5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf

Analysis

max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 21:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe
Size

80KB
MD5

b5cc406fd179ef34bc989a660f2d6355
SHA1

81bbdf432faeb13a04e587a5ab8cd07ed05aa83d
SHA256

5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf
SHA512

688e454083e6adc3a25b865b4d9962d9f0658c9de1dddf640a16ff6849c615c1df8c4dae604369724665d72b6432aca6e0b238bb82fd620e3099314384f3fa13
SSDEEP

1536:xY8QTriEXR/Qqifxiq2LGXaIZTJ+7LhkiB0:xY8QRR/cfxi3QaMU7ui

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enemaimp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmhhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlnfjbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgodpgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekgqennl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqikob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejlnfjbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkpjdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekgqennl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edfknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enopghee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epdime32.exe

Executes dropped EXE 29 IoCs

pid	Process
216	Dkpjdo32.exe
4652	Dpmcmf32.exe
1948	Dggkipii.exe
1536	Dnqcfjae.exe
3448	Dcnlnaom.exe
3924	Dncpkjoc.exe
4440	Ddmhhd32.exe
4800	Ekgqennl.exe
3940	Enemaimp.exe
4900	Epdime32.exe
3608	Ejlnfjbd.exe
4656	Edaaccbj.exe
4040	Ekljpm32.exe
2856	Ecgodpgb.exe
1956	Enlcahgh.exe
2864	Edfknb32.exe
2152	Enopghee.exe
4932	Eqmlccdi.exe
4064	Fkcpql32.exe
208	Fnalmh32.exe
4216	Fqphic32.exe
4008	Fcneeo32.exe
4736	Fkgillpj.exe
4356	Fcbnpnme.exe
2804	Fnhbmgmk.exe
1980	Fqfojblo.exe
4032	Fnjocf32.exe
2212	Fqikob32.exe
1204	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Enemaimp.exe	Ekgqennl.exe
File created	C:\Windows\SysWOW64\Ejlnfjbd.exe	Epdime32.exe
File opened for modification	C:\Windows\SysWOW64\Fcneeo32.exe	Fqphic32.exe
File created	C:\Windows\SysWOW64\Kminigbj.dll	Fnjocf32.exe
File opened for modification	C:\Windows\SysWOW64\Ejlnfjbd.exe	Epdime32.exe
File opened for modification	C:\Windows\SysWOW64\Edaaccbj.exe	Ejlnfjbd.exe
File opened for modification	C:\Windows\SysWOW64\Eqmlccdi.exe	Enopghee.exe
File created	C:\Windows\SysWOW64\Fcbnpnme.exe	Fkgillpj.exe
File opened for modification	C:\Windows\SysWOW64\Fkgillpj.exe	Fcneeo32.exe
File created	C:\Windows\SysWOW64\Ncjiib32.dll	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Epdime32.exe	Enemaimp.exe
File created	C:\Windows\SysWOW64\Kojkgebl.dll	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Enlcahgh.exe	Ecgodpgb.exe
File created	C:\Windows\SysWOW64\Ajgqdaoi.dll	Fqphic32.exe
File opened for modification	C:\Windows\SysWOW64\Fqfojblo.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Ldicpljn.dll	Fnhbmgmk.exe
File opened for modification	C:\Windows\SysWOW64\Fnjocf32.exe	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Bopnkd32.dll	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Dcnlnaom.exe	Dnqcfjae.exe
File opened for modification	C:\Windows\SysWOW64\Ekgqennl.exe	Ddmhhd32.exe
File created	C:\Windows\SysWOW64\Odanidih.dll	Eqmlccdi.exe
File opened for modification	C:\Windows\SysWOW64\Ekljpm32.exe	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Ojimfh32.dll	Enopghee.exe
File opened for modification	C:\Windows\SysWOW64\Fqphic32.exe	Fnalmh32.exe
File opened for modification	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Dkpjdo32.exe	5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe
File opened for modification	C:\Windows\SysWOW64\Dpmcmf32.exe	Dkpjdo32.exe
File created	C:\Windows\SysWOW64\Ddmhhd32.exe	Dncpkjoc.exe
File created	C:\Windows\SysWOW64\Npgqep32.dll	Ekgqennl.exe
File opened for modification	C:\Windows\SysWOW64\Fqikob32.exe	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Fqikob32.exe	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Pedfeccm.dll	Dggkipii.exe
File created	C:\Windows\SysWOW64\Enemaimp.exe	Ekgqennl.exe
File created	C:\Windows\SysWOW64\Cgilho32.dll	Edaaccbj.exe
File opened for modification	C:\Windows\SysWOW64\Ecgodpgb.exe	Ekljpm32.exe
File opened for modification	C:\Windows\SysWOW64\Dkpjdo32.exe	5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe
File opened for modification	C:\Windows\SysWOW64\Fcbnpnme.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Iolgql32.dll	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Fnjocf32.exe	Fqfojblo.exe
File opened for modification	C:\Windows\SysWOW64\Dggkipii.exe	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fqikob32.exe
File created	C:\Windows\SysWOW64\Fqphic32.exe	Fnalmh32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fqikob32.exe
File created	C:\Windows\SysWOW64\Dpmcmf32.exe	Dkpjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Dcnlnaom.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Ljkgblln.dll	Epdime32.exe
File created	C:\Windows\SysWOW64\Aehojk32.dll	Enlcahgh.exe
File opened for modification	C:\Windows\SysWOW64\Epdime32.exe	Enemaimp.exe
File created	C:\Windows\SysWOW64\Enopghee.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Jgjjlakk.dll	Edfknb32.exe
File created	C:\Windows\SysWOW64\Fnalmh32.exe	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Pbfbkfaa.dll	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Dggkipii.exe	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Elfahb32.dll	Ddmhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Enopghee.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Eqmlccdi.exe	Enopghee.exe
File created	C:\Windows\SysWOW64\Fjinnekj.dll	Fcneeo32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fqikob32.exe
File created	C:\Windows\SysWOW64\Dncpkjoc.exe	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Ecgodpgb.exe	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Mfikmmob.dll	Ecgodpgb.exe
File opened for modification	C:\Windows\SysWOW64\Fkcpql32.exe	Eqmlccdi.exe
File opened for modification	C:\Windows\SysWOW64\Edfknb32.exe	Enlcahgh.exe
File opened for modification	C:\Windows\SysWOW64\Fnalmh32.exe	Fkcpql32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5000	1204	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggkipii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcnlnaom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejlnfjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enlcahgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekgqennl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enemaimp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekljpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgodpgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enopghee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcneeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqphic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkgillpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkpjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epdime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpmcmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqmlccdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnalmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edfknb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkcpql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqikob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dncpkjoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edaaccbj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjeejn32.dll"	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfikmmob.dll"	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odanidih.dll"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqikob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojkgebl.dll"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjjlakk.dll"	Edfknb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojimfh32.dll"	Enopghee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopnkd32.dll"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehojk32.dll"	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgqdaoi.dll"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kminigbj.dll"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abocgb32.dll"	5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bailkjga.dll"	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedfeccm.dll"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjinnekj.dll"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhpfk32.dll"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enopghee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbfbkfaa.dll"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll"	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpcgc32.dll"	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnoefe32.dll"	Enemaimp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldicpljn.dll"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjiib32.dll"	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epdime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolgql32.dll"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkgillpj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 216	4608	5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe	90
PID 4608 wrote to memory of 216	4608	5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe	90
PID 4608 wrote to memory of 216	4608	5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe	90
PID 216 wrote to memory of 4652	216	Dkpjdo32.exe	91
PID 216 wrote to memory of 4652	216	Dkpjdo32.exe	91
PID 216 wrote to memory of 4652	216	Dkpjdo32.exe	91
PID 4652 wrote to memory of 1948	4652	Dpmcmf32.exe	92
PID 4652 wrote to memory of 1948	4652	Dpmcmf32.exe	92
PID 4652 wrote to memory of 1948	4652	Dpmcmf32.exe	92
PID 1948 wrote to memory of 1536	1948	Dggkipii.exe	93
PID 1948 wrote to memory of 1536	1948	Dggkipii.exe	93
PID 1948 wrote to memory of 1536	1948	Dggkipii.exe	93
PID 1536 wrote to memory of 3448	1536	Dnqcfjae.exe	94
PID 1536 wrote to memory of 3448	1536	Dnqcfjae.exe	94
PID 1536 wrote to memory of 3448	1536	Dnqcfjae.exe	94
PID 3448 wrote to memory of 3924	3448	Dcnlnaom.exe	95
PID 3448 wrote to memory of 3924	3448	Dcnlnaom.exe	95
PID 3448 wrote to memory of 3924	3448	Dcnlnaom.exe	95
PID 3924 wrote to memory of 4440	3924	Dncpkjoc.exe	96
PID 3924 wrote to memory of 4440	3924	Dncpkjoc.exe	96
PID 3924 wrote to memory of 4440	3924	Dncpkjoc.exe	96
PID 4440 wrote to memory of 4800	4440	Ddmhhd32.exe	97
PID 4440 wrote to memory of 4800	4440	Ddmhhd32.exe	97
PID 4440 wrote to memory of 4800	4440	Ddmhhd32.exe	97
PID 4800 wrote to memory of 3940	4800	Ekgqennl.exe	98
PID 4800 wrote to memory of 3940	4800	Ekgqennl.exe	98
PID 4800 wrote to memory of 3940	4800	Ekgqennl.exe	98
PID 3940 wrote to memory of 4900	3940	Enemaimp.exe	100
PID 3940 wrote to memory of 4900	3940	Enemaimp.exe	100
PID 3940 wrote to memory of 4900	3940	Enemaimp.exe	100
PID 4900 wrote to memory of 3608	4900	Epdime32.exe	101
PID 4900 wrote to memory of 3608	4900	Epdime32.exe	101
PID 4900 wrote to memory of 3608	4900	Epdime32.exe	101
PID 3608 wrote to memory of 4656	3608	Ejlnfjbd.exe	103
PID 3608 wrote to memory of 4656	3608	Ejlnfjbd.exe	103
PID 3608 wrote to memory of 4656	3608	Ejlnfjbd.exe	103
PID 4656 wrote to memory of 4040	4656	Edaaccbj.exe	104
PID 4656 wrote to memory of 4040	4656	Edaaccbj.exe	104
PID 4656 wrote to memory of 4040	4656	Edaaccbj.exe	104
PID 4040 wrote to memory of 2856	4040	Ekljpm32.exe	105
PID 4040 wrote to memory of 2856	4040	Ekljpm32.exe	105
PID 4040 wrote to memory of 2856	4040	Ekljpm32.exe	105
PID 2856 wrote to memory of 1956	2856	Ecgodpgb.exe	107
PID 2856 wrote to memory of 1956	2856	Ecgodpgb.exe	107
PID 2856 wrote to memory of 1956	2856	Ecgodpgb.exe	107
PID 1956 wrote to memory of 2864	1956	Enlcahgh.exe	108
PID 1956 wrote to memory of 2864	1956	Enlcahgh.exe	108
PID 1956 wrote to memory of 2864	1956	Enlcahgh.exe	108
PID 2864 wrote to memory of 2152	2864	Edfknb32.exe	109
PID 2864 wrote to memory of 2152	2864	Edfknb32.exe	109
PID 2864 wrote to memory of 2152	2864	Edfknb32.exe	109
PID 2152 wrote to memory of 4932	2152	Enopghee.exe	110
PID 2152 wrote to memory of 4932	2152	Enopghee.exe	110
PID 2152 wrote to memory of 4932	2152	Enopghee.exe	110
PID 4932 wrote to memory of 4064	4932	Eqmlccdi.exe	111
PID 4932 wrote to memory of 4064	4932	Eqmlccdi.exe	111
PID 4932 wrote to memory of 4064	4932	Eqmlccdi.exe	111
PID 4064 wrote to memory of 208	4064	Fkcpql32.exe	112
PID 4064 wrote to memory of 208	4064	Fkcpql32.exe	112
PID 4064 wrote to memory of 208	4064	Fkcpql32.exe	112
PID 208 wrote to memory of 4216	208	Fnalmh32.exe	113
PID 208 wrote to memory of 4216	208	Fnalmh32.exe	113
PID 208 wrote to memory of 4216	208	Fnalmh32.exe	113
PID 4216 wrote to memory of 4008	4216	Fqphic32.exe	114

C:\Users\Admin\AppData\Local\Temp\5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe
"C:\Users\Admin\AppData\Local\Temp\5f533ada71d83faee3155b8d01f4d03b56feae9938c9dbc6cd79b89e8aa3fbcf.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\Dkpjdo32.exe
  C:\Windows\system32\Dkpjdo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\Dpmcmf32.exe
    C:\Windows\system32\Dpmcmf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\SysWOW64\Dggkipii.exe
      C:\Windows\system32\Dggkipii.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Enlcahgh.exe
        
        C:\Windows\system32\Enlcahgh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 408
        31⤵
        Program crash
        
        PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1204 -ip 1204
1⤵
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4292,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=3872 /prefetch:8
1⤵
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcnlnaom.exe

Filesize
80KB

MD5
38716133cef8d9f378b1702ed6e2fb2b

SHA1
2a58ae849bae78449d6161fcd8c203c11291cf8e

SHA256
3c05c14d179239faf2482cd4929cf32c0297a360e13126ef0ce19db10101a49e

SHA512
fde4aa2b6014439ce3c1e30a3814ba1cc7707121009d8678a7b5bb6eafefb93e4b0d7e787552c15c47fa94955ff1dc0aece41bd3174ef8bfd801fa7ae2f12f37

Download Submit
C:\Windows\SysWOW64\Ddmhhd32.exe

Filesize
80KB

MD5
324991132e069b8a3a4754687575881e

SHA1
ac94633ef564fb33901e31b85968f0d328e0c03c

SHA256
9f34c23382ec254fd9af241a7031406e837ef87fd3995e2a5c951b3e1472cea6

SHA512
40031b75432c49697a74265dded26e3858bd420833235f57689d9bda0a830f43c89b7fb4ca960e7447a201631857c0e3988d66714d285190b46171ca91a15629

Download Submit
C:\Windows\SysWOW64\Dggkipii.exe

Filesize
80KB

MD5
abedf823331fb6cd14b6813bc73563b1

SHA1
1bcd9b8f08839c73577bb9cb367ce959afe96f4c

SHA256
21be9d83c8a5a37e29fc0dba9489a7e8d98f9cb0d07934c32e2f2bdede89f2bf

SHA512
d3e7adba56abb22a45be11df223500f40837de8dddca60b38f91efb8af42d70ea1d6bd8f377c93ee7817c8df69f1f5bb31a8a5344bd77e04f5e76d09e982221c

Download Submit
C:\Windows\SysWOW64\Dkpjdo32.exe

Filesize
80KB

MD5
a9cc72dfe9c79f5c5267805e7039e901

SHA1
b4e29c597d9cf19668304bd4257bcc09f787a9d0

SHA256
cc3ffc9dd76ccb167cc9e636d617d8ca0ccfcdb3e098c00d80dae9ff7d30df6a

SHA512
a4a00676b83b7a300ac05f6fb08f62bedc67772d6f7af7817dc469a0012696fee0fdcb94211526a2e798fd81a0c1d41a043a9c4c8b1bf01c81b369b1d73a3eb2

Download Submit
C:\Windows\SysWOW64\Dncpkjoc.exe

Filesize
80KB

MD5
1aadcba9db084020652a10bd2f1c9bf6

SHA1
c1324c31d36a6562f34a9b9692c655db38799822

SHA256
c2f1140fd963b6a5650926f88eb04eb1c7721aaf7bd7442457ca8bec306f346c

SHA512
5f888d0bf55b002d156fc8bea70d979342c4b5009f9e4e14c9175410aea7221af9250aad8b20cdd37a454412f811f4b537714ae554d62ed33957c0a12701cff5

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
80KB

MD5
0a0f67c69853d60749bdc61106aff5aa

SHA1
20b1c1ceb6c306509b1969e389112d18a3a62bac

SHA256
eb3d883603199acb456443552b7fa754ba75a6e4c668baa32e4a9a36c7a6fdbf

SHA512
51b32122e7a0694377d3842e621707516581b951fdec6f6d22572dd698f20c3970b6ae3d12cffb012b47f878e825ba11d4607fd1a1de19414b2becf19547dcda

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
80KB

MD5
8af64ffce247511d710dd9e63ea2d936

SHA1
04b534a5b954b0fb19aa2a53b49c0fc902fcaaf2

SHA256
d5e22245d48b278f3e3ecf14ff4ee362cf033a0d67f3e1f1653d61424a25fb40

SHA512
3dff1437641bdbb11347dadaca059abe315f183b0feb2b5a66acc7eea4a614911a8c3a6e50ea5f3df89be8365cdcff72503c5dacbe4052262e7d05bab344356a

Download Submit
C:\Windows\SysWOW64\Ecgodpgb.exe

Filesize
80KB

MD5
5074a7d296012a4d83d5bfe91eb41409

SHA1
b7ca8fec2840ef87af00357081fe295f2e7d3d6a

SHA256
3661dc5a0545089007da9c07a4421e5dcff6ade26bd0d54ac06b72b864465d6b

SHA512
74b74bb50c644dccff52b51d935690c159caf9d33363a81fde5ac71aa178ef36b35fe9ba3b119b6578074aa7840ad33aafa0ab714056aee94e71b35ae9ffa66b

Download Submit
C:\Windows\SysWOW64\Edaaccbj.exe

Filesize
80KB

MD5
84fd850e3f2666b925c5897661a939e6

SHA1
03e3381e1ea624dbeeface22cb96a729fdc2ef40

SHA256
68fc1c08ca4f76ae7e007a30c1040803868ecab6e9126f2e013ccd4cbbf8e4f6

SHA512
69140116fc626fef9bda0d2b77bde12293f272f5916bb5ca7b548e7b365acb63750205122889c0be2bc971991d4d23089dc01ebd5f9c48c80ddd2927242c4eff

Download Submit
C:\Windows\SysWOW64\Edfknb32.exe

Filesize
80KB

MD5
a9c0aeeabaf7088768562a9907e1ba39

SHA1
958b3b5fa618e9fa1e6b051f1a50aa270e59d875

SHA256
0aa0831b8008c0806d74ec450f60ea0e6fdcb173d15c6098e97ccb6d5304a0d5

SHA512
14993e49da30458ca364d79f5b0b53295dd15926436f1965627461f94b036d04aceeaaa9f7138d8bd0c1c0504a31fb168bab2dcfd77df394d2a3763bc025e11c

Download Submit
C:\Windows\SysWOW64\Ejlnfjbd.exe

Filesize
80KB

MD5
80ae70156a5aaf2df2f773ee12ca8ccc

SHA1
5b468b7d56e8091273f06ca6580e526b0b3ccf48

SHA256
1f005e3db279c42a0c09dc64b34482590d94a7984928bdeb538ada13ba2caeab

SHA512
a6150b2d7aa6a3504403b081a2fe639147b971233446e504a81c37dfdbda66f0a4744b54c5d9490f1e28a4cf4dbb928e8a4d8e6e21ac479c69e203fb59ae9565

Download Submit
C:\Windows\SysWOW64\Ekgqennl.exe

Filesize
80KB

MD5
d80cd152d12f930b91d704595ed837f3

SHA1
1912a5a37de2b10da56a1c72a97408be8450b995

SHA256
b4c01e5ce9c37197aa8e483075b9fe1a154d056a124728aac853a81823f00bad

SHA512
fa7b5fc680f15c1235867ce6d1b42d0cadcf56a9e36a1d0af1996f59cdc4b6f4fd55832a1b9d39dd0342471e9ddb83f2922414dfd878017d0ad4d0441880fd0f

Download Submit
C:\Windows\SysWOW64\Ekljpm32.exe

Filesize
80KB

MD5
631f579d745a9227eae6a1f92b42cdbf

SHA1
81a2c77ff5265cb6f6f127d7ebb10f518d1ba8cf

SHA256
90c7214b84659a8c5199bd900fed566b0f8e761942940c8cb7f0bcf214a3be93

SHA512
8d5744bf26a6ac648e5743298cc797cef514c8c06749342a46425985588f217a9a9a0d206cf1e53dacd0ca90a60690981b97bf0463f651e19ddb75ac42163994

Download Submit
C:\Windows\SysWOW64\Enemaimp.exe

Filesize
80KB

MD5
c6f9ca1c6062e3078df580d74724dfb7

SHA1
5143557d5447ab6477156288cbfc1c9b13967222

SHA256
1a57215b83227050013e3ddf167f6bfe1ea4741cceb101d18e2d84bc2336f688

SHA512
769b861143d672f852b2375e88ce78bdc60800ea49e006435751cc4cc87a5d1a2c47cee648144d72adeae3fa56d38fb409008510dc5a507744996b3e0c15050e

Download Submit
C:\Windows\SysWOW64\Enlcahgh.exe

Filesize
80KB

MD5
b35afce89323f3c125a63dd70265b647

SHA1
4cd4e2985b27c448f62626d252650342f6aeb3f7

SHA256
2fc2eb88173f314dba03e39afc7f22f1d918adc1e76c67d3edec513b68cf1282

SHA512
948a0e60903a8c34e15a8a5adbc6cb6431725d3a00e0f1254a17cb3bf983280e8ab6c292ce51bf25bd8807d81479e4bfdc9064c7a1a00828f039848cb4d150f3

Download Submit
C:\Windows\SysWOW64\Enopghee.exe

Filesize
80KB

MD5
5eacd1879a524120f33a50bbcea7f646

SHA1
16ccb6cee2336e6aa4886476ebd43fe9e75e2076

SHA256
1746afeeb8c18e41b0b887b47a6d45b3247d923bca8e7427c51f1b2a15a3aac2

SHA512
c0f9a2db00fb1161fce6cc2a20482cbd7b33ed7a72bfd993bcb3b01cdb686191b7987ec43b9b7eb5f9327bdb82eb721e14e4c0c446a6061c009b80f6f26e02e0

Download Submit
C:\Windows\SysWOW64\Epdime32.exe

Filesize
80KB

MD5
06fe1561a5aecb25f717307e8d50fe4e

SHA1
fda69d1694f4aa5f6f50456f1904fd163a0355eb

SHA256
abb0cbffb35eadf71c8bf937740b63b8ec15e728e65f3f0acdf117113085609e

SHA512
fa0b1b747356d18037e77b5885911b221976c40d61e7f8c455d55cdb2ef1116cc5b806b4e395fee124d4d509e58c5228282f6086f2cdc93b00cb2fe5cd79fb90

Download Submit
C:\Windows\SysWOW64\Eqmlccdi.exe

Filesize
80KB

MD5
a03b17c90bf7d384b452e2bda10dcbb0

SHA1
07c802b0f9cdc4fe99d56ccc61c73171b8274999

SHA256
76b73cc9ee86022b1be4790462f71edf5ee9c645c5ab3a937570e4af7115a3af

SHA512
f3ddd360a4a55efc69c4440b832bce08c282d1a0d2e417fcd8c926bf5622c2785e9c18fc5a293052c33e83fa351c0830627b1ceddce7daa4c80227e963d14ef5

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
80KB

MD5
50aedccfba413e810fc8bf23a47529ee

SHA1
1502ede7e5d37dc31971e9aa05cfdf0cca8bbf83

SHA256
ccd9084367ff9f4d28e2bddd7f032c3fcdc26b3905e8b8f04557639f598a2976

SHA512
94f4e49c48a7a20970258dc0e671199fbadd6c726a9a670f94fa19f771ff1e4eef603ad37b61d88ee8be834ed5b7ce2ad1b4098276f2d0a33025dfcb99dcf0c8

Download Submit
C:\Windows\SysWOW64\Fcneeo32.exe

Filesize
80KB

MD5
6587d53fc51d681e4dda3d4c1d03af8d

SHA1
2ddb7e643dbde1632bd180b2be4c656d61690ec6

SHA256
1cf1d2a5fc4418aed09aeb614cb03e6d8e5304ae9d0712594acb6e2cb4153ea7

SHA512
2ee1fb624bf66b2ecf03a0097cba03f00ee08e62bf5b3d6f79da0e308b33819e3bc5c4164e8f7ea18c088b65cda18bf25b2299229efcbc263c473d9073d30a02

Download Submit
C:\Windows\SysWOW64\Fkcpql32.exe

Filesize
80KB

MD5
4b00498eb6ae07e9226cf89b2a767f4a

SHA1
733c689977f7a5dfa389273cb260d181ce602fe3

SHA256
963d5b3708259d78609c1bfe7d68f692f8b9b98116484fecc68770191cd9156d

SHA512
fd4e31e2e84f06f79f05c2e20b7352adbec4cb9e4bd217688d81f5a687452204d8bccfd1c4a6f5a11eb2a11cfce22e87d50a744ecc95e20201c0c1086ef04355

Download Submit
C:\Windows\SysWOW64\Fkgillpj.exe

Filesize
80KB

MD5
27a8307fb2c8e823353866dd27251855

SHA1
3f7945894d17d790a07de93dcd8dc6cd8d285fe9

SHA256
2e73716490f47462a7863709fdbf4e1dda5fb305cbbcd3e1037be332798ec984

SHA512
6c2901b5f56d70c037bfa2d499e6b5f8763453d54d9b70d7c029c1ca0056169d00b9842dfffaa10cf95d6a11d4233a13b7b3c358a31bde493530564a19de0963

Download Submit
C:\Windows\SysWOW64\Fnalmh32.exe

Filesize
80KB

MD5
28d8493b591d0191e9cd198b28716433

SHA1
91463c7b957d1d325052d5b88d986b1eeea0b74d

SHA256
5e5fbd234d4abf306a4e4ac67db6b9be280dff67c6c264813fdc29d68158fc0a

SHA512
3613eeac9bd625fa8499851c4626bf178c427a2923157faa09b05ff0cad9cedc6ad3d5cd8ed637276851d3ab9cc6e76670a8c16c870303878fcd0e16b4151eba

Download Submit
C:\Windows\SysWOW64\Fnhbmgmk.exe

Filesize
80KB

MD5
8398cbf75e201c8650a9c7aeb57a3a0b

SHA1
6e3c072da570a75bbf6e2fb5d195fb15d9a555af

SHA256
cb7a21c201ea3a0ef352466ec0ed633c7dc855e172adb97b13a11c9cb7b0b66b

SHA512
7a522e5b52b45863f487c212311700e7125154ede2ea77295a6210c290607729580cce6fda76e1ed7f063a93d430005ddfe69046f08165eb56072d3a26df9c1f

Download Submit
C:\Windows\SysWOW64\Fnjocf32.exe

Filesize
80KB

MD5
2319d6fb60e0f6635819e077fae6a41a

SHA1
7ae7395388d0cee6cea0047414d114105bed6515

SHA256
f56eadef040ce074c59415df6f4d4752025d1f52834c3632388addf57bf095bf

SHA512
5c46d10a5aca8144cf95abeff6d130092c5f5d5269feb3283c44b4f5a0b58329b3c937d87c744d0f69d892582f9eb2a47bd7fad166e5f42346e17905b10ca360

Download Submit
C:\Windows\SysWOW64\Fqfojblo.exe

Filesize
80KB

MD5
112543ef4b940f654de05558109dd99a

SHA1
3f0ef9203b7d8f648031605ea286c0d30a15eec7

SHA256
2c06adac907ee18ce41899490df797d3d9206b394f51d1e47d46e3760a0241e1

SHA512
6d3a422d86dcf4cdc486ffa4fd0cd417973a8ec6d587a1b51a4d94a8af27225a19667849727924114a29c901c55bd8ca4f718c52a29917a5ab54fba8f70291c0

Download Submit
C:\Windows\SysWOW64\Fqikob32.exe

Filesize
80KB

MD5
a53d85072f44dfd4f6fa6a1c06b33637

SHA1
951234f6a2f71f508a3aa2b2fd5ae618d0be6359

SHA256
950886b8e976409ef58fc96a2d592d2505b7e449bc9c5a45e2b37da06f5e1b2c

SHA512
3a3dee7523f0db336c4582d1f5053bcb6b9f99789ac1f1a37dd3eacd826f428347438f73050b1896b03f0fdef61f8a39584502512914664a80a2a1c756ff0c43

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe

Filesize
80KB

MD5
7411df1ce15079667f3ee266b9cad1d4

SHA1
95ed9b5b7216c265befa8a7b91c76c12b04852b8

SHA256
6a4a26ed2a467dbd7a78f2d2579bedad830463edf8937e4690e61b9a0f66ed77

SHA512
078975b85ad775b8c610335b604aef262c9ac8f1edb3d5d8149223c4ca2b11c9472ea7dc1deff7fdbb56fe43887eea0db18b36d197e7ed9f3891f0ff059b4a5d

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
80KB

MD5
1308e00e8d396f5774fafdc810fe5a57

SHA1
f096fcacfcbce72b3ed6cc2952561418037cf032

SHA256
ff250008755076523b5234a5ef6c720a13c545cd59ee9f703115888100590de1

SHA512
87191745941163ea43e1595254870323afbe7ea4f2a41d0177ce192e4a2552311b443a3e689740b720212a0e17ccfc174b20b29f62e159d5d3f80e07aaa9cd0b

Download Submit
memory/208-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/216-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/216-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1204-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1536-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1536-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1948-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1948-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1980-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1980-255-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2152-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2152-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2212-246-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2212-253-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2804-217-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2804-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2856-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2856-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2864-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2864-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3448-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3448-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3608-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3608-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3924-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3924-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3940-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3940-166-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4008-190-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4008-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4032-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4032-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4040-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4040-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4064-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4216-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4216-181-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4356-208-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4356-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4440-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4440-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4608-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4608-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4608-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4652-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4652-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4656-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4656-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4800-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4800-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4900-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4900-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4932-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4932-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads