b5b9eb4d34338aac38dd82490b5122d4bb652f1d8c0aaf315816b75206e0a9e2

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15-10-2023 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe
Size

95KB
MD5

ecb7f2cfa3fb6934a71ae4961a029490
SHA1

372a000af6747875620e3bc4e8356e9ccfadea8d
SHA256

b5b9eb4d34338aac38dd82490b5122d4bb652f1d8c0aaf315816b75206e0a9e2
SHA512

224b53f0a345b8bcc859709a8419aff18fe60944962c3b3424fa59d10a90f766e0791a3e534f75fc90ee03d2e3a06668bdedfcd67096d89614c26d80a33dec78
SSDEEP

1536:WHGx59s2fSYhlZLcRpZmvWYdUJ0YDZvM1XxtDo/E1+5JLAnmrlaOM6bOLXi8PmC/:uC5ja2LcR6vW1DZExe/8+5J7oDrLXfz/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emkaol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ednpej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhdcji32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dookgcij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekelld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ednpej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edkcojga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecejkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnndlod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Effcma32.exe

Executes dropped EXE 12 IoCs

pid	Process
2772	Dolnad32.exe
2660	Dhdcji32.exe
2620	Dookgcij.exe
2628	Edkcojga.exe
2684	Ekelld32.exe
2560	Ednpej32.exe
2920	Enfenplo.exe
1172	Emkaol32.exe
1984	Ecejkf32.exe
284	Emnndlod.exe
528	Effcma32.exe
988	Fkckeh32.exe

Loads dropped DLL 28 IoCs

pid	Process
2260	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe
2260	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe
2772	Dolnad32.exe
2772	Dolnad32.exe
2660	Dhdcji32.exe
2660	Dhdcji32.exe
2620	Dookgcij.exe
2620	Dookgcij.exe
2628	Edkcojga.exe
2628	Edkcojga.exe
2684	Ekelld32.exe
2684	Ekelld32.exe
2560	Ednpej32.exe
2560	Ednpej32.exe
2920	Enfenplo.exe
2920	Enfenplo.exe
1172	Emkaol32.exe
1172	Emkaol32.exe
1984	Ecejkf32.exe
1984	Ecejkf32.exe
284	Emnndlod.exe
284	Emnndlod.exe
528	Effcma32.exe
528	Effcma32.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Inegme32.dll	Ecejkf32.exe
File created	C:\Windows\SysWOW64\Affcmdmb.dll	Emnndlod.exe
File created	C:\Windows\SysWOW64\Edkcojga.exe	Dookgcij.exe
File created	C:\Windows\SysWOW64\Ekelld32.exe	Edkcojga.exe
File created	C:\Windows\SysWOW64\Enfenplo.exe	Ednpej32.exe
File opened for modification	C:\Windows\SysWOW64\Emkaol32.exe	Enfenplo.exe
File created	C:\Windows\SysWOW64\Ecejkf32.exe	Emkaol32.exe
File opened for modification	C:\Windows\SysWOW64\Ecejkf32.exe	Emkaol32.exe
File created	C:\Windows\SysWOW64\Bdacap32.dll	Emkaol32.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Jkhgfq32.dll	Dhdcji32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Effcma32.exe
File opened for modification	C:\Windows\SysWOW64\Dolnad32.exe	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe
File opened for modification	C:\Windows\SysWOW64\Edkcojga.exe	Dookgcij.exe
File created	C:\Windows\SysWOW64\Cgllco32.dll	Enfenplo.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Dolnad32.exe	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe
File created	C:\Windows\SysWOW64\Gogcek32.dll	Dookgcij.exe
File created	C:\Windows\SysWOW64\Emnndlod.exe	Ecejkf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhdcji32.exe	Dolnad32.exe
File created	C:\Windows\SysWOW64\Dhdcji32.exe	Dolnad32.exe
File created	C:\Windows\SysWOW64\Olfeho32.dll	Edkcojga.exe
File created	C:\Windows\SysWOW64\Ednpej32.exe	Ekelld32.exe
File opened for modification	C:\Windows\SysWOW64\Enfenplo.exe	Ednpej32.exe
File created	C:\Windows\SysWOW64\Emkaol32.exe	Enfenplo.exe
File created	C:\Windows\SysWOW64\Effcma32.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Galmmc32.dll	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe
File opened for modification	C:\Windows\SysWOW64\Dookgcij.exe	Dhdcji32.exe
File opened for modification	C:\Windows\SysWOW64\Ekelld32.exe	Edkcojga.exe
File opened for modification	C:\Windows\SysWOW64\Effcma32.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Dookgcij.exe	Dhdcji32.exe
File opened for modification	C:\Windows\SysWOW64\Ednpej32.exe	Ekelld32.exe
File created	C:\Windows\SysWOW64\Bpbbfi32.dll	Ekelld32.exe
File created	C:\Windows\SysWOW64\Lchkpi32.dll	Ednpej32.exe
File opened for modification	C:\Windows\SysWOW64\Emnndlod.exe	Ecejkf32.exe
File created	C:\Windows\SysWOW64\Kncphpjl.dll	Dolnad32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1488	988	WerFault.exe	39

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfeho32.dll"	Edkcojga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekelld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll"	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhdcji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogcek32.dll"	Dookgcij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emkaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emnndlod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdacap32.dll"	Emkaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll"	Emnndlod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emnndlod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Effcma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll"	Dhdcji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncphpjl.dll"	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll"	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll"	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inegme32.dll"	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Effcma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhdcji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecejkf32.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2772	2260	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe	28
PID 2260 wrote to memory of 2772	2260	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe	28
PID 2260 wrote to memory of 2772	2260	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe	28
PID 2260 wrote to memory of 2772	2260	ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe	28
PID 2772 wrote to memory of 2660	2772	Dolnad32.exe	29
PID 2772 wrote to memory of 2660	2772	Dolnad32.exe	29
PID 2772 wrote to memory of 2660	2772	Dolnad32.exe	29
PID 2772 wrote to memory of 2660	2772	Dolnad32.exe	29
PID 2660 wrote to memory of 2620	2660	Dhdcji32.exe	30
PID 2660 wrote to memory of 2620	2660	Dhdcji32.exe	30
PID 2660 wrote to memory of 2620	2660	Dhdcji32.exe	30
PID 2660 wrote to memory of 2620	2660	Dhdcji32.exe	30
PID 2620 wrote to memory of 2628	2620	Dookgcij.exe	31
PID 2620 wrote to memory of 2628	2620	Dookgcij.exe	31
PID 2620 wrote to memory of 2628	2620	Dookgcij.exe	31
PID 2620 wrote to memory of 2628	2620	Dookgcij.exe	31
PID 2628 wrote to memory of 2684	2628	Edkcojga.exe	32
PID 2628 wrote to memory of 2684	2628	Edkcojga.exe	32
PID 2628 wrote to memory of 2684	2628	Edkcojga.exe	32
PID 2628 wrote to memory of 2684	2628	Edkcojga.exe	32
PID 2684 wrote to memory of 2560	2684	Ekelld32.exe	33
PID 2684 wrote to memory of 2560	2684	Ekelld32.exe	33
PID 2684 wrote to memory of 2560	2684	Ekelld32.exe	33
PID 2684 wrote to memory of 2560	2684	Ekelld32.exe	33
PID 2560 wrote to memory of 2920	2560	Ednpej32.exe	34
PID 2560 wrote to memory of 2920	2560	Ednpej32.exe	34
PID 2560 wrote to memory of 2920	2560	Ednpej32.exe	34
PID 2560 wrote to memory of 2920	2560	Ednpej32.exe	34
PID 2920 wrote to memory of 1172	2920	Enfenplo.exe	35
PID 2920 wrote to memory of 1172	2920	Enfenplo.exe	35
PID 2920 wrote to memory of 1172	2920	Enfenplo.exe	35
PID 2920 wrote to memory of 1172	2920	Enfenplo.exe	35
PID 1172 wrote to memory of 1984	1172	Emkaol32.exe	37
PID 1172 wrote to memory of 1984	1172	Emkaol32.exe	37
PID 1172 wrote to memory of 1984	1172	Emkaol32.exe	37
PID 1172 wrote to memory of 1984	1172	Emkaol32.exe	37
PID 1984 wrote to memory of 284	1984	Ecejkf32.exe	36
PID 1984 wrote to memory of 284	1984	Ecejkf32.exe	36
PID 1984 wrote to memory of 284	1984	Ecejkf32.exe	36
PID 1984 wrote to memory of 284	1984	Ecejkf32.exe	36
PID 284 wrote to memory of 528	284	Emnndlod.exe	38
PID 284 wrote to memory of 528	284	Emnndlod.exe	38
PID 284 wrote to memory of 528	284	Emnndlod.exe	38
PID 284 wrote to memory of 528	284	Emnndlod.exe	38
PID 528 wrote to memory of 988	528	Effcma32.exe	39
PID 528 wrote to memory of 988	528	Effcma32.exe	39
PID 528 wrote to memory of 988	528	Effcma32.exe	39
PID 528 wrote to memory of 988	528	Effcma32.exe	39
PID 988 wrote to memory of 1488	988	Fkckeh32.exe	40
PID 988 wrote to memory of 1488	988	Fkckeh32.exe	40
PID 988 wrote to memory of 1488	988	Fkckeh32.exe	40
PID 988 wrote to memory of 1488	988	Fkckeh32.exe	40

C:\Users\Admin\AppData\Local\Temp\ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\ecb7f2cfa3fb6934a71ae4961a029490_exe32.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\Dolnad32.exe
  C:\Windows\system32\Dolnad32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\Dhdcji32.exe
    C:\Windows\system32\Dhdcji32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\Dookgcij.exe
      C:\Windows\system32\Dookgcij.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\Edkcojga.exe
        
        C:\Windows\system32\Edkcojga.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\SysWOW64\Ekelld32.exe
        
        C:\Windows\system32\Ekelld32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Ednpej32.exe
        
        C:\Windows\system32\Ednpej32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Enfenplo.exe
        
        C:\Windows\system32\Enfenplo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Emkaol32.exe
        
        C:\Windows\system32\Emkaol32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Ecejkf32.exe
        
        C:\Windows\system32\Ecejkf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984

C:\Windows\SysWOW64\Emnndlod.exe
C:\Windows\system32\Emnndlod.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:284
- C:\Windows\SysWOW64\Effcma32.exe
  C:\Windows\system32\Effcma32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\SysWOW64\Fkckeh32.exe
    C:\Windows\system32\Fkckeh32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dhdcji32.exe

Filesize
95KB

MD5
4ce17d8948883df660492bb0694d299a

SHA1
cdb99d05e13f7fafc61daed08778fda5b6e95863

SHA256
f61a7e761db52cc466496d327762d3b61b45de90118967ca126e2bb9b571ce2d

SHA512
68a9580ca550734129e51954beb18e10f3507caa91faad3423eb2f2c64faa38ebcb1aa856ca7b56a899a1af364bcd522f6896dbd8c25599e9aa690b9651f76df

Download Submit
C:\Windows\SysWOW64\Dhdcji32.exe

Filesize
95KB

MD5
4ce17d8948883df660492bb0694d299a

SHA1
cdb99d05e13f7fafc61daed08778fda5b6e95863

SHA256
f61a7e761db52cc466496d327762d3b61b45de90118967ca126e2bb9b571ce2d

SHA512
68a9580ca550734129e51954beb18e10f3507caa91faad3423eb2f2c64faa38ebcb1aa856ca7b56a899a1af364bcd522f6896dbd8c25599e9aa690b9651f76df

Download Submit
C:\Windows\SysWOW64\Dhdcji32.exe

Filesize
95KB

MD5
4ce17d8948883df660492bb0694d299a

SHA1
cdb99d05e13f7fafc61daed08778fda5b6e95863

SHA256
f61a7e761db52cc466496d327762d3b61b45de90118967ca126e2bb9b571ce2d

SHA512
68a9580ca550734129e51954beb18e10f3507caa91faad3423eb2f2c64faa38ebcb1aa856ca7b56a899a1af364bcd522f6896dbd8c25599e9aa690b9651f76df

Download Submit
C:\Windows\SysWOW64\Dolnad32.exe

Filesize
95KB

MD5
46373e14602a6fe8d0e0025fcc748da6

SHA1
b19cb3698c5a341a92d2e440a21149042bfc2572

SHA256
5a269554d3ddee8f424606a6a38c464aa7a6378ed567c5fc90f0f260ff1dd120

SHA512
ad7a3928dd714f3900c9892be95b18b8c9dc1a6706dbe2e15c0bc81958eee23e117837d4be40c21b77d507d611f1d51c12022412ced5846dc3d440f4547b8eab

Download Submit
C:\Windows\SysWOW64\Dolnad32.exe

Filesize
95KB

MD5
46373e14602a6fe8d0e0025fcc748da6

SHA1
b19cb3698c5a341a92d2e440a21149042bfc2572

SHA256
5a269554d3ddee8f424606a6a38c464aa7a6378ed567c5fc90f0f260ff1dd120

SHA512
ad7a3928dd714f3900c9892be95b18b8c9dc1a6706dbe2e15c0bc81958eee23e117837d4be40c21b77d507d611f1d51c12022412ced5846dc3d440f4547b8eab

Download Submit
C:\Windows\SysWOW64\Dolnad32.exe

Filesize
95KB

MD5
46373e14602a6fe8d0e0025fcc748da6

SHA1
b19cb3698c5a341a92d2e440a21149042bfc2572

SHA256
5a269554d3ddee8f424606a6a38c464aa7a6378ed567c5fc90f0f260ff1dd120

SHA512
ad7a3928dd714f3900c9892be95b18b8c9dc1a6706dbe2e15c0bc81958eee23e117837d4be40c21b77d507d611f1d51c12022412ced5846dc3d440f4547b8eab

Download Submit
C:\Windows\SysWOW64\Dookgcij.exe

Filesize
95KB

MD5
ed84405923aec7012f0bcf66a46a3bfa

SHA1
ae7a31651eb7c9b00cc5ec42a21f899c2aee800c

SHA256
2ff2ca4807f9dd48fb7859525cb4e2ccace3b82d20d95ad4d6fd5870e544cb39

SHA512
91c53202609489534358b16cedb6c2c0829c275e27eb0f05b1910a8041859016bb000353232c4c5f24131f45d2b736364d917fca690053c472307d079c6857c4

Download Submit
C:\Windows\SysWOW64\Dookgcij.exe

Filesize
95KB

MD5
ed84405923aec7012f0bcf66a46a3bfa

SHA1
ae7a31651eb7c9b00cc5ec42a21f899c2aee800c

SHA256
2ff2ca4807f9dd48fb7859525cb4e2ccace3b82d20d95ad4d6fd5870e544cb39

SHA512
91c53202609489534358b16cedb6c2c0829c275e27eb0f05b1910a8041859016bb000353232c4c5f24131f45d2b736364d917fca690053c472307d079c6857c4

Download Submit
C:\Windows\SysWOW64\Dookgcij.exe

Filesize
95KB

MD5
ed84405923aec7012f0bcf66a46a3bfa

SHA1
ae7a31651eb7c9b00cc5ec42a21f899c2aee800c

SHA256
2ff2ca4807f9dd48fb7859525cb4e2ccace3b82d20d95ad4d6fd5870e544cb39

SHA512
91c53202609489534358b16cedb6c2c0829c275e27eb0f05b1910a8041859016bb000353232c4c5f24131f45d2b736364d917fca690053c472307d079c6857c4

Download Submit
C:\Windows\SysWOW64\Ecejkf32.exe

Filesize
95KB

MD5
7312f950242eef3ab2db2df0b4479f05

SHA1
de7cc2771c31a1ad30247adc7bcc299c4cf4263e

SHA256
7f69c579092ec7579524561b94bfe9245f89160be948f6f0bad3c7983af4f8eb

SHA512
12e5c6e02d52dbd0f7cf5a962b22a41954a3f17822b2790590250a15c3098b1681e1ec472ec3326598e056f94a13171bee0212a304ad56c11cf1532382d395e1

Download Submit
C:\Windows\SysWOW64\Ecejkf32.exe

Filesize
95KB

MD5
7312f950242eef3ab2db2df0b4479f05

SHA1
de7cc2771c31a1ad30247adc7bcc299c4cf4263e

SHA256
7f69c579092ec7579524561b94bfe9245f89160be948f6f0bad3c7983af4f8eb

SHA512
12e5c6e02d52dbd0f7cf5a962b22a41954a3f17822b2790590250a15c3098b1681e1ec472ec3326598e056f94a13171bee0212a304ad56c11cf1532382d395e1

Download Submit
C:\Windows\SysWOW64\Ecejkf32.exe

Filesize
95KB

MD5
7312f950242eef3ab2db2df0b4479f05

SHA1
de7cc2771c31a1ad30247adc7bcc299c4cf4263e

SHA256
7f69c579092ec7579524561b94bfe9245f89160be948f6f0bad3c7983af4f8eb

SHA512
12e5c6e02d52dbd0f7cf5a962b22a41954a3f17822b2790590250a15c3098b1681e1ec472ec3326598e056f94a13171bee0212a304ad56c11cf1532382d395e1

Download Submit
C:\Windows\SysWOW64\Edkcojga.exe

Filesize
95KB

MD5
274a0fd2d956827aab8cddd7f087ccf4

SHA1
95b13b3fc4ec7528c63026f6a2aa034e6024f45c

SHA256
536101c751012ee1a146ba61b5524859ac6879356bfb4e341b9009fe51b4ba87

SHA512
0b3e53808caa4818d7941c38389e77c92590468654e14962e425c496855d46eba1665e23bd3ab543dab624cdf783ea32461d846749b380ea6f745ad59e17eb5a

Download Submit
C:\Windows\SysWOW64\Edkcojga.exe

Filesize
95KB

MD5
274a0fd2d956827aab8cddd7f087ccf4

SHA1
95b13b3fc4ec7528c63026f6a2aa034e6024f45c

SHA256
536101c751012ee1a146ba61b5524859ac6879356bfb4e341b9009fe51b4ba87

SHA512
0b3e53808caa4818d7941c38389e77c92590468654e14962e425c496855d46eba1665e23bd3ab543dab624cdf783ea32461d846749b380ea6f745ad59e17eb5a

Download Submit
C:\Windows\SysWOW64\Edkcojga.exe

Filesize
95KB

MD5
274a0fd2d956827aab8cddd7f087ccf4

SHA1
95b13b3fc4ec7528c63026f6a2aa034e6024f45c

SHA256
536101c751012ee1a146ba61b5524859ac6879356bfb4e341b9009fe51b4ba87

SHA512
0b3e53808caa4818d7941c38389e77c92590468654e14962e425c496855d46eba1665e23bd3ab543dab624cdf783ea32461d846749b380ea6f745ad59e17eb5a

Download Submit
C:\Windows\SysWOW64\Ednpej32.exe

Filesize
95KB

MD5
164cc3a5cfae328723884f658e539cf5

SHA1
2df16b376b3aeabeff293aa32ed8ec6ce8ccb04f

SHA256
e12a80d6482d30071a666f3382d83362508cac2dcbf29d3da97260d618a0a319

SHA512
fe0e6e34a31ecd015046c9d687a7833ef4ac24a8c769067958a2b8088b7ae027feb591ab3a56c5d127b1b33f8d7b9f78f02999944824126e55d936515029f9e6

Download Submit
C:\Windows\SysWOW64\Ednpej32.exe

Filesize
95KB

MD5
164cc3a5cfae328723884f658e539cf5

SHA1
2df16b376b3aeabeff293aa32ed8ec6ce8ccb04f

SHA256
e12a80d6482d30071a666f3382d83362508cac2dcbf29d3da97260d618a0a319

SHA512
fe0e6e34a31ecd015046c9d687a7833ef4ac24a8c769067958a2b8088b7ae027feb591ab3a56c5d127b1b33f8d7b9f78f02999944824126e55d936515029f9e6

Download Submit
C:\Windows\SysWOW64\Ednpej32.exe

Filesize
95KB

MD5
164cc3a5cfae328723884f658e539cf5

SHA1
2df16b376b3aeabeff293aa32ed8ec6ce8ccb04f

SHA256
e12a80d6482d30071a666f3382d83362508cac2dcbf29d3da97260d618a0a319

SHA512
fe0e6e34a31ecd015046c9d687a7833ef4ac24a8c769067958a2b8088b7ae027feb591ab3a56c5d127b1b33f8d7b9f78f02999944824126e55d936515029f9e6

Download Submit
C:\Windows\SysWOW64\Effcma32.exe

Filesize
95KB

MD5
8e50e980caa1cd431fb120d4f7d3e1a5

SHA1
d985291bb98ac8e9e2b6d68734e72c5c41a44c2a

SHA256
7cef0a64e493abedea7df4ad5b42b4699f81e27dd8744d7b30c2fb53e14336a2

SHA512
5fa04d2eb205a9ebf634277963458169f54b9a796d2476f4860f29b36829ee47987e90f895f6c6b373f56147ab237f80e8ebdb62226933ff58ee5d44d23c0164

Download Submit
C:\Windows\SysWOW64\Effcma32.exe

Filesize
95KB

MD5
8e50e980caa1cd431fb120d4f7d3e1a5

SHA1
d985291bb98ac8e9e2b6d68734e72c5c41a44c2a

SHA256
7cef0a64e493abedea7df4ad5b42b4699f81e27dd8744d7b30c2fb53e14336a2

SHA512
5fa04d2eb205a9ebf634277963458169f54b9a796d2476f4860f29b36829ee47987e90f895f6c6b373f56147ab237f80e8ebdb62226933ff58ee5d44d23c0164

Download Submit
C:\Windows\SysWOW64\Effcma32.exe

Filesize
95KB

MD5
8e50e980caa1cd431fb120d4f7d3e1a5

SHA1
d985291bb98ac8e9e2b6d68734e72c5c41a44c2a

SHA256
7cef0a64e493abedea7df4ad5b42b4699f81e27dd8744d7b30c2fb53e14336a2

SHA512
5fa04d2eb205a9ebf634277963458169f54b9a796d2476f4860f29b36829ee47987e90f895f6c6b373f56147ab237f80e8ebdb62226933ff58ee5d44d23c0164

Download Submit
C:\Windows\SysWOW64\Ekelld32.exe

Filesize
95KB

MD5
f027eab3e065d4cdf9ec1939709ac910

SHA1
b7d5d8520dbd0f0ea3d79843531e5aa2ebc7ea0a

SHA256
70961cc9d8c36ffd0d19e3002ff78050db81956935c735b611e38f2bb40428e0

SHA512
4f233b84d35989f456411110836d688ddfecce4ce2438d36b08c7506e38d0e045afaa1788c5abf9840ed6e432020eabe715e420ac032683263e81ace1c4c6457

Download Submit
C:\Windows\SysWOW64\Ekelld32.exe

Filesize
95KB

MD5
f027eab3e065d4cdf9ec1939709ac910

SHA1
b7d5d8520dbd0f0ea3d79843531e5aa2ebc7ea0a

SHA256
70961cc9d8c36ffd0d19e3002ff78050db81956935c735b611e38f2bb40428e0

SHA512
4f233b84d35989f456411110836d688ddfecce4ce2438d36b08c7506e38d0e045afaa1788c5abf9840ed6e432020eabe715e420ac032683263e81ace1c4c6457

Download Submit
C:\Windows\SysWOW64\Ekelld32.exe

Filesize
95KB

MD5
f027eab3e065d4cdf9ec1939709ac910

SHA1
b7d5d8520dbd0f0ea3d79843531e5aa2ebc7ea0a

SHA256
70961cc9d8c36ffd0d19e3002ff78050db81956935c735b611e38f2bb40428e0

SHA512
4f233b84d35989f456411110836d688ddfecce4ce2438d36b08c7506e38d0e045afaa1788c5abf9840ed6e432020eabe715e420ac032683263e81ace1c4c6457

Download Submit
C:\Windows\SysWOW64\Emkaol32.exe

Filesize
95KB

MD5
c830bb512a7105f79696956a6a5a7f29

SHA1
a6335f0a596dde9dc96525186f44e16bfe974aa7

SHA256
e3075f42fc128d99439d491452351bc85c77f59bdee0ea1e8a568968d38b193b

SHA512
3525fc7b08d15cbbe0ecd359d76bf1f802acdaf93842d097726ff8dc963aff0291c6c918589e50c750536acf4df6a6fa284871113cc976b8d2e611aafbe03577

Download Submit
C:\Windows\SysWOW64\Emkaol32.exe

Filesize
95KB

MD5
c830bb512a7105f79696956a6a5a7f29

SHA1
a6335f0a596dde9dc96525186f44e16bfe974aa7

SHA256
e3075f42fc128d99439d491452351bc85c77f59bdee0ea1e8a568968d38b193b

SHA512
3525fc7b08d15cbbe0ecd359d76bf1f802acdaf93842d097726ff8dc963aff0291c6c918589e50c750536acf4df6a6fa284871113cc976b8d2e611aafbe03577

Download Submit
C:\Windows\SysWOW64\Emkaol32.exe

Filesize
95KB

MD5
c830bb512a7105f79696956a6a5a7f29

SHA1
a6335f0a596dde9dc96525186f44e16bfe974aa7

SHA256
e3075f42fc128d99439d491452351bc85c77f59bdee0ea1e8a568968d38b193b

SHA512
3525fc7b08d15cbbe0ecd359d76bf1f802acdaf93842d097726ff8dc963aff0291c6c918589e50c750536acf4df6a6fa284871113cc976b8d2e611aafbe03577

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
95KB

MD5
497631b5f46cee2abf70a8c9d69d7cae

SHA1
afc9ee9b9a2b3eb75b2044b9ca1760fca96af8bc

SHA256
9717ab7ac52ad496bbf04ff8c14eb1e2cbb702e507cd2746ecddbf39e033daa3

SHA512
6dd4baefbc7ea5fc95467264e9076f6f65e1bc95f9e48d6ccb68490c56a3fe9dac98c91de215166900290fb258dc8a956986b3ecb39a76d6ae428614b7a2a5b8

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
95KB

MD5
497631b5f46cee2abf70a8c9d69d7cae

SHA1
afc9ee9b9a2b3eb75b2044b9ca1760fca96af8bc

SHA256
9717ab7ac52ad496bbf04ff8c14eb1e2cbb702e507cd2746ecddbf39e033daa3

SHA512
6dd4baefbc7ea5fc95467264e9076f6f65e1bc95f9e48d6ccb68490c56a3fe9dac98c91de215166900290fb258dc8a956986b3ecb39a76d6ae428614b7a2a5b8

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
95KB

MD5
497631b5f46cee2abf70a8c9d69d7cae

SHA1
afc9ee9b9a2b3eb75b2044b9ca1760fca96af8bc

SHA256
9717ab7ac52ad496bbf04ff8c14eb1e2cbb702e507cd2746ecddbf39e033daa3

SHA512
6dd4baefbc7ea5fc95467264e9076f6f65e1bc95f9e48d6ccb68490c56a3fe9dac98c91de215166900290fb258dc8a956986b3ecb39a76d6ae428614b7a2a5b8

Download Submit
C:\Windows\SysWOW64\Enfenplo.exe

Filesize
95KB

MD5
a5c2a086ca5b0b40af875c8b8acd86a5

SHA1
5097d05e1c5948929d40e835adc53406ab48f782

SHA256
a177b65e99f5fe5fb86ad1a0c56c33a8a791d50317d0528d9912fe45d51f2881

SHA512
b3b1c58b90511634727c03fa1ae8d1ed471d171da9313f62069f453a3b64471dbbd5c433e2864ead8c29ce32aa4cafa4c07691cec4ddb247ee1e3fc56dcaa36d

Download Submit
C:\Windows\SysWOW64\Enfenplo.exe

Filesize
95KB

MD5
a5c2a086ca5b0b40af875c8b8acd86a5

SHA1
5097d05e1c5948929d40e835adc53406ab48f782

SHA256
a177b65e99f5fe5fb86ad1a0c56c33a8a791d50317d0528d9912fe45d51f2881

SHA512
b3b1c58b90511634727c03fa1ae8d1ed471d171da9313f62069f453a3b64471dbbd5c433e2864ead8c29ce32aa4cafa4c07691cec4ddb247ee1e3fc56dcaa36d

Download Submit
C:\Windows\SysWOW64\Enfenplo.exe

Filesize
95KB

MD5
a5c2a086ca5b0b40af875c8b8acd86a5

SHA1
5097d05e1c5948929d40e835adc53406ab48f782

SHA256
a177b65e99f5fe5fb86ad1a0c56c33a8a791d50317d0528d9912fe45d51f2881

SHA512
b3b1c58b90511634727c03fa1ae8d1ed471d171da9313f62069f453a3b64471dbbd5c433e2864ead8c29ce32aa4cafa4c07691cec4ddb247ee1e3fc56dcaa36d

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
95KB

MD5
f660bdd2e4bc467d0237d788d2919fa4

SHA1
f302acb44381da46043c5830df377fad2e1936db

SHA256
c801f79dcf7513e1fae7731837444755a5dce2440164101e39aa0686678eb62f

SHA512
353f5152367b393283e3a789d71feb9f7785778b40bac2f0ef0f53e3063da5f4cfc6b713676d06ce5a5648deced7bdbbc1d39336fa75036e37157546a0899f89

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
95KB

MD5
f660bdd2e4bc467d0237d788d2919fa4

SHA1
f302acb44381da46043c5830df377fad2e1936db

SHA256
c801f79dcf7513e1fae7731837444755a5dce2440164101e39aa0686678eb62f

SHA512
353f5152367b393283e3a789d71feb9f7785778b40bac2f0ef0f53e3063da5f4cfc6b713676d06ce5a5648deced7bdbbc1d39336fa75036e37157546a0899f89

Download Submit
C:\Windows\SysWOW64\Olfeho32.dll

Filesize
7KB

MD5
02c24ec51fe1b639ec8b78af4dac05c6

SHA1
1ec99680ea1ac9d061961177852811ce1a7c3097

SHA256
2d7db41175e61450ebd6df12e0a6d4f766941f67fb524163d4b92c1e4da41bd0

SHA512
fa3a8d8164b697f19fffc2415a2f89d1d162217ab0294d98473532321b86a397c5d90060f6898f816f248ab9b9d7a5669efe6d57cb51e1e774b98d9435e74c77

Download Submit
\Windows\SysWOW64\Dhdcji32.exe

Filesize
95KB

MD5
4ce17d8948883df660492bb0694d299a

SHA1
cdb99d05e13f7fafc61daed08778fda5b6e95863

SHA256
f61a7e761db52cc466496d327762d3b61b45de90118967ca126e2bb9b571ce2d

SHA512
68a9580ca550734129e51954beb18e10f3507caa91faad3423eb2f2c64faa38ebcb1aa856ca7b56a899a1af364bcd522f6896dbd8c25599e9aa690b9651f76df

Download Submit
\Windows\SysWOW64\Dhdcji32.exe

Filesize
95KB

MD5
4ce17d8948883df660492bb0694d299a

SHA1
cdb99d05e13f7fafc61daed08778fda5b6e95863

SHA256
f61a7e761db52cc466496d327762d3b61b45de90118967ca126e2bb9b571ce2d

SHA512
68a9580ca550734129e51954beb18e10f3507caa91faad3423eb2f2c64faa38ebcb1aa856ca7b56a899a1af364bcd522f6896dbd8c25599e9aa690b9651f76df

Download Submit
\Windows\SysWOW64\Dolnad32.exe

Filesize
95KB

MD5
46373e14602a6fe8d0e0025fcc748da6

SHA1
b19cb3698c5a341a92d2e440a21149042bfc2572

SHA256
5a269554d3ddee8f424606a6a38c464aa7a6378ed567c5fc90f0f260ff1dd120

SHA512
ad7a3928dd714f3900c9892be95b18b8c9dc1a6706dbe2e15c0bc81958eee23e117837d4be40c21b77d507d611f1d51c12022412ced5846dc3d440f4547b8eab

Download Submit
\Windows\SysWOW64\Dolnad32.exe

Filesize
95KB

MD5
46373e14602a6fe8d0e0025fcc748da6

SHA1
b19cb3698c5a341a92d2e440a21149042bfc2572

SHA256
5a269554d3ddee8f424606a6a38c464aa7a6378ed567c5fc90f0f260ff1dd120

SHA512
ad7a3928dd714f3900c9892be95b18b8c9dc1a6706dbe2e15c0bc81958eee23e117837d4be40c21b77d507d611f1d51c12022412ced5846dc3d440f4547b8eab

Download Submit
\Windows\SysWOW64\Dookgcij.exe

Filesize
95KB

MD5
ed84405923aec7012f0bcf66a46a3bfa

SHA1
ae7a31651eb7c9b00cc5ec42a21f899c2aee800c

SHA256
2ff2ca4807f9dd48fb7859525cb4e2ccace3b82d20d95ad4d6fd5870e544cb39

SHA512
91c53202609489534358b16cedb6c2c0829c275e27eb0f05b1910a8041859016bb000353232c4c5f24131f45d2b736364d917fca690053c472307d079c6857c4

Download Submit
\Windows\SysWOW64\Dookgcij.exe

Filesize
95KB

MD5
ed84405923aec7012f0bcf66a46a3bfa

SHA1
ae7a31651eb7c9b00cc5ec42a21f899c2aee800c

SHA256
2ff2ca4807f9dd48fb7859525cb4e2ccace3b82d20d95ad4d6fd5870e544cb39

SHA512
91c53202609489534358b16cedb6c2c0829c275e27eb0f05b1910a8041859016bb000353232c4c5f24131f45d2b736364d917fca690053c472307d079c6857c4

Download Submit
\Windows\SysWOW64\Ecejkf32.exe

Filesize
95KB

MD5
7312f950242eef3ab2db2df0b4479f05

SHA1
de7cc2771c31a1ad30247adc7bcc299c4cf4263e

SHA256
7f69c579092ec7579524561b94bfe9245f89160be948f6f0bad3c7983af4f8eb

SHA512
12e5c6e02d52dbd0f7cf5a962b22a41954a3f17822b2790590250a15c3098b1681e1ec472ec3326598e056f94a13171bee0212a304ad56c11cf1532382d395e1

Download Submit
\Windows\SysWOW64\Ecejkf32.exe

Filesize
95KB

MD5
7312f950242eef3ab2db2df0b4479f05

SHA1
de7cc2771c31a1ad30247adc7bcc299c4cf4263e

SHA256
7f69c579092ec7579524561b94bfe9245f89160be948f6f0bad3c7983af4f8eb

SHA512
12e5c6e02d52dbd0f7cf5a962b22a41954a3f17822b2790590250a15c3098b1681e1ec472ec3326598e056f94a13171bee0212a304ad56c11cf1532382d395e1

Download Submit
\Windows\SysWOW64\Edkcojga.exe

Filesize
95KB

MD5
274a0fd2d956827aab8cddd7f087ccf4

SHA1
95b13b3fc4ec7528c63026f6a2aa034e6024f45c

SHA256
536101c751012ee1a146ba61b5524859ac6879356bfb4e341b9009fe51b4ba87

SHA512
0b3e53808caa4818d7941c38389e77c92590468654e14962e425c496855d46eba1665e23bd3ab543dab624cdf783ea32461d846749b380ea6f745ad59e17eb5a

Download Submit
\Windows\SysWOW64\Edkcojga.exe

Filesize
95KB

MD5
274a0fd2d956827aab8cddd7f087ccf4

SHA1
95b13b3fc4ec7528c63026f6a2aa034e6024f45c

SHA256
536101c751012ee1a146ba61b5524859ac6879356bfb4e341b9009fe51b4ba87

SHA512
0b3e53808caa4818d7941c38389e77c92590468654e14962e425c496855d46eba1665e23bd3ab543dab624cdf783ea32461d846749b380ea6f745ad59e17eb5a

Download Submit
\Windows\SysWOW64\Ednpej32.exe

Filesize
95KB

MD5
164cc3a5cfae328723884f658e539cf5

SHA1
2df16b376b3aeabeff293aa32ed8ec6ce8ccb04f

SHA256
e12a80d6482d30071a666f3382d83362508cac2dcbf29d3da97260d618a0a319

SHA512
fe0e6e34a31ecd015046c9d687a7833ef4ac24a8c769067958a2b8088b7ae027feb591ab3a56c5d127b1b33f8d7b9f78f02999944824126e55d936515029f9e6

Download Submit
\Windows\SysWOW64\Ednpej32.exe

Filesize
95KB

MD5
164cc3a5cfae328723884f658e539cf5

SHA1
2df16b376b3aeabeff293aa32ed8ec6ce8ccb04f

SHA256
e12a80d6482d30071a666f3382d83362508cac2dcbf29d3da97260d618a0a319

SHA512
fe0e6e34a31ecd015046c9d687a7833ef4ac24a8c769067958a2b8088b7ae027feb591ab3a56c5d127b1b33f8d7b9f78f02999944824126e55d936515029f9e6

Download Submit
\Windows\SysWOW64\Effcma32.exe

Filesize
95KB

MD5
8e50e980caa1cd431fb120d4f7d3e1a5

SHA1
d985291bb98ac8e9e2b6d68734e72c5c41a44c2a

SHA256
7cef0a64e493abedea7df4ad5b42b4699f81e27dd8744d7b30c2fb53e14336a2

SHA512
5fa04d2eb205a9ebf634277963458169f54b9a796d2476f4860f29b36829ee47987e90f895f6c6b373f56147ab237f80e8ebdb62226933ff58ee5d44d23c0164

Download Submit
\Windows\SysWOW64\Effcma32.exe

Filesize
95KB

MD5
8e50e980caa1cd431fb120d4f7d3e1a5

SHA1
d985291bb98ac8e9e2b6d68734e72c5c41a44c2a

SHA256
7cef0a64e493abedea7df4ad5b42b4699f81e27dd8744d7b30c2fb53e14336a2

SHA512
5fa04d2eb205a9ebf634277963458169f54b9a796d2476f4860f29b36829ee47987e90f895f6c6b373f56147ab237f80e8ebdb62226933ff58ee5d44d23c0164

Download Submit
\Windows\SysWOW64\Ekelld32.exe

Filesize
95KB

MD5
f027eab3e065d4cdf9ec1939709ac910

SHA1
b7d5d8520dbd0f0ea3d79843531e5aa2ebc7ea0a

SHA256
70961cc9d8c36ffd0d19e3002ff78050db81956935c735b611e38f2bb40428e0

SHA512
4f233b84d35989f456411110836d688ddfecce4ce2438d36b08c7506e38d0e045afaa1788c5abf9840ed6e432020eabe715e420ac032683263e81ace1c4c6457

Download Submit
\Windows\SysWOW64\Ekelld32.exe

Filesize
95KB

MD5
f027eab3e065d4cdf9ec1939709ac910

SHA1
b7d5d8520dbd0f0ea3d79843531e5aa2ebc7ea0a

SHA256
70961cc9d8c36ffd0d19e3002ff78050db81956935c735b611e38f2bb40428e0

SHA512
4f233b84d35989f456411110836d688ddfecce4ce2438d36b08c7506e38d0e045afaa1788c5abf9840ed6e432020eabe715e420ac032683263e81ace1c4c6457

Download Submit
\Windows\SysWOW64\Emkaol32.exe

Filesize
95KB

MD5
c830bb512a7105f79696956a6a5a7f29

SHA1
a6335f0a596dde9dc96525186f44e16bfe974aa7

SHA256
e3075f42fc128d99439d491452351bc85c77f59bdee0ea1e8a568968d38b193b

SHA512
3525fc7b08d15cbbe0ecd359d76bf1f802acdaf93842d097726ff8dc963aff0291c6c918589e50c750536acf4df6a6fa284871113cc976b8d2e611aafbe03577

Download Submit
\Windows\SysWOW64\Emkaol32.exe

Filesize
95KB

MD5
c830bb512a7105f79696956a6a5a7f29

SHA1
a6335f0a596dde9dc96525186f44e16bfe974aa7

SHA256
e3075f42fc128d99439d491452351bc85c77f59bdee0ea1e8a568968d38b193b

SHA512
3525fc7b08d15cbbe0ecd359d76bf1f802acdaf93842d097726ff8dc963aff0291c6c918589e50c750536acf4df6a6fa284871113cc976b8d2e611aafbe03577

Download Submit
\Windows\SysWOW64\Emnndlod.exe

Filesize
95KB

MD5
497631b5f46cee2abf70a8c9d69d7cae

SHA1
afc9ee9b9a2b3eb75b2044b9ca1760fca96af8bc

SHA256
9717ab7ac52ad496bbf04ff8c14eb1e2cbb702e507cd2746ecddbf39e033daa3

SHA512
6dd4baefbc7ea5fc95467264e9076f6f65e1bc95f9e48d6ccb68490c56a3fe9dac98c91de215166900290fb258dc8a956986b3ecb39a76d6ae428614b7a2a5b8

Download Submit
\Windows\SysWOW64\Emnndlod.exe

Filesize
95KB

MD5
497631b5f46cee2abf70a8c9d69d7cae

SHA1
afc9ee9b9a2b3eb75b2044b9ca1760fca96af8bc

SHA256
9717ab7ac52ad496bbf04ff8c14eb1e2cbb702e507cd2746ecddbf39e033daa3

SHA512
6dd4baefbc7ea5fc95467264e9076f6f65e1bc95f9e48d6ccb68490c56a3fe9dac98c91de215166900290fb258dc8a956986b3ecb39a76d6ae428614b7a2a5b8

Download Submit
\Windows\SysWOW64\Enfenplo.exe

Filesize
95KB

MD5
a5c2a086ca5b0b40af875c8b8acd86a5

SHA1
5097d05e1c5948929d40e835adc53406ab48f782

SHA256
a177b65e99f5fe5fb86ad1a0c56c33a8a791d50317d0528d9912fe45d51f2881

SHA512
b3b1c58b90511634727c03fa1ae8d1ed471d171da9313f62069f453a3b64471dbbd5c433e2864ead8c29ce32aa4cafa4c07691cec4ddb247ee1e3fc56dcaa36d

Download Submit
\Windows\SysWOW64\Enfenplo.exe

Filesize
95KB

MD5
a5c2a086ca5b0b40af875c8b8acd86a5

SHA1
5097d05e1c5948929d40e835adc53406ab48f782

SHA256
a177b65e99f5fe5fb86ad1a0c56c33a8a791d50317d0528d9912fe45d51f2881

SHA512
b3b1c58b90511634727c03fa1ae8d1ed471d171da9313f62069f453a3b64471dbbd5c433e2864ead8c29ce32aa4cafa4c07691cec4ddb247ee1e3fc56dcaa36d

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
95KB

MD5
f660bdd2e4bc467d0237d788d2919fa4

SHA1
f302acb44381da46043c5830df377fad2e1936db

SHA256
c801f79dcf7513e1fae7731837444755a5dce2440164101e39aa0686678eb62f

SHA512
353f5152367b393283e3a789d71feb9f7785778b40bac2f0ef0f53e3063da5f4cfc6b713676d06ce5a5648deced7bdbbc1d39336fa75036e37157546a0899f89

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
95KB

MD5
f660bdd2e4bc467d0237d788d2919fa4

SHA1
f302acb44381da46043c5830df377fad2e1936db

SHA256
c801f79dcf7513e1fae7731837444755a5dce2440164101e39aa0686678eb62f

SHA512
353f5152367b393283e3a789d71feb9f7785778b40bac2f0ef0f53e3063da5f4cfc6b713676d06ce5a5648deced7bdbbc1d39336fa75036e37157546a0899f89

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
95KB

MD5
f660bdd2e4bc467d0237d788d2919fa4

SHA1
f302acb44381da46043c5830df377fad2e1936db

SHA256
c801f79dcf7513e1fae7731837444755a5dce2440164101e39aa0686678eb62f

SHA512
353f5152367b393283e3a789d71feb9f7785778b40bac2f0ef0f53e3063da5f4cfc6b713676d06ce5a5648deced7bdbbc1d39336fa75036e37157546a0899f89

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
95KB

MD5
f660bdd2e4bc467d0237d788d2919fa4

SHA1
f302acb44381da46043c5830df377fad2e1936db

SHA256
c801f79dcf7513e1fae7731837444755a5dce2440164101e39aa0686678eb62f

SHA512
353f5152367b393283e3a789d71feb9f7785778b40bac2f0ef0f53e3063da5f4cfc6b713676d06ce5a5648deced7bdbbc1d39336fa75036e37157546a0899f89

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
95KB

MD5
f660bdd2e4bc467d0237d788d2919fa4

SHA1
f302acb44381da46043c5830df377fad2e1936db

SHA256
c801f79dcf7513e1fae7731837444755a5dce2440164101e39aa0686678eb62f

SHA512
353f5152367b393283e3a789d71feb9f7785778b40bac2f0ef0f53e3063da5f4cfc6b713676d06ce5a5648deced7bdbbc1d39336fa75036e37157546a0899f89

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
95KB

MD5
f660bdd2e4bc467d0237d788d2919fa4

SHA1
f302acb44381da46043c5830df377fad2e1936db

SHA256
c801f79dcf7513e1fae7731837444755a5dce2440164101e39aa0686678eb62f

SHA512
353f5152367b393283e3a789d71feb9f7785778b40bac2f0ef0f53e3063da5f4cfc6b713676d06ce5a5648deced7bdbbc1d39336fa75036e37157546a0899f89

Download Submit
memory/284-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/528-174-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/528-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/988-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/988-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1172-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1984-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1984-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-16-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2260-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-6-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2560-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-83-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-88-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/2620-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2620-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2628-64-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2628-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2628-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-26-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2684-85-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2684-86-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2684-78-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2772-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-108-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2920-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads