6f3facc60c9062047f3a7c4f39fa45f4e4b4e178d4beb68d8d46c67948d1f92b

Analysis

max time kernel
83s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8331a899c04717aeab645ab735877490N.exe
Size

73KB
MD5

8331a899c04717aeab645ab735877490
SHA1

f23e402efb4064d22ec2db49854b7646b590a758
SHA256

6f3facc60c9062047f3a7c4f39fa45f4e4b4e178d4beb68d8d46c67948d1f92b
SHA512

e112c64e72f506ba41c5ec3abd04250fba3cc78698827881d585a1c59c5dbeaa627bd5c54078f167f1d6dc4495b68a7b791e29a8cc8c83f91a05d1da5ebf6b04
SSDEEP

768:qj0uM0t5qcY/9v0yHa+YlsKO/9Rz7Sd3LvUSEcZ2xhWb/1H5rnB8W44jzo1MkEJo:6S0GcMTR/r7m3LsSEcfpj5YMkhohBM

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8331a899c04717aeab645ab735877490N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecnpgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaamobdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehgoaiml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgmak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdefgimi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Faopib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gepeep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flpkll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffeoid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkjjbhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gepeep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecnpgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpgmak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjlaod32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaamobdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkjahg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkjahg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjlaod32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdefgimi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faopib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkjjbhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehgoaiml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggqamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggqamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flpkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffeoid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flbgak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gledgkfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8331a899c04717aeab645ab735877490N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flbgak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gledgkfn.exe

Executes dropped EXE 16 IoCs

pid	Process
2936	Ehgoaiml.exe
2788	Ecnpgj32.exe
2956	Fpgmak32.exe
2740	Fjlaod32.exe
2808	Fdefgimi.exe
2712	Flpkll32.exe
1712	Ffeoid32.exe
1516	Flbgak32.exe
1708	Faopib32.exe
2980	Gledgkfn.exe
2004	Gaamobdf.exe
2696	Gkjahg32.exe
2416	Gepeep32.exe
1124	Ggqamh32.exe
2412	Gmkjjbhg.exe
2168	Gmmgobfd.exe

Loads dropped DLL 36 IoCs

pid	Process
1652	8331a899c04717aeab645ab735877490N.exe
1652	8331a899c04717aeab645ab735877490N.exe
2936	Ehgoaiml.exe
2936	Ehgoaiml.exe
2788	Ecnpgj32.exe
2788	Ecnpgj32.exe
2956	Fpgmak32.exe
2956	Fpgmak32.exe
2740	Fjlaod32.exe
2740	Fjlaod32.exe
2808	Fdefgimi.exe
2808	Fdefgimi.exe
2712	Flpkll32.exe
2712	Flpkll32.exe
1712	Ffeoid32.exe
1712	Ffeoid32.exe
1516	Flbgak32.exe
1516	Flbgak32.exe
1708	Faopib32.exe
1708	Faopib32.exe
2980	Gledgkfn.exe
2980	Gledgkfn.exe
2004	Gaamobdf.exe
2004	Gaamobdf.exe
2696	Gkjahg32.exe
2696	Gkjahg32.exe
2416	Gepeep32.exe
2416	Gepeep32.exe
1124	Ggqamh32.exe
1124	Ggqamh32.exe
2412	Gmkjjbhg.exe
2412	Gmkjjbhg.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nokabf32.dll	8331a899c04717aeab645ab735877490N.exe
File created	C:\Windows\SysWOW64\Fdefgimi.exe	Fjlaod32.exe
File created	C:\Windows\SysWOW64\Gepeep32.exe	Gkjahg32.exe
File opened for modification	C:\Windows\SysWOW64\Flbgak32.exe	Ffeoid32.exe
File opened for modification	C:\Windows\SysWOW64\Gaamobdf.exe	Gledgkfn.exe
File created	C:\Windows\SysWOW64\Odjoeplp.dll	Gledgkfn.exe
File opened for modification	C:\Windows\SysWOW64\Ggqamh32.exe	Gepeep32.exe
File opened for modification	C:\Windows\SysWOW64\Gkjahg32.exe	Gaamobdf.exe
File created	C:\Windows\SysWOW64\Dlgind32.dll	Gaamobdf.exe
File created	C:\Windows\SysWOW64\Ggqamh32.exe	Gepeep32.exe
File opened for modification	C:\Windows\SysWOW64\Ehgoaiml.exe	8331a899c04717aeab645ab735877490N.exe
File opened for modification	C:\Windows\SysWOW64\Ecnpgj32.exe	Ehgoaiml.exe
File opened for modification	C:\Windows\SysWOW64\Fdefgimi.exe	Fjlaod32.exe
File created	C:\Windows\SysWOW64\Flbgak32.exe	Ffeoid32.exe
File created	C:\Windows\SysWOW64\Fpgmak32.exe	Ecnpgj32.exe
File opened for modification	C:\Windows\SysWOW64\Fjlaod32.exe	Fpgmak32.exe
File opened for modification	C:\Windows\SysWOW64\Gledgkfn.exe	Faopib32.exe
File created	C:\Windows\SysWOW64\Iociomhg.dll	Faopib32.exe
File created	C:\Windows\SysWOW64\Gledgkfn.exe	Faopib32.exe
File created	C:\Windows\SysWOW64\Gmmgobfd.exe	Gmkjjbhg.exe
File created	C:\Windows\SysWOW64\Ehgoaiml.exe	8331a899c04717aeab645ab735877490N.exe
File created	C:\Windows\SysWOW64\Fjlaod32.exe	Fpgmak32.exe
File created	C:\Windows\SysWOW64\Pefone32.dll	Fjlaod32.exe
File opened for modification	C:\Windows\SysWOW64\Faopib32.exe	Flbgak32.exe
File created	C:\Windows\SysWOW64\Gkjahg32.exe	Gaamobdf.exe
File created	C:\Windows\SysWOW64\Ifgpnf32.dll	Ffeoid32.exe
File created	C:\Windows\SysWOW64\Faopib32.exe	Flbgak32.exe
File created	C:\Windows\SysWOW64\Pgjlbh32.dll	Flbgak32.exe
File opened for modification	C:\Windows\SysWOW64\Gepeep32.exe	Gkjahg32.exe
File opened for modification	C:\Windows\SysWOW64\Fpgmak32.exe	Ecnpgj32.exe
File created	C:\Windows\SysWOW64\Flpkll32.exe	Fdefgimi.exe
File opened for modification	C:\Windows\SysWOW64\Flpkll32.exe	Fdefgimi.exe
File created	C:\Windows\SysWOW64\Akinoefk.dll	Flpkll32.exe
File created	C:\Windows\SysWOW64\Bjnbiqik.dll	Gepeep32.exe
File created	C:\Windows\SysWOW64\Gmkjjbhg.exe	Ggqamh32.exe
File opened for modification	C:\Windows\SysWOW64\Gmkjjbhg.exe	Ggqamh32.exe
File opened for modification	C:\Windows\SysWOW64\Gmmgobfd.exe	Gmkjjbhg.exe
File created	C:\Windows\SysWOW64\Hjgefg32.dll	Fdefgimi.exe
File created	C:\Windows\SysWOW64\Ffeoid32.exe	Flpkll32.exe
File opened for modification	C:\Windows\SysWOW64\Ffeoid32.exe	Flpkll32.exe
File created	C:\Windows\SysWOW64\Gaamobdf.exe	Gledgkfn.exe
File created	C:\Windows\SysWOW64\Ecnpgj32.exe	Ehgoaiml.exe
File created	C:\Windows\SysWOW64\Heccqa32.dll	Ehgoaiml.exe
File created	C:\Windows\SysWOW64\Ppmlkl32.dll	Ecnpgj32.exe
File created	C:\Windows\SysWOW64\Iijlqlam.dll	Fpgmak32.exe
File created	C:\Windows\SysWOW64\Hmalaioi.dll	Gkjahg32.exe
File created	C:\Windows\SysWOW64\Gkiiie32.dll	Ggqamh32.exe
File created	C:\Windows\SysWOW64\Idlfno32.dll	Gmkjjbhg.exe

Program crash 1 IoCs

pid	pid_target	Process
2444	2168	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjlaod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffeoid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmkjjbhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmmgobfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8331a899c04717aeab645ab735877490N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecnpgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaamobdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faopib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gledgkfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkjahg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gepeep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdefgimi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flpkll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flbgak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggqamh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehgoaiml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgmak32.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecnpgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgjlbh32.dll"	Flbgak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggqamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heccqa32.dll"	Ehgoaiml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmlkl32.dll"	Ecnpgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaamobdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkiiie32.dll"	Ggqamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlfno32.dll"	Gmkjjbhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjlaod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffeoid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnbiqik.dll"	Gepeep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8331a899c04717aeab645ab735877490N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gepeep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gepeep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmkjjbhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pefone32.dll"	Fjlaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifgpnf32.dll"	Ffeoid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpgmak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgefg32.dll"	Fdefgimi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flbgak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmalaioi.dll"	Gkjahg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8331a899c04717aeab645ab735877490N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehgoaiml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flbgak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgind32.dll"	Gaamobdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaamobdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggqamh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8331a899c04717aeab645ab735877490N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjlaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akinoefk.dll"	Flpkll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gledgkfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gledgkfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokabf32.dll"	8331a899c04717aeab645ab735877490N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdefgimi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iociomhg.dll"	Faopib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmkjjbhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flpkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flpkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faopib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkjahg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehgoaiml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Faopib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdefgimi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iijlqlam.dll"	Fpgmak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffeoid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkjahg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8331a899c04717aeab645ab735877490N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpgmak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odjoeplp.dll"	Gledgkfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8331a899c04717aeab645ab735877490N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecnpgj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2936	1652	8331a899c04717aeab645ab735877490N.exe	29
PID 1652 wrote to memory of 2936	1652	8331a899c04717aeab645ab735877490N.exe	29
PID 1652 wrote to memory of 2936	1652	8331a899c04717aeab645ab735877490N.exe	29
PID 1652 wrote to memory of 2936	1652	8331a899c04717aeab645ab735877490N.exe	29
PID 2936 wrote to memory of 2788	2936	Ehgoaiml.exe	30
PID 2936 wrote to memory of 2788	2936	Ehgoaiml.exe	30
PID 2936 wrote to memory of 2788	2936	Ehgoaiml.exe	30
PID 2936 wrote to memory of 2788	2936	Ehgoaiml.exe	30
PID 2788 wrote to memory of 2956	2788	Ecnpgj32.exe	31
PID 2788 wrote to memory of 2956	2788	Ecnpgj32.exe	31
PID 2788 wrote to memory of 2956	2788	Ecnpgj32.exe	31
PID 2788 wrote to memory of 2956	2788	Ecnpgj32.exe	31
PID 2956 wrote to memory of 2740	2956	Fpgmak32.exe	32
PID 2956 wrote to memory of 2740	2956	Fpgmak32.exe	32
PID 2956 wrote to memory of 2740	2956	Fpgmak32.exe	32
PID 2956 wrote to memory of 2740	2956	Fpgmak32.exe	32
PID 2740 wrote to memory of 2808	2740	Fjlaod32.exe	33
PID 2740 wrote to memory of 2808	2740	Fjlaod32.exe	33
PID 2740 wrote to memory of 2808	2740	Fjlaod32.exe	33
PID 2740 wrote to memory of 2808	2740	Fjlaod32.exe	33
PID 2808 wrote to memory of 2712	2808	Fdefgimi.exe	34
PID 2808 wrote to memory of 2712	2808	Fdefgimi.exe	34
PID 2808 wrote to memory of 2712	2808	Fdefgimi.exe	34
PID 2808 wrote to memory of 2712	2808	Fdefgimi.exe	34
PID 2712 wrote to memory of 1712	2712	Flpkll32.exe	35
PID 2712 wrote to memory of 1712	2712	Flpkll32.exe	35
PID 2712 wrote to memory of 1712	2712	Flpkll32.exe	35
PID 2712 wrote to memory of 1712	2712	Flpkll32.exe	35
PID 1712 wrote to memory of 1516	1712	Ffeoid32.exe	36
PID 1712 wrote to memory of 1516	1712	Ffeoid32.exe	36
PID 1712 wrote to memory of 1516	1712	Ffeoid32.exe	36
PID 1712 wrote to memory of 1516	1712	Ffeoid32.exe	36
PID 1516 wrote to memory of 1708	1516	Flbgak32.exe	37
PID 1516 wrote to memory of 1708	1516	Flbgak32.exe	37
PID 1516 wrote to memory of 1708	1516	Flbgak32.exe	37
PID 1516 wrote to memory of 1708	1516	Flbgak32.exe	37
PID 1708 wrote to memory of 2980	1708	Faopib32.exe	38
PID 1708 wrote to memory of 2980	1708	Faopib32.exe	38
PID 1708 wrote to memory of 2980	1708	Faopib32.exe	38
PID 1708 wrote to memory of 2980	1708	Faopib32.exe	38
PID 2980 wrote to memory of 2004	2980	Gledgkfn.exe	39
PID 2980 wrote to memory of 2004	2980	Gledgkfn.exe	39
PID 2980 wrote to memory of 2004	2980	Gledgkfn.exe	39
PID 2980 wrote to memory of 2004	2980	Gledgkfn.exe	39
PID 2004 wrote to memory of 2696	2004	Gaamobdf.exe	40
PID 2004 wrote to memory of 2696	2004	Gaamobdf.exe	40
PID 2004 wrote to memory of 2696	2004	Gaamobdf.exe	40
PID 2004 wrote to memory of 2696	2004	Gaamobdf.exe	40
PID 2696 wrote to memory of 2416	2696	Gkjahg32.exe	41
PID 2696 wrote to memory of 2416	2696	Gkjahg32.exe	41
PID 2696 wrote to memory of 2416	2696	Gkjahg32.exe	41
PID 2696 wrote to memory of 2416	2696	Gkjahg32.exe	41
PID 2416 wrote to memory of 1124	2416	Gepeep32.exe	42
PID 2416 wrote to memory of 1124	2416	Gepeep32.exe	42
PID 2416 wrote to memory of 1124	2416	Gepeep32.exe	42
PID 2416 wrote to memory of 1124	2416	Gepeep32.exe	42
PID 1124 wrote to memory of 2412	1124	Ggqamh32.exe	43
PID 1124 wrote to memory of 2412	1124	Ggqamh32.exe	43
PID 1124 wrote to memory of 2412	1124	Ggqamh32.exe	43
PID 1124 wrote to memory of 2412	1124	Ggqamh32.exe	43
PID 2412 wrote to memory of 2168	2412	Gmkjjbhg.exe	44
PID 2412 wrote to memory of 2168	2412	Gmkjjbhg.exe	44
PID 2412 wrote to memory of 2168	2412	Gmkjjbhg.exe	44
PID 2412 wrote to memory of 2168	2412	Gmkjjbhg.exe	44

C:\Users\Admin\AppData\Local\Temp\8331a899c04717aeab645ab735877490N.exe
"C:\Users\Admin\AppData\Local\Temp\8331a899c04717aeab645ab735877490N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\Ehgoaiml.exe
  C:\Windows\system32\Ehgoaiml.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\Ecnpgj32.exe
    C:\Windows\system32\Ecnpgj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\Fpgmak32.exe
      C:\Windows\system32\Fpgmak32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\SysWOW64\Fjlaod32.exe
        
        C:\Windows\system32\Fjlaod32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\Fdefgimi.exe
        
        C:\Windows\system32\Fdefgimi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Flpkll32.exe
        
        C:\Windows\system32\Flpkll32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Ffeoid32.exe
        
        C:\Windows\system32\Ffeoid32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Flbgak32.exe
        
        C:\Windows\system32\Flbgak32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Faopib32.exe
        
        C:\Windows\system32\Faopib32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Gledgkfn.exe
        
        C:\Windows\system32\Gledgkfn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Gaamobdf.exe
        
        C:\Windows\system32\Gaamobdf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Gkjahg32.exe
        
        C:\Windows\system32\Gkjahg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Gepeep32.exe
        
        C:\Windows\system32\Gepeep32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Ggqamh32.exe
        
        C:\Windows\system32\Ggqamh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Gmkjjbhg.exe
        
        C:\Windows\system32\Gmkjjbhg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Gmmgobfd.exe
        
        C:\Windows\system32\Gmmgobfd.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 140
        18⤵
        Loads dropped DLL
        Program crash
        
        PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fdefgimi.exe

Filesize
73KB

MD5
d973867196ae971b4982a6a6453abc9e

SHA1
89bac2e54cd630f6a2b06d91a6707d0e163c2715

SHA256
6a50cabd5f11baaaa8b2f5e50cd9fa388bef68b93326237713987c66fc4e5c81

SHA512
540da606e4f81dc7121e3f1bdee3064e87ab6b145ac846a896727f63477ff7b535577e0c3091e847990a9812eaa21db589f4483e9cdd1695e7666cb421ee326f

Download Submit
C:\Windows\SysWOW64\Flbgak32.exe

Filesize
73KB

MD5
dd5aeedc28eb8ed18743432cbfb26aab

SHA1
4d009c14bddc4c1b0b31859a75482f578aead385

SHA256
839639da7d5c9884ff3139fc6b07cfb5c5afcb9ae144a31dbf3e84cd694abbf2

SHA512
42d7315d1e9386fffe6c3a1c1b6ae5741e9d7463099fe81da7ce768163374b3c25b4224227dd53fc8469943de47a75ad417c7e4b3933050bbdb794ae62ef2ce8

Download Submit
C:\Windows\SysWOW64\Flpkll32.exe

Filesize
73KB

MD5
55f6dedd13d9597237d3af7b8a487ee7

SHA1
f188d2b962500886c8e4652f1df0c8b23b3c34aa

SHA256
61870deeb15cf6ffa8ab2d95388443453f61dea6c60a72f7466261f13557740d

SHA512
a8e6086f7837e00ac58db311afe69d4adfcd98fc38fbc87e7c26eefe2e8816d7373498f2736dcb4124b3bdd09e8597ad6303a542aa8c7d5df46120e8a445b590

Download Submit
C:\Windows\SysWOW64\Fpgmak32.exe

Filesize
73KB

MD5
da2b3d80fa6f867d988fea9015b7f20c

SHA1
eb59880ea5174df57b4036054716c05d209f4aea

SHA256
c117123204cf3a0981b18240921306ca20de95616f74b4769a8985faefa1f607

SHA512
0279e8a477ddba11099aaef4943a0fd493b9031f11a4114f0bfa9012905c8bb9991bdfe32622d74d947e7cf35fa7269b65173f3f4431ee1385bb19746aeb4d40

Download Submit
C:\Windows\SysWOW64\Gepeep32.exe

Filesize
73KB

MD5
1bb76b396952a35f7db4dd122baa430c

SHA1
176d3511e5a2868b94da73afdba4a4ba44737854

SHA256
ff9656f39d096d37a28b84542caabbea3df0d24e348e756f05967f2cdab82914

SHA512
aaa97e86f9efe9d47e8266809a240480f3f96495b8bad7dade50d4cd50b179ee4de85cf806cdfe9cf9be91dc299216d3ead970b3ac0c6104c0a3f6668c2bdbf3

Download Submit
C:\Windows\SysWOW64\Ggqamh32.exe

Filesize
73KB

MD5
380cf349ff77247737f221e6092b42fd

SHA1
57b016f2493a2023056e72c8a9b8d6f6a6b49237

SHA256
c1dae769c814541b2edbc8d2a47176f42c166c52c97b0a296d04a5380c37c7c1

SHA512
ccbaa307a12fdc9f7c54f7af704eae1222437a356c019ff9d66e9c1fa2e855992ce9aef1dd771a27cf060227520746f37d4c5f8dbc4e7104085a60d11ff3d77e

Download Submit
C:\Windows\SysWOW64\Gkjahg32.exe

Filesize
73KB

MD5
9c0bf4682f9adb242be582581d3700ed

SHA1
e796b2b57e6367778ff0182ee5f25fe7fa955f96

SHA256
ff093b3d2ab560a1748de71f8aa99da406c79a0b86e63e9189ff2b8c8eb17ee2

SHA512
be437fcb8a0d37e74d695170fc8b7d4327eed1994b63e8b6dbc00a1a070b60e3d78eabc5114e42c466c7a255174b8c3be34416d23a369a60180a3a25e8e1e77a

Download Submit
C:\Windows\SysWOW64\Gmmgobfd.exe

Filesize
73KB

MD5
d1583a9531b092666c97bf2efb79c13a

SHA1
3affa55d340c43102f7dd699df0082c053f3654b

SHA256
2da78ac22bb625886aa17f0b350f3779043ed1635e49e0034b36fac7da098e9b

SHA512
41db0baa1f028f3ade752a5d305b9e4689413551bb61e5a1aa26c2bd195f5adc2b7f46630f2f82db16f83836a05a441e88220f368e6223ca18ae7627f5072b7e

Download Submit
\Windows\SysWOW64\Ecnpgj32.exe

Filesize
73KB

MD5
8c714dabef064690c5872b0dd0c77cb4

SHA1
2af319a81d4c835d3d52000d8cd2f0e06ecedacc

SHA256
c21d63ac1cca695602dd5538f12618bdfc110dd129540a06a3b64d2fc11bffa5

SHA512
2d466b96fde9b5e283686e2dff22109ec34cf5abf9e965424fd4c9ec3326209c985205c0cbeabc5f405ca474cbc90d9b1bcc3dce0dff3b543b8caa81e22cba25

Download Submit
\Windows\SysWOW64\Ehgoaiml.exe

Filesize
73KB

MD5
72ba92160f26f28f73f22523fdde586e

SHA1
a77097564c3072b7b2eb735ad7af27788706bd2e

SHA256
20f24d7548089348d3ab708db18fdf8bf800468beb3119ff4fc86ce2b5ccaa03

SHA512
524caaf5e4cb690452041dedc1435f59aa3a6d4a82ca8e29f90488cc22af4a4af3cb0f915365c8a5a9fda0b281cd2765a036e7da88ed63ef82d558bd1792db35

Download Submit
\Windows\SysWOW64\Faopib32.exe

Filesize
73KB

MD5
d31a9c1fd1f55d5bc9ba258ae51d90b4

SHA1
2c68374c9c758223196d08e20cb560cee7666ac8

SHA256
89245207cbb332f8a1932c15201f852b82bea2824c3211ad5f9e04720be7e79a

SHA512
c92d4516985deb24fc78d15f10f143e92d3cc6f9bf18bae6ef2c83930be36d8de8230d283769d982776cd949d914b60f5a42d047297912cb203f7a0030c838bb

Download Submit
\Windows\SysWOW64\Ffeoid32.exe

Filesize
73KB

MD5
c86f72d2f1fba051cf3ff24187470cdd

SHA1
867ea407ada08ee9821f50660a9a83d8b9ca2462

SHA256
cb32e77d0738d0fb7531643ff1e49fda6d6bca3d926866702f746468f89e5747

SHA512
20de3e908b6ae2c27589f89c362253da8147df51b8088f0ce7c17d6330dd63946c2ffed47fd77dca9bcd17ea66790a45af28bb3c5c302aa19652aea0939ada40

Download Submit
\Windows\SysWOW64\Fjlaod32.exe

Filesize
73KB

MD5
ceb356f6f6a786125a25455e605c23bd

SHA1
b9d5bcda5a7c381a18a6614fd44b72a6497592a7

SHA256
b7047aff7be36297fe02f745097fd3d8b8497377563f4cbd1f162a34f8d3f9a1

SHA512
8adcc8d058af3270b1548e5b88ecfffa64437e3be6b2091f7bddc9c827dc645e78f0d37b4368b66a3da168188aa6fac0238571ab0a3cb521aaff3edeb178386a

Download Submit
\Windows\SysWOW64\Gaamobdf.exe

Filesize
73KB

MD5
5a7360b4ff57c0275faa995f795219df

SHA1
aa5e42ed3cf873f3702f4cbdb6c5a2901a35a68f

SHA256
4c3c397db2f76d1291b61be04566c14ffb5e6b4309e69fd0a106cf2e70f4b108

SHA512
7a98879af33812c200dfe37e470573be23e8c510f0dd58280a2fc183ad98d3ba8f2d169794fb85c442351b45dec75c7e3e3b05c4bb017f42a87de0b74eaa9e34

Download Submit
\Windows\SysWOW64\Gledgkfn.exe

Filesize
73KB

MD5
c20aa522642c70476c83c911ba2e28f0

SHA1
202fd1ba64bc30106aa02102c596db83a2668cb0

SHA256
9626246f2d58e99e84eb7d74781e84b74d7c01c96b734cf1e80eb514a5a4765f

SHA512
9208f8dd3e810c0e15421be7bd0c9439a619174437f90a218d0222873fb956b95fe4748e9d366c1575937e898247f74992eee0761cc1781df66bc3757e925bbe

Download Submit
\Windows\SysWOW64\Gmkjjbhg.exe

Filesize
73KB

MD5
0f266bce2b50c26a146e19a053660efe

SHA1
f44d2bacbe30b2444d39c87a8fa8b8dcdd46827d

SHA256
60e1400b6d128cf0ad5612c93f9fcba3b36a2ba51ad575b4966f48f78d025f0d

SHA512
c1f8b866e01ab78463d26e87384b1cc1029a62ebcc476ea12c09a07f53b16c963271eb1c0fbd833645e7063caef4ecd0eb756b9beaea8c0b53f02bf6cd0cdaa4

Download Submit
memory/1124-229-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1124-198-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1124-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1516-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1516-118-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/1652-11-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1652-215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1652-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-128-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/1708-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1712-222-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1712-104-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2004-226-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2004-152-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2168-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2168-231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2412-207-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2412-230-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2412-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-183-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2416-228-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-171-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-170-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2696-227-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2712-92-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/2712-221-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2740-61-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2740-219-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2788-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2788-35-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2808-220-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2808-74-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2936-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-26-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2936-25-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2936-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2956-218-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2956-48-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2980-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2980-143-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads