e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92

Analysis

max time kernel
135s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe
Size

76KB
MD5

86b79a675687d3fe28f49c7615b5ae1e
SHA1

ca9b1d73b55d9fd2bbe8f70daa875593dbcd4f82
SHA256

e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92
SHA512

3d1f8e004c27a261c7694f84ec2c02bb15a7493dd2e9b01a33033f8b5264eef618e3566af643044c53ffbf773cae1457ea4b2a091a12aa040ecc8a88d8a85d30
SSDEEP

1536:Ke/mkXeVi9CY0L0PPJDHioQV+/eCeyvCQ:xXOLY0GDHrk+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbhhieao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqikob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbhhieao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdgdeppb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqikob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjcmngnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjcmngnj.exe

Executes dropped EXE 9 IoCs

pid	Process
2348	Fklcgk32.exe
1128	Fqikob32.exe
4884	Gjaphgpl.exe
5020	Gbhhieao.exe
1604	Gdgdeppb.exe
760	Gjcmngnj.exe
624	Gdiakp32.exe
2944	Gkcigjel.exe
3080	Gbmadd32.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fklcgk32.exe	e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe
File created	C:\Windows\SysWOW64\Qjfpkhpm.dll	Fqikob32.exe
File opened for modification	C:\Windows\SysWOW64\Gbhhieao.exe	Gjaphgpl.exe
File opened for modification	C:\Windows\SysWOW64\Gjcmngnj.exe	Gdgdeppb.exe
File opened for modification	C:\Windows\SysWOW64\Gdiakp32.exe	Gjcmngnj.exe
File created	C:\Windows\SysWOW64\Gdgdeppb.exe	Gbhhieao.exe
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Gkcigjel.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gkcigjel.exe
File created	C:\Windows\SysWOW64\Jlkklm32.dll	Gjaphgpl.exe
File opened for modification	C:\Windows\SysWOW64\Gdgdeppb.exe	Gbhhieao.exe
File created	C:\Windows\SysWOW64\Bbjlpn32.dll	Gbhhieao.exe
File opened for modification	C:\Windows\SysWOW64\Gkcigjel.exe	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Fqikob32.exe	Fklcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Fqikob32.exe	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Gjaphgpl.exe	Fqikob32.exe
File opened for modification	C:\Windows\SysWOW64\Gjaphgpl.exe	Fqikob32.exe
File created	C:\Windows\SysWOW64\Gkcigjel.exe	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Backedki.dll	Gjcmngnj.exe
File created	C:\Windows\SysWOW64\Gbhhieao.exe	Gjaphgpl.exe
File created	C:\Windows\SysWOW64\Celhnb32.dll	e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe
File created	C:\Windows\SysWOW64\Paifdeda.dll	Gdgdeppb.exe
File created	C:\Windows\SysWOW64\Oahhgi32.dll	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Fklcgk32.exe	e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe
File created	C:\Windows\SysWOW64\Kminigbj.dll	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Gjcmngnj.exe	Gdgdeppb.exe
File created	C:\Windows\SysWOW64\Gdiakp32.exe	Gjcmngnj.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gkcigjel.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2264	3080	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fklcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbhhieao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjcmngnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdiakp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbmadd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqikob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjaphgpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdgdeppb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkcigjel.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahhgi32.dll"	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backedki.dll"	Gjcmngnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkklm32.dll"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjlpn32.dll"	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjaphgpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paifdeda.dll"	Gdgdeppb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kminigbj.dll"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfpkhpm.dll"	Fqikob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbhhieao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjcmngnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjcmngnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celhnb32.dll"	e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdgdeppb.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2348	2012	e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe	91
PID 2012 wrote to memory of 2348	2012	e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe	91
PID 2012 wrote to memory of 2348	2012	e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe	91
PID 2348 wrote to memory of 1128	2348	Fklcgk32.exe	92
PID 2348 wrote to memory of 1128	2348	Fklcgk32.exe	92
PID 2348 wrote to memory of 1128	2348	Fklcgk32.exe	92
PID 1128 wrote to memory of 4884	1128	Fqikob32.exe	93
PID 1128 wrote to memory of 4884	1128	Fqikob32.exe	93
PID 1128 wrote to memory of 4884	1128	Fqikob32.exe	93
PID 4884 wrote to memory of 5020	4884	Gjaphgpl.exe	94
PID 4884 wrote to memory of 5020	4884	Gjaphgpl.exe	94
PID 4884 wrote to memory of 5020	4884	Gjaphgpl.exe	94
PID 5020 wrote to memory of 1604	5020	Gbhhieao.exe	95
PID 5020 wrote to memory of 1604	5020	Gbhhieao.exe	95
PID 5020 wrote to memory of 1604	5020	Gbhhieao.exe	95
PID 1604 wrote to memory of 760	1604	Gdgdeppb.exe	96
PID 1604 wrote to memory of 760	1604	Gdgdeppb.exe	96
PID 1604 wrote to memory of 760	1604	Gdgdeppb.exe	96
PID 760 wrote to memory of 624	760	Gjcmngnj.exe	97
PID 760 wrote to memory of 624	760	Gjcmngnj.exe	97
PID 760 wrote to memory of 624	760	Gjcmngnj.exe	97
PID 624 wrote to memory of 2944	624	Gdiakp32.exe	98
PID 624 wrote to memory of 2944	624	Gdiakp32.exe	98
PID 624 wrote to memory of 2944	624	Gdiakp32.exe	98
PID 2944 wrote to memory of 3080	2944	Gkcigjel.exe	99
PID 2944 wrote to memory of 3080	2944	Gkcigjel.exe	99
PID 2944 wrote to memory of 3080	2944	Gkcigjel.exe	99

C:\Users\Admin\AppData\Local\Temp\e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe
"C:\Users\Admin\AppData\Local\Temp\e69cef98fcfac7aa9592d38cc90762a7f959a3f1fcac4340093ff38d00f94a92.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\Fklcgk32.exe
  C:\Windows\system32\Fklcgk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\Fqikob32.exe
    C:\Windows\system32\Fqikob32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\SysWOW64\Gjaphgpl.exe
      C:\Windows\system32\Gjaphgpl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 400
        11⤵
        Program crash
        
        PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3080 -ip 3080
1⤵
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3000,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=3852 /prefetch:8
1⤵
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fklcgk32.exe

Filesize
76KB

MD5
83a9f4b50434d24ca29d787d6c173c42

SHA1
0bf3049e7b47b276bb91a37b2807a35a234c1990

SHA256
087341ef83feeca5852c2f8b25f6c0af3849184bebd8b3ef04ec05223d046600

SHA512
64cf9acffc0d30ada6e3e37f5a52cf4d25ce1d9b5a11e5a3b94cdc89eb828176eee49c7427bb2468a6d09fd1d8b0e61da295ca7415cf1857ecc65a2811f20227

Download Submit
C:\Windows\SysWOW64\Fqikob32.exe

Filesize
76KB

MD5
6ad63080019cb4b20869fa0c83ef77ff

SHA1
3f620c16b4163da766328e371caa871abb4431f7

SHA256
3e2145d6019f512cd991bb2c895d22408946d54e19e5e1bee7776d9d2f72ae66

SHA512
9cfc6ee3f6bf696c149432b7db3d11a953bf0102688b79b5a6ca4b1b986023d52a014eee89ebf126ee51e8885f63ae1d250c4a12ce2f43a7e366aff7d34e6e55

Download Submit
C:\Windows\SysWOW64\Gbhhieao.exe

Filesize
76KB

MD5
870ab67705111fa5f85a062fb8a37601

SHA1
cb33bb3b0fc4fad7c76237272d89930d8e97ed5a

SHA256
93aad24c31781531f853d525d676de66cdc5cdfc19604b890b83284cdb7448ea

SHA512
d7ce73756743ee08acf3e84a62f33d9a2731b8509d756daa9b6e0b9f57c83cdc788f8dd8a5ad8229a2e176255419b8f618488da6d11b17a54c29d3ae104b7cfb

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
76KB

MD5
e937f0ff68e3dadf8cbb5c5f5d3bac39

SHA1
707ab25a1c4f1e7614ea03deba041e612cd75654

SHA256
c44b3370dfd3a15b90047b4d18a4193c01cb112d039d8159cf8378294bc73a41

SHA512
29c083ccdd1503c34bf2b1a978eb4df548ac83ac63f238ca6442771bd2a2d3a1b7a1da899655a6a331433ce36954e049ad2ebf2c4c42ab18fe164ad24cfc0abe

Download Submit
C:\Windows\SysWOW64\Gdgdeppb.exe

Filesize
76KB

MD5
b6a10604c453f4352635f94b1f3fe928

SHA1
06fb067009817b6119ccb7b57ddea257d8f4af07

SHA256
a00d5add625fe34787c1f6b1e61bc3f789315cccb8cc341f4ba6a931c5f1335a

SHA512
2cf393ff352d341a15293fed06d06a9074241b947a073adda6e44f62bb96528c6dcb2b42a2f2e9cfd4250a501c228f163869481a02615855e4f24263a9c58cbc

Download Submit
C:\Windows\SysWOW64\Gdiakp32.exe

Filesize
76KB

MD5
fe40fe8eabffc623f4fccadcdfd1bbdb

SHA1
d2c0783d861ef8fe6c06a07e78a2d4fbc357fa47

SHA256
478beca8aea42b80a29adcbcbad5af855084660614f1694eb180c8f4e15bfaf7

SHA512
55f61db54ff8141ddd5508ea0b69d330864320d6275df833bf2aa1154d752b4c85cdf45585e8d57ac8248625bdc8e5884db9be57c30a432ffd9a42980f4856a4

Download Submit
C:\Windows\SysWOW64\Gjaphgpl.exe

Filesize
76KB

MD5
680dcd9e7cd03aa44bd0ac7d89c0ab7c

SHA1
9d7ba7434fff9c785778d18e91763697240b4078

SHA256
6bb38491765067cddedb07e6cd1fddebe1f56374a920e0340843b79d7b1004c9

SHA512
891f84b2ea428701f98ecce717747a98b89adb1109d3f9947487342b8e4d679054b84ae2d13aced856fd41eaaa8491a5b54bff4115cc46fc852d5992da7d3ffb

Download Submit
C:\Windows\SysWOW64\Gjcmngnj.exe

Filesize
76KB

MD5
659e03124a1e72f98dda566d75025d3b

SHA1
4a055a7f21dc469a7c0b30e353e8eb5d6a41a61d

SHA256
cbe47cd278390237631737dcf58eca3d1ea5b68d7bbebe0574f77905611b16b9

SHA512
a0ee7863beff5dbbc8531fcb2ecfc7a8d5e82e814bcc0cac7cb98a429e4097a25be131f84851aa8b7a0da9136630dbe9ec78073df211f7fb2275df7a9a525d77

Download Submit
C:\Windows\SysWOW64\Gkcigjel.exe

Filesize
76KB

MD5
50020063117438c470330310b5ed876c

SHA1
307779c35f9c557ad2b3f71c8839a85f5cc463b9

SHA256
bd22b5985fd0ed87ce6f2b49805330169b1445999111c720c33bf6b22780c8a2

SHA512
87988650cb52e22eef1e02f44f9d6824a035b9766773a8067d5ac0cead226fa5f09d99f67fbc8178a185f947d4791bd55f5f9f837cadda57e083aff3518029f6

Download Submit
memory/624-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/624-76-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/760-77-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/760-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1128-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1128-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-78-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2012-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-74-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3080-75-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3080-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-83-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads