8f0b7417d35d3f0b9b7ab960a7cae9a2d0353d4c74b07c6768ad8a1ea3366c52

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

952a9ab6cb5bc99a3b31c51f3f38d680N.exe
Size

59KB
MD5

952a9ab6cb5bc99a3b31c51f3f38d680
SHA1

91533f62a6acf54e96eaa6e23a1cb1308adb6bac
SHA256

8f0b7417d35d3f0b9b7ab960a7cae9a2d0353d4c74b07c6768ad8a1ea3366c52
SHA512

b0481989868c972536808589661a3681f82ea81d266b9bdbaa199cd7834ac82f788f845b5aba01025b20e834be7dd8bbb7ce57e1c70acc5bae88e52942a0d9fb
SSDEEP

768:ZlsYCtR6yUhPsnNfIGSEBMtzZb6SgNKvyX2kJxp/w8ldWJZ/1H5yC5nf1fZMEBFN:wYCtSPkVizgSgNV2kJb4rU+NCyVso

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddklbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dickplko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egnajocq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edoencdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	952a9ab6cb5bc99a3b31c51f3f38d680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgodpgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enemaimp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	952a9ab6cb5bc99a3b31c51f3f38d680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enemaimp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fglnkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dickplko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddklbd32.exe

Executes dropped EXE 33 IoCs

pid	Process
2680	Dnljkk32.exe
4356	Dgdncplk.exe
668	Dickplko.exe
3308	Dpmcmf32.exe
1436	Dggkipii.exe
1780	Dnqcfjae.exe
2796	Ddklbd32.exe
4800	Dkedonpo.exe
3940	Dpalgenf.exe
4900	Dcphdqmj.exe
1732	Enemaimp.exe
4252	Edoencdm.exe
2800	Egnajocq.exe
5020	Eaceghcg.exe
1048	Ecdbop32.exe
3464	Ekljpm32.exe
3036	Enjfli32.exe
2152	Ecgodpgb.exe
3232	Ejagaj32.exe
5032	Eqkondfl.exe
1124	Ecikjoep.exe
3084	Eajlhg32.exe
4788	Eqmlccdi.exe
4564	Fclhpo32.exe
5084	Famhmfkl.exe
2052	Fdkdibjp.exe
1244	Fkemfl32.exe
3924	Fncibg32.exe
3952	Fqbeoc32.exe
3392	Fglnkm32.exe
4444	Fkgillpj.exe
4056	Fdpnda32.exe
2208	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eclbio32.dll	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Fkemfl32.exe	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fdpnda32.exe
File opened for modification	C:\Windows\SysWOW64\Fkemfl32.exe	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Fkgillpj.exe	Fglnkm32.exe
File created	C:\Windows\SysWOW64\Dkedonpo.exe	Ddklbd32.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbop32.exe	Eaceghcg.exe
File opened for modification	C:\Windows\SysWOW64\Ecgodpgb.exe	Enjfli32.exe
File created	C:\Windows\SysWOW64\Bailkjga.dll	Dickplko.exe
File opened for modification	C:\Windows\SysWOW64\Enemaimp.exe	Dcphdqmj.exe
File created	C:\Windows\SysWOW64\Ndmojj32.dll	Enemaimp.exe
File created	C:\Windows\SysWOW64\Binfdh32.dll	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Ppkjigdd.dll	Famhmfkl.exe
File opened for modification	C:\Windows\SysWOW64\Fncibg32.exe	Fkemfl32.exe
File opened for modification	C:\Windows\SysWOW64\Ejagaj32.exe	Ecgodpgb.exe
File created	C:\Windows\SysWOW64\Famhmfkl.exe	Fclhpo32.exe
File opened for modification	C:\Windows\SysWOW64\Dickplko.exe	Dgdncplk.exe
File opened for modification	C:\Windows\SysWOW64\Fqbeoc32.exe	Fncibg32.exe
File opened for modification	C:\Windows\SysWOW64\Fdpnda32.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Gdmkfp32.dll	Dkedonpo.exe
File opened for modification	C:\Windows\SysWOW64\Eqkondfl.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Ojimfh32.dll	Eajlhg32.exe
File opened for modification	C:\Windows\SysWOW64\Fkgillpj.exe	Fglnkm32.exe
File created	C:\Windows\SysWOW64\Fglnkm32.exe	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Edoencdm.exe	Enemaimp.exe
File created	C:\Windows\SysWOW64\Dgdncplk.exe	Dnljkk32.exe
File created	C:\Windows\SysWOW64\Dggkipii.exe	Dpmcmf32.exe
File opened for modification	C:\Windows\SysWOW64\Dcphdqmj.exe	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Ikfbpdlg.dll	Dnljkk32.exe
File opened for modification	C:\Windows\SysWOW64\Dnqcfjae.exe	Dggkipii.exe
File opened for modification	C:\Windows\SysWOW64\Fclhpo32.exe	Eqmlccdi.exe
File opened for modification	C:\Windows\SysWOW64\Fdkdibjp.exe	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Pedfeccm.dll	Dggkipii.exe
File opened for modification	C:\Windows\SysWOW64\Egnajocq.exe	Edoencdm.exe
File created	C:\Windows\SysWOW64\Ecdbop32.exe	Eaceghcg.exe
File created	C:\Windows\SysWOW64\Ejagaj32.exe	Ecgodpgb.exe
File created	C:\Windows\SysWOW64\Bopnkd32.dll	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Dodfed32.dll	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Eqmlccdi.exe	Eajlhg32.exe
File created	C:\Windows\SysWOW64\Fqbeoc32.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Egnajocq.exe	Edoencdm.exe
File created	C:\Windows\SysWOW64\Gokfdpdo.dll	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Dpmcmf32.exe	Dickplko.exe
File opened for modification	C:\Windows\SysWOW64\Ddklbd32.exe	Dnqcfjae.exe
File opened for modification	C:\Windows\SysWOW64\Ecikjoep.exe	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Enjfli32.exe	Ekljpm32.exe
File opened for modification	C:\Windows\SysWOW64\Eajlhg32.exe	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Iplfokdm.dll	Ddklbd32.exe
File created	C:\Windows\SysWOW64\Jjjfeo32.dll	Dpalgenf.exe
File opened for modification	C:\Windows\SysWOW64\Ekljpm32.exe	Ecdbop32.exe
File opened for modification	C:\Windows\SysWOW64\Fglnkm32.exe	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Kojkgebl.dll	Enjfli32.exe
File created	C:\Windows\SysWOW64\Eajlhg32.exe	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Nailkcbb.dll	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Qmofmb32.dll	Ecgodpgb.exe
File created	C:\Windows\SysWOW64\Fdpnda32.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Ekljpm32.exe	Ecdbop32.exe
File created	C:\Windows\SysWOW64\Eqkondfl.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Dnljkk32.exe	952a9ab6cb5bc99a3b31c51f3f38d680N.exe
File opened for modification	C:\Windows\SysWOW64\Dggkipii.exe	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Ddklbd32.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Mjbaohka.dll	952a9ab6cb5bc99a3b31c51f3f38d680N.exe
File created	C:\Windows\SysWOW64\Fncibg32.exe	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Begndj32.dll	Fkemfl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3932	2208	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkedonpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fglnkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkgillpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnljkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddklbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dickplko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgodpgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpmcmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecdbop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkondfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqmlccdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcphdqmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edoencdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Famhmfkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkdibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	952a9ab6cb5bc99a3b31c51f3f38d680N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpalgenf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enemaimp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaceghcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekljpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdncplk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggkipii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjfli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejagaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eajlhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclhpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkemfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egnajocq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkacq32.dll"	Edoencdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodfed32.dll"	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fglnkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjfeo32.dll"	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll"	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfbpdlg.dll"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpbbbdk.dll"	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmofmb32.dll"	Ecgodpgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	952a9ab6cb5bc99a3b31c51f3f38d680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fglnkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejceb32.dll"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	952a9ab6cb5bc99a3b31c51f3f38d680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmkfp32.dll"	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdaleh32.dll"	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	952a9ab6cb5bc99a3b31c51f3f38d680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhmcdfq.dll"	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgqep32.dll"	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkkmjeh.dll"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	952a9ab6cb5bc99a3b31c51f3f38d680N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojkgebl.dll"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbaohka.dll"	952a9ab6cb5bc99a3b31c51f3f38d680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddklbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enjfli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bailkjga.dll"	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfokdm.dll"	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedfeccm.dll"	Dggkipii.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 2680	3624	952a9ab6cb5bc99a3b31c51f3f38d680N.exe	88
PID 3624 wrote to memory of 2680	3624	952a9ab6cb5bc99a3b31c51f3f38d680N.exe	88
PID 3624 wrote to memory of 2680	3624	952a9ab6cb5bc99a3b31c51f3f38d680N.exe	88
PID 2680 wrote to memory of 4356	2680	Dnljkk32.exe	89
PID 2680 wrote to memory of 4356	2680	Dnljkk32.exe	89
PID 2680 wrote to memory of 4356	2680	Dnljkk32.exe	89
PID 4356 wrote to memory of 668	4356	Dgdncplk.exe	90
PID 4356 wrote to memory of 668	4356	Dgdncplk.exe	90
PID 4356 wrote to memory of 668	4356	Dgdncplk.exe	90
PID 668 wrote to memory of 3308	668	Dickplko.exe	91
PID 668 wrote to memory of 3308	668	Dickplko.exe	91
PID 668 wrote to memory of 3308	668	Dickplko.exe	91
PID 3308 wrote to memory of 1436	3308	Dpmcmf32.exe	92
PID 3308 wrote to memory of 1436	3308	Dpmcmf32.exe	92
PID 3308 wrote to memory of 1436	3308	Dpmcmf32.exe	92
PID 1436 wrote to memory of 1780	1436	Dggkipii.exe	93
PID 1436 wrote to memory of 1780	1436	Dggkipii.exe	93
PID 1436 wrote to memory of 1780	1436	Dggkipii.exe	93
PID 1780 wrote to memory of 2796	1780	Dnqcfjae.exe	94
PID 1780 wrote to memory of 2796	1780	Dnqcfjae.exe	94
PID 1780 wrote to memory of 2796	1780	Dnqcfjae.exe	94
PID 2796 wrote to memory of 4800	2796	Ddklbd32.exe	95
PID 2796 wrote to memory of 4800	2796	Ddklbd32.exe	95
PID 2796 wrote to memory of 4800	2796	Ddklbd32.exe	95
PID 4800 wrote to memory of 3940	4800	Dkedonpo.exe	96
PID 4800 wrote to memory of 3940	4800	Dkedonpo.exe	96
PID 4800 wrote to memory of 3940	4800	Dkedonpo.exe	96
PID 3940 wrote to memory of 4900	3940	Dpalgenf.exe	98
PID 3940 wrote to memory of 4900	3940	Dpalgenf.exe	98
PID 3940 wrote to memory of 4900	3940	Dpalgenf.exe	98
PID 4900 wrote to memory of 1732	4900	Dcphdqmj.exe	99
PID 4900 wrote to memory of 1732	4900	Dcphdqmj.exe	99
PID 4900 wrote to memory of 1732	4900	Dcphdqmj.exe	99
PID 1732 wrote to memory of 4252	1732	Enemaimp.exe	100
PID 1732 wrote to memory of 4252	1732	Enemaimp.exe	100
PID 1732 wrote to memory of 4252	1732	Enemaimp.exe	100
PID 4252 wrote to memory of 2800	4252	Edoencdm.exe	101
PID 4252 wrote to memory of 2800	4252	Edoencdm.exe	101
PID 4252 wrote to memory of 2800	4252	Edoencdm.exe	101
PID 2800 wrote to memory of 5020	2800	Egnajocq.exe	102
PID 2800 wrote to memory of 5020	2800	Egnajocq.exe	102
PID 2800 wrote to memory of 5020	2800	Egnajocq.exe	102
PID 5020 wrote to memory of 1048	5020	Eaceghcg.exe	104
PID 5020 wrote to memory of 1048	5020	Eaceghcg.exe	104
PID 5020 wrote to memory of 1048	5020	Eaceghcg.exe	104
PID 1048 wrote to memory of 3464	1048	Ecdbop32.exe	105
PID 1048 wrote to memory of 3464	1048	Ecdbop32.exe	105
PID 1048 wrote to memory of 3464	1048	Ecdbop32.exe	105
PID 3464 wrote to memory of 3036	3464	Ekljpm32.exe	106
PID 3464 wrote to memory of 3036	3464	Ekljpm32.exe	106
PID 3464 wrote to memory of 3036	3464	Ekljpm32.exe	106
PID 3036 wrote to memory of 2152	3036	Enjfli32.exe	107
PID 3036 wrote to memory of 2152	3036	Enjfli32.exe	107
PID 3036 wrote to memory of 2152	3036	Enjfli32.exe	107
PID 2152 wrote to memory of 3232	2152	Ecgodpgb.exe	108
PID 2152 wrote to memory of 3232	2152	Ecgodpgb.exe	108
PID 2152 wrote to memory of 3232	2152	Ecgodpgb.exe	108
PID 3232 wrote to memory of 5032	3232	Ejagaj32.exe	109
PID 3232 wrote to memory of 5032	3232	Ejagaj32.exe	109
PID 3232 wrote to memory of 5032	3232	Ejagaj32.exe	109
PID 5032 wrote to memory of 1124	5032	Eqkondfl.exe	110
PID 5032 wrote to memory of 1124	5032	Eqkondfl.exe	110
PID 5032 wrote to memory of 1124	5032	Eqkondfl.exe	110
PID 1124 wrote to memory of 3084	1124	Ecikjoep.exe	111

C:\Users\Admin\AppData\Local\Temp\952a9ab6cb5bc99a3b31c51f3f38d680N.exe
"C:\Users\Admin\AppData\Local\Temp\952a9ab6cb5bc99a3b31c51f3f38d680N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\SysWOW64\Dnljkk32.exe
  C:\Windows\system32\Dnljkk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\Dgdncplk.exe
    C:\Windows\system32\Dgdncplk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\SysWOW64\Dickplko.exe
      C:\Windows\system32\Dickplko.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:668
    - - C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
      - C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 400
        35⤵
        Program crash
        
        PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2208 -ip 2208
1⤵
PID:1956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4292,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=1432 /prefetch:8
1⤵
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
59KB

MD5
3aded59aa62e723f286b564867364a46

SHA1
8069e08ccad203ec3341785dbeb8222d135f2e75

SHA256
afa6d843940b530374ebadd13dd60281971ba10c0ee114d0b05742e411dd1117

SHA512
f7268ce1d8c1647cf514fffaca5e53f1cbd094783a6343ec471daacfe3a027ff99185f9a46491435104584313b94b69bd0598bf445987bd22753e1a231562568

Download Submit
C:\Windows\SysWOW64\Ddklbd32.exe

Filesize
59KB

MD5
720afdb291b88e43e4936c70588baece

SHA1
772226a26c15f54bbe2c1fbf170bba8cdbd8b8bc

SHA256
1e234462c7f9e2595cf84d7e2172479349cdab38d53f2d9de8dac486b7b37115

SHA512
42f1a6a7c949358847345d4102c0afed77ac6be39da5aacb9515a25a50698e0afff3e76fe1de2bc4aa4997874802ef0ee2313ed1c9ead50ec8dd5233265fc9c3

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
59KB

MD5
181bc90d686785b737d4b38123dae38e

SHA1
c80c178f69ad417395783803b8cab313d9b89116

SHA256
757475047f25d5159c8758a8013e18580cd6824e1c221696bf6605046ad15ebd

SHA512
5ef37ebe63d89f7d043f7a2e76db38f34d0d08a126c6db0852e670dff7f1c9cfec1cbd64f03320520349f2de67c5e3ae81de7a1e7603db2b142a59934fb1a78c

Download Submit
C:\Windows\SysWOW64\Dggkipii.exe

Filesize
59KB

MD5
fb623b829b9f6e3b4ed52153c6c60d49

SHA1
1bc9ef6413cc98a53e071319aa813a2e8042feb4

SHA256
2e94e97f67a0e8038524443406eaba213e9648c82050dbbc344a8e46c2084e20

SHA512
01c04de5b283a504359c5c8fecb947721d43a50f5e141c33edead113fad6b08864771c1cbb266c6de5243c0fa053a8b961871e24ac2d9cc37396ceaed5f27146

Download Submit
C:\Windows\SysWOW64\Dickplko.exe

Filesize
59KB

MD5
b91f58de38fcd9a54a2246241117385f

SHA1
d680a22c4a89ab710b627eb3b54224bc1f386734

SHA256
6a6814d11b0176d0c681564246deedf13249af7c79c92b7c00daaeac779873e9

SHA512
6e2be9ea68f6c8358c09e47100d1b621303ceb3c5016bbccd71062b205bb4f5d857c3164a8dcd0b9dbe64aa7cb1a6f8aa8a085a7bc63db7b8457d82e7acc2b83

Download Submit
C:\Windows\SysWOW64\Dkedonpo.exe

Filesize
59KB

MD5
9b792007a676db980273e6f93dbd0c48

SHA1
1a20dbe8d859b528a37f8483db37f8e476821dbd

SHA256
e3e3a73228cf67d258367043f29d34ad59853138d0b0d880748f3b6eb51ebf62

SHA512
77138f6f6ca3c7009a4e88f5aed6797a16b32f3e35537fdefb486c5574b439ed0133557c829585b4f5cfa83b8ceff08d3913508d9f98cffb1efa540e151ec13e

Download Submit
C:\Windows\SysWOW64\Dnljkk32.exe

Filesize
59KB

MD5
eb107758239a3ddcef3d6c345ae0e771

SHA1
490daeb38153136f636751c35182da8aa7ff351c

SHA256
4e4c89c75401de6f43d70bc459eac97bcc95a30f3694d563eaa16ab2b2a340f0

SHA512
ccc763fad19e84eaf93373409acf39261f47aade6c746d5aad44b52a615f92b572f505ffd7a8f159f207df1b9f3f7e0e8caf328b01e6a21c66e4d6b2e28c3cc4

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
59KB

MD5
dea5d8ff652200c4419ac67d19dd79a4

SHA1
d71bbc1a626c1156776a48fbd3f9aa5970168a32

SHA256
7aefd57712320201214edca64906f057cc1d2b68f2f4040df2135231a0217eca

SHA512
01fc9def8f2a9cd438be00ac79cae79bf18177d0774800b9b9d7227b85d9f1d5df2430aaa14356456bccda14b8ecd971ce9b0e14b35976e0ac36da046590539f

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
59KB

MD5
3c709e66a2a7b40f5a3e4471ea56d153

SHA1
fda01cc48591d3dde1215ef048cff0805d36c9ca

SHA256
c63d2764e5f7f2b0492b631b7afa78d7235617a00f1eb79fd38c33d07de87362

SHA512
05971303c981f50b4372016abcec68fa78073b9e2bd92e4a444b537a7b79d191845d1a9acbbcdd3d793ff21d4e2f0df3e83274b645ce036bf1b978481b7dafb0

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
59KB

MD5
b174838e875ee508b6da7ad5fcb714e5

SHA1
5578357bdfe5f6512a5130a8eb12af0509da63e1

SHA256
1e96e392442c9ab7d8ad2c53261cf8bda19f27dbe8a021f5264aae5eaf2bfc0c

SHA512
6681a5a9629027ffee952efcde964b58a2e2bdf74a06992a29f55446bc405c927fde3c550c2e09b8f661e31029e59f5c117148ec29b48b6ec7ee0c4a0380154f

Download Submit
C:\Windows\SysWOW64\Eaceghcg.exe

Filesize
59KB

MD5
a0af51461c93432d3e30bb676116d841

SHA1
e94d2cb114414653fd463759092d35ea88dc9696

SHA256
56875feb851506b0f863074663919fa54a2d145a6c8ce52c4131e35c88d831f4

SHA512
407716a3adc1cfdffbd63437aff2bb6ac46f869aaac8fe0211a49dd374b59a58db9d5132e5d44ed863fdc25c477bc9179a6df3ede7cabf8b1dedab652de23aef

Download Submit
C:\Windows\SysWOW64\Eajlhg32.exe

Filesize
59KB

MD5
73a751c78b0d070622776dc89886e283

SHA1
be3453917c63c2d175c7bfdd00abab6b1002b0c7

SHA256
b9731a80a3828efa95259183a6ccf0427fb5a08c977ad41be2a0d429791f3616

SHA512
c6875fa7632a94406b7a0f9f0e741ba15d0da4d9a98302f21d6b98e34f63c9e47d84132586d07b5a842f650460b49b7e26b8c48d6ed01bb4700e3ec3c02f4938

Download Submit
C:\Windows\SysWOW64\Ecdbop32.exe

Filesize
59KB

MD5
c8057716bdb44c620d495b26dc17d750

SHA1
68b66fee49364c68309deea108552a0b5a2bb558

SHA256
ded2a81eaa36c85d62f8db11ba12d8b07a53a33d2fa1b21fcd7ee188e6af89f3

SHA512
e7a2e222b1e1e7d4085d7902f770060b3d03c17058f94ea3de27570233feeffd1acd500374ad56f83f19c0620b38dbfd12c7cb3736d84668e42d11d74f8844cf

Download Submit
C:\Windows\SysWOW64\Ecgodpgb.exe

Filesize
59KB

MD5
7b129aa4ec5821708a82cb803dd3f2d1

SHA1
50bdab504935f1c1e5667c88ef30980adb2885a8

SHA256
c2bd365e9f2b41c42140b1a38ae1a5373ca40b996c0a2a33997b397925f88e4f

SHA512
02ea7329a87f8df81ca48870624945602bb1a7cce7adc25af7f4e2cea29e0130e05e781fd8689493e9308db2e295eb316fbb32cd302a14e03b36ae06c5675225

Download Submit
C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
59KB

MD5
3926afd2a3c5cab4ba70a44a02b4e835

SHA1
be144a02685d9b16924a487b04dc5534e6621e90

SHA256
376a93e0a20b835ed38dd44c397633a68f7cb98833246eaf6aec0a8e96cdd9e2

SHA512
541e1aee2343ab931d3b580def17c1e415af54d985d8baccf5203b890eae34dffef35fb060916d16d64af7f91bc6a78478380cd227cb476fe67742585b6b110f

Download Submit
C:\Windows\SysWOW64\Edoencdm.exe

Filesize
59KB

MD5
587018ee6e47c3c7a729c86d5c04341f

SHA1
132dbeb066817b627464bd57829e9ab57e19aa39

SHA256
629938c438776a5b905b79474c73e65d61af50daa677e55b81d9142354acd24a

SHA512
fd51a9ab66db77da365caa1f4690f625ca000ae846faa9bbae753468191c1404d2b81894d9da658160b647e9444e266543dd679b25179a24e0c7d7d5f6449dc1

Download Submit
C:\Windows\SysWOW64\Egnajocq.exe

Filesize
59KB

MD5
9e143ace818fcfa54788cf3c527bfc81

SHA1
ccc34796e02d28b0dcb474c16b1ae3e10e25fdd1

SHA256
f291fed06a7c2329e9999919617d6d4020b643bb7a7b02912d241b8511cabccf

SHA512
3597e3ff3e8f7f8d48b4c3f127a4b4b552fbf58ad2fd1fd1a1a8bc4909ca98e71acb379bb8d8a50d506c443fef0275295c7c210f894c4acb963cf32559c7e310

Download Submit
C:\Windows\SysWOW64\Ejagaj32.exe

Filesize
59KB

MD5
01dd919682cc2e27b8386fefb50584ec

SHA1
3df6c2109ed030c5c66bea324bc3e8f96610a517

SHA256
869a473e696431c1b430097dd5f9e9effafbde28b7377dae1cee5eb2b9261cc8

SHA512
a75e110bd3e4d591c1837054f531bdddb71ee0590a76638e7494be59b54fff69cf5c90373418b0711897441138072e1fa80a582a5d9c13e9a71dd90774c0c88e

Download Submit
C:\Windows\SysWOW64\Ekljpm32.exe

Filesize
59KB

MD5
5c7f0935c034ae5b28e80b12f12c63e4

SHA1
9b531a3e73e8a86570d2674a2640c912b2c4ec18

SHA256
1a4563261863ec5295d3caeb070f02e1939efd3b7cfb19f92a493398ffbe9e44

SHA512
1c4503aa50b7604297b31f783a2d3040e4ad0ccd853dcf907d4ad2656bc7983a4572150327674ca120a1784057cc72ac9953baf190930528945fa83d299839ee

Download Submit
C:\Windows\SysWOW64\Enemaimp.exe

Filesize
59KB

MD5
3c2533ac390f4aafb47a5691899a4a17

SHA1
b42f13dd95ba740098e82941592826f5faf26a87

SHA256
3f150366602b6d7e12766fdf5a62d12b0cf38e9889d10569c3b6e49c4cd05af0

SHA512
1f09263919d4e88f9701c8919aa71243551445ba360e0e888e0b118304afabbe726b471e0aafb989f1bee60bb002f4c9ea72f05d582fe1de988ac82bd2f6040a

Download Submit
C:\Windows\SysWOW64\Enjfli32.exe

Filesize
59KB

MD5
f1e733e7de00663930a75a860881aea3

SHA1
afc740cd7458f654dc6caf6c50f498258202b465

SHA256
e5e500516618e602e1b27b90dccd2e9f5632e94e986f525bdcbad800dd071e33

SHA512
9da0a2dd913815207c465c973c5983c94a79fffbfb5e546b7d1abb78f02d6de12cc4d54143e8233a56d4221e8d4fbceba739a8b4a563924b3c63840c4b8b6eb8

Download Submit
C:\Windows\SysWOW64\Eqkondfl.exe

Filesize
59KB

MD5
370ce2823c30816635edab58a285b953

SHA1
78837038b544915725a276bca0a88906969ec68d

SHA256
d826a2ee9a3972edabf9f6c6dbf534ac1cb9844d5381039e413f60e464cc883d

SHA512
88edb351a684df993f3d36e9e5ac5b071f7d1f6e7af7357dc3d25942fa2847ac7726e48c0962adfb124b743d2739f565ee9f2c6211b49fdf69b17156bae77fb3

Download Submit
C:\Windows\SysWOW64\Eqmlccdi.exe

Filesize
59KB

MD5
e9b577cb57b68ba225e57223ac36069a

SHA1
90b7d2c0c815f31d28c34c75edc60443c9a0a84b

SHA256
04b2748a1f23d47edd298309b38c900f0709c618ff111067c70545d6037ced6f

SHA512
5270da427f863491a01339d817d47ebc4f811c43f4c738b8b73e99d5a13fc927db118571280b73a93bd19ea17279483b94315be5170eacc999cff6b1111f5a7c

Download Submit
C:\Windows\SysWOW64\Famhmfkl.exe

Filesize
59KB

MD5
c0ceb3fea6e5d04ba02dcc66e623b59b

SHA1
d1744878bd9b95f04fe17266d0300637aa08ac56

SHA256
33e7917a6f2e480ee11efa8aca3e5c2bfc4c1b2540cea6d4b4b132ef6080ef7e

SHA512
d4ead34ac3235f64dcdcf1859045fadd4e74fa9b88e33d48eaf47e14e026732f54cfb9f1cf21155b15bba3cee03e1df19dcd0517977e4a52d31c415ebeeaa0f5

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
59KB

MD5
064a88156741e231f1c035ad91194069

SHA1
3d279240a84ce94042ac8e8768f5a539e141aabe

SHA256
2be8fa4830097bbadf25f1121b8114cd5d5b5d63dacf425c09734a968d196b45

SHA512
3617c1fb83ad2e41e75008ec9e532a6d81a3b486ded897194a625145a56dc57b8d181b97cc4fa6c0e784bfcb01df93e12cc8d9c9205dbff30e90a728c14bc745

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe

Filesize
59KB

MD5
725a887d23ebdcce2871c25dace66a35

SHA1
4f363731aa480fd51d5ce04c9229b1ab9b4cb755

SHA256
7f10939d4e26e62936585bd5ec06e33a89e3adb7cc25d61ffd4738dffa79d545

SHA512
fcd8677eb51b12983b18aea0dd2ce2f9e9370b1f43613ea1723b08a8ffde8afd69c277041c619836f03d393bf3937f7a834e83504a26c7ad3c857150f982db59

Download Submit
C:\Windows\SysWOW64\Fdpnda32.exe

Filesize
59KB

MD5
c427aeb6f56b448256f1eb3c8e925ceb

SHA1
c753b9d34876c13636046b14d62b764c6dce9131

SHA256
50ab3a18f159d761a87ff949d059d6904f501f3f8e31d9af8ab0f1aedefafa7d

SHA512
6eb5a3683a48bcacc0c1a5dc197ce677d910d9bbac0c6db54c7ac5bfd432cb1a2044144d1c0691dee95e10860fca5bb2b7ef3d679ad9b09d101b6105f7db9a00

Download Submit
C:\Windows\SysWOW64\Fglnkm32.exe

Filesize
59KB

MD5
25fbb939dedb1a286f1a23da1ab3cc79

SHA1
1a1e023fc18b1c7ed816d022556bc2ec918de8e3

SHA256
1ffe140e182d46f7e8b65475013c84b598236cbc0ec130e9afcddbc8e2c54413

SHA512
dd47a67339d61524011d82ad4674e6ab071d56a99ba3bad69adf1070806bb5ff7c3745f3460794e0fb86adaf6ae3b34768be93bd05f018fe8f4c482960ede8eb

Download Submit
C:\Windows\SysWOW64\Fkemfl32.exe

Filesize
59KB

MD5
a9f5ead4a958e60cde2448c2220528ac

SHA1
e59524104f668c79f7e6b413944e44cb45f21b31

SHA256
28509d8e415ef262ba3f1647595fb6c4df4cca0c19298ad25c51e7d09259c34a

SHA512
ba61436cc08e23a83b7efdaa3764941289c50818d9afaf82c4b2bf2dd34fba5ee1d37f8e0013a7cffc26e09448e518eb444d20855d80bc46c08a4eda7b98e13c

Download Submit
C:\Windows\SysWOW64\Fkgillpj.exe

Filesize
59KB

MD5
3accfcb1285a40956d5d6d1967b9e769

SHA1
4f9443798986b535fe2bf20bfd86b09fcfe3692a

SHA256
2f4642a300790089cd693f885a22d218784f2f50a937b597536657ee47c356f5

SHA512
6e518b1bfa93d14f8d3471d150b5e95568619f258067d37eda6eaa6c536bc4079287b165f6294c21774d2a8dda87f951cd8e9ed83ded05a6cf7055bd126517e5

Download Submit
C:\Windows\SysWOW64\Fncibg32.exe

Filesize
59KB

MD5
334b693702fbaa7cc1ef884301e1b252

SHA1
ff15b6ac42a6fb9b3f661f88237188b37f6d0ad3

SHA256
c3615c316f01382e73e4b417bc499a594d5a01bda718aff7718e9e742c2cada3

SHA512
4ddd158922b2bfee653f5d542128bd45e99f3677526ffcc2a7f269877de66fd1fed726afd9a0c359e919754183a4f808a95aa9ef49c6b19c0ceb0229a7ce6025

Download Submit
C:\Windows\SysWOW64\Fqbeoc32.exe

Filesize
59KB

MD5
e1582a5f8908554aad2ae6d4516b77ff

SHA1
6c4c2105c1c8d352e735b158cd1e2fb34eaab71a

SHA256
39533593a96034e9cdd61ce19aed72741e2e05dd832589013076d060aaa74163

SHA512
b6a76e4c2ac4fd6d731d53ed80d3093a8b4c9688a13dc1a49a8010d92be73999b15316ed274d68c10b757ca028ace876ab46851c0fa48b9e4a141eb8c5816620

Download Submit
memory/668-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/668-292-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1048-280-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1048-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1124-167-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1124-274-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1244-220-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1244-269-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1436-290-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1436-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1732-284-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1732-88-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1780-289-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1780-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2052-270-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2052-207-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2152-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2152-277-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2208-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2208-263-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2680-294-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2680-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2796-288-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2796-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2800-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2800-282-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3036-278-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3036-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3084-273-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3084-175-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3232-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3232-276-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3308-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3308-291-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3392-244-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3392-266-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3464-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3464-279-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3624-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3624-295-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3924-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3924-268-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3940-286-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3940-71-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3952-267-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3952-236-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4056-264-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4056-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4252-96-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4252-283-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4356-293-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4356-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4444-265-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4444-247-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4564-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4564-271-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4788-272-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4788-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4800-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4800-287-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4900-285-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4900-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5020-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5020-281-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5032-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5032-275-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5084-296-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5084-199-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads