c451a595422897bad6c2aa68951e776b43cc5ceb3d0b3ff22585e86dc01f70e4

Analysis

max time kernel
134s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 11:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c451a595422897bad6c2aa68951e776b43cc5ceb3d0b3ff22585e86dc01f70e4.exe
Size

56KB
MD5

573abe84ff67ebea7a5def35922712e6
SHA1

d1da531125177781435ff268b6c516d7810d50db
SHA256

c451a595422897bad6c2aa68951e776b43cc5ceb3d0b3ff22585e86dc01f70e4
SHA512

dd7bc385f8fe19a506242ddb00113f9e130fffcd297d5657fa45a760a7fda48117dad6677514f92939915ff1e29ee9de908f65d4c4d37cfe13dd80728b19577a
SSDEEP

1536:+QhkUOX+qBHq0alGKEU+x5mzAmJjBPUD/:HVORBHq06GKEU+x5mztBPUD/

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egkddo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djegekil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egkddo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c451a595422897bad6c2aa68951e776b43cc5ceb3d0b3ff22585e86dc01f70e4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgihop32.exe

Executes dropped EXE 44 IoCs

pid	Process
3088	Ccppmc32.exe
4960	Cmedjl32.exe
632	Cpcpfg32.exe
2008	Cdolgfbp.exe
968	Cgmhcaac.exe
2840	Cacmpj32.exe
3396	Ccdihbgg.exe
4328	Dinael32.exe
5072	Dphiaffa.exe
1988	Ddcebe32.exe
336	Dnljkk32.exe
4296	Dcibca32.exe
2988	Dickplko.exe
3084	Ddhomdje.exe
3248	Djegekil.exe
1732	Dalofi32.exe
2060	Dcnlnaom.exe
5064	Dgihop32.exe
2608	Egkddo32.exe
4996	Ejjaqk32.exe
1016	Edoencdm.exe
4536	Egnajocq.exe
4380	Ekimjn32.exe
4312	Edaaccbj.exe
5068	Enjfli32.exe
1204	Eddnic32.exe
1136	Ejagaj32.exe
1472	Eqkondfl.exe
2660	Ekqckmfb.exe
4156	Enopghee.exe
3480	Fclhpo32.exe
4940	Fnalmh32.exe
3408	Fdkdibjp.exe
2740	Fkemfl32.exe
4856	Fboecfii.exe
3044	Fcpakn32.exe
3552	Fjjjgh32.exe
2836	Fqdbdbna.exe
2860	Fcbnpnme.exe
556	Fgnjqm32.exe
1460	Fqfojblo.exe
4496	Fgqgfl32.exe
1684	Fjocbhbo.exe
4616	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nailkcbb.dll	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Fgnjqm32.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Mbddol32.dll	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cgmhcaac.exe	Cdolgfbp.exe
File opened for modification	C:\Windows\SysWOW64\Dphiaffa.exe	Dinael32.exe
File created	C:\Windows\SysWOW64\Dnljkk32.exe	Ddcebe32.exe
File opened for modification	C:\Windows\SysWOW64\Dnljkk32.exe	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Fnalmh32.exe	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Gihfoi32.dll	Fcbnpnme.exe
File opened for modification	C:\Windows\SysWOW64\Dcnlnaom.exe	Dalofi32.exe
File opened for modification	C:\Windows\SysWOW64\Ekimjn32.exe	Egnajocq.exe
File created	C:\Windows\SysWOW64\Enjfli32.exe	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Pbfbkfaa.dll	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Ldicpljn.dll	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Ccppmc32.exe	c451a595422897bad6c2aa68951e776b43cc5ceb3d0b3ff22585e86dc01f70e4.exe
File opened for modification	C:\Windows\SysWOW64\Cacmpj32.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Mjbaohka.dll	Ddcebe32.exe
File opened for modification	C:\Windows\SysWOW64\Enjfli32.exe	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Binfdh32.dll	Edaaccbj.exe
File opened for modification	C:\Windows\SysWOW64\Fboecfii.exe	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Djegekil.exe	Ddhomdje.exe
File created	C:\Windows\SysWOW64\Dgihop32.exe	Dcnlnaom.exe
File opened for modification	C:\Windows\SysWOW64\Dgihop32.exe	Dcnlnaom.exe
File opened for modification	C:\Windows\SysWOW64\Fgqgfl32.exe	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Cmedjl32.exe	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cpcpfg32.exe	Cmedjl32.exe
File created	C:\Windows\SysWOW64\Dcnlnaom.exe	Dalofi32.exe
File created	C:\Windows\SysWOW64\Gfbhcl32.dll	Egkddo32.exe
File created	C:\Windows\SysWOW64\Edaaccbj.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Fqdbdbna.exe	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Jnblgj32.dll	c451a595422897bad6c2aa68951e776b43cc5ceb3d0b3ff22585e86dc01f70e4.exe
File created	C:\Windows\SysWOW64\Bhkacq32.dll	Edoencdm.exe
File created	C:\Windows\SysWOW64\Eqkondfl.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Dickplko.exe	Dcibca32.exe
File created	C:\Windows\SysWOW64\Dalofi32.exe	Djegekil.exe
File created	C:\Windows\SysWOW64\Ejagaj32.exe	Eddnic32.exe
File created	C:\Windows\SysWOW64\Enopghee.exe	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Fbjbac32.dll	Enjfli32.exe
File created	C:\Windows\SysWOW64\Fkemfl32.exe	Fdkdibjp.exe
File opened for modification	C:\Windows\SysWOW64\Dickplko.exe	Dcibca32.exe
File opened for modification	C:\Windows\SysWOW64\Ejjaqk32.exe	Egkddo32.exe
File created	C:\Windows\SysWOW64\Aammfkln.dll	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Ikpndppf.dll	Ddhomdje.exe
File created	C:\Windows\SysWOW64\Fohogfgd.dll	Djegekil.exe
File opened for modification	C:\Windows\SysWOW64\Fclhpo32.exe	Enopghee.exe
File created	C:\Windows\SysWOW64\Fqfojblo.exe	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Cpcpfg32.exe	Cmedjl32.exe
File opened for modification	C:\Windows\SysWOW64\Ddcebe32.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Pjcblekh.dll	Dickplko.exe
File created	C:\Windows\SysWOW64\Adbofa32.dll	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Mfnlgh32.dll	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Cacmpj32.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Jfqqddpi.dll	Fboecfii.exe
File created	C:\Windows\SysWOW64\Hdeeipfp.dll	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Fgqgfl32.exe	Fqfojblo.exe
File opened for modification	C:\Windows\SysWOW64\Fjocbhbo.exe	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Ccdihbgg.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Foolmeif.dll	Dcibca32.exe
File created	C:\Windows\SysWOW64\Jjnmkgom.dll	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Egnajocq.exe	Edoencdm.exe
File created	C:\Windows\SysWOW64\Fclhpo32.exe	Enopghee.exe
File opened for modification	C:\Windows\SysWOW64\Fqdbdbna.exe	Fjjjgh32.exe
File opened for modification	C:\Windows\SysWOW64\Ccdihbgg.exe	Cacmpj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1296	4616	WerFault.exe	136

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccdihbgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekimjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacmpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edoencdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekqckmfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c451a595422897bad6c2aa68951e776b43cc5ceb3d0b3ff22585e86dc01f70e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjocbhbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmhcaac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djegekil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dickplko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjfli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejagaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclhpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccppmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcpfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkddo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejjaqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enopghee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnalmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkemfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdolgfbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egnajocq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edaaccbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddnic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkondfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjjgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhomdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcnlnaom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcibca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgihop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkdibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fboecfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnljkk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c451a595422897bad6c2aa68951e776b43cc5ceb3d0b3ff22585e86dc01f70e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcibca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpcgc32.dll"	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqqddpi.dll"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgihop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppkjigdd.dll"	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c451a595422897bad6c2aa68951e776b43cc5ceb3d0b3ff22585e86dc01f70e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbigo32.dll"	Dgihop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c451a595422897bad6c2aa68951e776b43cc5ceb3d0b3ff22585e86dc01f70e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edoencdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eddnic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpndppf.dll"	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dinael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijgd32.dll"	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enopghee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcibca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dickplko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enjfli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkacq32.dll"	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjjlakk.dll"	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll"	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmojj32.dll"	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoope32.dll"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adbofa32.dll"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjnmkgom.dll"	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajlgpic.dll"	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjocbhbo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 3088	4500	c451a595422897bad6c2aa68951e776b43cc5ceb3d0b3ff22585e86dc01f70e4.exe	90
PID 4500 wrote to memory of 3088	4500	c451a595422897bad6c2aa68951e776b43cc5ceb3d0b3ff22585e86dc01f70e4.exe	90
PID 4500 wrote to memory of 3088	4500	c451a595422897bad6c2aa68951e776b43cc5ceb3d0b3ff22585e86dc01f70e4.exe	90
PID 3088 wrote to memory of 4960	3088	Ccppmc32.exe	91
PID 3088 wrote to memory of 4960	3088	Ccppmc32.exe	91
PID 3088 wrote to memory of 4960	3088	Ccppmc32.exe	91
PID 4960 wrote to memory of 632	4960	Cmedjl32.exe	92
PID 4960 wrote to memory of 632	4960	Cmedjl32.exe	92
PID 4960 wrote to memory of 632	4960	Cmedjl32.exe	92
PID 632 wrote to memory of 2008	632	Cpcpfg32.exe	93
PID 632 wrote to memory of 2008	632	Cpcpfg32.exe	93
PID 632 wrote to memory of 2008	632	Cpcpfg32.exe	93
PID 2008 wrote to memory of 968	2008	Cdolgfbp.exe	94
PID 2008 wrote to memory of 968	2008	Cdolgfbp.exe	94
PID 2008 wrote to memory of 968	2008	Cdolgfbp.exe	94
PID 968 wrote to memory of 2840	968	Cgmhcaac.exe	95
PID 968 wrote to memory of 2840	968	Cgmhcaac.exe	95
PID 968 wrote to memory of 2840	968	Cgmhcaac.exe	95
PID 2840 wrote to memory of 3396	2840	Cacmpj32.exe	96
PID 2840 wrote to memory of 3396	2840	Cacmpj32.exe	96
PID 2840 wrote to memory of 3396	2840	Cacmpj32.exe	96
PID 3396 wrote to memory of 4328	3396	Ccdihbgg.exe	97
PID 3396 wrote to memory of 4328	3396	Ccdihbgg.exe	97
PID 3396 wrote to memory of 4328	3396	Ccdihbgg.exe	97
PID 4328 wrote to memory of 5072	4328	Dinael32.exe	98
PID 4328 wrote to memory of 5072	4328	Dinael32.exe	98
PID 4328 wrote to memory of 5072	4328	Dinael32.exe	98
PID 5072 wrote to memory of 1988	5072	Dphiaffa.exe	100
PID 5072 wrote to memory of 1988	5072	Dphiaffa.exe	100
PID 5072 wrote to memory of 1988	5072	Dphiaffa.exe	100
PID 1988 wrote to memory of 336	1988	Ddcebe32.exe	101
PID 1988 wrote to memory of 336	1988	Ddcebe32.exe	101
PID 1988 wrote to memory of 336	1988	Ddcebe32.exe	101
PID 336 wrote to memory of 4296	336	Dnljkk32.exe	102
PID 336 wrote to memory of 4296	336	Dnljkk32.exe	102
PID 336 wrote to memory of 4296	336	Dnljkk32.exe	102
PID 4296 wrote to memory of 2988	4296	Dcibca32.exe	104
PID 4296 wrote to memory of 2988	4296	Dcibca32.exe	104
PID 4296 wrote to memory of 2988	4296	Dcibca32.exe	104
PID 2988 wrote to memory of 3084	2988	Dickplko.exe	105
PID 2988 wrote to memory of 3084	2988	Dickplko.exe	105
PID 2988 wrote to memory of 3084	2988	Dickplko.exe	105
PID 3084 wrote to memory of 3248	3084	Ddhomdje.exe	107
PID 3084 wrote to memory of 3248	3084	Ddhomdje.exe	107
PID 3084 wrote to memory of 3248	3084	Ddhomdje.exe	107
PID 3248 wrote to memory of 1732	3248	Djegekil.exe	108
PID 3248 wrote to memory of 1732	3248	Djegekil.exe	108
PID 3248 wrote to memory of 1732	3248	Djegekil.exe	108
PID 1732 wrote to memory of 2060	1732	Dalofi32.exe	109
PID 1732 wrote to memory of 2060	1732	Dalofi32.exe	109
PID 1732 wrote to memory of 2060	1732	Dalofi32.exe	109
PID 2060 wrote to memory of 5064	2060	Dcnlnaom.exe	110
PID 2060 wrote to memory of 5064	2060	Dcnlnaom.exe	110
PID 2060 wrote to memory of 5064	2060	Dcnlnaom.exe	110
PID 5064 wrote to memory of 2608	5064	Dgihop32.exe	111
PID 5064 wrote to memory of 2608	5064	Dgihop32.exe	111
PID 5064 wrote to memory of 2608	5064	Dgihop32.exe	111
PID 2608 wrote to memory of 4996	2608	Egkddo32.exe	112
PID 2608 wrote to memory of 4996	2608	Egkddo32.exe	112
PID 2608 wrote to memory of 4996	2608	Egkddo32.exe	112
PID 4996 wrote to memory of 1016	4996	Ejjaqk32.exe	113
PID 4996 wrote to memory of 1016	4996	Ejjaqk32.exe	113
PID 4996 wrote to memory of 1016	4996	Ejjaqk32.exe	113
PID 1016 wrote to memory of 4536	1016	Edoencdm.exe	114

C:\Users\Admin\AppData\Local\Temp\c451a595422897bad6c2aa68951e776b43cc5ceb3d0b3ff22585e86dc01f70e4.exe
"C:\Users\Admin\AppData\Local\Temp\c451a595422897bad6c2aa68951e776b43cc5ceb3d0b3ff22585e86dc01f70e4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\Ccppmc32.exe
  C:\Windows\system32\Ccppmc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\SysWOW64\Cmedjl32.exe
    C:\Windows\system32\Cmedjl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\SysWOW64\Cpcpfg32.exe
      C:\Windows\system32\Cpcpfg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 408
        46⤵
        Program crash
        
        PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4616 -ip 4616
1⤵
PID:752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4376,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cacmpj32.exe

Filesize
56KB

MD5
7e681193796b76141193d73909790f98

SHA1
c6a818e906ec8657965c81e113755bfbf053a24a

SHA256
65a49c54fe195716b828486bc24def12dbe3544cff79c78bc43803550c397c57

SHA512
68640509f953c56f98186cd4766b1a309a802372b1f6b1b3ca5c04a7fba7f47a61e296281770c109ca594f70ef1c6070d7febe03f70c93caff406cf19376fdbd

Download Submit
C:\Windows\SysWOW64\Ccdihbgg.exe

Filesize
56KB

MD5
711b6ee08350c69225c4fcfa5843483b

SHA1
77397c6a40fb9204fbc3f040b89419de777c981b

SHA256
8a0b3329307a60e013495fb200b739245ded843a6b802b04c22f53b2e2c3ab59

SHA512
ed1122b129e6329c5ee316d81c2d2b4b67e6ed6b68b0344aa6f46d83cf5094cd8c907034f77ab87a610c378fb62f36e9ee3555edfec0a687ef72dfac1c32adf0

Download Submit
C:\Windows\SysWOW64\Ccppmc32.exe

Filesize
56KB

MD5
657c388f89899183492436e3de4493ae

SHA1
acd6aff5cce5306ccbe129d3080b748b04a2ac3f

SHA256
71ce2cdc1f967ee772e513db1cffd2015a8876a0417d46550841bf7004f8aa2b

SHA512
c0b4c568182a1b4a851db30fac837d79129707925de5dac0dcbc30da24fa5a2f7e55827c3c801ee350c416e8f87a27725cee4df777997bb658effa1f29e33a88

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
56KB

MD5
1f2a8b873c0eee9c79fc6dc6ceae515b

SHA1
36553cdccc1ae7bd83c091ab1528fbe68c9a0b21

SHA256
780b359595d9f4ddcbcffd20423c27bed897ccb152c201ea75701a37c3dfc95d

SHA512
1b65ccd52502a69ce0d157f930c1878f953b3814bcb06960ca36074e3176d81d076286f93834a9b8b733217c05da9f4f65d75dfa40d5b5ce3a68df5e75b3e431

Download Submit
C:\Windows\SysWOW64\Cgmhcaac.exe

Filesize
56KB

MD5
b993b8afc8285f6df9fced5a550fa190

SHA1
827c13e736aff14b32579fa35436df185fa69909

SHA256
81be0ce943b164945b604afd1dc8e8fea8a731cc26511e9f0d03ff557dd328c5

SHA512
b441a32f656f8f0a86a4b1d67f66c87dd539124ec8903ace0aec986dd2318ace751c20641f9f3e30a9463cba1a40b0b3f7c100ab2d2b83097ff3237286cba18d

Download Submit
C:\Windows\SysWOW64\Cmedjl32.exe

Filesize
56KB

MD5
67dcfecf426a5e2a9cd790e9577f3452

SHA1
670b1266f42d15bbd6ac08bd93c6545f973b7e0f

SHA256
2f7bad8ae6513e2215d3d1e703d564e4064497d7a7a2a35743206d43e4feed83

SHA512
c1467c174787e2fa1e8d4ee6fc027a06338d8db9dff9889441b8ebfc89af9a5e0e8fdf32cb5eb75c713f2e56449c3d7fe782cbf7aa826703fde8e7aa3bf506c0

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
56KB

MD5
f2c4f7cbbb58611df63568bedfcde455

SHA1
c14e8d48d12dcbe4643bb95b576a7141f9b1510d

SHA256
6e239ed89cac11197b57ca342f32bdca983cdd809a855a5651628cb9ecf4301e

SHA512
1154493eab6b42ad2b442a4a5aeceb9894b7d254417b3aa26f167a70b84c464ffce1643b4a7ab4e2006c45e3d5c526b825329d8d1908717c2e4ebe7e29fc9929

Download Submit
C:\Windows\SysWOW64\Dalofi32.exe

Filesize
56KB

MD5
8e6f9845d9624506415c154d358fcf05

SHA1
a1baf4f158e6198dd9ed4dd7f97a46b1206b82d2

SHA256
38863054b73dc0ea88108a9f13db2e2c73756a1bc71c25f548d5fea52730e44a

SHA512
93b3cb13c459f3d2b4c9e8810db717117883022d877f5c012ed1869cb2b3f70c9a8715642fdfaae1149a7d4808af3239bec9fe6c9dd0f1e94089c4c72828f99d

Download Submit
C:\Windows\SysWOW64\Dcibca32.exe

Filesize
56KB

MD5
e1d343ed324cc45a1361aa8a6181373f

SHA1
8a8f92d8852202af1f1c146fcf7611a0b554d538

SHA256
7be2a808aab5c8b9d0657db16eaa0f8fa91c96a41698ff2fda1e94ea6ea1742e

SHA512
da3b5ba6e06a1297c291472951cc31bf67cd31efd1d9f1a23d81ccdbfaba0a5b3d600285d758951a4485a4ae95445b88de65416b75034920e00af6c7a56f2b60

Download Submit
C:\Windows\SysWOW64\Dcnlnaom.exe

Filesize
56KB

MD5
8ae61c56a5496f8f7ae77790309f6926

SHA1
eb32f437f7a37ac933b27225cce2c6f706d41d3c

SHA256
579d48f184920d6eabd185d89266813b6e29e2f7ccddfae4de6b044c3fab9350

SHA512
1200da55f7b5b023e866c1b3ec598be48f024c86214ef3231510a457ad1eaf665fec38e1afc30d4c217d9b418bc8a4fbc8d9db19d0fcf57dbf71b8f14cefb942

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
56KB

MD5
03e599fa7a8c85ea3df896d8c833e811

SHA1
32bece6ec8241d971bcb0a3fedb862d73ff9f9dc

SHA256
dad09ad714385072b3fe42d476c1ec202d52451485e419d43b4a2480522000b2

SHA512
0178cfe513255a42c440b77ccc7986fe15e28be85d4e6de7f1c324ef0ca44cb6e89208af938661fbd20da4205f7359c08c40d86b3cf0648b7af791713ca3968e

Download Submit
C:\Windows\SysWOW64\Ddhomdje.exe

Filesize
56KB

MD5
676e984b2467984628a0d42545aea6b4

SHA1
8ab6b52f3a22d449c195bcdadcb1e9bb42c6e26f

SHA256
d1a8ee681df85e49858da236d86c47006c7106349095c41d17d53a101748fd2f

SHA512
e5a99cc1cbb12a06ba42ece83741bf25851050ca6e7120d1615494e47452b934e0d29d6902bfc272d1ca9e3933aa4432baa81939449777a81958f38ab6035d5d

Download Submit
C:\Windows\SysWOW64\Dgihop32.exe

Filesize
56KB

MD5
15ffa86b1393d1d3f8213246c98299d5

SHA1
f56e89e2a0eb5a2c9674f48e646dd6e571081cc3

SHA256
3f0f9d18b13a329f358fad458bb58af2e54f5e65442cc555809b63d38f24c8f6

SHA512
4cbf8f5347bc82fdbcbde558f24a78348623d9a0ef657f097a2909ca7f65d79b28d7c6871d5c764928b5aa1b77f1df32505dc89192ad7271c20775c2fbe45d01

Download Submit
C:\Windows\SysWOW64\Dickplko.exe

Filesize
56KB

MD5
e73755f6091fb77710c9721ed0233bf9

SHA1
6c43b5382d723537cba6242d28203b376ab6d12e

SHA256
87452fa9cb91a3907e8e44dfd47c47a29224d8b1710cd0bd10cfab430d3225cc

SHA512
ea28e4671920d55438e992258506bd2e9577238c3a1f73c7e6d4d6f8686a19ea4159aa561c62060b9060d080132294e20557d2e0b58261e00d88cca3537d533d

Download Submit
C:\Windows\SysWOW64\Dinael32.exe

Filesize
56KB

MD5
2f97c7defee4083a5672f270ce036b29

SHA1
a3452a9055960306bddb8f5633290d878c56e40b

SHA256
5e7edcdbe63a5db4734242eaff5159aa99a07f634b75f004627efa59a543c07b

SHA512
8242a3bdf444f2c98d84bcc1cfd5740f1661f581c4316a892a9a1325a23aaf3b77b41f9ab153c9f24b35bcf7c180fb9d6d70ed71fe15706a1b65661eb6bc9df7

Download Submit
C:\Windows\SysWOW64\Djegekil.exe

Filesize
56KB

MD5
8a5159d15685f269c522f4fcdfddc5e0

SHA1
6001892b6af5e173b557c5a6fe182a762210391c

SHA256
94478e02f65980cccd5fe5e9abb6254c174e7eb3f3e27cfa6c1ee95112dc755a

SHA512
383c916ea5aac4b0b1929dd2543b3c6d457054302d3509591bfdd4027f82fda3f9c515f38f1a866ce992deee8a6a5a40783b56204e2dfd3b2402e9b312488ebe

Download Submit
C:\Windows\SysWOW64\Dnljkk32.exe

Filesize
56KB

MD5
f214209459d2ca5ba20dde3ddcf60704

SHA1
2b68bf68dd50c3a31463333190ac08aa1800d3d5

SHA256
c0ace5fb80debfbe7e752e0d497bcd4b3383fff50ab590d88eaff38a9ac20bfe

SHA512
35da2ad59f662a6057881f1561fc3ebd7a77ee9bda989899425b6a010aedc47dd2f80c530b16e877b14906449b5b57bcae55087acae8fa4c6de30b2f85f40e6e

Download Submit
C:\Windows\SysWOW64\Dphiaffa.exe

Filesize
56KB

MD5
f2607f8937a7e9a37f1b992c0595d348

SHA1
230f372442ecdefa69bce4d9c649bbba3361ebda

SHA256
db80f5c11435aa6d7b6a2af5b1245357d4308fdf2475e1b6fa9c5e4e32d19d96

SHA512
82dc8d9b5b27ba043dbd9b85bef99238c2d69cfed51d491d7f443e7d0b4a12769b0deabf3423fd816bfc62f864b47e82b65959a5f4bc57c2a09da5707acc36b0

Download Submit
C:\Windows\SysWOW64\Edaaccbj.exe

Filesize
56KB

MD5
9881066b3ad229bdf6c6f4d2a2f666d7

SHA1
01012dfeb08aa50a5fa298f7cdfe0a827e7ef266

SHA256
397c26a959a2d3026ff16f71bb8714d1c8ccf8bdfaf32a678c3407a1cbea6dde

SHA512
3af7e22f72ee143de033c6fa6dda6fc45fb08732a9a024ea56759749c4825a175d4054461c5c6753a11aa5f81fc5efa5ba54bbe0c70df7154db8c464d6f2fcb8

Download Submit
C:\Windows\SysWOW64\Eddnic32.exe

Filesize
56KB

MD5
86988ed6665d7f55f1b701ea374ed94e

SHA1
43c02b9f491ea4bb64ba4c1f53cc51132fb30db0

SHA256
65fbbffc4eb61424116d16c85ceac7b958cc926521b8c163fb914fbc523c3f29

SHA512
8ee0c1ace47d33fa47d373c09e11e4f3a4248568d2925ae76bfc21efc313fff6691038d5baf8ee430935cae7fd020d5b61f0837684acad6d3c081e1d26bb6567

Download Submit
C:\Windows\SysWOW64\Edoencdm.exe

Filesize
56KB

MD5
cbe6b613a04beb6786e3c3395ba04503

SHA1
bf1f3cea375777321bddfbcfd54015d6f2242334

SHA256
4b45f58e3be8909a07bf206fab79f7e895227394d54fd7bf278c7c5ff281d829

SHA512
45e8e953b721e098ac3293b26d7580aafefdda74de3fe4862c842161be2d252a4334a2fe348cfcec6ba74f27918e79abc3a0243963fcab78d3731dd985805bc7

Download Submit
C:\Windows\SysWOW64\Egkddo32.exe

Filesize
56KB

MD5
05a9e06701525e2c01533645830958a3

SHA1
5d65da8dcb6b0db5c46721c214a2621ab1ce9ef0

SHA256
fea11d092404c229a755cc40656c6facf5ef5b75c46db270af989dd50cd3160e

SHA512
085dabba2fa6f52954845f365167a61d277190368365e7f421b6637d0a497a5aa993a4f435cd22c91201f238400eb21a43711debcda593a1a3b82452c4327ada

Download Submit
C:\Windows\SysWOW64\Egnajocq.exe

Filesize
56KB

MD5
9ba8efe0293e15f7d96292f5f92c5a8f

SHA1
5fb2addab7f198daf1288b9471e238ca386388a8

SHA256
c08bce2bc3b9ec8dcaa96c455636f2ffd466ec2726e5fb3b7f583b186f1ca360

SHA512
492af7639772897948b791f3c337523d5e4ea7605d43899b7336156ceef9ec5f19b23b5d7d509ca9c157e96d28e5df8d4ef2362b1dadd180aaaebe5746177d9c

Download Submit
C:\Windows\SysWOW64\Ejagaj32.exe

Filesize
56KB

MD5
ad6261dbf3644d8ec8aa7e7f46cd351d

SHA1
0c2de8b5d860f3f57f3f609db9501dbfe3767ff4

SHA256
c21b2fea31110b4a67d8823add87765c74cc16b56adc475bd117abc2bcc73618

SHA512
0f339d12850211d403b7e8add36b3cffa02070612a0c02d824f4fb2707844100867e36c072bfcb5009751efc9cfd472535e1f03da9ac9ec5062161e0f886d7d5

Download Submit
C:\Windows\SysWOW64\Ejjaqk32.exe

Filesize
56KB

MD5
5a7d71afdf352a69285df63c5eb1ff27

SHA1
8db18652e9f6fa9e74841addc1d7f48ca4ae6a1f

SHA256
b20939002cb1a0e61b925ced72981b1cb7cf3a4d8dc66418db83ff092bb1f670

SHA512
571d3aa8c97aca4680d8be56678e8ae109fa067e3aa6d4d7ee661dfd52099facc84dd97837e69f9eff3a3a115ad6da58d51577485291daf5451efd76019227ef

Download Submit
C:\Windows\SysWOW64\Ekimjn32.exe

Filesize
56KB

MD5
63f31ce339a9556406eef427abb66644

SHA1
518517d78196996d948b729d7c043d530365882f

SHA256
ec746c3f42ad66bbb69fac992f613fb6561cf16542921a53d3880fabd508a5c5

SHA512
526e0d8b351f775f2d3cf0fd02ddd8d999e5db868e3245ea8494205099aabcb3b17ae474e576cf655b2043a724a0bbe4c185f588e2e20efac69389cb192ca62c

Download Submit
C:\Windows\SysWOW64\Ekqckmfb.exe

Filesize
56KB

MD5
191ebf60adc9209ebbde8f77b4ba8f74

SHA1
54deafa3590148588e4a11b7592648b652fa03e5

SHA256
681ce13e965f547b3dfd68cefe5c8166d198f82b434d81a3de7e20c72bf1fced

SHA512
660e19d8837aa55f3f002009d248b5fe20933ae71a49a09a1d8d773d27663add556d88d4f1ea5b3c8cee4d72e18caae50f8ab445f335c0a4c533d58200c654e2

Download Submit
C:\Windows\SysWOW64\Enjfli32.exe

Filesize
56KB

MD5
d88706bdb33b2db28e165dcfc915cab8

SHA1
8e995f92f47824a102d08a45c3bc2c1564ef3690

SHA256
7edbbb7b635f00129565d496ba250ca86d000fdede562e084a0605fa8c62201b

SHA512
8eb352ff9641370fa11c17eecab197c394fd237cbce758ea7536f528d24139fbddb3acded331d60d153db85f03626ef0c088f8f7fd53da9adcc5ec4c9d78d7de

Download Submit
C:\Windows\SysWOW64\Enopghee.exe

Filesize
56KB

MD5
84e028642177f992ebbe465f6a83fda4

SHA1
8a6e8eb9769d9cf5dbc2f9a41284ab6852233bb8

SHA256
52fc449e782dc709109a27d709d2177614aa8a172f4980101a38f3f15dfaa79a

SHA512
e9c065f2d23172faac0c1d84b9bc95e6cb05c92eb66cd24de5914872390ee62f0bfe39cdabd20083e2c2cd20e0a1b133caa7663f3fa80d2f467e1c9296a7f6f9

Download Submit
C:\Windows\SysWOW64\Eqkondfl.exe

Filesize
56KB

MD5
0aab76d9f68552404f42be6bf58a619b

SHA1
124e2c21f2a055282f2e81308b47fc028d4340b5

SHA256
2af3f7fc6e484f00e933601c64a420a007d130559d08c92abc11333d11458411

SHA512
045f6dacd2a270f89ddf0e2db6f4e366f8232a82e2229c21d96400bbae5d9dfdb4b045392cf7e069dbcb3a24fff84683defbdc33b312934c47e6c383808c24d8

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
56KB

MD5
764f882782aa1bf15103ff5d437fcaf2

SHA1
c0bf0f717fca5a70013cce76e3dbf07e354afa4e

SHA256
96189928f649fa94df1ceb13a3492576064b4eceacac02b37c94341db3690cc5

SHA512
2825b3b2b9120bc45c4b95a43decea166b819de1d00fbbc9ab2f06eacac2e909b11d338bc3719f284acf2ae32d5a496cc7a3d6ab5379abb1251c21a45e0951a0

Download Submit
C:\Windows\SysWOW64\Fnalmh32.exe

Filesize
56KB

MD5
9458611ba246e7ed49c9c1134e61a9ba

SHA1
51137c93154947a67044293c267109fc47179227

SHA256
e5e5960feffc42d61b480c4f5a70caa052529dfa9e730310b40cbcf35affe37a

SHA512
20827ddf6260f0002ae033d06d88d0a075553f0e5f2eec5c3f99d139d603350a9009b897e523ab8aacd5219a8984c73fb8e7fbbdacbf37937e3dbcc63fccd6a7

Download Submit
memory/336-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/336-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/968-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/968-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4536-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads