94c0730e5dad4b5fa76f26bb3fc81c84afc4f120dd12e68081c2d3b5be821029

Analysis

max time kernel
136s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94c0730e5dad4b5fa76f26bb3fc81c84afc4f120dd12e68081c2d3b5be821029.exe
Size

512KB
MD5

0e5a109856edc76184b0193e2ff68c1f
SHA1

152e3e21bc0b8fa29ce7ee91811bfb6e714c8425
SHA256

94c0730e5dad4b5fa76f26bb3fc81c84afc4f120dd12e68081c2d3b5be821029
SHA512

b9a90a27664eb6281ded43960950d8882e12e1721569d361f6bae66a51b088fd3dae8b6cd4d1fe0a412fdd44c9449f94fd136c3a11621cb8ded3bf5288e75841
SSDEEP

12288:2t2udZHCUkY660fIaDZkY660f8jTK/Xhdz:2yUgsaDZgQjGf

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enemaimp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	94c0730e5dad4b5fa76f26bb3fc81c84afc4f120dd12e68081c2d3b5be821029.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcibca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daeifj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	94c0730e5dad4b5fa76f26bb3fc81c84afc4f120dd12e68081c2d3b5be821029.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcibca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cigkdmel.exe

Executes dropped EXE 35 IoCs

pid	Process
2228	Bbhildae.exe
1928	Cpljehpo.exe
2284	Ckbncapd.exe
2336	Ccmcgcmp.exe
2732	Cigkdmel.exe
1604	Ccblbb32.exe
2356	Cildom32.exe
1764	Daeifj32.exe
4836	Dcffnbee.exe
548	Dcibca32.exe
2792	Dpmcmf32.exe
3224	Dnqcfjae.exe
4960	Dpopbepi.exe
5040	Enemaimp.exe
4056	Egnajocq.exe
1656	Epffbd32.exe
2880	Ephbhd32.exe
4344	Ekngemhd.exe
3196	Ecikjoep.exe
2280	Edihdb32.exe
4412	Fjeplijj.exe
5112	Fgiaemic.exe
3960	Fqbeoc32.exe
1584	Fcpakn32.exe
4552	Fnffhgon.exe
3328	Fqdbdbna.exe
4980	Fcbnpnme.exe
2868	Fjmfmh32.exe
4812	Fnhbmgmk.exe
2540	Fqfojblo.exe
4276	Fcekfnkb.exe
2692	Fklcgk32.exe
1760	Fjocbhbo.exe
512	Fbfkceca.exe
780	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Egnajocq.exe	Enemaimp.exe
File created	C:\Windows\SysWOW64\Fcbnpnme.exe	Fqdbdbna.exe
File opened for modification	C:\Windows\SysWOW64\Ephbhd32.exe	Epffbd32.exe
File opened for modification	C:\Windows\SysWOW64\Ekngemhd.exe	Ephbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Ecikjoep.exe	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Celhnb32.dll	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Hhdebqbi.dll	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Fjmfmh32.exe	Fcbnpnme.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Fpiedd32.dll	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Bbhildae.exe	94c0730e5dad4b5fa76f26bb3fc81c84afc4f120dd12e68081c2d3b5be821029.exe
File created	C:\Windows\SysWOW64\Cpljehpo.exe	Bbhildae.exe
File created	C:\Windows\SysWOW64\Ccmcgcmp.exe	Ckbncapd.exe
File created	C:\Windows\SysWOW64\Fcpakn32.exe	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Jlojif32.dll	Ccmcgcmp.exe
File opened for modification	C:\Windows\SysWOW64\Daeifj32.exe	Cildom32.exe
File created	C:\Windows\SysWOW64\Pedfeccm.dll	Dpmcmf32.exe
File opened for modification	C:\Windows\SysWOW64\Enemaimp.exe	Dpopbepi.exe
File opened for modification	C:\Windows\SysWOW64\Bbhildae.exe	94c0730e5dad4b5fa76f26bb3fc81c84afc4f120dd12e68081c2d3b5be821029.exe
File created	C:\Windows\SysWOW64\Ecikjoep.exe	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Edihdb32.exe	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Ofjljj32.dll	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Fnffhgon.exe	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Fjmfmh32.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Mnokmd32.dll	Cildom32.exe
File opened for modification	C:\Windows\SysWOW64\Fjocbhbo.exe	Fklcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Cpljehpo.exe	Bbhildae.exe
File opened for modification	C:\Windows\SysWOW64\Fjeplijj.exe	Edihdb32.exe
File created	C:\Windows\SysWOW64\Fgiaemic.exe	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fjmfmh32.exe
File opened for modification	C:\Windows\SysWOW64\Fklcgk32.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Fohoiloe.dll	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Fbcolk32.dll	Ckbncapd.exe
File opened for modification	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fjmfmh32.exe
File opened for modification	C:\Windows\SysWOW64\Ccblbb32.exe	Cigkdmel.exe
File opened for modification	C:\Windows\SysWOW64\Edihdb32.exe	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Fjeplijj.exe	Edihdb32.exe
File created	C:\Windows\SysWOW64\Fachkklb.dll	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Lhaiafem.dll	Egnajocq.exe
File created	C:\Windows\SysWOW64\Kamonn32.dll	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Dnqcfjae.exe	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Ekngemhd.exe	Ephbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Fqbeoc32.exe	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Ckbncapd.exe	Cpljehpo.exe
File opened for modification	C:\Windows\SysWOW64\Dpmcmf32.exe	Dcibca32.exe
File created	C:\Windows\SysWOW64\Gadeee32.dll	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Fdakcc32.dll	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Daeifj32.exe	Cildom32.exe
File opened for modification	C:\Windows\SysWOW64\Fqdbdbna.exe	Fnffhgon.exe
File opened for modification	C:\Windows\SysWOW64\Fcbnpnme.exe	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Fjocbhbo.exe	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Enemaimp.exe	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Fklcgk32.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Bhkacq32.dll	Enemaimp.exe
File opened for modification	C:\Windows\SysWOW64\Fcpakn32.exe	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Ccblbb32.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Okkbgpmc.dll	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Npgqep32.dll	Dpopbepi.exe
File opened for modification	C:\Windows\SysWOW64\Fnffhgon.exe	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Dcibca32.exe	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Fcekfnkb.exe	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Ckbncapd.exe	Cpljehpo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4188	780	WerFault.exe	130

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpmcmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjmfmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmcgcmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ephbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcekfnkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fklcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daeifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjeplijj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egnajocq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcibca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cildom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edihdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cigkdmel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enemaimp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbncapd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpljehpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjocbhbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94c0730e5dad4b5fa76f26bb3fc81c84afc4f120dd12e68081c2d3b5be821029.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpopbepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epffbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhildae.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbcolk32.dll"	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acajpc32.dll"	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodfed32.dll"	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhaiafem.dll"	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolgql32.dll"	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	94c0730e5dad4b5fa76f26bb3fc81c84afc4f120dd12e68081c2d3b5be821029.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdbbme32.dll"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edihdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	94c0730e5dad4b5fa76f26bb3fc81c84afc4f120dd12e68081c2d3b5be821029.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakcc32.dll"	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadeee32.dll"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajlgpic.dll"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkacq32.dll"	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamonn32.dll"	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllinoed.dll"	Epffbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll"	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bailkjga.dll"	Dcibca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnimkcjf.dll"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqqddpi.dll"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldicpljn.dll"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacdhhjj.dll"	Edihdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofjljj32.dll"	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbhildae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjmfmh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 2228	3468	94c0730e5dad4b5fa76f26bb3fc81c84afc4f120dd12e68081c2d3b5be821029.exe	93
PID 3468 wrote to memory of 2228	3468	94c0730e5dad4b5fa76f26bb3fc81c84afc4f120dd12e68081c2d3b5be821029.exe	93
PID 3468 wrote to memory of 2228	3468	94c0730e5dad4b5fa76f26bb3fc81c84afc4f120dd12e68081c2d3b5be821029.exe	93
PID 2228 wrote to memory of 1928	2228	Bbhildae.exe	94
PID 2228 wrote to memory of 1928	2228	Bbhildae.exe	94
PID 2228 wrote to memory of 1928	2228	Bbhildae.exe	94
PID 1928 wrote to memory of 2284	1928	Cpljehpo.exe	95
PID 1928 wrote to memory of 2284	1928	Cpljehpo.exe	95
PID 1928 wrote to memory of 2284	1928	Cpljehpo.exe	95
PID 2284 wrote to memory of 2336	2284	Ckbncapd.exe	96
PID 2284 wrote to memory of 2336	2284	Ckbncapd.exe	96
PID 2284 wrote to memory of 2336	2284	Ckbncapd.exe	96
PID 2336 wrote to memory of 2732	2336	Ccmcgcmp.exe	98
PID 2336 wrote to memory of 2732	2336	Ccmcgcmp.exe	98
PID 2336 wrote to memory of 2732	2336	Ccmcgcmp.exe	98
PID 2732 wrote to memory of 1604	2732	Cigkdmel.exe	100
PID 2732 wrote to memory of 1604	2732	Cigkdmel.exe	100
PID 2732 wrote to memory of 1604	2732	Cigkdmel.exe	100
PID 1604 wrote to memory of 2356	1604	Ccblbb32.exe	101
PID 1604 wrote to memory of 2356	1604	Ccblbb32.exe	101
PID 1604 wrote to memory of 2356	1604	Ccblbb32.exe	101
PID 2356 wrote to memory of 1764	2356	Cildom32.exe	102
PID 2356 wrote to memory of 1764	2356	Cildom32.exe	102
PID 2356 wrote to memory of 1764	2356	Cildom32.exe	102
PID 1764 wrote to memory of 4836	1764	Daeifj32.exe	103
PID 1764 wrote to memory of 4836	1764	Daeifj32.exe	103
PID 1764 wrote to memory of 4836	1764	Daeifj32.exe	103
PID 4836 wrote to memory of 548	4836	Dcffnbee.exe	105
PID 4836 wrote to memory of 548	4836	Dcffnbee.exe	105
PID 4836 wrote to memory of 548	4836	Dcffnbee.exe	105
PID 548 wrote to memory of 2792	548	Dcibca32.exe	106
PID 548 wrote to memory of 2792	548	Dcibca32.exe	106
PID 548 wrote to memory of 2792	548	Dcibca32.exe	106
PID 2792 wrote to memory of 3224	2792	Dpmcmf32.exe	107
PID 2792 wrote to memory of 3224	2792	Dpmcmf32.exe	107
PID 2792 wrote to memory of 3224	2792	Dpmcmf32.exe	107
PID 3224 wrote to memory of 4960	3224	Dnqcfjae.exe	108
PID 3224 wrote to memory of 4960	3224	Dnqcfjae.exe	108
PID 3224 wrote to memory of 4960	3224	Dnqcfjae.exe	108
PID 4960 wrote to memory of 5040	4960	Dpopbepi.exe	109
PID 4960 wrote to memory of 5040	4960	Dpopbepi.exe	109
PID 4960 wrote to memory of 5040	4960	Dpopbepi.exe	109
PID 5040 wrote to memory of 4056	5040	Enemaimp.exe	110
PID 5040 wrote to memory of 4056	5040	Enemaimp.exe	110
PID 5040 wrote to memory of 4056	5040	Enemaimp.exe	110
PID 4056 wrote to memory of 1656	4056	Egnajocq.exe	111
PID 4056 wrote to memory of 1656	4056	Egnajocq.exe	111
PID 4056 wrote to memory of 1656	4056	Egnajocq.exe	111
PID 1656 wrote to memory of 2880	1656	Epffbd32.exe	112
PID 1656 wrote to memory of 2880	1656	Epffbd32.exe	112
PID 1656 wrote to memory of 2880	1656	Epffbd32.exe	112
PID 2880 wrote to memory of 4344	2880	Ephbhd32.exe	113
PID 2880 wrote to memory of 4344	2880	Ephbhd32.exe	113
PID 2880 wrote to memory of 4344	2880	Ephbhd32.exe	113
PID 4344 wrote to memory of 3196	4344	Ekngemhd.exe	114
PID 4344 wrote to memory of 3196	4344	Ekngemhd.exe	114
PID 4344 wrote to memory of 3196	4344	Ekngemhd.exe	114
PID 3196 wrote to memory of 2280	3196	Ecikjoep.exe	115
PID 3196 wrote to memory of 2280	3196	Ecikjoep.exe	115
PID 3196 wrote to memory of 2280	3196	Ecikjoep.exe	115
PID 2280 wrote to memory of 4412	2280	Edihdb32.exe	116
PID 2280 wrote to memory of 4412	2280	Edihdb32.exe	116
PID 2280 wrote to memory of 4412	2280	Edihdb32.exe	116
PID 4412 wrote to memory of 5112	4412	Fjeplijj.exe	117

C:\Users\Admin\AppData\Local\Temp\94c0730e5dad4b5fa76f26bb3fc81c84afc4f120dd12e68081c2d3b5be821029.exe
"C:\Users\Admin\AppData\Local\Temp\94c0730e5dad4b5fa76f26bb3fc81c84afc4f120dd12e68081c2d3b5be821029.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\SysWOW64\Bbhildae.exe
  C:\Windows\system32\Bbhildae.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\Cpljehpo.exe
    C:\Windows\system32\Cpljehpo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\Ckbncapd.exe
      C:\Windows\system32\Ckbncapd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 412
        37⤵
        Program crash
        
        PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 780 -ip 780
1⤵
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:8
1⤵
PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbhildae.exe

Filesize
512KB

MD5
e7df37b13fb3d5dc061ab7413288b5c7

SHA1
cd0cd00154167dd64598ebd8971d8403d010a715

SHA256
b0e45356fa590d5bfa1a86a0d1cc2325801f3eb036bf4fe37d0d316a8fcbbb62

SHA512
cb65b3585eb1e7979f9edb82b3a91f3aec74d9f0c7e5f7ba22c8396d0346578a6b55316e5bc953b484d733d35f6fbddb87ffef92c8442354f8a8312cfd4289bf

Download Submit
C:\Windows\SysWOW64\Ccblbb32.exe

Filesize
512KB

MD5
0c52b602fc8722c896c32d83fe595a5b

SHA1
71651ec9575fb6ca50c517ccb4358b2b94f2800a

SHA256
61da6e40ba03f7eb38e2f944f45425faea7fdd248813cd2a046655a115bffb88

SHA512
5441e8b26d7f2bd2438944f160bebfcb8b61897888dbe3f56e498582da5dbcbc89dfe84773333cd1f051c6f45327ce585d5fbae0d04f713a85a1efe59b43b530

Download Submit
C:\Windows\SysWOW64\Ccmcgcmp.exe

Filesize
512KB

MD5
32ce8ba4bb3449658d5979b3087ffcde

SHA1
8e2e8812e39aeba240b13d65341087a68dd7277e

SHA256
4153640dff15dc6905119c796994d650d6ebb35f26c04c043cb5e70b42a58180

SHA512
3c58e8e2c3096f3d637153b3475ac23132d95d9dfa68ea190c8de9773db319af8dda5f0adb0db38b557038da9a70a0cd25abb069a035debbd9dda91bd094bb61

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
512KB

MD5
a187ed5ead260bf1fb9a4abe3a161d58

SHA1
46f084c6bc03808a75f2616a63292a6b3e6b6779

SHA256
f4fe5944e88e4aac10aba89fed971b3f5bc750b3298ae48d5983b1a63148c29e

SHA512
3705991df3a6f7d2b13235451fa72c673d79186ea7e16e29f4104002a22bbb8bc865204af7afdd2200a33beed520b31c93a7d9a8ee6334166954db219f8d7926

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
512KB

MD5
42c76a308bbeb56f2a958e98e4e0aca7

SHA1
65c7aad0aff61a65ee7f869057b777ba02f7cc1f

SHA256
3e7638977a40c4064f8677ab4097bf2ee0b219afa2a666dd9abeec14b8eabc79

SHA512
12b266d389d784a7d3b3431ac5ae286cc0e8f90738160f2c3292ae826ae1a1cd6250b04afecd8667901a7ca0a10291e152038aaf24a90121607a78fc40f61d72

Download Submit
C:\Windows\SysWOW64\Ckbncapd.exe

Filesize
512KB

MD5
d9de0152c532752da6c87a7b0e49ab08

SHA1
845abfbc2d7674e888c0bf9cec2debd04d0244e2

SHA256
a6ad25177688a0f8cbd114eb0a9d504de2ed5fc149ace6ed51e8defe8149fd14

SHA512
548c1523ee041c68415208738047b622659405836a964161500ad4fd136eb62afdc4404e966075133fe91fa05caddf0eda1165b8af83a9a8435bac9448f9b3f5

Download Submit
C:\Windows\SysWOW64\Cpljehpo.exe

Filesize
512KB

MD5
2c8c9b4ac55632396c95054844b6f757

SHA1
65c450d7dc4617dc25788e2934a7d452ef58ba5a

SHA256
1aae4ba3aadffac7581baea08973ab95de3e830bebb6ce5092d52c1e6231dfb5

SHA512
acacc4ad7b89b64df58369586b0998351e80469c68b211a94d6c25ae94a909c2693e1ac080f8f5f7c51869c6cad11413aacb3edb252f0033560a6a095f8c0149

Download Submit
C:\Windows\SysWOW64\Daeifj32.exe

Filesize
512KB

MD5
ae09957c3acd686207baff918380e112

SHA1
692457f7b86476a76a71736f1666ce318f908d25

SHA256
8c199317aea5f77371f6ed7f3f788c74776d96313f060ca1259cd546cf82cdf9

SHA512
78af0053b7ee767ce3ca278b732b8898a67e44bcccb6d30759b0dbc39b555ea2a16e081b77eb6a4838768855576d8db9080751803477de0fffa8d0a97530e536

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
512KB

MD5
327025977d846682f8de649b80671368

SHA1
a598e943c8e859ae29754423f180ae534042bb1e

SHA256
bc37b86ee0cccc6ec0ef87d7c6e23cbd49eff54f1c7d9aea3a5797b79bd0dcd2

SHA512
18a5bcbd8bcc83a13e9f0e4a0af9b2495c8151a9042779f994ba9dd885016bce50e78323c22cc8459f56cde4d446c2f4f051fee3242856ec5869de35ba9c008f

Download Submit
C:\Windows\SysWOW64\Dcibca32.exe

Filesize
512KB

MD5
5af4cb772d83bc271f9d1e47d5cc1444

SHA1
f7c1ed034d68b6bae719c33f226be529539e8729

SHA256
1f1adfdf725d9c2e093c42aaaf2f05066d23fa47d71a7f301f12a6aae89e6246

SHA512
66f39e3f33651e2e08ea65117c39a6a2bc6cab20c9e8afc103cf6ce654de8032e85cb3fab5b6fed7b2a81ac285e908f0c672630d006dbe420c1785588b634d81

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
512KB

MD5
985abee3e63e8ab5d2e936d2495f6aa9

SHA1
019e0a13a99061d8bd851bc9a4e29dfb660dacdd

SHA256
dffb1dde4402718a4d943d1b32314951e0db19c5659de248e00099167a0398b7

SHA512
d36677821a24e14ab17c1341a1f73bcf2abddac8d6db997eae9b6f52ae50cf2825db42552474989115190d7e84646cd230a3d14ef2fe13bbd690c0d854bd0419

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
512KB

MD5
42f6f8918c3e13ec4a643d59f287a231

SHA1
13f8a3b47ae59a84925832b79de8130713b7627d

SHA256
b4d26855a2d22ccd1cb1479483046b77a84d41a739c58bdc0c8364b09afa8be0

SHA512
199ba97fbe9a67a94f15fd729fc6b69b1bf62ccfbebbdb8f0bc74fa18d3010de5ceb64601b58566acec63eb85cf64fe9171483082b1ca08d5c749fdaf2e9a82f

Download Submit
C:\Windows\SysWOW64\Dpopbepi.exe

Filesize
512KB

MD5
aa4662207f3140c1985f703e7b3e673b

SHA1
cd120343c577c378ea45b3537d07cf4ea17e9324

SHA256
be950a02d7b860c14a2e542bf56f1aa0748589f8d858bd443d93364448c80914

SHA512
40ccf2ef484430d80d491c82d524e10b7c457dce2edd7e8954c31b6ef12254337daf998346fd1cd04bac906ebfa6dea346d739f2e044c309a0a0fa04523d7982

Download Submit
C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
512KB

MD5
bdd8c6610b7f5f60f58577ea6e625e3e

SHA1
c97c48fd0d12ba2ae3e3bf912921be65ac2839fa

SHA256
cff5d47c2d1404b9a1d19d0cad9298fdff7733172320fd9d6b0358dbdaad10a8

SHA512
94150890ffe1cad985eed1b877582e66d3bd90923f78e82a8eeb2600ad861da8d734cfde48b1a0dbca0edd5ef146864dfeb463f1df928edacf80930ee2f6a68e

Download Submit
C:\Windows\SysWOW64\Edihdb32.exe

Filesize
512KB

MD5
d433d1ad42813b8246a814b3b9d2bc7e

SHA1
00de74c14c722368d5b03dfd5739eb0bc624994b

SHA256
a47d4a830e2afe728052c9a0f67c65df3dbe1d66014b88053f4fdf24d4635524

SHA512
8804f32b86ebe36721c3a95b44e70766d596edc08d677a47309df9a185f4afedcf182175297d215dc7d6229c72b7bf6d6c4040878601f60f65bf5f44a57be385

Download Submit
C:\Windows\SysWOW64\Egnajocq.exe

Filesize
512KB

MD5
ff1a29fc4fd20d796f3bcae8c2671d04

SHA1
81a2329b644201974e4763f1eb0718575d5956da

SHA256
a4802542e45d030d6341edc0735dddcc9a797b5533c9288ca5e6160f6f617bf0

SHA512
147bd37cd6042ea0c373504cbbc8465a992e2aa21b53683af0e6a86adc2892c3ad06c44304e921876109360fb51ba277bcbfec7ffb2919aab7e226f8002a47be

Download Submit
C:\Windows\SysWOW64\Ekngemhd.exe

Filesize
512KB

MD5
bdc2924d2ff4de2bea84a7f209ebec9b

SHA1
55fe5379df489b76c08f3f66433d61774df56df2

SHA256
c26357a598df4a7882cfbe565e631a34bbe41950fb91f1376f7bfc54abc5b811

SHA512
51b416e1c5ffa3541acfaed24b67665a2946ca4bfa2691d5a6f3dfa79add3bc5cbd0c458cf8bc0157f229a8282163e069b110357b4fc4e1f59ba0e94487b2d5d

Download Submit
C:\Windows\SysWOW64\Enemaimp.exe

Filesize
512KB

MD5
b04efb3533feba2e6c1c792637ba6d3f

SHA1
0133a757e715cba2aef0c4548c0415238e2d54df

SHA256
8dde3e84d32f555317a5827423259ba13a1b54c9d46819db117c6e0572d28bc1

SHA512
93049ca01d36f97cd61676e8a110593c325a993372353d54859dda15eb33ad8ac6e53ebaad87eefd53268d8ecb0b1fcb7ad9edd6ce2d6ee58e2c149bebb25561

Download Submit
C:\Windows\SysWOW64\Epffbd32.exe

Filesize
512KB

MD5
39dbdfff2ed48572cec65716b8675bde

SHA1
69b48e5dd7794a227cf7188000ddc2b217dd2535

SHA256
7089514769f118e6e01a54ee88cef6e88656af1bdf7e5873893b1edaae1ca379

SHA512
8a10d7a31d7293cb86a3b3cd97b6975019be0ed99feba9252139365e244afe943ac648d23967db6d3bdc7149718e62c86b01a2819000d13a3907a63de3bf9b43

Download Submit
C:\Windows\SysWOW64\Ephbhd32.exe

Filesize
512KB

MD5
6fe9c4455cb376a178b57f254bd0e774

SHA1
f7f9521b10c830e98631aac4c1962099a31c3c7b

SHA256
ddae497f8b3eb97a31fbb677924a3ae0ec08fbb74f88098c9441542c4986f7fb

SHA512
a2c040960801bef0dd6a865cc3c086eb97a69470b8eaa7064121a1976787581fa939b73fec8ef4c72811c2ef2f84efd086538a9b532bfe079bff1ec294f63157

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
512KB

MD5
757a5c3d05005bbb72201c730cba8db9

SHA1
8e6ffa949ed77c0990f0864dbd63a929556c044a

SHA256
27e03a8881ae50a50ff52552328bf0c6ca2dc4147892812321300a24cd8f4856

SHA512
c372e7072e582c02cf21e51b508f05b069756256e6d23e99b00210a50bc998bdab57b7c53d93471934cb8c0867f67e0767066c220a4812de8da4360d2e429f23

Download Submit
C:\Windows\SysWOW64\Fcekfnkb.exe

Filesize
512KB

MD5
11c33e10ab95b5416b88a30ce41e5a75

SHA1
4aee3033a9c869d32b5b8ceee568f6f1d3cb7dab

SHA256
3ee0380138942f7c2acdaf9c5f1800a7c0d9975e0a2291e1d721b431687fcd98

SHA512
bdd38e92f83f9466943e8d6e22f4730e6892b45de42470367f60afb3681b0d6158fc16e647b82ba239f6ca878b46492f8d99e3ce1daf0fe16d322cb835e8ba18

Download Submit
C:\Windows\SysWOW64\Fcpakn32.exe

Filesize
512KB

MD5
3595f722c89a9577f40abe78eb2d8769

SHA1
b3711ffb19565715c690336f8c7670d1b375418a

SHA256
8b06f7b3cf4b2c35b56b37b67f32ce040b7a2c2d260b3238597466138a35aa9c

SHA512
314aba8b506d46329a1c3adfd6d3ec77ff1ad2cd51d56c94457dcd65f46a39f893b2bbb34d15d5718fa55964f2e751d88399034edc7ac656fd4366b06cf92527

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
512KB

MD5
45cf0b744bf40fae567adc3c475841ca

SHA1
30140b0e7f590b66da9e9cdb61e423d232b1226b

SHA256
12268b13d3be70d8168012e449cae8427d6169d946500de50af0e31a8ee4ca4c

SHA512
b70eae9276a54bc45d54ab338ab0f1db6c5a8011f53de2bde1e22051ae25506891c82659c4301ed038b34889c5d1cf2d9a14d3834779c943d64f86c5589bbd92

Download Submit
C:\Windows\SysWOW64\Fjeplijj.exe

Filesize
512KB

MD5
0759b68323f51b295d7aefe2b61c1214

SHA1
bcc60543578ed3c075b82e18a40b9d70d9037b01

SHA256
49486aa733494d832706d83cb2f111533edc297e3802ecf23b1ed70e65b8af80

SHA512
44551e88ef9a3320c6d8c18d33658dc4aea3121bc59ce6c34a6784a4c725ca8842640a07e1ac2e246ee256a419419926f630fba963ef629960baf7230274ddea

Download Submit
C:\Windows\SysWOW64\Fjmfmh32.exe

Filesize
512KB

MD5
2069ed44cd2d5466e3798857b5b622e8

SHA1
d94810e06a20a3d45541b52f5789c5587231f668

SHA256
af4a0ce4800d028717675a2b6c4160301a32935676b53b727a59f91fcbca3b10

SHA512
43e96a9269d03a5c0eadfef1eba3e587e5b703f3a47ffaf67a0f16286fc8b542dcf91125b640ac2a0125d5ad257768279226e94ccc40b085dc9af24969430e16

Download Submit
C:\Windows\SysWOW64\Fklcgk32.exe

Filesize
512KB

MD5
3d9c892d5df3ea4ca75b189de6b9ba74

SHA1
1c7407b3f15a11cbb711b57564d5730b4a0fb332

SHA256
f4833b76b475390bc0b21d481ca2ef765dd15324ad8a7c3a1ec60a9372b7d68a

SHA512
c148fe1124def9db2bb3a9b56e06d428b59d76b10f73d518fcb9e12a6edc6f271a277d2c80f97b6acf00a251de289a076e96e521e823fbd6f96b7a54f42f3b2a

Download Submit
C:\Windows\SysWOW64\Fnffhgon.exe

Filesize
512KB

MD5
2d1c15151db5139b9264452168104774

SHA1
4b5a5afa3b40fa645f5f156d3026b8f6e2dbc3bd

SHA256
6da64598fcc5e47811844b70604c5dc4743c4d1943354dbcaef39f1fcb5b1e2f

SHA512
de4c9640b6e936270492a0038f3c6a24eaa5829c2df0fb5d9fc6257cc48cf38e990fd3635bb89d286c3dcbddd3f76e3ca402cd594e3f92ac40ac44269ac3d05b

Download Submit
C:\Windows\SysWOW64\Fnhbmgmk.exe

Filesize
512KB

MD5
80e4402b7cd1f722a5adbd8d590aba40

SHA1
5c483b0e1725dd0252b03cc1383411374a335fbb

SHA256
9db0ea4815d3384add8004894d07b57ab5b2c372d893c9c9f55258a9c0913c89

SHA512
a1c57d1c0e68dd199fccbf847872e11882c4e338ae97b4358d3253ad3a0444b8f1cff335040a5cefbeed21585eec603de0057067df9a353662bb51789314429a

Download Submit
C:\Windows\SysWOW64\Fqbeoc32.exe

Filesize
512KB

MD5
d1106c070a7d3204bbdd958a74051e3e

SHA1
09486c32cd60a8805f2b305434f3d9bbbf18cfdd

SHA256
59cc26a8b253a79d9a891b82e9fe889fdcb12aad6203d87ca1f2b3908e04d834

SHA512
10a09570e419d8991449a00a219a597fddfe1a8ff09c3e93f8231887fc3ee60b439f11cebcb4f4beb0b7a760f4eaf9224225deda98c1f5660d0c419e628193f2

Download Submit
C:\Windows\SysWOW64\Fqdbdbna.exe

Filesize
512KB

MD5
71770b7c568640bf4687b8091e9e31d2

SHA1
2ec51c2a73379879ba5cd59023027126adb2d8b9

SHA256
11888f162fdd891b4dbd82793b6539e7a3d6f2751e54035eedbf877d904bb03c

SHA512
1707b769f78cb67e3e44e84050cbb1dae4f930ba6364bb222c69d57057099ee312ab115bf4ea17c229adf501ad3ff0246befa23232fd0294c24273119c064c08

Download Submit
C:\Windows\SysWOW64\Fqfojblo.exe

Filesize
512KB

MD5
740082796239f4b90e9a57eab5eabcce

SHA1
f898beb0d603191983723df4346735c6e1b4c112

SHA256
f05990f99a28725766a6492a8c721fbe9f05d728694018e28b0c8fa888367162

SHA512
3be155ad897561ac3f709d7070c467f4e100d64b178a31fcc8736b0e27b45c7f207dd2e0fda14baa378d10771c97857b0930402bb0bcaa3ca75f6465b6b197ec

Download Submit
C:\Windows\SysWOW64\Jlojif32.dll

Filesize
7KB

MD5
ffaf5fdce63a6d95c375ef40e0e6f7ea

SHA1
f45c8f7e63c8bb08e6d12267409035b397c4a1bc

SHA256
1e437b82b688aebb613f99842934f2fab4151c5394dcc9368aff8caffe0765f3

SHA512
56864f82b1772245829f14ae0eebe3004a802fa869001b11ba572c4857c6e2740eacd5cd0e2833b5b134e446eb81e8fcc5c4bafba20dfe1fe4a3aef35630c4ba

Download Submit
memory/512-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads