d0df6da81bfa6aeb10ec5ffc1664b4d7542956b5ef2c98e939494532b1c05924

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c0a37e1fbbd0db554cc3d2912c59830N.exe
Size

128KB
MD5

2c0a37e1fbbd0db554cc3d2912c59830
SHA1

70f703d798da3bb32e708cf9f969e41986a79c5e
SHA256

d0df6da81bfa6aeb10ec5ffc1664b4d7542956b5ef2c98e939494532b1c05924
SHA512

0ebd6d11dcf082639686459eb66ef83db0d3aa29b6b1b3fc6239a78a701bf6d879945012e075da90919a14d8f0aae179d83a3925f6a9b105465d08a28b90cfef
SSDEEP

3072:/v9wpN+VdLL9khkWt6ejYVnfoX1mW2wS7IrHrYj:uKGtc5oFmHwMOHm

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	2c0a37e1fbbd0db554cc3d2912c59830N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daollh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enlcahgh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggkipii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2c0a37e1fbbd0db554cc3d2912c59830N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaceghcg.exe

Executes dropped EXE 30 IoCs

pid	Process
340	Dkpjdo32.exe
4112	Ddhomdje.exe
2932	Dggkipii.exe
1008	Dpopbepi.exe
820	Dcnlnaom.exe
2564	Daollh32.exe
2016	Ejjaqk32.exe
2776	Ecbeip32.exe
692	Eaceghcg.exe
5064	Ecdbop32.exe
3444	Enjfli32.exe
2220	Eddnic32.exe
3912	Enlcahgh.exe
2460	Ecikjoep.exe
1552	Ejccgi32.exe
5040	Eqmlccdi.exe
456	Fclhpo32.exe
3592	Fqphic32.exe
4428	Fkemfl32.exe
3068	Fncibg32.exe
872	Fdmaoahm.exe
4760	Fkgillpj.exe
4420	Fbaahf32.exe
5004	Fcbnpnme.exe
4816	Fjmfmh32.exe
4956	Fqfojblo.exe
4532	Fdbkja32.exe
2732	Fgqgfl32.exe
1524	Fbfkceca.exe
1004	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ahkdgl32.dll	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fbfkceca.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fbfkceca.exe
File opened for modification	C:\Windows\SysWOW64\Fgqgfl32.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Kcpcgc32.dll	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Camgolnm.dll	Ejjaqk32.exe
File opened for modification	C:\Windows\SysWOW64\Ejccgi32.exe	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Begndj32.dll	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Fdmaoahm.exe	Fncibg32.exe
File opened for modification	C:\Windows\SysWOW64\Fkgillpj.exe	Fdmaoahm.exe
File opened for modification	C:\Windows\SysWOW64\Fjmfmh32.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Fbfkceca.exe	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Fclhpo32.exe	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Egnelfnm.dll	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Gbjlkd32.dll	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Fdbkja32.exe	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Dpopbepi.exe	Dggkipii.exe
File created	C:\Windows\SysWOW64\Hhdebqbi.dll	Dggkipii.exe
File created	C:\Windows\SysWOW64\Eaceghcg.exe	Ecbeip32.exe
File created	C:\Windows\SysWOW64\Fqphic32.exe	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Iffahdpm.dll	Fclhpo32.exe
File opened for modification	C:\Windows\SysWOW64\Fkemfl32.exe	Fqphic32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Eddnic32.exe	Enjfli32.exe
File opened for modification	C:\Windows\SysWOW64\Enlcahgh.exe	Eddnic32.exe
File opened for modification	C:\Windows\SysWOW64\Eqmlccdi.exe	Ejccgi32.exe
File opened for modification	C:\Windows\SysWOW64\Fbaahf32.exe	Fkgillpj.exe
File opened for modification	C:\Windows\SysWOW64\Fbfkceca.exe	Fgqgfl32.exe
File opened for modification	C:\Windows\SysWOW64\Dkpjdo32.exe	2c0a37e1fbbd0db554cc3d2912c59830N.exe
File created	C:\Windows\SysWOW64\Pjcblekh.dll	Dkpjdo32.exe
File created	C:\Windows\SysWOW64\Fdaleh32.dll	Eaceghcg.exe
File created	C:\Windows\SysWOW64\Eqmlccdi.exe	Ejccgi32.exe
File created	C:\Windows\SysWOW64\Nailkcbb.dll	Fqphic32.exe
File created	C:\Windows\SysWOW64\Ldicpljn.dll	Fjmfmh32.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbop32.exe	Eaceghcg.exe
File created	C:\Windows\SysWOW64\Enlcahgh.exe	Eddnic32.exe
File created	C:\Windows\SysWOW64\Fncibg32.exe	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Fkgillpj.exe	Fdmaoahm.exe
File created	C:\Windows\SysWOW64\Fbaahf32.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Klfhhpnk.dll	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Fjmfmh32.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Dkpjdo32.exe	2c0a37e1fbbd0db554cc3d2912c59830N.exe
File opened for modification	C:\Windows\SysWOW64\Dggkipii.exe	Ddhomdje.exe
File created	C:\Windows\SysWOW64\Ejccgi32.exe	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Fkemfl32.exe	Fqphic32.exe
File opened for modification	C:\Windows\SysWOW64\Fdmaoahm.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Fqfojblo.exe	Fjmfmh32.exe
File opened for modification	C:\Windows\SysWOW64\Fdbkja32.exe	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Dcnlnaom.exe	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Daollh32.exe	Dcnlnaom.exe
File opened for modification	C:\Windows\SysWOW64\Ecbeip32.exe	Ejjaqk32.exe
File opened for modification	C:\Windows\SysWOW64\Eddnic32.exe	Enjfli32.exe
File opened for modification	C:\Windows\SysWOW64\Ecikjoep.exe	Enlcahgh.exe
File opened for modification	C:\Windows\SysWOW64\Fncibg32.exe	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Eclbio32.dll	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Ddhomdje.exe	Dkpjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Dpopbepi.exe	Dggkipii.exe
File opened for modification	C:\Windows\SysWOW64\Dcnlnaom.exe	Dpopbepi.exe
File opened for modification	C:\Windows\SysWOW64\Daollh32.exe	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Mfikmmob.dll	Eddnic32.exe
File created	C:\Windows\SysWOW64\Kplqhmfl.dll	Ecikjoep.exe
File opened for modification	C:\Windows\SysWOW64\Fclhpo32.exe	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Bopnkd32.dll	Ddhomdje.exe
File created	C:\Windows\SysWOW64\Fbjbac32.dll	Enjfli32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2536	1004	WerFault.exe	122

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejjaqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdmaoahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjfli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqphic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejccgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecbeip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enlcahgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggkipii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcnlnaom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecdbop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqmlccdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkgillpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpopbepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaceghcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daollh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddnic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclhpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkemfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c0a37e1fbbd0db554cc3d2912c59830N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhomdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkpjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjmfmh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopnkd32.dll"	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjbac32.dll"	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfikmmob.dll"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffahdpm.dll"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpcgc32.dll"	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daollh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djojepof.dll"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daollh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eddnic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahkdgl32.dll"	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binfdh32.dll"	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll"	Fqphic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fncibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiedd32.dll"	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	2c0a37e1fbbd0db554cc3d2912c59830N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpbbbdk.dll"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdebqbi.dll"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnelfnm.dll"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abocgb32.dll"	2c0a37e1fbbd0db554cc3d2912c59830N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkpjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodfed32.dll"	Enlcahgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kplqhmfl.dll"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjinnekj.dll"	Fdmaoahm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2c0a37e1fbbd0db554cc3d2912c59830N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dggkipii.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 340	2680	2c0a37e1fbbd0db554cc3d2912c59830N.exe	91
PID 2680 wrote to memory of 340	2680	2c0a37e1fbbd0db554cc3d2912c59830N.exe	91
PID 2680 wrote to memory of 340	2680	2c0a37e1fbbd0db554cc3d2912c59830N.exe	91
PID 340 wrote to memory of 4112	340	Dkpjdo32.exe	93
PID 340 wrote to memory of 4112	340	Dkpjdo32.exe	93
PID 340 wrote to memory of 4112	340	Dkpjdo32.exe	93
PID 4112 wrote to memory of 2932	4112	Ddhomdje.exe	94
PID 4112 wrote to memory of 2932	4112	Ddhomdje.exe	94
PID 4112 wrote to memory of 2932	4112	Ddhomdje.exe	94
PID 2932 wrote to memory of 1008	2932	Dggkipii.exe	95
PID 2932 wrote to memory of 1008	2932	Dggkipii.exe	95
PID 2932 wrote to memory of 1008	2932	Dggkipii.exe	95
PID 1008 wrote to memory of 820	1008	Dpopbepi.exe	96
PID 1008 wrote to memory of 820	1008	Dpopbepi.exe	96
PID 1008 wrote to memory of 820	1008	Dpopbepi.exe	96
PID 820 wrote to memory of 2564	820	Dcnlnaom.exe	97
PID 820 wrote to memory of 2564	820	Dcnlnaom.exe	97
PID 820 wrote to memory of 2564	820	Dcnlnaom.exe	97
PID 2564 wrote to memory of 2016	2564	Daollh32.exe	99
PID 2564 wrote to memory of 2016	2564	Daollh32.exe	99
PID 2564 wrote to memory of 2016	2564	Daollh32.exe	99
PID 2016 wrote to memory of 2776	2016	Ejjaqk32.exe	100
PID 2016 wrote to memory of 2776	2016	Ejjaqk32.exe	100
PID 2016 wrote to memory of 2776	2016	Ejjaqk32.exe	100
PID 2776 wrote to memory of 692	2776	Ecbeip32.exe	101
PID 2776 wrote to memory of 692	2776	Ecbeip32.exe	101
PID 2776 wrote to memory of 692	2776	Ecbeip32.exe	101
PID 692 wrote to memory of 5064	692	Eaceghcg.exe	102
PID 692 wrote to memory of 5064	692	Eaceghcg.exe	102
PID 692 wrote to memory of 5064	692	Eaceghcg.exe	102
PID 5064 wrote to memory of 3444	5064	Ecdbop32.exe	103
PID 5064 wrote to memory of 3444	5064	Ecdbop32.exe	103
PID 5064 wrote to memory of 3444	5064	Ecdbop32.exe	103
PID 3444 wrote to memory of 2220	3444	Enjfli32.exe	104
PID 3444 wrote to memory of 2220	3444	Enjfli32.exe	104
PID 3444 wrote to memory of 2220	3444	Enjfli32.exe	104
PID 2220 wrote to memory of 3912	2220	Eddnic32.exe	105
PID 2220 wrote to memory of 3912	2220	Eddnic32.exe	105
PID 2220 wrote to memory of 3912	2220	Eddnic32.exe	105
PID 3912 wrote to memory of 2460	3912	Enlcahgh.exe	106
PID 3912 wrote to memory of 2460	3912	Enlcahgh.exe	106
PID 3912 wrote to memory of 2460	3912	Enlcahgh.exe	106
PID 2460 wrote to memory of 1552	2460	Ecikjoep.exe	107
PID 2460 wrote to memory of 1552	2460	Ecikjoep.exe	107
PID 2460 wrote to memory of 1552	2460	Ecikjoep.exe	107
PID 1552 wrote to memory of 5040	1552	Ejccgi32.exe	108
PID 1552 wrote to memory of 5040	1552	Ejccgi32.exe	108
PID 1552 wrote to memory of 5040	1552	Ejccgi32.exe	108
PID 5040 wrote to memory of 456	5040	Eqmlccdi.exe	109
PID 5040 wrote to memory of 456	5040	Eqmlccdi.exe	109
PID 5040 wrote to memory of 456	5040	Eqmlccdi.exe	109
PID 456 wrote to memory of 3592	456	Fclhpo32.exe	110
PID 456 wrote to memory of 3592	456	Fclhpo32.exe	110
PID 456 wrote to memory of 3592	456	Fclhpo32.exe	110
PID 3592 wrote to memory of 4428	3592	Fqphic32.exe	111
PID 3592 wrote to memory of 4428	3592	Fqphic32.exe	111
PID 3592 wrote to memory of 4428	3592	Fqphic32.exe	111
PID 4428 wrote to memory of 3068	4428	Fkemfl32.exe	112
PID 4428 wrote to memory of 3068	4428	Fkemfl32.exe	112
PID 4428 wrote to memory of 3068	4428	Fkemfl32.exe	112
PID 3068 wrote to memory of 872	3068	Fncibg32.exe	113
PID 3068 wrote to memory of 872	3068	Fncibg32.exe	113
PID 3068 wrote to memory of 872	3068	Fncibg32.exe	113
PID 872 wrote to memory of 4760	872	Fdmaoahm.exe	114

C:\Users\Admin\AppData\Local\Temp\2c0a37e1fbbd0db554cc3d2912c59830N.exe
"C:\Users\Admin\AppData\Local\Temp\2c0a37e1fbbd0db554cc3d2912c59830N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\Dkpjdo32.exe
  C:\Windows\system32\Dkpjdo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Windows\SysWOW64\Ddhomdje.exe
    C:\Windows\system32\Ddhomdje.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\Dggkipii.exe
      C:\Windows\system32\Dggkipii.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
      - C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Enlcahgh.exe
        
        C:\Windows\system32\Enlcahgh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 412
        32⤵
        Program crash
        
        PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1004 -ip 1004
1⤵
PID:812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3264,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
1⤵
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daollh32.exe

Filesize
128KB

MD5
74d11f4346f21b2f5b64a4435b741956

SHA1
efd645691cfdfbaafb3ab9bace5d09383041e784

SHA256
0aebc1b350423aca15cbeb03f74189f251a09e704271e219d65f323da82e72f2

SHA512
833492564da63717392fe4adaa5b3c7e2d75886e0761f323d2eddc46b5ba8a4032e951f18ad929dfe2909a5112213de783fbaea78ac8df2cce14a4ca0f868dbd

Download Submit
C:\Windows\SysWOW64\Dcnlnaom.exe

Filesize
128KB

MD5
92cf40a37c2615776cc84e5c308b5f99

SHA1
3af6ed794f9e1c9ac9f9aa74e4f0ee4e483f944e

SHA256
153e0e7598d103bf251e344b626ce1189b1732f6d158f0757f6ac4dd72930bae

SHA512
a853299f89faca2207e661093048871195b4e9eb030e388a35c5b71d25c0e32bec4d8c4a510fccc51454d1ac0b317ae08a1fc3435a1a1ffdee58b16e04ec407a

Download Submit
C:\Windows\SysWOW64\Ddhomdje.exe

Filesize
128KB

MD5
a428f19389e9e19e3e18fd2ac35d4137

SHA1
49d90340debed909c17c8433fad7fe8f568fa716

SHA256
76a31b2631551a20aa0ed49591cb20a2877ec0d3f9ce5c85192b4536c27fcdf2

SHA512
8d5807d41a797cf63b10672c9204e43c0761578dd4a62f3f93b6da2247a2c2bcaa669b30ab3cfcc6fc03f61e3f5380826ec04d9b0d607dabac2ab57aa9209ab0

Download Submit
C:\Windows\SysWOW64\Dggkipii.exe

Filesize
128KB

MD5
7ca6fa2fbe9a1d04682fcd90d277d0cd

SHA1
8220805aa29f15c19bf9abc5ea484b455782ae0c

SHA256
a3a29baba14e7ac97304256e8ca2c9e1803a2152b3977437a0ba8fd9023d30b7

SHA512
a5a1dd273b7015ef10a57ff77292b6e519ca8c792564588ead5dbee058284c3156134dad536d244f997e6c734c5508d2441477e8ef200467a4c25b28501996a5

Download Submit
C:\Windows\SysWOW64\Dkpjdo32.exe

Filesize
128KB

MD5
9030f9473b9357538f553169f953b28f

SHA1
a9694ecd74b0d8586113d24eed99284827946641

SHA256
94fe1bb7c8d7b65f2423f0afbda51fca8538715e7ce2939056abb8c0db5193d2

SHA512
a81a0916bd0657fedcf721dd9dcca9d1b68521f47167f4619510ef4cae66b76755cac61f86d4635f6b7328d6c9d058076a9ef52d2e2f23769c40e7de08b261a8

Download Submit
C:\Windows\SysWOW64\Dpopbepi.exe

Filesize
128KB

MD5
3ae0c64734780bd1fd4e252c6577570b

SHA1
ef8da74c7312dd61f93c020c29da3cc823ffdac6

SHA256
2a5980a25c0680f15968d0c4e4c81eec7d7eed6c1270150f46e67916956c6eff

SHA512
05606c9595d33328ba23864055c10a4af66973ec49e642862d3206c9b12521c71a6b2fd99ee19c408d15fd95114a138e1981df66292df757f07f418ba7b353e2

Download Submit
C:\Windows\SysWOW64\Eaceghcg.exe

Filesize
128KB

MD5
3209944cd332654a39d108b52ac1b2c0

SHA1
0cb42c97464703d5550a0b9541f11be7a5ccef72

SHA256
6eba7f111d9a46dffe5d0b9ff1af83582f6db132afb71f5cae575a673192ac31

SHA512
89fd3db3025773b93f49f8b892ac550a799c3d35eae631e7e9f01ed9c5b276a9202408ac144a917ad1a8462553fded2e913472c5d4ab1c1ba4eb9c306c21cc29

Download Submit
C:\Windows\SysWOW64\Ecbeip32.exe

Filesize
128KB

MD5
acd5ab2c28238a378fb0ef3a24288056

SHA1
017fa3239fe2e02c17674832fddd5bf871db0420

SHA256
e3ac0efb75fad8fd0ecd67be8010332ca3570170e8b55852b299116974a7b207

SHA512
492f8f14fa0741810aea4781929982f2b1d13e0bba5e3f537627ba7e749b26674ba6d05765a65bd1c20cd75000270634794753f4f3255fa1bf0291ab6f71ccfb

Download Submit
C:\Windows\SysWOW64\Ecdbop32.exe

Filesize
128KB

MD5
cc2a36e78e982b4213106f44f99e5c55

SHA1
ebda2dd1d15d49e9cc8e5a4cce8921a0c24e399b

SHA256
d6156256beebee6b849a39da4ca7cb87a6fddf2bbdbb5270d56264c55787b3df

SHA512
d2f8b52b4545799590c9ef93b1b582f6e4972589a0322df60db8571a2a6fa09c5d49c07d8382b833f2532cbf35c6c45f207137d7f68f3b4b327743b65b5b081c

Download Submit
C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
128KB

MD5
883c163e91386660f367c6773ebd2aa1

SHA1
b230315e2e6ad95cde6cc4167101831043caff27

SHA256
c974f1ed6ed262101b6532aa0748260b3ac5402280a4c1bf648f6a942fc3479b

SHA512
4983c772e0bfb1597cf6d56483c3258a797cad4d5d098874bfbbf0183e0285cb05ac2399c9ea68841cadefbf25491e8313cf383bc5fb41065a69c554108f525b

Download Submit
C:\Windows\SysWOW64\Eddnic32.exe

Filesize
128KB

MD5
ea907b699e610341429fd804f9c95390

SHA1
b477b8c31a8daa7c64b845f2b85aca7e80082ec2

SHA256
1789d5197da25e9d5fced141d019e99eb8431d75e252cab9bedc01535c497ebf

SHA512
7b060f468663cc9761da55c99c41319728b5c5c46d61dee01faad4b911a74fb63cec783c9c21f37d5973cdb8ecc4dc42e8b8f14888f3cea6d2b548cdc33d0afc

Download Submit
C:\Windows\SysWOW64\Ejccgi32.exe

Filesize
128KB

MD5
47b30430ee071e2a59419985f50d87c4

SHA1
bc3159639c44ee12b6cc9a7b78a44021dcc67bda

SHA256
7bb0a7a900dd02778ea4949df80f287c4e3aca1f2b64e1f76fd198a2666dd01e

SHA512
f64282c8ef9f4ef9ba08eac5a998db64e440e7e4401fb3a5eca2da20fd60b69bcbdd141b061c9a6233b2767f6f7cb7cbd0e150fcfbf0fb555e6ef069fdc39913

Download Submit
C:\Windows\SysWOW64\Ejjaqk32.exe

Filesize
128KB

MD5
2e783bc18e4d70df7509c6551b03df0b

SHA1
f5e4a88daee300e75e701981188b8227d5f83354

SHA256
25e5574d93a2fb98e2c493b837cfa9d92ca2c1e7dbfd93da62ddf8a2666dd81c

SHA512
08e336fc329cde9e8c5dba53b74349677aac3a73640f1882577170107337d478ebcf71482580a8d40158c747c22e694031ef4b60c9b5e0ac573de64de5d26a37

Download Submit
C:\Windows\SysWOW64\Enjfli32.exe

Filesize
128KB

MD5
bd8d874de119b4c0b8b1292d94207934

SHA1
920a80b1fc47130b519898313dd01f2d79dc1868

SHA256
073074ec89623f4877d80ac997e352253daafa25c74d75df332513d8f66d6dae

SHA512
0eeb09511f53ce50ab2430a2b0dba51bfd72d27c9bffbbab9ef085d7d2d47d624ecd73c8f3c049793935a149e150f382a5e1ef7ba9039d17d006f86a95d5aa56

Download Submit
C:\Windows\SysWOW64\Enlcahgh.exe

Filesize
128KB

MD5
8855a0dfd9b6462accd3f1605473a8b9

SHA1
4ff0c38b59a2e9d6b5b5fdc4ac9e0ca7aaa2519f

SHA256
2183b55ac0bd5f248048c1c3447cdd97cdedc248b2572a759750b4526c2ccc2a

SHA512
b183334a8810e978b8544fdf5b3c55220899a2437dfc7c44526815d79d2e9ee387521c1bceeb8fa051ce3ccb5f725b24c3d50fdaf49aca77533e1828de0a26d5

Download Submit
C:\Windows\SysWOW64\Eqmlccdi.exe

Filesize
128KB

MD5
75662e7cb583711527b9bc546e770959

SHA1
190fbd6adecf4b42c8f7e3dc989cc845d68092cc

SHA256
9f794f5ab09ef399d9cb61958da5953435b0f50bf2867c128ba23a44a1ce0cf5

SHA512
b1c49bb3c79d6511290c90871d929cce4efb354fee629c188ec2856ee4d7f87d16bcc5179803fd93553baafd25574136c015e9c64e4eb9739e283901ebe3e8cc

Download Submit
C:\Windows\SysWOW64\Fbaahf32.exe

Filesize
128KB

MD5
aa9bff3abfec194f7a58bd47b896de4a

SHA1
b4379c85afeaabc01c06d911e460d7dc694323f0

SHA256
254c3998f32987b1b50c9134c71a80f7fd7d8da3be815e188da7dcd482759ba5

SHA512
051ab959778d51cf22fc620dad232ac63ef887f574d01b29f47addccfefae5d61f7e02a9320136a0bf60b93eec9a8975ddecacb3aa40c41746b942a5b8353f93

Download Submit
C:\Windows\SysWOW64\Fbfkceca.exe

Filesize
128KB

MD5
05d2b9c3002c817d47f550f24bef521c

SHA1
c8eafc63b48aceead4747d719c541bed9e397158

SHA256
78dd40ab8a8b755c4f651c9888f7f6585a8f4bbe404a16d3a8f028398d0bed64

SHA512
54e7e356eba089362b8e121bfdf801d94d47ea77e38031f5f390d785201813d38d759958db174636f28691d3a0205401c0da3e198acd7c15e26aae76aac87e68

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
128KB

MD5
63c020a091d5a137404e33848f347a06

SHA1
76387f9249f9a5b8a4911c228a6de3b4d1015dc7

SHA256
381153630595e060e3e9c7b42fdda1bcdd6bd1d1422d207e5fbd47c3377ee25d

SHA512
de55bd38a261c14436e36440f8521907b84e32e4136e21f08352c23729ae74bd52d48cc18336eb95e93798bb32c1493b69dafa8c83187e827757c4338b09c92f

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
128KB

MD5
4715f126933e57ee05c5b408e2f45b96

SHA1
5ac4903975424de6350a51f2cbbb8f0833f2e904

SHA256
5d122df9ee815159107e7ec5e949d87640bbcd92a1d01164d221a35bed39e331

SHA512
a454c514a7be1e988ee2fd0bce88c1093ec2a15570e87519dfcfa9bd3c5e40ca0f3166348361feb8d6b404b3ad5db2b622e36c48d2821475b1fd2b7832a4990d

Download Submit
C:\Windows\SysWOW64\Fdbkja32.exe

Filesize
128KB

MD5
f614e322b0fa6e7e62e0fc555f67a96b

SHA1
841d6d3ce031ca32bdbbaf2cfaf5d672e8fcb46b

SHA256
a1802b75125188c44d4084a16b63d862dbf1f27e608748e883851361bfeee143

SHA512
e8ae2bdb1c23b020552302c2b008885e8a90b4b0a787f42a2e26229de45c92f371dc689a37f3a7e01e4d92c43eecb67bfa315b37ac40e3e0103ca76ecdd93c42

Download Submit
C:\Windows\SysWOW64\Fdmaoahm.exe

Filesize
128KB

MD5
0c6d3931a9c69a76a235cf9571ba202d

SHA1
2a4ca35b4a1a4bf0358e3f0e18249ddfc7e07903

SHA256
66fb5170fcf32f1c5e74f9c1e7adbd9ce6e39c68657662110786816acf8531ce

SHA512
18717d1196a07557890ce9dd089d12074a7c0b32efa787afedaa25441c4d38ad37554471c316bb298556348562545a587b2df2c59047e9d525fa1f4d463dfc67

Download Submit
C:\Windows\SysWOW64\Fgqgfl32.exe

Filesize
128KB

MD5
77abbbcdc2e06efdd714170a682f8ec2

SHA1
b4dd6eb47400b1c1b8414f11e94d6d0d750456a5

SHA256
d1a55b10a1cfe75cd28ff2d7caa54da20df0e09d9121eb8df14a8f6fc078b7e7

SHA512
a5bdd521dce334a21e17e6db08e60a278ba14ca54fc0a059e207163cfc45762d9886d5982fbcd95958437c55347caad20ac9ac19596f27100c7caed044a12fbb

Download Submit
C:\Windows\SysWOW64\Fjmfmh32.exe

Filesize
128KB

MD5
9f38b5684cf776c4e864a5f26f8f3048

SHA1
040fe2d9fa7e87d6837b39407de2f016b31601fe

SHA256
8cc5b21e402aa065b0b4eafdf07188cc0c98d27229bdb7a826087ac3642aea8d

SHA512
5860e7dc9905135fb1cd84ea1fd04c65315e7731a83ffb359672a1524081e7bee2ba47285f47c3bdda74c2300787349e287373dc9cd02fb9a0ecd7528f4d6d91

Download Submit
C:\Windows\SysWOW64\Fkemfl32.exe

Filesize
128KB

MD5
677d08e2e0f93686f80e879e94c86978

SHA1
aa7bf9e25e44ddca3dff012f198d0f7bec0e2e28

SHA256
5e5130921ca23e2a6d52f36e771568f5b4125a245e115a41e970cbff8453a2a9

SHA512
f1c854c5ed0d2aad963af41a82ad8d0b593b7c0ac67ba95ca26dd8c01d6e78d8104e2aeff0daa8123a4a4051caa481c20d3593fed45d0d90736e7d7f05747d7a

Download Submit
C:\Windows\SysWOW64\Fkgillpj.exe

Filesize
128KB

MD5
092881558943310bc864ae58401c7187

SHA1
0a135cc4c836604e634e7c98d8c0be74945b19b3

SHA256
39411d3b8499246989c6d619953916542335dfa96eedd518f63127e8f43ac654

SHA512
542e319a455c0e0ab125863483e6580ab18027af81492ebd29aa50f979b5b7c16783e32442f815b5fa76a7e563d8dac0d7891adafbac0b51393d936f33a7af43

Download Submit
C:\Windows\SysWOW64\Fncibg32.exe

Filesize
128KB

MD5
3371f0e276f224d71d5bef13b4372b69

SHA1
42490a3684a449500ad198184716b8a17bb90a51

SHA256
a2d350e7f5512b87a7ba4ce9b564a60b8a4475c7458ae05a60aa876cadde0d8a

SHA512
122a16a805771bd57d0997190a066bc680ce17d52afcec10d1d24e6f5c9d0d17c55e5973dce2f45fcad8833de2dde78921acc0a9d22c6e21761a7fd51b0ec2d8

Download Submit
C:\Windows\SysWOW64\Fqfojblo.exe

Filesize
128KB

MD5
527645f500e2155192a1930657db045a

SHA1
ef3b37eea6f271cacf82873cc108912d548fac9d

SHA256
911b0aea652afc5cf52d5357b937b22257e445d1650e6596a921b2b2b8c70f19

SHA512
bbecfaf06fdaf49c9226b00f9d76c39008daef4bd3b616211fe1603308033ecedc177f666d79bbe5ca976c77a2341bfacc806e27e7644d91e12d005efad3ebf2

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe

Filesize
128KB

MD5
68b556cced5ffade59e89f81d5860739

SHA1
39a519f6ffeeaa9445ec9f462b1d968f7ec56d08

SHA256
121012bcc311f2781d66c260e1ac5a203a7693b910343f58166ab2d59f41fba5

SHA512
5c83324aaee1906e0c37158acde28cbc4af9c52f7a74c5bb9248fa76ee51192b67ba2a27fb0db405229260191a2443379fac5e328e829c5a6b3bdba54dc9e1a4

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
128KB

MD5
9e83c14e2e1eefcba2b3bf8b716b583d

SHA1
5b4824596fcfe0bd5387ccc2dc75d18168ea9800

SHA256
1c75c7e92bf99dce1caef8d2046eceb53a1b09fd88a2a144ffccdef74a9a03aa

SHA512
1bbc7f457329863c1c52ac08b1a239cf0f0b47541a7209bfe29cbec5c35b18604f58dc37a8c0f5a2f1eb3756f48c6bb775f7360b58e5fa3c32ae4b888fe500a6

Download Submit
C:\Windows\SysWOW64\Kcpcgc32.dll

Filesize
7KB

MD5
63fde29e0fe933af9b4e17a2eab31ae3

SHA1
df43e6af87671176b281e02f0889de9a80f42657

SHA256
9f201437a89e25e4ffe23d4af19ea1a1ae1661da3e9f439f7858c3c8f7df0b75

SHA512
d4e40b805216dc7fa0eb23fdeda675a38ede30695fc282815867bf6bb14160e0e5722b9f04da5378b6a3041493ec407cbbd75796aef9879867ee6ca136902862

Download Submit
memory/340-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/340-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/692-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/692-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/820-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/820-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/872-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/872-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1008-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1008-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1552-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1552-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2220-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2220-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2776-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2776-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3444-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3444-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3912-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3912-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4760-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4760-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads