acc42a2eb741696f780c6b6972f96f3c7d14d0e205d0f5e500509225985cbc18

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 09:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ff9bd0357ec542f842118bd6c45f8600N.exe
Size

80KB
MD5

ff9bd0357ec542f842118bd6c45f8600
SHA1

4654b35163923cf41adb8b6fe596969ab5b1d4f1
SHA256

acc42a2eb741696f780c6b6972f96f3c7d14d0e205d0f5e500509225985cbc18
SHA512

05562a4768690ae5ccc5e95944c4691bd0e283251614ff8466954f37845fa4e7178a82d6f9effe142c8ca2d15a710fa1921b960fdb03f741c06b25d840d2a586
SSDEEP

768:oxDC9O91+UtK02op5qnDDmRE0qruk5GNfMeDtG4D8iGwB8Y2p/1H547XdnhgYZZH:G79XXIPQ9Bse/Ai2Lq5CYrum8SPG2

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnohnffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gggmgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gggmgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ff9bd0357ec542f842118bd6c45f8600N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ff9bd0357ec542f842118bd6c45f8600N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnohnffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdiakp32.exe

Executes dropped EXE 20 IoCs

pid	Process
4800	Fgiaemic.exe
4688	Fkemfl32.exe
1312	Fncibg32.exe
1032	Fcpakn32.exe
2920	Fkgillpj.exe
3584	Fbaahf32.exe
1796	Fcbnpnme.exe
636	Fnhbmgmk.exe
4968	Fdbkja32.exe
1660	Fcekfnkb.exe
3992	Fnjocf32.exe
1688	Fbfkceca.exe
1964	Gcghkm32.exe
1832	Gjaphgpl.exe
3288	Gqkhda32.exe
4572	Gcjdam32.exe
536	Gnohnffc.exe
2680	Gdiakp32.exe
4244	Gggmgk32.exe
3004	Gbmadd32.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fbaahf32.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Fpiedd32.dll	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Lifcnk32.dll	Gjaphgpl.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gggmgk32.exe
File created	C:\Windows\SysWOW64\Okkbgpmc.dll	ff9bd0357ec542f842118bd6c45f8600N.exe
File opened for modification	C:\Windows\SysWOW64\Fdbkja32.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Fgiaemic.exe	ff9bd0357ec542f842118bd6c45f8600N.exe
File created	C:\Windows\SysWOW64\Lhlgjo32.dll	Fcekfnkb.exe
File opened for modification	C:\Windows\SysWOW64\Fbfkceca.exe	Fnjocf32.exe
File opened for modification	C:\Windows\SysWOW64\Gjaphgpl.exe	Gcghkm32.exe
File opened for modification	C:\Windows\SysWOW64\Fbaahf32.exe	Fkgillpj.exe
File opened for modification	C:\Windows\SysWOW64\Gdiakp32.exe	Gnohnffc.exe
File created	C:\Windows\SysWOW64\Fncibg32.exe	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Fcekfnkb.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Dmfbkh32.dll	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Bhnbgoib.dll	Gdiakp32.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gggmgk32.exe
File created	C:\Windows\SysWOW64\Fjinnekj.dll	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Gbjlkd32.dll	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Gjaphgpl.exe	Gcghkm32.exe
File opened for modification	C:\Windows\SysWOW64\Gggmgk32.exe	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Gggmgk32.exe
File opened for modification	C:\Windows\SysWOW64\Fcekfnkb.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Fachkklb.dll	Fdbkja32.exe
File opened for modification	C:\Windows\SysWOW64\Gnohnffc.exe	Gcjdam32.exe
File created	C:\Windows\SysWOW64\Fkemfl32.exe	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Fkemfl32.exe	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Fkgillpj.exe	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Fcbnpnme.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Fdbkja32.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Gdiakp32.exe	Gnohnffc.exe
File created	C:\Windows\SysWOW64\Egnelfnm.dll	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Fnjocf32.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Gcghkm32.exe	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Jfqqddpi.dll	Fncibg32.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhda32.exe	Gjaphgpl.exe
File created	C:\Windows\SysWOW64\Gnohnffc.exe	Gcjdam32.exe
File created	C:\Windows\SysWOW64\Ohgohiia.dll	Gcjdam32.exe
File opened for modification	C:\Windows\SysWOW64\Fkgillpj.exe	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Qjfpkhpm.dll	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Backedki.dll	Gnohnffc.exe
File created	C:\Windows\SysWOW64\Nailkcbb.dll	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Fncibg32.exe	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Begndj32.dll	Fkemfl32.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	ff9bd0357ec542f842118bd6c45f8600N.exe
File opened for modification	C:\Windows\SysWOW64\Gcjdam32.exe	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Gcjdam32.exe	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Fcpakn32.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Fcbnpnme.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Hmcipf32.dll	Fnhbmgmk.exe
File opened for modification	C:\Windows\SysWOW64\Fnjocf32.exe	Fcekfnkb.exe
File opened for modification	C:\Windows\SysWOW64\Gcghkm32.exe	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Fbfkceca.exe	Fnjocf32.exe
File opened for modification	C:\Windows\SysWOW64\Fcpakn32.exe	Fncibg32.exe
File opened for modification	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Iolgql32.dll	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Pqgpcnpb.dll	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Gggmgk32.exe	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Gqkhda32.exe	Gjaphgpl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4200	3004	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdiakp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbmadd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcekfnkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkemfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkgillpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcghkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqkhda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcjdam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gggmgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff9bd0357ec542f842118bd6c45f8600N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjaphgpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnohnffc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohgohiia.dll"	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ff9bd0357ec542f842118bd6c45f8600N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqgpcnpb.dll"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ff9bd0357ec542f842118bd6c45f8600N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll"	ff9bd0357ec542f842118bd6c45f8600N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcjdam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolgql32.dll"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjaphgpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnohnffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ff9bd0357ec542f842118bd6c45f8600N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnohnffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gggmgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnelfnm.dll"	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmfbkh32.dll"	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gggmgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiedd32.dll"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backedki.dll"	Gnohnffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqqddpi.dll"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gggmgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjinnekj.dll"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fachkklb.dll"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll"	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ff9bd0357ec542f842118bd6c45f8600N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll"	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhnbgoib.dll"	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ff9bd0357ec542f842118bd6c45f8600N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfpkhpm.dll"	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifcnk32.dll"	Gjaphgpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcjdam32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 4800	3104	ff9bd0357ec542f842118bd6c45f8600N.exe	91
PID 3104 wrote to memory of 4800	3104	ff9bd0357ec542f842118bd6c45f8600N.exe	91
PID 3104 wrote to memory of 4800	3104	ff9bd0357ec542f842118bd6c45f8600N.exe	91
PID 4800 wrote to memory of 4688	4800	Fgiaemic.exe	92
PID 4800 wrote to memory of 4688	4800	Fgiaemic.exe	92
PID 4800 wrote to memory of 4688	4800	Fgiaemic.exe	92
PID 4688 wrote to memory of 1312	4688	Fkemfl32.exe	93
PID 4688 wrote to memory of 1312	4688	Fkemfl32.exe	93
PID 4688 wrote to memory of 1312	4688	Fkemfl32.exe	93
PID 1312 wrote to memory of 1032	1312	Fncibg32.exe	94
PID 1312 wrote to memory of 1032	1312	Fncibg32.exe	94
PID 1312 wrote to memory of 1032	1312	Fncibg32.exe	94
PID 1032 wrote to memory of 2920	1032	Fcpakn32.exe	95
PID 1032 wrote to memory of 2920	1032	Fcpakn32.exe	95
PID 1032 wrote to memory of 2920	1032	Fcpakn32.exe	95
PID 2920 wrote to memory of 3584	2920	Fkgillpj.exe	96
PID 2920 wrote to memory of 3584	2920	Fkgillpj.exe	96
PID 2920 wrote to memory of 3584	2920	Fkgillpj.exe	96
PID 3584 wrote to memory of 1796	3584	Fbaahf32.exe	97
PID 3584 wrote to memory of 1796	3584	Fbaahf32.exe	97
PID 3584 wrote to memory of 1796	3584	Fbaahf32.exe	97
PID 1796 wrote to memory of 636	1796	Fcbnpnme.exe	98
PID 1796 wrote to memory of 636	1796	Fcbnpnme.exe	98
PID 1796 wrote to memory of 636	1796	Fcbnpnme.exe	98
PID 636 wrote to memory of 4968	636	Fnhbmgmk.exe	99
PID 636 wrote to memory of 4968	636	Fnhbmgmk.exe	99
PID 636 wrote to memory of 4968	636	Fnhbmgmk.exe	99
PID 4968 wrote to memory of 1660	4968	Fdbkja32.exe	100
PID 4968 wrote to memory of 1660	4968	Fdbkja32.exe	100
PID 4968 wrote to memory of 1660	4968	Fdbkja32.exe	100
PID 1660 wrote to memory of 3992	1660	Fcekfnkb.exe	101
PID 1660 wrote to memory of 3992	1660	Fcekfnkb.exe	101
PID 1660 wrote to memory of 3992	1660	Fcekfnkb.exe	101
PID 3992 wrote to memory of 1688	3992	Fnjocf32.exe	102
PID 3992 wrote to memory of 1688	3992	Fnjocf32.exe	102
PID 3992 wrote to memory of 1688	3992	Fnjocf32.exe	102
PID 1688 wrote to memory of 1964	1688	Fbfkceca.exe	104
PID 1688 wrote to memory of 1964	1688	Fbfkceca.exe	104
PID 1688 wrote to memory of 1964	1688	Fbfkceca.exe	104
PID 1964 wrote to memory of 1832	1964	Gcghkm32.exe	105
PID 1964 wrote to memory of 1832	1964	Gcghkm32.exe	105
PID 1964 wrote to memory of 1832	1964	Gcghkm32.exe	105
PID 1832 wrote to memory of 3288	1832	Gjaphgpl.exe	106
PID 1832 wrote to memory of 3288	1832	Gjaphgpl.exe	106
PID 1832 wrote to memory of 3288	1832	Gjaphgpl.exe	106
PID 3288 wrote to memory of 4572	3288	Gqkhda32.exe	107
PID 3288 wrote to memory of 4572	3288	Gqkhda32.exe	107
PID 3288 wrote to memory of 4572	3288	Gqkhda32.exe	107
PID 4572 wrote to memory of 536	4572	Gcjdam32.exe	108
PID 4572 wrote to memory of 536	4572	Gcjdam32.exe	108
PID 4572 wrote to memory of 536	4572	Gcjdam32.exe	108
PID 536 wrote to memory of 2680	536	Gnohnffc.exe	109
PID 536 wrote to memory of 2680	536	Gnohnffc.exe	109
PID 536 wrote to memory of 2680	536	Gnohnffc.exe	109
PID 2680 wrote to memory of 4244	2680	Gdiakp32.exe	111
PID 2680 wrote to memory of 4244	2680	Gdiakp32.exe	111
PID 2680 wrote to memory of 4244	2680	Gdiakp32.exe	111
PID 4244 wrote to memory of 3004	4244	Gggmgk32.exe	112
PID 4244 wrote to memory of 3004	4244	Gggmgk32.exe	112
PID 4244 wrote to memory of 3004	4244	Gggmgk32.exe	112

C:\Users\Admin\AppData\Local\Temp\ff9bd0357ec542f842118bd6c45f8600N.exe
"C:\Users\Admin\AppData\Local\Temp\ff9bd0357ec542f842118bd6c45f8600N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\SysWOW64\Fgiaemic.exe
  C:\Windows\system32\Fgiaemic.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\Fkemfl32.exe
    C:\Windows\system32\Fkemfl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\SysWOW64\Fncibg32.exe
      C:\Windows\system32\Fncibg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
      - C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Gggmgk32.exe
        
        C:\Windows\system32\Gggmgk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 400
        22⤵
        Program crash
        
        PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3004 -ip 3004
1⤵
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4412,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
1⤵
PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbaahf32.exe

Filesize
80KB

MD5
f5163f4d84b91e907a0253b4d4311f91

SHA1
279c1e43a285c21a0b15b69246b41c9f44c8c2ea

SHA256
43c8c53f4d01b3d80967e4a1d14796103f1745a81d450a5785a96dadb2e8fc47

SHA512
d045b353d7db1d2a53f97f7d1a0465695e478724e17f96f9387fcda047b9ac77bc802017a48d9b47888bdefcb3da55d6fab42de095b4d82389bcc76e6a41ddd7

Download Submit
C:\Windows\SysWOW64\Fbfkceca.exe

Filesize
80KB

MD5
9dbd82cce3f5d21c48ef22c1fd94bed7

SHA1
386e90e42da2d33253d2f0313d6b781c3ab32501

SHA256
021eecdc3f041394ef8e4e6356b50dcd7c7ecfed64ee1519c775a86b6a82fd8c

SHA512
26b62ae4c1db77650f4f830fed4b34bd8407f141f09b10077e8054fb10c3737ed3f9e7167b5b3388207bb6906f913e05f12f99ad27c4f92b335fc42fa7982714

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
80KB

MD5
a2ca86ce23bda3b28645da8f9373ca8d

SHA1
24703cb8887bc70ee8b4cb954d9b442d3c508f70

SHA256
d6d3d7f8bb61b6b8bb9ec347bb951a276f1f77be314698b51288220942fd705e

SHA512
a57834650010284b15299976fd4c38bbd845c8a76fd72de90c9d5adac8412154f2ab6759036a97726450ce9acf95265c257b816ddb74164767d133da69a41ed9

Download Submit
C:\Windows\SysWOW64\Fcekfnkb.exe

Filesize
80KB

MD5
3f213604236ece2510133fb993b8c8d8

SHA1
bf3344893fb6a4bf8f6e0d279bd0145a3c0d6153

SHA256
309b8edeb67b8ed061f61b8ac4a7d29bc32efff16dc59b51f28683036f1a61dd

SHA512
20714b28f982f6c7356f10bd5fb5a1e4388dca9e7662140d5efae5500fbb3204afae72584b42d8cf8ae41304f20599db9558e9dca419db97df58cb2946bca975

Download Submit
C:\Windows\SysWOW64\Fcpakn32.exe

Filesize
80KB

MD5
be554371779747d5f00085fcea61bf41

SHA1
f724d35838bc50704801fce9e8771649c58d351d

SHA256
bb2238264f99344f8f9fcaabf47072fe935f688d9e81b5bee018fb916bb5de8e

SHA512
c55b86f228e92e3863309d65aa1e59457244837b21e885b3ecdd4448bae9fa8bb2484b84f1bedbad2eee30dae84b027e664d76439dc90468bed930826ecfd138

Download Submit
C:\Windows\SysWOW64\Fdbkja32.exe

Filesize
80KB

MD5
e56af6ce4924a0e1f41f704590027b1f

SHA1
a2dc41506208007a512d52e59fdb73a59a655e85

SHA256
f4c23c6a88b3f0ceebb9743c9f58da7d37bd3497d653c4f7873396377efe77dd

SHA512
16765f4a8a688901f300723d63a163dfb1a56471684542a9046beb1c073d13fec9a5b0a676c0c4cf5e0c956fa0fbf27c6da9ae63567aba33ed5df55f224dcbb5

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
80KB

MD5
6e6ac110633a22a7cc1fafcc62052845

SHA1
adf3eb6d69ca5e52b76cab03201fa929883f8836

SHA256
87df2a8c9ed2432be3e528e24012fac942fa91b957e989ba447ef6d4b33a1639

SHA512
985f8afe40ec75039ba70edffb3df4c6090b23ae93722874f71c65816c7d11b2fb813f3e2ec7d21e5190ee8d362b39e9d670f618b0d2961e5c695608913ccbb7

Download Submit
C:\Windows\SysWOW64\Fkemfl32.exe

Filesize
80KB

MD5
01acef874b5cbc099a0febc122e0e7ee

SHA1
b7a4d95218963fe03a67a7d3cb9f8613bf24e87a

SHA256
200f4d6f60e9ca944826b7a3e1fe2e3499f03c1ec304b4a71c9c0d43b82c1bc9

SHA512
bd663d0d68207838be715b17581676c84c298169982aad8be5edd44dd805790bb19b8f0a71c059163284c81c7fb58c59abcbe421c70b62a6edf518989e0e65a6

Download Submit
C:\Windows\SysWOW64\Fkgillpj.exe

Filesize
80KB

MD5
fb6d9a50bb727870adb375a686c4b863

SHA1
6edf78bff5bea02239bed28cfbf2336321afc0cd

SHA256
d32f217fd26da482216954373c31758144b491f999cba469c4d8e1a1ea994422

SHA512
0f53a7e64b7dd29b9d1c9d5b12ab8b07906d02322390d7ff0b92f5eaf97626f1051098307c6dd4c539fe6341cdd5232f91f914f7785a447bd10a0f2de6618823

Download Submit
C:\Windows\SysWOW64\Fncibg32.exe

Filesize
80KB

MD5
9708503d1d7eb90d81894b675e63062e

SHA1
139868ddb5832d9625f6f0c6fa5ea25602f4e9b7

SHA256
01966ee78ee5c49a6ef87b801acebe4f23ebd90ec1810d466bb960813c557188

SHA512
9ed617f3b1de073cf8ddb765829b799c0aa4dbdfcf9538afadd0c7af10e4591010d6f7a3ce7da8c67b607305d29dea961a4ce1958d728539c8366f252ff84bff

Download Submit
C:\Windows\SysWOW64\Fnhbmgmk.exe

Filesize
80KB

MD5
a911e2137872e5563ecaa68f924d137a

SHA1
9aea65ace1b4109a1fda80bdc86e955920493df0

SHA256
9f6320110be01e85ec532397c0a85f64c93a55128a0d95263a0184eacb19ad99

SHA512
e52f02f112ee670859512b3a7fbcbb066f43ab7999fa51839a357293c8fc401d2a54db3785c20ee8d64e44393dea01241ab9b41bc3b46617483f6826ef95eefc

Download Submit
C:\Windows\SysWOW64\Fnjocf32.exe

Filesize
80KB

MD5
631ccc84411b265134a08ed198895780

SHA1
65a357b7d54db0f2a94d011c8d460831ee9938f9

SHA256
a108f823974d16a581515dd49fc475a1c7ce63f6e5712311141bbf156feb11b5

SHA512
4f937351b07f9c103dfe045384791020e5b8958aab9d18cddfe182cfe90b97279c853ca5c7a20a937138cbcd40f8ed545c89b73c86cfe1956774f9d8b2697c0d

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
80KB

MD5
edae597bc6f8809e08b95fba85d18266

SHA1
446529f8c8494350e2129af0be96d6cc98418fe1

SHA256
3d57c3a2931074f87773c0d78055c6b983f681708b5ba2e957ef425b09ca731e

SHA512
dbb8b38674ae4fe454237f4ff1c91ee1977997235faac4a3e68d3a3a16d47ba24aabab855137d666a3900d824f9f10611ff90470b487b8516d61d6eb712db9b9

Download Submit
C:\Windows\SysWOW64\Gcghkm32.exe

Filesize
80KB

MD5
98262f94b69cf1dabd1182d45cd77f4c

SHA1
7804e359fed5db2d426d3f31c6170840f882af69

SHA256
350a4622bf42bf4d7883295ef3ee3635eb1b9073c2ca1918daebee9ddb76acea

SHA512
8f9261fe6e4009336e3069346ce47fdb998cc98e9f223dbdede354ec7156b3d88f96ec6fd002a653ef8e9dc8b1efb749ee8a16901e0cec672c6b69bd82e1e1ad

Download Submit
C:\Windows\SysWOW64\Gcjdam32.exe

Filesize
80KB

MD5
2b714940525b3d5d2cb89cc3a6974113

SHA1
a30a1b6a5317566a5385332c31f53571ee963bc2

SHA256
ed3f8cba8b1f8bcd88eef9a352c289798d80b3d70563f463bf22e837c9768bcc

SHA512
081bce4cfeea8b6975cee725bd23b177c59ea9f157a64b70e470b2516f3b9f2cc48fe64195a454ae8a2bae9de48a350751fd3368064606be96ddcb2493207fec

Download Submit
C:\Windows\SysWOW64\Gdiakp32.exe

Filesize
80KB

MD5
9d249c9741e6c6b739cbf15a6e03f068

SHA1
ba3b77dc1e3acccd2544d06c4c9c8307c8b74390

SHA256
a1d5c8703c366f697b671d1842f4a6c5d33c0ad253b00a4b18423c85ca7b5539

SHA512
eb1e79684080d87b7ea892bf90662a311df9ce993583c8c4f465c1e29e72009afe2085f25ba0ea3006b4e2048dfafe1d87d331eecc7744d34a321b9e268c4436

Download Submit
C:\Windows\SysWOW64\Gggmgk32.exe

Filesize
80KB

MD5
c57c412c8e6d8d0a3286c25ca3713a23

SHA1
7e9918b498b1a7e65cb0f841e990646bf8bbe007

SHA256
2ee68c24a265542c9561e65111e56132ef1ce3938f3b6a71c5ea2d3047225b2a

SHA512
6d0c995365622bb63620a6a168811f8d60d5a61607f047cb6fde096f85c5dbbb838ffad1460222b771b4d9ad3b06c3a643b388ab19ba55349a4abc22ba94496b

Download Submit
C:\Windows\SysWOW64\Gjaphgpl.exe

Filesize
80KB

MD5
a068fac294b1b1820e3f83f75f8d6730

SHA1
b2feebfcdc36bc1ed08746290a90bdcf1457b120

SHA256
cced642109274b7aa4e17ba16897ce56f881e5d0e2421e10260e28e103e013c9

SHA512
e13d134fec761ad79bcfe3b00d9f02b340e7ab4d98d89c20f3b135f7e094cb19fe207ded04588684e4601a5c29e21e1f098302f9d546ea9089fe61a3a0bdf4b0

Download Submit
C:\Windows\SysWOW64\Gnohnffc.exe

Filesize
80KB

MD5
f35997d6e6ae5c7dbc91bcd07c6e7251

SHA1
32822fa2b637ba574a993d4be861c24b3be45076

SHA256
ab80bcb141ecb5c9555c2ca72a10805b92ced99777bd8ffbaed308c6843600ce

SHA512
61d8464a5accaa6872b301695060c2712fc2303167d7511b6a56cb44dba0275f3a44b9a51d25e1c0d281591cec4a39dd7bb247aef87cfc0543af479e2bbfcc49

Download Submit
C:\Windows\SysWOW64\Gqkhda32.exe

Filesize
80KB

MD5
643dd192da997197ed33776b569131db

SHA1
a830dadbf01f52b8843def7a4efdf1829469c26d

SHA256
43cb0c86ee0c296fdf9c167135ce5fc34437f9e8267632715f5612c8e260d600

SHA512
07ef71b469e4a60367167b7d34317257a6acc4e23d5090d592fd6e6685add9f864f34b1d9c7ad9a3a444f5074ef37ba995c214e6ee77c4bca97c7c8e676295ed

Download Submit
memory/536-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3104-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads