68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-08-2024 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
Size

45KB
MD5

ba9361757c07738ecf5fd047e69fe5ad
SHA1

6a238bec38c6eb1f459df2d901b6f3dd7e222d60
SHA256

68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f
SHA512

7e043b9af75d9e4a85e0a6052a7d49ad72ea453408b8ba351951a37c9df1c68c5bbe826838389c9e08ea3127a696f927de3cd587f7487a13daa80e1ad4b3a511
SSDEEP

768:MDZ5BAB62EzA4vBcDhRXhI6EMZqyiHS6nTI6Nl7/1H53X:u6B62Es4W+PhbtF

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efcfga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecejkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eplkpgnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fidoim32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efcfga32.exe

Executes dropped EXE 7 IoCs

pid	Process
2656	Eqgnokip.exe
2676	Ecejkf32.exe
2584	Efcfga32.exe
2596	Emnndlod.exe
2672	Eplkpgnh.exe
1160	Fidoim32.exe
592	Fkckeh32.exe

Loads dropped DLL 18 IoCs

pid	Process
2252	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
2252	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
2656	Eqgnokip.exe
2656	Eqgnokip.exe
2676	Ecejkf32.exe
2676	Ecejkf32.exe
2584	Efcfga32.exe
2584	Efcfga32.exe
2596	Emnndlod.exe
2596	Emnndlod.exe
2672	Eplkpgnh.exe
2672	Eplkpgnh.exe
1160	Fidoim32.exe
1160	Fidoim32.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ecejkf32.exe	Eqgnokip.exe
File opened for modification	C:\Windows\SysWOW64\Efcfga32.exe	Ecejkf32.exe
File created	C:\Windows\SysWOW64\Emnndlod.exe	Efcfga32.exe
File opened for modification	C:\Windows\SysWOW64\Emnndlod.exe	Efcfga32.exe
File created	C:\Windows\SysWOW64\Inegme32.dll	Efcfga32.exe
File opened for modification	C:\Windows\SysWOW64\Eqgnokip.exe	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
File created	C:\Windows\SysWOW64\Jaqddb32.dll	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
File created	C:\Windows\SysWOW64\Eplkpgnh.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Fidoim32.exe	Eplkpgnh.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File created	C:\Windows\SysWOW64\Eqgnokip.exe	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
File created	C:\Windows\SysWOW64\Bdacap32.dll	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Fdilpjih.dll	Ecejkf32.exe
File opened for modification	C:\Windows\SysWOW64\Eplkpgnh.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Ahoanjcc.dll	Emnndlod.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Fidoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ecejkf32.exe	Eqgnokip.exe
File opened for modification	C:\Windows\SysWOW64\Fidoim32.exe	Eplkpgnh.exe
File created	C:\Windows\SysWOW64\Khknah32.dll	Eplkpgnh.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File created	C:\Windows\SysWOW64\Efcfga32.exe	Ecejkf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2992	592	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eplkpgnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fidoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqgnokip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecejkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efcfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emnndlod.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll"	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecejkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eplkpgnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilpjih.dll"	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll"	Emnndlod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fidoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdacap32.dll"	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khknah32.dll"	Eplkpgnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fidoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inegme32.dll"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Fidoim32.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2656	2252	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe	30
PID 2252 wrote to memory of 2656	2252	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe	30
PID 2252 wrote to memory of 2656	2252	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe	30
PID 2252 wrote to memory of 2656	2252	68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe	30
PID 2656 wrote to memory of 2676	2656	Eqgnokip.exe	31
PID 2656 wrote to memory of 2676	2656	Eqgnokip.exe	31
PID 2656 wrote to memory of 2676	2656	Eqgnokip.exe	31
PID 2656 wrote to memory of 2676	2656	Eqgnokip.exe	31
PID 2676 wrote to memory of 2584	2676	Ecejkf32.exe	32
PID 2676 wrote to memory of 2584	2676	Ecejkf32.exe	32
PID 2676 wrote to memory of 2584	2676	Ecejkf32.exe	32
PID 2676 wrote to memory of 2584	2676	Ecejkf32.exe	32
PID 2584 wrote to memory of 2596	2584	Efcfga32.exe	33
PID 2584 wrote to memory of 2596	2584	Efcfga32.exe	33
PID 2584 wrote to memory of 2596	2584	Efcfga32.exe	33
PID 2584 wrote to memory of 2596	2584	Efcfga32.exe	33
PID 2596 wrote to memory of 2672	2596	Emnndlod.exe	34
PID 2596 wrote to memory of 2672	2596	Emnndlod.exe	34
PID 2596 wrote to memory of 2672	2596	Emnndlod.exe	34
PID 2596 wrote to memory of 2672	2596	Emnndlod.exe	34
PID 2672 wrote to memory of 1160	2672	Eplkpgnh.exe	35
PID 2672 wrote to memory of 1160	2672	Eplkpgnh.exe	35
PID 2672 wrote to memory of 1160	2672	Eplkpgnh.exe	35
PID 2672 wrote to memory of 1160	2672	Eplkpgnh.exe	35
PID 1160 wrote to memory of 592	1160	Fidoim32.exe	36
PID 1160 wrote to memory of 592	1160	Fidoim32.exe	36
PID 1160 wrote to memory of 592	1160	Fidoim32.exe	36
PID 1160 wrote to memory of 592	1160	Fidoim32.exe	36
PID 592 wrote to memory of 2992	592	Fkckeh32.exe	37
PID 592 wrote to memory of 2992	592	Fkckeh32.exe	37
PID 592 wrote to memory of 2992	592	Fkckeh32.exe	37
PID 592 wrote to memory of 2992	592	Fkckeh32.exe	37

C:\Users\Admin\AppData\Local\Temp\68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe
"C:\Users\Admin\AppData\Local\Temp\68fdaf88140ee5d381ad0097d545327be911079e0c7391e018a60d58eed3610f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\Eqgnokip.exe
  C:\Windows\system32\Eqgnokip.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\Ecejkf32.exe
    C:\Windows\system32\Ecejkf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\Efcfga32.exe
      C:\Windows\system32\Efcfga32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\Emnndlod.exe
        
        C:\Windows\system32\Emnndlod.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\SysWOW64\Eplkpgnh.exe
        
        C:\Windows\system32\Eplkpgnh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Fidoim32.exe
        
        C:\Windows\system32\Fidoim32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 140
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecejkf32.exe

Filesize
45KB

MD5
8b35101d0d71fcfe9296862d322432f4

SHA1
930e19298623eab6a3e926a87e969f765f5a5ed2

SHA256
e1e17e502f12f4d5914a41adcb491f1042054ab42f5d2898965a0c4cec5c9425

SHA512
71f7e81f23f63292858c5d0c88126544a950b700e1b5161026580b8765ad5f01ce4609b93fff1cc0cfd959ab7b202423af2a9f1270ad8478f5b72d62c28f8ba1

Download Submit
C:\Windows\SysWOW64\Eqgnokip.exe

Filesize
45KB

MD5
fca17bf6ce4951715834076ec5ffccac

SHA1
31aed757085f330c9b1ce66caa42fd561e2e5702

SHA256
05aa8ceb25e74965e41576ddd23bf1438718099432b6f4b6fa978063fd903571

SHA512
c892a20e64a813cdd652bf570b40d4e464b1ddc019fbcbf0fb88620cd80af144b46748828e0cf6a450910560662537b4ab4aae4a0a99a957aa14c27afa095f0b

Download Submit
\Windows\SysWOW64\Efcfga32.exe

Filesize
45KB

MD5
8b6b149fe0be52e484634103a90b0e36

SHA1
d1649bcbe0e183a72ae5e9013bc178dbe1edce01

SHA256
f7d3fe7482b61415fbb64b86a94620018e797c819d326a53fc89357774a15417

SHA512
b706a6da3dbe5ce29aaf5e4c4308ba26d430cbf1d847522aa58b88d34e73f90a253b169f3aacc047e380694976a10b242fc1a4803ccdc372da33274c88f45ab9

Download Submit
\Windows\SysWOW64\Emnndlod.exe

Filesize
45KB

MD5
dbfaa270822c9624d0d3e77cf4af740a

SHA1
0b6871bc0ea6450db1c92f37de1f664169166a5f

SHA256
5baf2720a3889b14f4acaa3ab290b1740911828c14b4d4a51ad799cdff1ea157

SHA512
1b8b7af1050762429609259edcda54dca052b0cb8a8b71fb1205c16ddbfce7ed2cbd2ccaf4e48a5042ce7cdcf400a8ce58260994c0885979bbd1669de7f04ff0

Download Submit
\Windows\SysWOW64\Eplkpgnh.exe

Filesize
45KB

MD5
c8da8582a3288c739316522c70d5ac48

SHA1
a4419c08ad3c3e90d3a5ceb822e5b252066cfffd

SHA256
375589c8d499add5fc48234b729e001f86eb5a4a961a7b45fd31c6a733228a17

SHA512
4f5f48d354affe59618876937e774bd52c49da42cba4bc55a9d1ab9faeec6a2f11d4a0bd845cac9fb36e5183929a58eaa5b86e272c14002786ef88925156c79c

Download Submit
\Windows\SysWOW64\Fidoim32.exe

Filesize
45KB

MD5
d28bd50d845d71fb9e56cc78aa4bc2be

SHA1
48f34c9b6f5a8324a021a94893b12265f88d1651

SHA256
a408165cd2d750143178cf03c58c05e029f4f8b935f39e2d7933a0e6f833cdaa

SHA512
3b7aa2e0a76c09fef0f9a12ae396b411decd10370bbc892fbe53250363905d049d11bf75e053e82d778dc5d9b7a3b91ba8b57552d76cbcbb6c6aee602f568510

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
45KB

MD5
5c32f7732b53fade514538eb46d29287

SHA1
c2ca45ffda31baf15e96dca13303463a52eaecae

SHA256
7425bb86cf75340db57299342bc66baec600b251628f321d3f346d7b73640ecd

SHA512
83a23e4110e18b044cb2d42f07d4d300cbb7b9a85944b7860d2f79d7ed24c217a1115ff4d79c6f6c283b9c1efb5f7600787ddfe705eb1ce0bc0b55d60a5fcb60

Download Submit
memory/592-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/592-109-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1160-90-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1160-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1160-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-102-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-17-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2584-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2584-54-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2584-105-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-106-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-62-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2656-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-26-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2672-82-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2672-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-40-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2676-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads