252cd18

Download Submit
C:\Windows\SysWOW64\Dahfkimd.exe

Filesize
96KB

MD5
0132a091bebf3645becda4d90d429e6a

SHA1
05cff706f76cab44cd405165e8f570394aceb0dd

SHA256
42dcdb4bfedb4b777f98b8cf429535abb53065e60c0430ba1974f9a2aa70946b

SHA512
3c317baad18413b99a6d940f2f5f9e73b544b7e02ba124f95b1a808b88ca863c122d53eef16212bd70067ea3a4706ac2c23a096743a778c3584f02d24bddb1ad

Download Submit
C:\Windows\SysWOW64\Dajbaika.exe

Filesize
96KB

MD5
174adbfdc6de4324ef2a8bc4116ef61f

SHA1
3af3253f3dd8927172820a2ab1af69503038f7d4

SHA256
8471fd5f2f00081ac857fc86858342ce8a0f5aa66683dfd08df01829689b7184

SHA512
0d52bc3aa13b093a658c924b50f580d76e86ef4f1993f0154bb1e2d6c5fa743c1843f15273011bf979e6084c6021cc3b15a564fc6c2eb855b5a75a71b166dbcb

Download Submit
C:\Windows\SysWOW64\Dalofi32.exe

Filesize
96KB

MD5
38feffe924d70aa1befde81f3f085b3b

SHA1
e501cd1bdffd3a14445f203e067a0719d9b0326a

SHA256
6850de71cb117e84279778379be59e794d03c8e8148c7eba91cfe513ac6bab4c

SHA512
9b6b562e432f9b12d283027a27395ae1542622814384d4170791caac43335c35c097232c7117ec5682014449cd38c397e4b8e54ebf1e71d8e8a5041f6162cb6b

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
96KB

MD5
0f2281e81545cac3776112171ab700de

SHA1
b7f20d3e6d6e4f8840472dfde22deac88d439b6e

SHA256
6127d8d8b18242e965b6ad68615814d702e1f979b1fa10099a1a390941f4cd17

SHA512
3c930332216fd68d8ddb0ca22651ab511dac5dfd72e73d84ec93ccf0b1bc5fc44f9991a2abd223ece80051661069a2a797873c6e059842289cfb44aeee3ddfa4

Download Submit
C:\Windows\SysWOW64\Dcibca32.exe

Filesize
96KB

MD5
7b718472a029fd510caebd779e568b27

SHA1
fe0401797d39415c702d47db7ef30292e6ed6ec9

SHA256
a1c80e4a32fb087836201561bb7f3f159223be73ee27bbf949601573c4cc84f9

SHA512
68acb1a054a6aa149fad11b81a87e2f42b9a37f1dc2e8ffbefe5d72c268a18017ec64b076e3b99b112bbc895a0910f1fd38711f7485720ed31c597d2880157e3

Download Submit
C:\Windows\SysWOW64\Dckoia32.exe

Filesize
96KB

MD5
9c00eb262c26cbb3ac4f5ecb2e85aa39

SHA1
9c8233780f4c834db084ae44116c2de993fc1444

SHA256
4147508fbfb99e175ece12ed93173e20377f407bb26525118a43cb7053554060

SHA512
4566ae39132275fc4f3eabe01b850b10c9653227c7c31b43c2c98e7e728b98ddd044effa6553852c878f723c73574c56e5e55582d25fff960668cd566fb037c8

Download Submit
C:\Windows\SysWOW64\Dkbgjo32.exe

Filesize
96KB

MD5
a54b13b2bb2f23f1655ad85de2b1beb3

SHA1
d4e97741de348525071fe18c10a3d47370c3f0fb

SHA256
b3502e01ec4ba24a268670e41ff077a4483efeb181b6b5ae639135278ed89f0f

SHA512
5ae75c41df2e5a6f2b55acbcf9f290aab7c1dd79f2061cdaaa0c3001f30d879b94d426ca64eab7178737e792990317504c95e2e77989657656a522ca1cbccfc9

Download Submit
C:\Windows\SysWOW64\Dkedonpo.exe

Filesize
96KB

MD5
047c312004d0e25775538df06c1b8560

SHA1
d159dcdff380483311c2484f87038ee461da2f28

SHA256
3c5e7b0d8190762d68cfb684de22ed33ca317adf5b4374aa31e685d684d30177

SHA512
189c947aef26a6c0b32d859cd754839eaf35ba8e30c12b6e8b16577f629d5d99959e31e26604aa62aaad72124e5f0f34927ead1faf5973e5e878d6061fed4330

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
96KB

MD5
b37d5d1ad9f4e39a11942779a9a0457f

SHA1
be249bcc897b8602192bf629f0d58b7c377b6089

SHA256
0e2e8949ea6d07933c85e79a61426276b74fb6bffc336658f31bbf25d73e3f92

SHA512
fdbc7bbec4ba68521fc751d0ac95307ff72c0dd94ada214c1109e19aeff16eb8c3a9338da9e475ff19967bc32851da9451c065a264120f8decf0ae27ec20ac81

Download Submit
C:\Windows\SysWOW64\Dkpjdo32.exe

Filesize
96KB

MD5
5a2e696a648d933876f10fda5bfac7fc

SHA1
c52407816d0b9d3f8cc3081563b0a6dc49b74fcd

SHA256
00fd64df52ea5f6ff76dbb219b5322ee67850d4cfbd292e0f418fead5205ae7f

SHA512
4977ae701a649ff02134a3660b577d322a8ee777ce1404da91b42461574fd1122d206107ed97861c40d3463842ad1e690d7201e34925b8f45c31448ceb31db20

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
96KB

MD5
516d6c77a6d55042e7a60ac873a7dee2

SHA1
37b8509ec312365a2e13d7c20a58e640f97924cf

SHA256
ca75d7eba07dfcf82ac305cd02e0201cb61725a86adee2d6807abe377c8bd72a

SHA512
991141702b3ecdf8842a2b8ef7a641ff8a58d7da79ea30e6e9a4ded37bd5c6bb2c596d652b21aa49a18011b35086268794ac9abadeba1dd570f60c0b7a534c61

Download Submit
C:\Windows\SysWOW64\Edaaccbj.exe

Filesize
96KB

MD5
3e1904318bbe553457d1ef4e3563606c

SHA1
c0658489100bda8f4a5c5b5eac97c9dc56da714c

SHA256
5f5df317ef73b5babccb2c0cd307fb93509faa3c9eb0edb367a499f4286e7328

SHA512
264a2fe2647c81c31573978452c28aeca0850d18440319f81df2fe2d273ee0274692d43864d58b82975b1ee9409efa98a602625ab16f6edf5ac3fee799ef39f4

Download Submit
C:\Windows\SysWOW64\Edfknb32.exe

Filesize
96KB

MD5
cb41092416386c1eb6c3889958ef7d64

SHA1
796e72a96a4ff97ea41a541120316e82ec746597

SHA256
619014aad5763b84ce7c7e12fa941e026dc455976f78f4b0c6c80ca7942fea3a

SHA512
a6eec4dbb7c339dbff28552dcd4ebcb945b951e7749500b5ec21dd6db17bf19883527eb949f8246187253423a278c452777a47cd426c4d1a7b89d528d707ec74

Download Submit
C:\Windows\SysWOW64\Egkddo32.exe

Filesize
96KB

MD5
ff6f44808a0c54ad01417887316eaea9

SHA1
b20d1a4b1c787435484f42b7c065b8d7060777f2

SHA256
4205b4422440e6fd5a93c9ca8d3db208d78079e5d77ea84a3750595c68bacb2e

SHA512
83b2d2cb233f83124f92e96d08dcf374b3443863b0156e0390fd76c633fc09bbc09d815ecc37388c9647271208f5ba200b113d59a26557e998866a17db978263

Download Submit
C:\Windows\SysWOW64\Ejagaj32.exe

Filesize
96KB

MD5
31cd9cfe1673eec96816186fe95d5470

SHA1
5ded85e070ba1660843bc3c06205f7c2b91b6d27

SHA256
9151adc6556ed4bee6739b51e92a03a040684bc1ec94537f8d605a6be42db924

SHA512
88a5908e855bc352c7d0d1fbbd41d9c90ce03cfbd5e7883d823531e26674767e77b511eeffb03e4380933bb91730f65bafa670579fcb05e207f4d9b845153781

Download Submit
C:\Windows\SysWOW64\Ejojljqa.exe

Filesize
96KB

MD5
88e89d2f01680fc2d99ec3ea1a10cbd0

SHA1
0a96a6810b803d60dc2744ad4f608a1b25d4ad7c

SHA256
6fa8c12ddf0886b19642d280b8dc339fc055f28ce0a33be77d3c64f54f0f0674

SHA512
1dc3f26952ed672501713530cf465ef47fc1fec30b2c6670a3ae1ca6bb962930259be07a2ea5df89f91d7d989dacb5a4cd1c299d6f62326c96bb6921cd0d324c

Download Submit
C:\Windows\SysWOW64\Ekimjn32.exe

Filesize
96KB

MD5
3c05605598cb20cd0c6d7b6118cdc20c

SHA1
67805b7c6770ab9e503b0dd145b4fb85376fa740

SHA256
6abebd01c0790da2f075b3ff8bccbf46685c8b0d4088698c322ab90f8dbc8b00

SHA512
da0286daca6359ed994f775d0efee0e87ece64238df002f4257c3ff11854d064486ad6ea73e1e88583dc3990bc0250fc339a7e14d8c2f35368d4d103fb33ddee

Download Submit
C:\Windows\SysWOW64\Ekngemhd.exe

Filesize
96KB

MD5
3dd4e4b6dcd9a19bf847681106473b89

SHA1
a331bc784721d4557a05e50b2a214b3d55a87e85

SHA256
ac2c53d29dd54223917a016e00d84379d01607055dacf198a7c2c35e384e2bbc

SHA512
9fbf4c621daf096e60db08a537026003690108f333d197677204ed1ef57f0d4e0bf5cc1633b663306460c679595620d3797074cd569551bf3766553363f25cd6

Download Submit
C:\Windows\SysWOW64\Ekqckmfb.exe

Filesize
96KB

MD5
6a7b846c85f6c8c3012e5f6cdad84810

SHA1
6dd3f10eca5948cbf8c61bd79e36d8b969120c7e

SHA256
c06e32a7ef3ab95dd344cbcd1980d81c28edba46fae8631d02a52cdf66205947

SHA512
6d7744b0ccb4047467d4252aae4179e63e86cd45e2562fb03374e3608ef078f05d0986e6f53248922809c3d99705837c72e80964165740aa00562ca660df96a7

Download Submit
C:\Windows\SysWOW64\Enemaimp.exe

Filesize
96KB

MD5
83cd32daddc984a70bc969a93e9146f5

SHA1
5f5cc65f1c2378b3b88747e9bbe7ce80e135f044

SHA256
56756dd0a2d8521cae07ce099a4767bc7567cdec47f3ff3caf4b9e36e9f2d4dc

SHA512
2829bdc11de1a826141479df0feff2dd4da71977d6cc4c341f0d1f4195a3f51896df52204dc5dab15ac7c3bde2934b13f70867e07705f122b8a47861ab3d0e06

Download Submit
C:\Windows\SysWOW64\Epffbd32.exe

Filesize
96KB

MD5
4b8b9549a8b109a646e792b470796458

SHA1
fd58c11e78ed3b6f53835ae07d70ec0c1288c43d

SHA256
926df521fcd761a03f4b81fa4b8ea858118adcae4051cade515bc9c240e965f1

SHA512
2cf3f3e96d7a964331279c87a23d2c58367156d97aa88178e9a87d72b02e6904b426c230a492a603586c5b03ab7c076f92ed6d8581d778f11168d459404027db

Download Submit
C:\Windows\SysWOW64\Ephbhd32.exe

Filesize
96KB

MD5
5455e87f648fb1d70a89d8c81dfb4a2f

SHA1
e1c67c6bba301e855165a9f2d1d385b60e253fbf

SHA256
cbd851be541c00596200e0e51ff903e45adb53cac1b6389c0ee6194427e7e4d8

SHA512
e619ff48f0a844aeb875927aefdc640bb7817789e4f0f10294c9ceef8d651ee8eef27568d684b89eedd2afd3bb60a8bacfb1654ad4c852726ce63aaabdcfa45b

Download Submit
C:\Windows\SysWOW64\Eqmlccdi.exe

Filesize
96KB

MD5
e1c992a1f3ac42fc2a2d3edefc9693c6

SHA1
892e031d8aa3cd2e3b689360fcb31edfb3234ad6

SHA256
22b47a4bbbe680b20dc6be9445fc6469790df36b3110c4d718c94398a27d7003

SHA512
3de26c3f2208b47b872b08b2c4aafc891f2ed57d019ed22cae25897fb6457944774cf4a84737c4bc4ad3b3946e5777dd8a5dce4a9b5c9e29e865b70eb9356388

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe

Filesize
96KB

MD5
bb88ce3b871a3ead5873ac3555f03001

SHA1
4bb7765673e2d2107b14829aca4a119c218dfb5a

SHA256
e888d80a84ba3a21786e0b8915e8124947b7686faaec3ce0f891c5b23281a327

SHA512
5de87ccb0f929f523377f6a30c584b5fc620937301fbbf34f296494aa5cf3525083b7aa7f03e4179768c1f1b4f6c26efd9eb7c9b42495e6bd771b18b0a5dd484

Download Submit
C:\Windows\SysWOW64\Fggdpnkf.exe

Filesize
96KB

MD5
ecfdd160233991e879ad261b1d1c43ce

SHA1
8f72b5423eec99b5b1c7e4da221086f2e05ff971

SHA256
86e8558a4b1fecd959c88cac279ee47f2e84194687e69dafa73b5c308026a504

SHA512
433657125423baef6d32974d119a47ef08e151e43b4b200e887de6a4b60218f2a0bf3dbb6bc3359e2ba46db27c5372e20618e21d31a27895fe1c7a75c2f1b7f8

Download Submit
C:\Windows\SysWOW64\Fnalmh32.exe

Filesize
96KB

MD5
ade7ffe8d8c329f2652bedb13a45cd8b

SHA1
d33c557b55e8fff24f1c2953b2732959b899f598

SHA256
dc615a339c7d8b076d66e2ea267f7867cc3b98f002ae6e11c117fb0100041fff

SHA512
d867f07e3ed1002c33c1a83c56cbcd0a87b35e3153a9cff9eaf745f311c73c618d89c489baf9802ba947d77830de16edc435b2787c31c45bc4b008bbdb688ce0

Download Submit
memory/216-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/216-361-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/456-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/456-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/800-342-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/800-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/876-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/876-344-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/880-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/880-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1356-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1356-354-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-338-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1564-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1564-350-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1904-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1904-324-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2120-331-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2120-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2256-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2256-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2276-343-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2276-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2344-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2344-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2460-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2460-360-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2476-284-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2608-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2608-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-356-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3112-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3112-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3412-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3412-337-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3604-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3604-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3628-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3628-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3652-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3652-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3804-362-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3804-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3968-333-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3968-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3972-355-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3972-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3980-335-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3980-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3992-329-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3992-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4148-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4148-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4324-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4324-357-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4352-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4352-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4424-336-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4424-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4460-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4460-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4504-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4504-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4620-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4620-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4636-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4636-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4688-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4688-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-325-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4856-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4856-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4864-349-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4864-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4960-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4960-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads