b5789d84729d8a4313f8aeb76136c9c3b17b378ba26e6a18e584bf3364aefbb4

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 16:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0beb1c1ef45f204446d634562d82d900N.exe
Size

93KB
MD5

0beb1c1ef45f204446d634562d82d900
SHA1

511e30ed244a39fed5fc6765d4be282cc4d22ee6
SHA256

b5789d84729d8a4313f8aeb76136c9c3b17b378ba26e6a18e584bf3364aefbb4
SHA512

29cf320d761866abd3162512807f9bb54bf601752bdf0f6a453afb858f0040ecd283c3e35a1061b1efe1cc000952a5af44cd5b686b5958a1117d0044b6bdc8ac
SSDEEP

1536:gnno1lZjSKQ6+qHKjbTHcQPv7TbQsRQBKRkRLJzeLD9N0iQGRNQR8RyV+32rR:gnsjEVDbPPeASJdEN0s4WE+3K

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fkjfakng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0beb1c1ef45f204446d634562d82d900N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edihdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dahfkimd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjfakng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enopghee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dickplko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Edihdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcnlnaom.exe

Executes dropped EXE 48 IoCs

pid	Process
4752	Dahfkimd.exe
4908	Ddfbgelh.exe
1084	Dgdncplk.exe
4072	Dickplko.exe
2100	Ddhomdje.exe
3536	Dkbgjo32.exe
1816	Dpopbepi.exe
552	Dcnlnaom.exe
5000	Daollh32.exe
3984	Dcphdqmj.exe
4320	Ejjaqk32.exe
1588	Edoencdm.exe
5080	Egnajocq.exe
5012	Edaaccbj.exe
2752	Enjfli32.exe
3520	Ekngemhd.exe
3560	Eqkondfl.exe
2988	Ecikjoep.exe
4740	Ekqckmfb.exe
3080	Enopghee.exe
2960	Eajlhg32.exe
1216	Edihdb32.exe
4260	Fkcpql32.exe
4412	Fjeplijj.exe
2776	Famhmfkl.exe
3452	Fqphic32.exe
4340	Fdkdibjp.exe
2764	Fgiaemic.exe
4584	Fkemfl32.exe
4944	Fncibg32.exe
1940	Fqbeoc32.exe
4628	Fdmaoahm.exe
3244	Fcpakn32.exe
2784	Fkgillpj.exe
2328	Fnffhgon.exe
3556	Fbaahf32.exe
3232	Fqdbdbna.exe
4524	Fcbnpnme.exe
1524	Fgnjqm32.exe
2472	Fkjfakng.exe
4216	Fnhbmgmk.exe
1400	Fbdnne32.exe
2420	Fdbkja32.exe
2452	Fgqgfl32.exe
2240	Fklcgk32.exe
1548	Fnjocf32.exe
440	Fbfkceca.exe
2216	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Egnajocq.exe	Edoencdm.exe
File opened for modification	C:\Windows\SysWOW64\Edaaccbj.exe	Egnajocq.exe
File opened for modification	C:\Windows\SysWOW64\Ecikjoep.exe	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Okkbgpmc.dll	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Begndj32.dll	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Hdedgjno.dll	0beb1c1ef45f204446d634562d82d900N.exe
File created	C:\Windows\SysWOW64\Hhdebqbi.dll	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Fjeplijj.exe	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Ppkjigdd.dll	Fqphic32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fbfkceca.exe
File opened for modification	C:\Windows\SysWOW64\Ddhomdje.exe	Dickplko.exe
File created	C:\Windows\SysWOW64\Kkcghg32.dll	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Bhkacq32.dll	Edoencdm.exe
File created	C:\Windows\SysWOW64\Ofjljj32.dll	Eajlhg32.exe
File opened for modification	C:\Windows\SysWOW64\Fjeplijj.exe	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Nailkcbb.dll	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Fnjocf32.exe	Fklcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Dahfkimd.exe	0beb1c1ef45f204446d634562d82d900N.exe
File created	C:\Windows\SysWOW64\Dickplko.exe	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Fbdnne32.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Ndmojj32.dll	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Imhcpepk.dll	Enopghee.exe
File opened for modification	C:\Windows\SysWOW64\Fbaahf32.exe	Fnffhgon.exe
File opened for modification	C:\Windows\SysWOW64\Edoencdm.exe	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Fnffhgon.exe	Fkgillpj.exe
File opened for modification	C:\Windows\SysWOW64\Dickplko.exe	Dgdncplk.exe
File opened for modification	C:\Windows\SysWOW64\Dkbgjo32.exe	Ddhomdje.exe
File created	C:\Windows\SysWOW64\Dodfed32.dll	Eqkondfl.exe
File opened for modification	C:\Windows\SysWOW64\Fdmaoahm.exe	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Fcbnpnme.exe	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Iolgql32.dll	Fkjfakng.exe
File created	C:\Windows\SysWOW64\Fbfkceca.exe	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Dgdncplk.exe	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Eqkondfl.exe	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Eacdhhjj.dll	Fkcpql32.exe
File opened for modification	C:\Windows\SysWOW64\Fgnjqm32.exe	Fcbnpnme.exe
File opened for modification	C:\Windows\SysWOW64\Famhmfkl.exe	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Fqbeoc32.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Fbaahf32.exe	Fnffhgon.exe
File created	C:\Windows\SysWOW64\Fofobm32.dll	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Ohjckodg.dll	Ddhomdje.exe
File created	C:\Windows\SysWOW64\Dcnlnaom.exe	Dpopbepi.exe
File opened for modification	C:\Windows\SysWOW64\Fbfkceca.exe	Fnjocf32.exe
File opened for modification	C:\Windows\SysWOW64\Ejjaqk32.exe	Dcphdqmj.exe
File created	C:\Windows\SysWOW64\Fkcpql32.exe	Edihdb32.exe
File created	C:\Windows\SysWOW64\Edihdb32.exe	Eajlhg32.exe
File created	C:\Windows\SysWOW64\Jfqqddpi.dll	Fdmaoahm.exe
File created	C:\Windows\SysWOW64\Agecdgmk.dll	Dahfkimd.exe
File created	C:\Windows\SysWOW64\Cjeejn32.dll	Egnajocq.exe
File opened for modification	C:\Windows\SysWOW64\Fkjfakng.exe	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Fdmaoahm.exe	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Fkgillpj.exe	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Fcpakn32.exe	Fdmaoahm.exe
File opened for modification	C:\Windows\SysWOW64\Fkgillpj.exe	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Gihfoi32.dll	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fkjfakng.exe
File created	C:\Windows\SysWOW64\Fhgmqghl.dll	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Eajlhg32.exe	Enopghee.exe
File created	C:\Windows\SysWOW64\Glkkmjeh.dll	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Jgjjlakk.dll	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Dpopbepi.exe	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Kcpcgc32.dll	Dpopbepi.exe
File opened for modification	C:\Windows\SysWOW64\Ekngemhd.exe	Enjfli32.exe
File created	C:\Windows\SysWOW64\Kamonn32.dll	Enjfli32.exe

Program crash 1 IoCs

pid	pid_target	Process
3724	2216	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daollh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjeplijj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Famhmfkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkemfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcnlnaom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkdibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdmaoahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdncplk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edoencdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edaaccbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkondfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjfakng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enopghee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkcpql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkgillpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egnajocq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpopbepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcphdqmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejjaqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekqckmfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edihdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0beb1c1ef45f204446d634562d82d900N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fklcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjfli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhomdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahfkimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqphic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbdnne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddfbgelh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dickplko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eajlhg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacdhhjj.dll"	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjeejn32.dll"	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhcpepk.dll"	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkkmjeh.dll"	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0beb1c1ef45f204446d634562d82d900N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	0beb1c1ef45f204446d634562d82d900N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcblekh.dll"	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dickplko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqphic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Egnajocq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dickplko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbhcl32.dll"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajlgpic.dll"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djojepof.dll"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll"	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agecdgmk.dll"	Dahfkimd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll"	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqqddpi.dll"	Fdmaoahm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdedgjno.dll"	0beb1c1ef45f204446d634562d82d900N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjfeo32.dll"	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkcghg32.dll"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnimkcjf.dll"	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahkdgl32.dll"	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll"	Fgiaemic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 4752	4892	0beb1c1ef45f204446d634562d82d900N.exe	89
PID 4892 wrote to memory of 4752	4892	0beb1c1ef45f204446d634562d82d900N.exe	89
PID 4892 wrote to memory of 4752	4892	0beb1c1ef45f204446d634562d82d900N.exe	89
PID 4752 wrote to memory of 4908	4752	Dahfkimd.exe	90
PID 4752 wrote to memory of 4908	4752	Dahfkimd.exe	90
PID 4752 wrote to memory of 4908	4752	Dahfkimd.exe	90
PID 4908 wrote to memory of 1084	4908	Ddfbgelh.exe	91
PID 4908 wrote to memory of 1084	4908	Ddfbgelh.exe	91
PID 4908 wrote to memory of 1084	4908	Ddfbgelh.exe	91
PID 1084 wrote to memory of 4072	1084	Dgdncplk.exe	92
PID 1084 wrote to memory of 4072	1084	Dgdncplk.exe	92
PID 1084 wrote to memory of 4072	1084	Dgdncplk.exe	92
PID 4072 wrote to memory of 2100	4072	Dickplko.exe	93
PID 4072 wrote to memory of 2100	4072	Dickplko.exe	93
PID 4072 wrote to memory of 2100	4072	Dickplko.exe	93
PID 2100 wrote to memory of 3536	2100	Ddhomdje.exe	94
PID 2100 wrote to memory of 3536	2100	Ddhomdje.exe	94
PID 2100 wrote to memory of 3536	2100	Ddhomdje.exe	94
PID 3536 wrote to memory of 1816	3536	Dkbgjo32.exe	95
PID 3536 wrote to memory of 1816	3536	Dkbgjo32.exe	95
PID 3536 wrote to memory of 1816	3536	Dkbgjo32.exe	95
PID 1816 wrote to memory of 552	1816	Dpopbepi.exe	96
PID 1816 wrote to memory of 552	1816	Dpopbepi.exe	96
PID 1816 wrote to memory of 552	1816	Dpopbepi.exe	96
PID 552 wrote to memory of 5000	552	Dcnlnaom.exe	98
PID 552 wrote to memory of 5000	552	Dcnlnaom.exe	98
PID 552 wrote to memory of 5000	552	Dcnlnaom.exe	98
PID 5000 wrote to memory of 3984	5000	Daollh32.exe	99
PID 5000 wrote to memory of 3984	5000	Daollh32.exe	99
PID 5000 wrote to memory of 3984	5000	Daollh32.exe	99
PID 3984 wrote to memory of 4320	3984	Dcphdqmj.exe	100
PID 3984 wrote to memory of 4320	3984	Dcphdqmj.exe	100
PID 3984 wrote to memory of 4320	3984	Dcphdqmj.exe	100
PID 4320 wrote to memory of 1588	4320	Ejjaqk32.exe	101
PID 4320 wrote to memory of 1588	4320	Ejjaqk32.exe	101
PID 4320 wrote to memory of 1588	4320	Ejjaqk32.exe	101
PID 1588 wrote to memory of 5080	1588	Edoencdm.exe	103
PID 1588 wrote to memory of 5080	1588	Edoencdm.exe	103
PID 1588 wrote to memory of 5080	1588	Edoencdm.exe	103
PID 5080 wrote to memory of 5012	5080	Egnajocq.exe	104
PID 5080 wrote to memory of 5012	5080	Egnajocq.exe	104
PID 5080 wrote to memory of 5012	5080	Egnajocq.exe	104
PID 5012 wrote to memory of 2752	5012	Edaaccbj.exe	105
PID 5012 wrote to memory of 2752	5012	Edaaccbj.exe	105
PID 5012 wrote to memory of 2752	5012	Edaaccbj.exe	105
PID 2752 wrote to memory of 3520	2752	Enjfli32.exe	106
PID 2752 wrote to memory of 3520	2752	Enjfli32.exe	106
PID 2752 wrote to memory of 3520	2752	Enjfli32.exe	106
PID 3520 wrote to memory of 3560	3520	Ekngemhd.exe	107
PID 3520 wrote to memory of 3560	3520	Ekngemhd.exe	107
PID 3520 wrote to memory of 3560	3520	Ekngemhd.exe	107
PID 3560 wrote to memory of 2988	3560	Eqkondfl.exe	109
PID 3560 wrote to memory of 2988	3560	Eqkondfl.exe	109
PID 3560 wrote to memory of 2988	3560	Eqkondfl.exe	109
PID 2988 wrote to memory of 4740	2988	Ecikjoep.exe	110
PID 2988 wrote to memory of 4740	2988	Ecikjoep.exe	110
PID 2988 wrote to memory of 4740	2988	Ecikjoep.exe	110
PID 4740 wrote to memory of 3080	4740	Ekqckmfb.exe	111
PID 4740 wrote to memory of 3080	4740	Ekqckmfb.exe	111
PID 4740 wrote to memory of 3080	4740	Ekqckmfb.exe	111
PID 3080 wrote to memory of 2960	3080	Enopghee.exe	112
PID 3080 wrote to memory of 2960	3080	Enopghee.exe	112
PID 3080 wrote to memory of 2960	3080	Enopghee.exe	112
PID 2960 wrote to memory of 1216	2960	Eajlhg32.exe	113

C:\Users\Admin\AppData\Local\Temp\0beb1c1ef45f204446d634562d82d900N.exe
"C:\Users\Admin\AppData\Local\Temp\0beb1c1ef45f204446d634562d82d900N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\Dahfkimd.exe
  C:\Windows\system32\Dahfkimd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\Ddfbgelh.exe
    C:\Windows\system32\Ddfbgelh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\SysWOW64\Dgdncplk.exe
      C:\Windows\system32\Dgdncplk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1084
    - - C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
      - C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 412
        50⤵
        Program crash
        
        PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2216 -ip 2216
1⤵
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1020,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dahfkimd.exe

Filesize
93KB

MD5
385316950f40f8cdb5f0ed814e823189

SHA1
c96b8d7523db05ee051aec126bc8918fc72f7317

SHA256
a93c081f7bb0401a2a66d800f4a5dd54bf54436680dfa6f358cc3a417316f8e4

SHA512
ebaa47c5fd2116cfac8cc150ce0a074b5b0f24df29ac17475c709930880c9d09a1f8e9cb55effdd96ac95a92c271b4487ea060e521a0b1e89c0d3395e30b6da3

Download Submit
C:\Windows\SysWOW64\Daollh32.exe

Filesize
93KB

MD5
a11773b425d9be5a0e3a30e8a9cf5147

SHA1
6753f8d6459a96628e81aa9d395f8d5665ee666c

SHA256
c99636d767f9acdacc5edef626e88816da43e406fce83ef70c753a9845f8ad85

SHA512
4c1ab20bd44b4e5938b0e2240a8cbac8a9de76ff635d1fd7117bf3d01911320250d42a717c241e7b107c43cc09602c3ce55605618bcf13fefca87fd19e47f6d2

Download Submit
C:\Windows\SysWOW64\Dcnlnaom.exe

Filesize
93KB

MD5
0101e72fdfcde24bfde979fc7e6a420c

SHA1
ef2599e2284057939437130c5425e0f5985af2b3

SHA256
f129c6be0eb52766fd112ad1cbe5071e99f524eb4aceacf376c65fee6621e202

SHA512
9ea9159618f80009815476ef9f56977494d60db222fb49e57f7db220cf1d89c184aa44424faf1cb1f078ccb51b75c94010597fdf7d9edbf6da0fa6e4a5e3e0ef

Download Submit
C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
93KB

MD5
cb53120da80e9de699d43721b02484cc

SHA1
399ee84bbdd68ed9589a8cb8d41562060d3719e0

SHA256
adb37ae4d45022d35b452c819ff22a7e1190edcdfc2d9bb746b8e8e9bac1c8f4

SHA512
b0cf13e11df7b5eaf5d3362024b53478665ea00723a2d2c69bac32ef62371817fe29f4d3e088172fb3c1e2aa4f615d89b7bf67524b407621f9903ee071e8e4e7

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
93KB

MD5
f384fa9d2f119dbc5b07eace0a78f6e0

SHA1
8dc2452b564f266c0ca0fb5909602cb609bdb5ed

SHA256
2dcebeef44e993d6ec11956e4e98db3e8bc8dd82e07c1fc42a1089e494cd391a

SHA512
16ffcdf4aacf8863d0d50d2a60c9b50e312c6db1af9add4d9f1dddf0b7e1a2c39c9384755d9bef43201b2fbe4071cde5d84a0f21b3b845dca7ec96c0fac67fdb

Download Submit
C:\Windows\SysWOW64\Ddhomdje.exe

Filesize
93KB

MD5
7680068aea89e75d7fd15ac21713641d

SHA1
3e065a15e0482d2d98cff5b324d25d45a86127f2

SHA256
8e5e346c7fa1a0ded183f8f2b49865533ab7dd45df88621cd2418ee402973f52

SHA512
f0426386db45984bbf7814c91f036d31b6f3e87e0287fc7ff1584881890fad00dc496ab2efe0c22f977fdf394d433d24df49055e73c9b97c010380e6257ace0f

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
93KB

MD5
f6962277643b3c508ecb825202e3ee2f

SHA1
c96792cb8b2ae4a7f9c32485bf0a88d1655c326e

SHA256
7f0ec597b1def3eabbc3b572752b68841c761bbcbd29396dedffa78586d5e934

SHA512
b95c318506251e6f391273cc5357560ec20a26838ff1ae20bb930f58a692e23ba4b8a68103507656288ebfddf6e37dd430d7f83c1aa93104ae44bdd7b641813d

Download Submit
C:\Windows\SysWOW64\Dickplko.exe

Filesize
93KB

MD5
99b0b1c42215dc9ba3508b67463ed67c

SHA1
1d8799f345a0c95609d90f95f8d04a840a855bfd

SHA256
461d432e060047a73d3427fc928515d8e93c034e0214fd422a34fe3e4bb6ddcb

SHA512
89510987cecfd35dda090a8211d30d198b2ad41f1093be8c50f001ddc7a0521853e0b99f7d0e42d2906fb378f88f2031a9af9f09eba1aede845306fe27b02aba

Download Submit
C:\Windows\SysWOW64\Dkbgjo32.exe

Filesize
93KB

MD5
4c58c4f6cea42195743328c21bb9fda4

SHA1
741bfee0f70bb387248f44108e8fc03ed844104e

SHA256
04f2abfbc488aa13930d2449c98c21b6164c1576fec4e94b1a0bca46e31a0d51

SHA512
f2d0dbc5da293aa1d3aa7e7c0ae158cf15ce68174ff2fb6fd0d9a1f28902269cb72cb2df8bf9511bcad27d7cd6651e279403fac56de051f3d2e36c7bf79a7450

Download Submit
C:\Windows\SysWOW64\Dpopbepi.exe

Filesize
93KB

MD5
90b5913b307747a22f2f06bbbc3682d3

SHA1
9a0cdef668b92857abb85de0d602260c17812609

SHA256
314efd97434df3aa9e6119d46ce73804aab4135a7e639e68ce014b5fb9b03a88

SHA512
97245bec688b6309fa6c2157a94a99c258e92ccc20f65d4db0fe7950e872cf7d4f415a9ab30439e3e6f2a6a2fbd009d96b79fc5d87447e7e25335cdfac45a0d7

Download Submit
C:\Windows\SysWOW64\Eajlhg32.exe

Filesize
93KB

MD5
0b04e1c7837f1349dff6a9915521d7d8

SHA1
c3f3089e2a69609800104b81941d7e2c29e4bb43

SHA256
f3e03bd89845a9eaae48e0bf4c2d9ba81a5e8bebdd2fb3528e56cbd003bdf906

SHA512
41e2ff6d97d3a8642196dd1db58aee3002c7b1df4addb6554f6406c7b0de274bb58dec3d3ae0c66e076eacd9ee8e6f1f52164e4b1398ad51d823489b42f77f79

Download Submit
C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
93KB

MD5
81da1bf8a5fb032cd90044ec627e7d18

SHA1
5230f8a62a5c391b2ebe12b93dcb0cc1c51039fe

SHA256
8e6c98c48584acc10286bfc3df01e41a8e53ea05e0e906ec522eef5e5697bba8

SHA512
ff039ef78ae14e3599ec80f4ef2cedbe3102cab00d3bae2fa01dfe8e38016b65f5d18d29aa8f1a1eda262872eb4952a01479263704e3cceb513c1edc6fbc31e2

Download Submit
C:\Windows\SysWOW64\Edaaccbj.exe

Filesize
93KB

MD5
bb56049d76440993768795a60cc7bfe1

SHA1
93702496c5bee8930e4c057a2a6da7afb6e69332

SHA256
fc9e9c49ff47b0e5d55ed94e5cf2ac53d8521550c8e58dd3396abc1b581c49e9

SHA512
474cd8fca742db84637c939c6db90e6690be8daf02ab735ec3c7e8a46784b779722da1b91be9a1a26a1a5f59cea3690e61d7b849fa7c8ff8f8c5bc6e0ec5f118

Download Submit
C:\Windows\SysWOW64\Edihdb32.exe

Filesize
93KB

MD5
1362904d429c3a43fa03cf41e2a4e1f3

SHA1
487ce6c6ed74e8bcd2f0e08699569230c6f79e09

SHA256
4bced0e82445ce8eac01108356ea7f74c55e2f04461789a01d09d726caa2cd69

SHA512
9703aee8ae3351be2702517c49845cf50cff86029f70210a4e4c27da323be2bbc74f24a1bf1cd79450d9f59f25fb1ac76283adaff770df44c1e4890eead1a4fd

Download Submit
C:\Windows\SysWOW64\Edoencdm.exe

Filesize
93KB

MD5
bc2005ec2f20f6fe3ddf4acc951da0e1

SHA1
7d316c28d56c5ac0dc6769b3c479c2a7b1aa7df1

SHA256
7e98193fc962c29e203d5f0e7d332ae613920d465036acac9ccc14ba2af042d1

SHA512
1616a7b3df8dc8474c49aaa9f7c1ccdeb68e2d53a737ee724ed7526178840f018e9e222f5038cb371302c38e81eb8076d5fdb6cf254731b0489224cd935a6719

Download Submit
C:\Windows\SysWOW64\Egnajocq.exe

Filesize
93KB

MD5
051608994a2afde42894dd10bef98935

SHA1
a1eafcfa5cfe2617f7af46c4290c44432208aa7c

SHA256
8eb45e5c14ca154944df139690e9bf72d151854a5665adfd3d3301b1c9bfce65

SHA512
29388b66ed7446b97c758e338f5aedf677fc8ddddcb13d815c2bc982734e8eae83ce78438d2ac2292bd8f867797226a26a658419a342870d992513bcab6a9835

Download Submit
C:\Windows\SysWOW64\Ejjaqk32.exe

Filesize
93KB

MD5
3743a54552de09192d97c1f1b7b61d2d

SHA1
ba6be774eceb9e71915bcd87b2242de9c37adac8

SHA256
a17c2f2c4d88fe1e3c5c87ea2555c7a4bffa855157a65126a774b6eaed75ff13

SHA512
992c3ab68f0b70e1258d2a44ad3930703d9d0c8576fc66b0eff32126f1a9ac16a0ba1cb65b7b239d6d058275aa3e75e492f9c3475b5bfed2696ec9f90f831841

Download Submit
C:\Windows\SysWOW64\Ekngemhd.exe

Filesize
93KB

MD5
5d9c810551abc644c12068f6e986df15

SHA1
26cd91af4876a66fc3ef9af6f1ae91c9076abcc1

SHA256
e8038826ac42b3e8e214c82051c34052a75bed7426682835be234e987f83b993

SHA512
01a3b9b47398d1ac04399d0823e794b4422172f641fc2c4dd11da0417bad9c37fca6f8920ee0af1a478a43418278f41dc7963ba624f3ce69841164f6b2fe26f9

Download Submit
C:\Windows\SysWOW64\Ekqckmfb.exe

Filesize
93KB

MD5
cc00e1ed9c3a8c937e01c631a4cff717

SHA1
b32f9b28877632022e28dabaef8fd8323a5b1124

SHA256
3ffec463afd37564729a65a091d633311672cbc9fcb35df5799a1aabe5ce371f

SHA512
a28636e46790fda79b83b04ef3d8fbe09d5696bbc5d217f7d1d22a75bbca18f350a329973769124504d326f38662d3cb33f5915ab64f000c51faff6f3cee305b

Download Submit
C:\Windows\SysWOW64\Enjfli32.exe

Filesize
93KB

MD5
cca11cc37fcd535df0109d4176596eb7

SHA1
aab6d515b6cb95e584023c721ec2205c8a13d4c9

SHA256
ebd8d2eaaf3949352a109b6045a11c81ccaecc012ebd4179065ec4f362f9196f

SHA512
88442ac007c84acccc7c568b8d18f5d0f898305a02981d2929bf7b1729c98bcb66353e9562eebdc17f1b2d476a728e72a399dfb8f02c4bcf903e4c4a9e76825b

Download Submit
C:\Windows\SysWOW64\Enopghee.exe

Filesize
93KB

MD5
7584ca1b4661750e6ccd0eb3d5bbe341

SHA1
e5c5ad7ef3108622e5fbd01a78bd0a74dbfee6f8

SHA256
0551c377a5b06b6a377183b495be619b3336c1e31e1d40b6062cb4f31725b45c

SHA512
ae4c9af9ac653907c56b99e26bd24791a441490907beb7cee7a4d50a83d9c70afa4580d12f69f8f23bc70301a1d742bb01521b0a14262e0851d3d22e146be0e0

Download Submit
C:\Windows\SysWOW64\Eqkondfl.exe

Filesize
93KB

MD5
3a4f759389ae5fdcd9754ea17642ac6e

SHA1
381ac0824eb1d66d5f9e2c191afc1946dd463c65

SHA256
8bf505b4ad108c04b7c2fb79c3072901d304ed38a9a148abb2ac4e0d2dc292d0

SHA512
1a1e5aabce7b5cdf6721ea9a290be067509285acacfed2a4d083e75feadcd62d01337600293c5a5b9fa3d34b8a3602ed86af0df3294b189bc4026a70e8da52d8

Download Submit
C:\Windows\SysWOW64\Famhmfkl.exe

Filesize
93KB

MD5
96b6a71ee281ebece0d3072c4840d7ab

SHA1
87a2aef1aa7c53a6ab182e48c7643f6d37634ad0

SHA256
4967f9784fa3be4b77bd7320eb8092a9cdccaf8218d050931dcb33c95b1cc1ac

SHA512
9a8644fe3a41ab5f7691d6bee71ab80e4dd13f8fe488e1b6131d60634832ba4603e9f39bd6e015481be79ac941f4c5ac6d2968003e9b02852817a4eb1feafd93

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe

Filesize
93KB

MD5
a4195d02268eea759d48de442076b2b7

SHA1
3ce3697f326051b1baca35eddfeaee7c1fcb9403

SHA256
2500cc77c346bdc5fe817ab7da586455304d9aac958f65ed128b9f0717c85966

SHA512
b47696e2c82aa1d74e2d7c3d3e6524dc7c9c25606ecd33aa4011ce58a53fc95a7ad7bcac5128e010e854b741f0819b4a1e5633c47a63cf12aa2196f6314f2147

Download Submit
C:\Windows\SysWOW64\Fdmaoahm.exe

Filesize
93KB

MD5
2b7005d8eeb8a05e3bd0d51be0d60abe

SHA1
42b4aef5b573c71561bc7bfae0e6b6a4de78f6ca

SHA256
f397bb036a26da1077a92619b8a9b4771692d9223b136adea29cdd28120aac64

SHA512
0522d66d8a4f7d9418008f955ed8339cd40a1a2394d595d17256973d60ed30ed0785cad75dcaeb76ca3a5b266bb0542ddb94f66c706f4621f23a9e867e1fddcf

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
93KB

MD5
343e066204ef83d59c0b6c919d2e2ea9

SHA1
71f484233a74560b67a5f8b1377b9b3b8c810c9b

SHA256
6b8cead4428023a9fbac733da5959e6f2b08c5620085b22e528c56630275fef9

SHA512
11aaa813969ec4aacd5414411c831a066f95571a7de85705498fb5bcebcde6b5a179e26e9e07fe717c22381e16f34ca009a947795379a44258caed6a0eefa3d0

Download Submit
C:\Windows\SysWOW64\Fjeplijj.exe

Filesize
93KB

MD5
405619b8d496933475f952b83c47338a

SHA1
24927b080c54d2042468707daba0ede6030b660c

SHA256
a0553ce7e67d0e075df11521fd3e6434f04f9350ec352fa352b43fc3c57f1ac4

SHA512
5ee5e813700a38fb1a68ad23efef963fa34b4c08f47e435662bc4046dce6e38780a209a6f13320696cee08cd6bfffb05f6a718b09ae549d6e5c27fcc76ffda01

Download Submit
C:\Windows\SysWOW64\Fkcpql32.exe

Filesize
93KB

MD5
5ef6e624b4df46f929a5c623e8ba8aa3

SHA1
7be6a70fe14fcbbbcee7f4454701f7adafa8fa7d

SHA256
2a4bc56561ef0f0c3969d5433d37cac8aa17baee478704c0b77964627bbe4acd

SHA512
1c44496ed729cc4d420b4ce4b36a7605f5179999ade361ff4aa32bbfe60f951b1a58fca618bf77c2e5b38316cb9200e429bee36d4b9926fc78aa898c1456033e

Download Submit
C:\Windows\SysWOW64\Fkemfl32.exe

Filesize
93KB

MD5
9463807c86ce8af6cedea017f819f0f0

SHA1
12b0502a80d5b07436de90a8dd6ab6b2ab08ae7d

SHA256
ab6c4b835f1a6de44351b86f23daf772342d8bf38b35c262f893837f88c9da5a

SHA512
96e303d00993a2931560749642b0b40878f59fc3ba62d8a6225c46ee82fb004891600986f3af7059fb48fd8749b6bff841620cc998c6c50f4c6f130c24fa608d

Download Submit
C:\Windows\SysWOW64\Fncibg32.exe

Filesize
93KB

MD5
fae4060e652a627630d67876706cb126

SHA1
9f5b5900ecef8364f3d1a026990ebe45ffd55507

SHA256
8d5668be859ee85851cd5b2c24142c0772483e481a008f8df351081a0a3765b3

SHA512
dc9ec768c53b8d054182afe4e2a9884e62b72c3f8d25b3b4c2149800abe82e95af3aaa730da50f1dbd8c5bbb6a11ce26e9dffeccf1b321f24ecfbbe00429101d

Download Submit
C:\Windows\SysWOW64\Fqbeoc32.exe

Filesize
93KB

MD5
b46e9ae6051453b5dc1b93f7cdc2c6e5

SHA1
beb2eaa8f699aee1126be0b930719d6b6775c1df

SHA256
bbcf3c7a25a0134415fb4ea657a7bb8f3c4b887137c3b98d18da7c0d996cdfc2

SHA512
ac46a204d3ca8a2490efb659b0bda3851ca339b35db167435daa31b562e3f60ec995d949f59d6db53f90ec1b5f288d1b974514c8231f90f4ababafc8593addeb

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe

Filesize
93KB

MD5
5adc63dbfcfd66843b14cec451a22ce7

SHA1
c615233225df2152456305239bf83326cca21d89

SHA256
87cb91ddad4a3e81df22f6131199188ebdb7b958e56a0e4587c4f9d68fc98de3

SHA512
45aec2643295865e45be3542274b367f7aad46f9c59f20cb2f10cf5f62f8274c841bc8ea9cf3e08a4747281df0b682c92347656c8550f750cc8ec567b45f1186

Download Submit
C:\Windows\SysWOW64\Pjcblekh.dll

Filesize
7KB

MD5
d3b90767bc937e3a20e84a365ddccf57

SHA1
1403dde5c74e6fecee72c824ae830ca7896d1a77

SHA256
49881444cf45597b91f8628707aaf98799f89497ae961dfd34d2eff699dce5ea

SHA512
40099ad90d94664ca31d2455ddf8187313590c6b62eed5216b34a2ed6d28ab2ff24abac6457a0fa97ecf173697fc6c14dfa7b465e0075e0382ce7a39ad940cb6

Download Submit
memory/440-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/552-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/552-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1084-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1216-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1400-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1816-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1816-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2472-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2776-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2784-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3080-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3232-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3244-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3452-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3556-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3560-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3560-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4216-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4260-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4524-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4628-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4740-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads