fee236c923b0e3ec22a97b664ea9be251a2c7736715d70e234c24cde9b64ea39

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e5eb727de9b0ca6cd19f1b0ccca6470N.exe
Size

379KB
MD5

8e5eb727de9b0ca6cd19f1b0ccca6470
SHA1

814f2a227db3fbe82c34422c3a750fcaa2c672e1
SHA256

fee236c923b0e3ec22a97b664ea9be251a2c7736715d70e234c24cde9b64ea39
SHA512

1fc1a61a72278446bd6c9ad857242cbae078fcae91aba6b22862b431f455455dfe69e105e8907e6b032585774275708637e8ee3e6c190961e0cf7d9e100d9fe0
SSDEEP

6144:fV8UBli7O/0xLxli7O//yb1c3ccU0S6GyTgfiEkrE:N8U6vxr6lGHaXyTg6EkrE

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dickplko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enlcahgh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8e5eb727de9b0ca6cd19f1b0ccca6470N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcphdqmj.exe

Executes dropped EXE 42 IoCs

pid	Process
4752	Dickplko.exe
3344	Dggkipii.exe
1632	Dpopbepi.exe
3448	Dcnlnaom.exe
3924	Dpalgenf.exe
4440	Dcphdqmj.exe
968	Edaaccbj.exe
4868	Ekljpm32.exe
3824	Eddnic32.exe
2452	Ekngemhd.exe
4328	Enlcahgh.exe
212	Eqkondfl.exe
2336	Ecikjoep.exe
972	Egegjn32.exe
468	Ekqckmfb.exe
1760	Enopghee.exe
2752	Eajlhg32.exe
1200	Fggdpnkf.exe
3556	Fkcpql32.exe
4932	Famhmfkl.exe
5044	Fqphic32.exe
3208	Fcneeo32.exe
5052	Fgiaemic.exe
2872	Fjhmbihg.exe
2952	Fncibg32.exe
2920	Fboecfii.exe
3492	Fqbeoc32.exe
32	Fcpakn32.exe
1812	Fkgillpj.exe
4888	Fnffhgon.exe
2568	Fbaahf32.exe
3780	Fqdbdbna.exe
1732	Fcbnpnme.exe
3008	Fgnjqm32.exe
1500	Fjmfmh32.exe
4520	Fnhbmgmk.exe
3000	Fqfojblo.exe
3840	Fcekfnkb.exe
3416	Fklcgk32.exe
4740	Fjocbhbo.exe
3420	Fbfkceca.exe
2472	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ekljpm32.exe	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Jhhnfh32.dll	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Ekqckmfb.exe	Egegjn32.exe
File created	C:\Windows\SysWOW64\Gihfoi32.dll	Fcbnpnme.exe
File opened for modification	C:\Windows\SysWOW64\Fbfkceca.exe	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Fpiedd32.dll	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Famhmfkl.exe	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Okkbgpmc.dll	Fcneeo32.exe
File created	C:\Windows\SysWOW64\Fjmfmh32.exe	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Fjocbhbo.exe	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Ekljpm32.exe	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Enopghee.exe	Ekqckmfb.exe
File opened for modification	C:\Windows\SysWOW64\Enopghee.exe	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Bopnkd32.dll	Dickplko.exe
File created	C:\Windows\SysWOW64\Dcnlnaom.exe	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Fbjbac32.dll	Ekljpm32.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmbihg.exe	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Fncibg32.exe	Fjhmbihg.exe
File created	C:\Windows\SysWOW64\Gadeee32.dll	Fboecfii.exe
File opened for modification	C:\Windows\SysWOW64\Fklcgk32.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Fkcpql32.exe	Fggdpnkf.exe
File created	C:\Windows\SysWOW64\Fcpakn32.exe	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Enlcahgh.exe	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Jgjjlakk.dll	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Ekngemhd.exe	Eddnic32.exe
File created	C:\Windows\SysWOW64\Fjhmbihg.exe	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Edaaccbj.exe	Dcphdqmj.exe
File opened for modification	C:\Windows\SysWOW64\Fjmfmh32.exe	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Dpopbepi.exe	Dggkipii.exe
File opened for modification	C:\Windows\SysWOW64\Eddnic32.exe	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Dpalgenf.exe	Dcnlnaom.exe
File opened for modification	C:\Windows\SysWOW64\Fkcpql32.exe	Fggdpnkf.exe
File opened for modification	C:\Windows\SysWOW64\Fboecfii.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Adbofa32.dll	Fncibg32.exe
File opened for modification	C:\Windows\SysWOW64\Fqdbdbna.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Iolgql32.dll	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Gdmkfp32.dll	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Cnidqf32.dll	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Fcneeo32.exe	Fqphic32.exe
File created	C:\Windows\SysWOW64\Fjinnekj.dll	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Fqdbdbna.exe	Fbaahf32.exe
File opened for modification	C:\Windows\SysWOW64\Dcphdqmj.exe	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Blghiiea.dll	Eajlhg32.exe
File opened for modification	C:\Windows\SysWOW64\Fkgillpj.exe	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Egnelfnm.dll	Fnffhgon.exe
File created	C:\Windows\SysWOW64\Gbjlkd32.dll	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fjmfmh32.exe
File opened for modification	C:\Windows\SysWOW64\Fgnjqm32.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Foolmeif.dll	8e5eb727de9b0ca6cd19f1b0ccca6470N.exe
File opened for modification	C:\Windows\SysWOW64\Eqkondfl.exe	Enlcahgh.exe
File created	C:\Windows\SysWOW64\Nnimkcjf.dll	Fkgillpj.exe
File opened for modification	C:\Windows\SysWOW64\Fcekfnkb.exe	Fqfojblo.exe
File opened for modification	C:\Windows\SysWOW64\Dickplko.exe	8e5eb727de9b0ca6cd19f1b0ccca6470N.exe
File opened for modification	C:\Windows\SysWOW64\Dggkipii.exe	Dickplko.exe
File opened for modification	C:\Windows\SysWOW64\Ekqckmfb.exe	Egegjn32.exe
File created	C:\Windows\SysWOW64\Iffahdpm.dll	Famhmfkl.exe
File opened for modification	C:\Windows\SysWOW64\Fnffhgon.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Fachkklb.dll	Fqfojblo.exe
File opened for modification	C:\Windows\SysWOW64\Famhmfkl.exe	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Fgnjqm32.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Kcpcgc32.dll	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Dcphdqmj.exe	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Cjeejn32.dll	Dcphdqmj.exe

Program crash 1 IoCs

pid	pid_target	Process
384	2472	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enopghee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fklcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjocbhbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpopbepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkgillpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpalgenf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcphdqmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekljpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekqckmfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eajlhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqphic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fboecfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dickplko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggkipii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fggdpnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcneeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e5eb727de9b0ca6cd19f1b0ccca6470N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkcpql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Famhmfkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjmfmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcekfnkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddnic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enlcahgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjhmbihg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcnlnaom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edaaccbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkondfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egegjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adbofa32.dll"	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadeee32.dll"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8e5eb727de9b0ca6cd19f1b0ccca6470N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmkfp32.dll"	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpcgc32.dll"	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhcpepk.dll"	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnidqf32.dll"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll"	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiedd32.dll"	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dggkipii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjjlakk.dll"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjbac32.dll"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffahdpm.dll"	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnelfnm.dll"	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldicpljn.dll"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdebqbi.dll"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8e5eb727de9b0ca6cd19f1b0ccca6470N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fboecfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gihfoi32.dll"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkcghg32.dll"	Enlcahgh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 4752	792	8e5eb727de9b0ca6cd19f1b0ccca6470N.exe	89
PID 792 wrote to memory of 4752	792	8e5eb727de9b0ca6cd19f1b0ccca6470N.exe	89
PID 792 wrote to memory of 4752	792	8e5eb727de9b0ca6cd19f1b0ccca6470N.exe	89
PID 4752 wrote to memory of 3344	4752	Dickplko.exe	90
PID 4752 wrote to memory of 3344	4752	Dickplko.exe	90
PID 4752 wrote to memory of 3344	4752	Dickplko.exe	90
PID 3344 wrote to memory of 1632	3344	Dggkipii.exe	91
PID 3344 wrote to memory of 1632	3344	Dggkipii.exe	91
PID 3344 wrote to memory of 1632	3344	Dggkipii.exe	91
PID 1632 wrote to memory of 3448	1632	Dpopbepi.exe	92
PID 1632 wrote to memory of 3448	1632	Dpopbepi.exe	92
PID 1632 wrote to memory of 3448	1632	Dpopbepi.exe	92
PID 3448 wrote to memory of 3924	3448	Dcnlnaom.exe	93
PID 3448 wrote to memory of 3924	3448	Dcnlnaom.exe	93
PID 3448 wrote to memory of 3924	3448	Dcnlnaom.exe	93
PID 3924 wrote to memory of 4440	3924	Dpalgenf.exe	94
PID 3924 wrote to memory of 4440	3924	Dpalgenf.exe	94
PID 3924 wrote to memory of 4440	3924	Dpalgenf.exe	94
PID 4440 wrote to memory of 968	4440	Dcphdqmj.exe	95
PID 4440 wrote to memory of 968	4440	Dcphdqmj.exe	95
PID 4440 wrote to memory of 968	4440	Dcphdqmj.exe	95
PID 968 wrote to memory of 4868	968	Edaaccbj.exe	96
PID 968 wrote to memory of 4868	968	Edaaccbj.exe	96
PID 968 wrote to memory of 4868	968	Edaaccbj.exe	96
PID 4868 wrote to memory of 3824	4868	Ekljpm32.exe	97
PID 4868 wrote to memory of 3824	4868	Ekljpm32.exe	97
PID 4868 wrote to memory of 3824	4868	Ekljpm32.exe	97
PID 3824 wrote to memory of 2452	3824	Eddnic32.exe	98
PID 3824 wrote to memory of 2452	3824	Eddnic32.exe	98
PID 3824 wrote to memory of 2452	3824	Eddnic32.exe	98
PID 2452 wrote to memory of 4328	2452	Ekngemhd.exe	99
PID 2452 wrote to memory of 4328	2452	Ekngemhd.exe	99
PID 2452 wrote to memory of 4328	2452	Ekngemhd.exe	99
PID 4328 wrote to memory of 212	4328	Enlcahgh.exe	100
PID 4328 wrote to memory of 212	4328	Enlcahgh.exe	100
PID 4328 wrote to memory of 212	4328	Enlcahgh.exe	100
PID 212 wrote to memory of 2336	212	Eqkondfl.exe	101
PID 212 wrote to memory of 2336	212	Eqkondfl.exe	101
PID 212 wrote to memory of 2336	212	Eqkondfl.exe	101
PID 2336 wrote to memory of 972	2336	Ecikjoep.exe	102
PID 2336 wrote to memory of 972	2336	Ecikjoep.exe	102
PID 2336 wrote to memory of 972	2336	Ecikjoep.exe	102
PID 972 wrote to memory of 468	972	Egegjn32.exe	103
PID 972 wrote to memory of 468	972	Egegjn32.exe	103
PID 972 wrote to memory of 468	972	Egegjn32.exe	103
PID 468 wrote to memory of 1760	468	Ekqckmfb.exe	104
PID 468 wrote to memory of 1760	468	Ekqckmfb.exe	104
PID 468 wrote to memory of 1760	468	Ekqckmfb.exe	104
PID 1760 wrote to memory of 2752	1760	Enopghee.exe	105
PID 1760 wrote to memory of 2752	1760	Enopghee.exe	105
PID 1760 wrote to memory of 2752	1760	Enopghee.exe	105
PID 2752 wrote to memory of 1200	2752	Eajlhg32.exe	106
PID 2752 wrote to memory of 1200	2752	Eajlhg32.exe	106
PID 2752 wrote to memory of 1200	2752	Eajlhg32.exe	106
PID 1200 wrote to memory of 3556	1200	Fggdpnkf.exe	107
PID 1200 wrote to memory of 3556	1200	Fggdpnkf.exe	107
PID 1200 wrote to memory of 3556	1200	Fggdpnkf.exe	107
PID 3556 wrote to memory of 4932	3556	Fkcpql32.exe	108
PID 3556 wrote to memory of 4932	3556	Fkcpql32.exe	108
PID 3556 wrote to memory of 4932	3556	Fkcpql32.exe	108
PID 4932 wrote to memory of 5044	4932	Famhmfkl.exe	109
PID 4932 wrote to memory of 5044	4932	Famhmfkl.exe	109
PID 4932 wrote to memory of 5044	4932	Famhmfkl.exe	109
PID 5044 wrote to memory of 3208	5044	Fqphic32.exe	110

C:\Users\Admin\AppData\Local\Temp\8e5eb727de9b0ca6cd19f1b0ccca6470N.exe
"C:\Users\Admin\AppData\Local\Temp\8e5eb727de9b0ca6cd19f1b0ccca6470N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\SysWOW64\Dickplko.exe
  C:\Windows\system32\Dickplko.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\Dggkipii.exe
    C:\Windows\system32\Dggkipii.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Windows\SysWOW64\Dpopbepi.exe
      C:\Windows\system32\Dpopbepi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
      - C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Enlcahgh.exe
        
        C:\Windows\system32\Enlcahgh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 400
        44⤵
        Program crash
        
        PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2472 -ip 2472
1⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1020,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
1⤵
PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcnlnaom.exe

Filesize
379KB

MD5
52e980b6b80b0262af649c03f816332c

SHA1
a15ec9285684164152bcd34659fc76fddf92b916

SHA256
3b701dfa96db77477f3a282e080255b33cfd5c2e0ef021e50e37b083cc4dfccf

SHA512
bf9d2f5d9b68b7219f92a9997fc2d79721099b19584f75b8a3bcf64c184551e37894ffa9aa11502af45061aa51bb46f3fe5d0558b5a8e6e3ce5265b98f2a0fc8

Download Submit
C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
379KB

MD5
91781d92b15af8412e4ccfc520e30abe

SHA1
eee684c1c6c813a1ed37f01cbd20241da234d71c

SHA256
41c6af0e3725b091d8f748f2f6c6a18c5996351f4de3d56eb501bfe67eb90a89

SHA512
771f975c35fba815c6c9041aaf184e61f0ef90875c5913930b44a3fe59bd033ca15879ec677661b3618ce79901ede3f3ba9ea6a785d3fffa9a3b3a5f66015643

Download Submit
C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
379KB

MD5
fc4c430c5f8de6956f3c39c656024b7b

SHA1
83f0971cdf3f09044c99ff551394c04737a7f9aa

SHA256
da1de8b7f6fce9b74308f6764f2008bd915eb8d23166a3ccf4a4c0eab1258138

SHA512
b2db4ffcd07db2c56f62e3a664b281d6adc8b31d7aeec8024cb29ccfdeb98691c7333cc4411802cfe71b696e0247deef5fe19f7b8c903c6518269b75436f28df

Download Submit
C:\Windows\SysWOW64\Dggkipii.exe

Filesize
379KB

MD5
2de38e5305d0c66ec2442371d2251f0c

SHA1
de04d5ec27dba5d4378a27956b1cc315a81892b8

SHA256
0948eadf4f129fc600ec139617702bcf7eea59d247b28c9f9fd05c0c450d085e

SHA512
0996767057306c2d55aecb1f345f8026280cf4dbc812e4ab296d6f07b452d4fdcc5e8d3cb90995b55951bb1c4048713d36034089486e9a21f9007a6b8bcd6404

Download Submit
C:\Windows\SysWOW64\Dickplko.exe

Filesize
379KB

MD5
3834efe5b891a8c873827f7f4a6e3073

SHA1
098c89e3c5a4a022a3a30093f59bcc2c678049ef

SHA256
f82311ac9c8574bfc0ceef729be474e199ae1ece99e531f93bcbdbc658e4368c

SHA512
8193cd9b02a45c7aa1cfa0cb4355d6472f8d48cec5783871817855eb10211d10fb3720c6e1afe56ca9e53366c47996797d1eb5d38ebfca37575877fe13a8223c

Download Submit
C:\Windows\SysWOW64\Dpopbepi.exe

Filesize
379KB

MD5
41b427685a8f90b3dafd28d9a36c6350

SHA1
18dace8f8230a037b5ff43d09beba7bc263b58f9

SHA256
fec5e0f24e8de6cc64cf4d7faf000b571791103199f8ac6721de3b4545cbb338

SHA512
34c40ef5e0eb8f39f0183ac80580b6f42dffba1970ed4669631d60dff7591a39d1085f96812b4a59b6ba9333574916d69524bdb8b1d0909b9fbf3bd10398468c

Download Submit
C:\Windows\SysWOW64\Eajlhg32.exe

Filesize
379KB

MD5
d06c021e57326bbc660f5ce56d7cd40a

SHA1
2978ace977e90934086d40acd8b3a460eabaed84

SHA256
545b282908f46826fafccc4df7d3abe3ebfd1a2eefb923072cf9f358e806d89d

SHA512
ff9205b4a19486e9f7611043d5d8b90b8279ef306e37670d3dbfa584593e7462de0d568c19042240c8c1cc9c636fe1a1c00239e13cedf31c7cca772f13a0aa64

Download Submit
C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
379KB

MD5
2ba0018d130b35a22ee8421a1360608e

SHA1
7993c9505e4b33d8f9120315aaad23e2d1cfb35f

SHA256
3f58561383f56a47eac31785e5502cf026e1f7133061b69164117d507d1b6c2a

SHA512
158e9b60301f6a77bf64527ca2aa0e648ddf8ed25722306cb3b63c6e76d3698c0f182af543a16e464500e75949838a7866c037076767762f3c6dfdd061d1ed75

Download Submit
C:\Windows\SysWOW64\Edaaccbj.exe

Filesize
379KB

MD5
01202c7593a1571404cf243847759fd0

SHA1
fb2e92794ec0da500a06b7e50d5fe450a0c1acc8

SHA256
21fe017e3ce689adb36d06668f212f16499dd694809aa3c145093e888d280ea5

SHA512
c8383917105298c0062ba1fc54540b9ce9179330bfb3f3d3016ef0bde1b9e3f3b72fc44b48d35859e65fa0bc84516df67827b1d00b4d6256b9654b1a734f33af

Download Submit
C:\Windows\SysWOW64\Eddnic32.exe

Filesize
379KB

MD5
190d73e02055714ba2ebf19df61cd712

SHA1
bba9792cc661667967b135f804ced6534a8c51b2

SHA256
2744ac61153543e9260acadcbfed441b6c152f43245acbb8ee98973618177f13

SHA512
baad3de3360e36d15f6c4111c0c31cbf6f6aec477349fb5ed0a82169278d91d15c85b18d4fd27efaeda072fc6bd7ee1830ff09b736bd9b2cfed72f94465335b5

Download Submit
C:\Windows\SysWOW64\Egegjn32.exe

Filesize
379KB

MD5
49badb914288609c9d385d71f7cd1e46

SHA1
29f4d590c211569fc5cfab83979f3a50bc8821b7

SHA256
5874c09e03eb13d429eb3322bf1ccf8df277dcb63efdc34c22684606ebba878f

SHA512
2d69ff4ab01cc468cd4f6f85ff22f13f0a8851276ff44bd5f6cf12d9c8673a5d9fcdbbe7ca9e48d629373b18750222c7aeedd3fc9db3f5e18afa285bdcb49f10

Download Submit
C:\Windows\SysWOW64\Ekljpm32.exe

Filesize
379KB

MD5
33063d0fe2b2c19c1cfb45320d4020f1

SHA1
6d0fb5206b229429f787aa402474082ae6887dc8

SHA256
675654804e58486febb4b453a6e4b0bcba9359b3ad50f95c8e0347ffa12c1bcf

SHA512
85d784e226616ab8875b91cbb3fca2f3bc544dbab156f9cdd500aa099611a52f5347b760be5ca89eee186790883386de853171f2f6701802f5d8f986af2a4b28

Download Submit
C:\Windows\SysWOW64\Ekngemhd.exe

Filesize
379KB

MD5
a5508d74ebe4999aa3ce106e50633ac3

SHA1
6d59dd7d8066de00c685586d9fbf92a72dbfe911

SHA256
0e1fa9ce9d5f094cfcd969c6d51b54aefd24e0a77b5b9552c7db4adef402c6e3

SHA512
60aecf728436d501131be2b54f512e9d38566739cbdb16f875b8add3fb34641d6b67e8168e25fb9b9cf4da3f3a978654d354513636e91672a6ea3c12bab4c14c

Download Submit
C:\Windows\SysWOW64\Ekqckmfb.exe

Filesize
379KB

MD5
352eb046c357404a2cfa9dbb0a0a46f5

SHA1
0541c86764324b5206127ecaa303aad489e6309b

SHA256
a170ab0e478cd1165447e36dcf19566917efa57099b580409efdaea881fd7015

SHA512
1e198cfb2db383c4c9944008a36b1d416814013bb4daecda6280485d25defc3d77d7210d88c37a3fbe78065acec1f3349c7bda2a6d19ff2a73b841bd712b2c24

Download Submit
C:\Windows\SysWOW64\Enlcahgh.exe

Filesize
379KB

MD5
62c7fc1873c0ffb3abc702535eea7654

SHA1
93f0d6ab2eaef282a32ee07812213f47e2dc8d09

SHA256
31c79c504b65a8c47355f3518caeb7c615d2ea6dc39c8622be391334af988fe1

SHA512
a0d968ef5f6e37f3d8a1e82aeac603c7377337c717e94016f794ca9faf4b617f9da7aecbd18b02f849f6d5b011a88886f4d1363c11484538610d2bbb60b69c31

Download Submit
C:\Windows\SysWOW64\Enopghee.exe

Filesize
379KB

MD5
06f6ca261fdc7d7813f209afb61e64b9

SHA1
20136eddd3377f3100787a18794aee881acb8d38

SHA256
7bc90485e297a5c040860b0ab5a805c995114edc14335f4fa0f9de2af9653975

SHA512
96ac8d50841b82bb5f3f2951f996bc4be304e523173526bf9d63f30d78a98b01490a0ff6d6c392166f939d85dcedf861c24bbbb3167df0681e11f8cb2532de27

Download Submit
C:\Windows\SysWOW64\Eqkondfl.exe

Filesize
379KB

MD5
3d772113bc961ca01248deee2919fd00

SHA1
516f54efd2a4112d73b80354d9e772a88a47ca86

SHA256
043f2147f14375262be68a70b83ce1f04999cdcc1e2d01d0b73f1f112d01b4c0

SHA512
b242c367e799738fdcc487c0b6c685b54a06397a19ea299eece9dc9b56edf01f1366d94db673368c6b0787143f26bab8ec8c505ccba9b105ba2f73b5e6116036

Download Submit
C:\Windows\SysWOW64\Famhmfkl.exe

Filesize
379KB

MD5
8cd538c2a33a0a5a5f1172162ee93fc9

SHA1
86fd42f5161b2649fbf24e22af5333cfbc310499

SHA256
d52b7e3d8788e719279a72004b6b123175b748c7b680e242a15904252fb2795b

SHA512
d94c05bf0e208dab7b521301b75eb97032cdc5a76994160273284633c7283c22ee5ca53722ca5e0b3e51fd8a914e75edb6700771874bf4c133b3a37133fcb33b

Download Submit
C:\Windows\SysWOW64\Fbaahf32.exe

Filesize
379KB

MD5
147b147917c45966cc4eb0353345c266

SHA1
bc0abdd1c76c073d551d1b0fe5b403dcb7d481cd

SHA256
1f151c7a7774389201e7b2be7859339abadcaf11275fb6eb694aa7adb00b5c22

SHA512
e0c029eca3fb9503abefd83948589fac337ee0e99b0457b1dd9b3cde17de1447ca2cbd21585e6da4c673e0d958fe534cb9166fa20389a9e19cf54e5aade78db2

Download Submit
C:\Windows\SysWOW64\Fboecfii.exe

Filesize
379KB

MD5
f1bfe2f7dccdc9729307ea25bfb9c720

SHA1
899685515d9375e3bdb8404bf69883de3da9a201

SHA256
08deeda7e6c0f6742af35a28ecac6e2598a77628c1a62178e2bbe65a0cca85a7

SHA512
4460cef785a44a0cf61b65a95ce9b63748a9ed713f53f9b8545e112eecc63429b3c341aeee116562b59419f133b6776610e575d634218f41accb7fcabb553c08

Download Submit
C:\Windows\SysWOW64\Fcneeo32.exe

Filesize
379KB

MD5
a47d482fec90da716054fc22757f186f

SHA1
e24d0d96458fc97e3d1f9cbaf2e76ecf2d1a8459

SHA256
8d00031e965a67c3d4eb313bc3e4cb6537420fa5245dcaa5a97067c5d54a021c

SHA512
13a2ad2dcfde80751f471f14f59e262f7086739909acd52f945e16a57e3847facd7b03d03870a38ee18bb53f01004850ed5879c1a685a9a32df529de73af2184

Download Submit
C:\Windows\SysWOW64\Fcpakn32.exe

Filesize
379KB

MD5
39ccaa660593d921412a883da004d8f8

SHA1
9cf097ab8a3ba8f27a9d2eb95418970899257f32

SHA256
dffc13f888bc17d201ef18f87f191d6b778165c96ae8659fc2e4969f60bd548b

SHA512
7d6e8804f7143d8d444d6ef105aa87db62d0bda9c44eac57400f07292b9e2a99e162071faf213fce10ba07252b1e23ef9f5a633a97902a2aac91047410ae6251

Download Submit
C:\Windows\SysWOW64\Fggdpnkf.exe

Filesize
379KB

MD5
74cd9e2ca2b9b88e3b89dd2f2f5bfc9b

SHA1
ae3492c93dc8cba8de6c833a030d9f53b4fccd57

SHA256
cf131e7f2bf2f24149274ef9df931f3d4965c319adca3c5cc97cb1dc5900519a

SHA512
b998725bac5a26d2d8f34c1f0154ff9dcc1ea97323453ca9c32ff3f9620a746bc27eae633bc64e42bf4800f1bdcb6fd2d6406567c3a5a6bb1978cc600548c0a9

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
379KB

MD5
838b87a8fa7119085c7839df27e9175f

SHA1
903a91d7963ab67202c3863a9d8cc6e9ec2a4480

SHA256
bfd4ecef199310373449331227ef69aaf354db5140d6f0ffc469645202dd95f9

SHA512
bd01e9cd3325bf1bd80bb922f6b715a25d6c1b52154a7b92852298da3002b0015fc4ec061ff0381a7180aa168a3b71fbbfa677c92fc3bbb865e6a85db1c67a59

Download Submit
C:\Windows\SysWOW64\Fjhmbihg.exe

Filesize
379KB

MD5
48859379d06d459c6c95ac93c4212cfc

SHA1
4cb6914394273b8f372d0fa22fdcf79958649ad5

SHA256
24e98c14d7c88be90a063ff40b03e0a11d37b25c53e7910f243a898cc5e74b0f

SHA512
8912be56e97940a4ea4b48cfcc757186584b6d28dac62b41bc6ae8fb2b79c7f47858ff2ac358af26bdea142f10ccf792eb3c994c187fa96138400f47f3d3a702

Download Submit
C:\Windows\SysWOW64\Fkcpql32.exe

Filesize
379KB

MD5
b203f8c952e02378ab2e62993c84141d

SHA1
c42e57521532d75bc42937945dc3b7810c5ec2c3

SHA256
19088ac48d9d9c353cc5b60490e64f928f927eba534c9684ab7352ca356bafa1

SHA512
a0c3372f8278952dceee2a94bf7fcba0ecea25ba3c6b2f899420a8935d907690f09fec33629c617ade460bc77b030c9cdfc8c295243d82b35209476fd8045a7b

Download Submit
C:\Windows\SysWOW64\Fkgillpj.exe

Filesize
379KB

MD5
e86bfb4c3b07f37988af76d3d7f6a501

SHA1
e54e4ca69dd5dd27e4d78144bc2070bbc9718efd

SHA256
3b0c928ccefc659cb722ee9448c643182cc24d815887fa6639522672453d9def

SHA512
fb90b9c5caa4fd39db8069f75dc365d51a49850ba7475ec9ede7a2d7add6c2042503822012386c7e878a92554c7f1059e5c686d9c8c3402b1b9992d0dd96f233

Download Submit
C:\Windows\SysWOW64\Fncibg32.exe

Filesize
379KB

MD5
58f51061baa83bed869e1fad6213d0f2

SHA1
72a8ce20713795a56d447377a6c73e686a3c32f1

SHA256
b2208d3030803fff9528d0e644583e85e7436bceadca2e56ac295ba9d072fb2c

SHA512
9e51671131ab9ac5f6fb7b86431c016c27c70042385833a8f3518c0728607e0d3750db91e739efc044f77ddec9c2fc8b555df8b7e71d809dc6d442e073ce400f

Download Submit
C:\Windows\SysWOW64\Fnffhgon.exe

Filesize
379KB

MD5
13b4a0580ef83dd8bcaa2978da61c5ee

SHA1
1c96b50aefdf1fc24f50dc112bce802e7ee25231

SHA256
ff6c1a27a80de993e4f079c30ba93a854b8c57aff75499808ecf9423f1e8b9c5

SHA512
b445cbec7660827b806c99bb2cc9ba6481d5313eb2c581df09de79fb6879a46cea497daf753121a650d8db27079951a596ee0d3ac55a1fb11d11cb116c70256e

Download Submit
C:\Windows\SysWOW64\Fqbeoc32.exe

Filesize
379KB

MD5
082dfd90193823da33bf631614b31b1d

SHA1
fdff86b87329dfe78aa7a76ab51bc87eb09ade75

SHA256
377a3bc8826d79cb91fd0abc727a230b804f91a68d64557e7db0ce0de4ceccab

SHA512
f562eec0176c5a18a4286ef910628a9cf4bce89b52fdea5eadd5c52f91605c7db54c0e83171e7f49827832665db8e20f09d129840b31e5d8b3bb86bbc0eae915

Download Submit
C:\Windows\SysWOW64\Fqdbdbna.exe

Filesize
379KB

MD5
b731e99d7bbcd13e1b20457e4851fff3

SHA1
f3c4005d0ae5d887eae1fc65e62b8c63bd1c8ab8

SHA256
48b092ad149ca411fa2560d08ca05289b5120f4fcc10731f2c54eeb68b20b08e

SHA512
78b46e48305657403e8382e5adf68e4e146f0112ebe7912da2e8b6251b58599cca7ca9519bb614ba5de1df069d4f067e5fa92045695c6ad297a7b1ce380bc2a1

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe

Filesize
379KB

MD5
842412aad089f85f5e2497cc6eaed160

SHA1
d33ceb105685ef4f1381dd1f71f79db1f3b24708

SHA256
18e7391430a2062ff021b9485903e0defd3be140052c6544ae77812388da55be

SHA512
035b2ea6e454c20c8532425c721f419c44c60d4d745c43fd93b25ff98a98b2f4ed6f844ed05a5a5b14b6e2323fbc29e017f9fe900836ad5895157c8de2cdcd3b

Download Submit
memory/32-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/212-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/212-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/468-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/792-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/792-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/968-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/968-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/972-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1632-366-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1632-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1732-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2336-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2452-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2452-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-253-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3208-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3416-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3420-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3448-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3448-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3492-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3780-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3824-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3824-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3840-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4868-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4868-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4888-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads