f52f07ce4615c64d152a898fad0a502f8144c484e58f14c1332d14b6d9499aa6

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb964d9e6901be7b449dc5cb56f6110N.exe
Size

56KB
MD5

1fb964d9e6901be7b449dc5cb56f6110
SHA1

7bf6d7576cd605f89e18ee6e193de7fe9a957c67
SHA256

f52f07ce4615c64d152a898fad0a502f8144c484e58f14c1332d14b6d9499aa6
SHA512

16efd1c536c64c8c0c11a3cb41abfe4a65c163c40384cd574e31321a9ab6134a77553737d44f35b5c58e0a2afbae182823b7a20a64663bc226f36cc2ae513e3e
SSDEEP

768:l3k6Idc4uk20Pj100E+INqSQ30DGDNICOyB2I3Dx54BcvHFioQxO/1H5GQXdnh:l3+dVZ20P60E1yHFiI3Dx545ici

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1fb964d9e6901be7b449dc5cb56f6110N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edihdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1fb964d9e6901be7b449dc5cb56f6110N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eahobg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdmaoahm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcbnpnme.exe

Executes dropped EXE 17 IoCs

pid	Process
3060	Eahobg32.exe
4112	Ecikjoep.exe
2492	Ekqckmfb.exe
1472	Eajlhg32.exe
712	Edihdb32.exe
3344	Fggdpnkf.exe
3584	Fqphic32.exe
3916	Fcneeo32.exe
844	Fncibg32.exe
4828	Fdmaoahm.exe
2700	Fjjjgh32.exe
764	Fqdbdbna.exe
2816	Fcbnpnme.exe
1512	Fdbkja32.exe
1496	Fjocbhbo.exe
4540	Fbfkceca.exe
220	Gddgpqbe.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Edihdb32.exe	Eajlhg32.exe
File created	C:\Windows\SysWOW64\Gbjlkd32.dll	Fqdbdbna.exe
File opened for modification	C:\Windows\SysWOW64\Ekqckmfb.exe	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Fggdpnkf.exe	Edihdb32.exe
File opened for modification	C:\Windows\SysWOW64\Fdbkja32.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Imhcpepk.dll	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Fcbnpnme.exe	Fqdbdbna.exe
File opened for modification	C:\Windows\SysWOW64\Fncibg32.exe	Fcneeo32.exe
File opened for modification	C:\Windows\SysWOW64\Fcbnpnme.exe	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Eclhcj32.dll	Ecikjoep.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Fqdbdbna.exe	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fbfkceca.exe
File opened for modification	C:\Windows\SysWOW64\Edihdb32.exe	Eajlhg32.exe
File created	C:\Windows\SysWOW64\Ofjljj32.dll	Eajlhg32.exe
File opened for modification	C:\Windows\SysWOW64\Eahobg32.exe	1fb964d9e6901be7b449dc5cb56f6110N.exe
File created	C:\Windows\SysWOW64\Jodamh32.dll	1fb964d9e6901be7b449dc5cb56f6110N.exe
File opened for modification	C:\Windows\SysWOW64\Fjjjgh32.exe	Fdmaoahm.exe
File created	C:\Windows\SysWOW64\Fjocbhbo.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Fncibg32.exe	Fcneeo32.exe
File created	C:\Windows\SysWOW64\Fpiedd32.dll	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Ecikjoep.exe	Eahobg32.exe
File created	C:\Windows\SysWOW64\Fcneeo32.exe	Fqphic32.exe
File opened for modification	C:\Windows\SysWOW64\Fqdbdbna.exe	Fjjjgh32.exe
File opened for modification	C:\Windows\SysWOW64\Fjocbhbo.exe	Fdbkja32.exe
File opened for modification	C:\Windows\SysWOW64\Fggdpnkf.exe	Edihdb32.exe
File opened for modification	C:\Windows\SysWOW64\Fdmaoahm.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Hdeeipfp.dll	Fdmaoahm.exe
File created	C:\Windows\SysWOW64\Hmcipf32.dll	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Fbfkceca.exe	Fjocbhbo.exe
File opened for modification	C:\Windows\SysWOW64\Fcneeo32.exe	Fqphic32.exe
File created	C:\Windows\SysWOW64\Fjjjgh32.exe	Fdmaoahm.exe
File opened for modification	C:\Windows\SysWOW64\Fbfkceca.exe	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Begndj32.dll	Fcneeo32.exe
File created	C:\Windows\SysWOW64\Djojepof.dll	Fncibg32.exe
File opened for modification	C:\Windows\SysWOW64\Fqphic32.exe	Fggdpnkf.exe
File created	C:\Windows\SysWOW64\Fohoiloe.dll	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Fqphic32.exe	Fggdpnkf.exe
File created	C:\Windows\SysWOW64\Blghiiea.dll	Edihdb32.exe
File created	C:\Windows\SysWOW64\Iffahdpm.dll	Fggdpnkf.exe
File created	C:\Windows\SysWOW64\Fdbkja32.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fbfkceca.exe
File opened for modification	C:\Windows\SysWOW64\Ecikjoep.exe	Eahobg32.exe
File created	C:\Windows\SysWOW64\Ekqckmfb.exe	Ecikjoep.exe
File opened for modification	C:\Windows\SysWOW64\Eajlhg32.exe	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Ajgqdaoi.dll	Fqphic32.exe
File created	C:\Windows\SysWOW64\Gajlgpic.dll	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Fdmaoahm.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Eajlhg32.exe	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Eahobg32.exe	1fb964d9e6901be7b449dc5cb56f6110N.exe
File created	C:\Windows\SysWOW64\Dodfed32.dll	Eahobg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3560	220	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fb964d9e6901be7b449dc5cb56f6110N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fggdpnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqphic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eahobg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekqckmfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eajlhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edihdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjocbhbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcneeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdmaoahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjjgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1fb964d9e6901be7b449dc5cb56f6110N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll"	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eahobg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djojepof.dll"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhcpepk.dll"	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofjljj32.dll"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blghiiea.dll"	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1fb964d9e6901be7b449dc5cb56f6110N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodfed32.dll"	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclhcj32.dll"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodamh32.dll"	1fb964d9e6901be7b449dc5cb56f6110N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1fb964d9e6901be7b449dc5cb56f6110N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffahdpm.dll"	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiedd32.dll"	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1fb964d9e6901be7b449dc5cb56f6110N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajlgpic.dll"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eahobg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1fb964d9e6901be7b449dc5cb56f6110N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgqdaoi.dll"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdeeipfp.dll"	Fdmaoahm.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 3060	1708	1fb964d9e6901be7b449dc5cb56f6110N.exe	90
PID 1708 wrote to memory of 3060	1708	1fb964d9e6901be7b449dc5cb56f6110N.exe	90
PID 1708 wrote to memory of 3060	1708	1fb964d9e6901be7b449dc5cb56f6110N.exe	90
PID 3060 wrote to memory of 4112	3060	Eahobg32.exe	91
PID 3060 wrote to memory of 4112	3060	Eahobg32.exe	91
PID 3060 wrote to memory of 4112	3060	Eahobg32.exe	91
PID 4112 wrote to memory of 2492	4112	Ecikjoep.exe	92
PID 4112 wrote to memory of 2492	4112	Ecikjoep.exe	92
PID 4112 wrote to memory of 2492	4112	Ecikjoep.exe	92
PID 2492 wrote to memory of 1472	2492	Ekqckmfb.exe	93
PID 2492 wrote to memory of 1472	2492	Ekqckmfb.exe	93
PID 2492 wrote to memory of 1472	2492	Ekqckmfb.exe	93
PID 1472 wrote to memory of 712	1472	Eajlhg32.exe	94
PID 1472 wrote to memory of 712	1472	Eajlhg32.exe	94
PID 1472 wrote to memory of 712	1472	Eajlhg32.exe	94
PID 712 wrote to memory of 3344	712	Edihdb32.exe	96
PID 712 wrote to memory of 3344	712	Edihdb32.exe	96
PID 712 wrote to memory of 3344	712	Edihdb32.exe	96
PID 3344 wrote to memory of 3584	3344	Fggdpnkf.exe	97
PID 3344 wrote to memory of 3584	3344	Fggdpnkf.exe	97
PID 3344 wrote to memory of 3584	3344	Fggdpnkf.exe	97
PID 3584 wrote to memory of 3916	3584	Fqphic32.exe	98
PID 3584 wrote to memory of 3916	3584	Fqphic32.exe	98
PID 3584 wrote to memory of 3916	3584	Fqphic32.exe	98
PID 3916 wrote to memory of 844	3916	Fcneeo32.exe	99
PID 3916 wrote to memory of 844	3916	Fcneeo32.exe	99
PID 3916 wrote to memory of 844	3916	Fcneeo32.exe	99
PID 844 wrote to memory of 4828	844	Fncibg32.exe	100
PID 844 wrote to memory of 4828	844	Fncibg32.exe	100
PID 844 wrote to memory of 4828	844	Fncibg32.exe	100
PID 4828 wrote to memory of 2700	4828	Fdmaoahm.exe	102
PID 4828 wrote to memory of 2700	4828	Fdmaoahm.exe	102
PID 4828 wrote to memory of 2700	4828	Fdmaoahm.exe	102
PID 2700 wrote to memory of 764	2700	Fjjjgh32.exe	103
PID 2700 wrote to memory of 764	2700	Fjjjgh32.exe	103
PID 2700 wrote to memory of 764	2700	Fjjjgh32.exe	103
PID 764 wrote to memory of 2816	764	Fqdbdbna.exe	104
PID 764 wrote to memory of 2816	764	Fqdbdbna.exe	104
PID 764 wrote to memory of 2816	764	Fqdbdbna.exe	104
PID 2816 wrote to memory of 1512	2816	Fcbnpnme.exe	105
PID 2816 wrote to memory of 1512	2816	Fcbnpnme.exe	105
PID 2816 wrote to memory of 1512	2816	Fcbnpnme.exe	105
PID 1512 wrote to memory of 1496	1512	Fdbkja32.exe	106
PID 1512 wrote to memory of 1496	1512	Fdbkja32.exe	106
PID 1512 wrote to memory of 1496	1512	Fdbkja32.exe	106
PID 1496 wrote to memory of 4540	1496	Fjocbhbo.exe	108
PID 1496 wrote to memory of 4540	1496	Fjocbhbo.exe	108
PID 1496 wrote to memory of 4540	1496	Fjocbhbo.exe	108
PID 4540 wrote to memory of 220	4540	Fbfkceca.exe	109
PID 4540 wrote to memory of 220	4540	Fbfkceca.exe	109
PID 4540 wrote to memory of 220	4540	Fbfkceca.exe	109

C:\Users\Admin\AppData\Local\Temp\1fb964d9e6901be7b449dc5cb56f6110N.exe
"C:\Users\Admin\AppData\Local\Temp\1fb964d9e6901be7b449dc5cb56f6110N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\Eahobg32.exe
  C:\Windows\system32\Eahobg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\Ecikjoep.exe
    C:\Windows\system32\Ecikjoep.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\Ekqckmfb.exe
      C:\Windows\system32\Ekqckmfb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
      - C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 400
        19⤵
        Program crash
        
        PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 220 -ip 220
1⤵
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:8
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eahobg32.exe

Filesize
56KB

MD5
395d2772288fb71dfd0ef5b156b75d25

SHA1
cf8b07c85c9db12a6aa104a859cfb34a90489ad1

SHA256
1a70468048b7a1cdf5964d6c07f9359776fc0050bc7f42f2bc8604803924274f

SHA512
32fe43b63f6acd959b5b9832348192169a34890f85422eb665e25b0caa4806cfa7f80e90afeee0e2769777109571e42dc59ccd88f43f5be0c57895e68a074def

Download Submit
C:\Windows\SysWOW64\Eajlhg32.exe

Filesize
56KB

MD5
0fe7ddfd2870d8c57121361295858999

SHA1
b98b56f4501873ccb7591dca7d04ccef3ee86f05

SHA256
ae46045bf83d634f5a263a83f66dfdd0c027c9d6b3dea96747111612444c099f

SHA512
a9439d616469c5750216558bd832c1f0ac9778f1f2c50776678610d3a097a63bdf8b09ebf0301fe223bed3a34eb4618cc45876eddf818503ea3197235d07bde7

Download Submit
C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
56KB

MD5
3c5e39e822e41bd8ce7cb3f4257dab7e

SHA1
520b2eb242716e38351aee77947ae3a3754cb9bf

SHA256
c2d871c118593c4b6cead4a66ca096d936d9e703b8253def184145953c8623b2

SHA512
d2a617d481bf1cc74171d981bd1d978d9eec049487f1dfa32a3073901e768f437f78300b4e4b4408541962211710b27fb9773bb5db423ae4cd6b3761fd551093

Download Submit
C:\Windows\SysWOW64\Edihdb32.exe

Filesize
56KB

MD5
7c1e1a8ce42e6049adf7d6d037e29ab4

SHA1
eb11a56e535e8794cb41a88f7840b672fc945625

SHA256
7d7ba1b2f64addb4790afc93f31d89e524a638b564ab8e90e4038fc65e187510

SHA512
984e804f737a3673b49f93af783347a854bfa0f7da7096a56284fc198c3811969531581d8a8bb8a8e8c7c46ec51906a5c21964ba9564063475146d8a1a315942

Download Submit
C:\Windows\SysWOW64\Ekqckmfb.exe

Filesize
56KB

MD5
d78ab1159cf9bdb84d5e5a370967e69f

SHA1
24bfa54abd4bbfeb65c9da7d76258dac94811d3d

SHA256
284619c8ecbdd7f92d6ed43592eedb95636bf0df6873938e708d347f8b442cb7

SHA512
10b958b10ac3d6a7532fdcb3a14efbb9a81cbeb2ee0ef0c5ccef6673effc83c0f4339c2a19f4ac5a44014edcbc5e06f937606f3559953ea5bc61bc150e03130d

Download Submit
C:\Windows\SysWOW64\Fbfkceca.exe

Filesize
56KB

MD5
371cd09c7e5d9aed9ce0fb265d5eaf48

SHA1
28867786d81ef0cf70897d8247b197cab29bcf8f

SHA256
289bb0207c1d9bb0aa9d200107f41bdff3fa5d50fe7a0960d1b06cba8b1de907

SHA512
fd28da3472bfe5d94334b73d0fbddc39dc138c51bb9902be93e54293f23d74651f5e2e9b27b29af139c96c192637721c5da43e05a12638107e67e47a69df6585

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
56KB

MD5
1b44ff0a1fbd202c9f967e1af08cf728

SHA1
67060588bc2e0723b382ec7e329765578c19772d

SHA256
203de973ebb025f0e4a0f6303ce99175f1ab2c529378efe71b02998a0f754922

SHA512
7f3449f15ae3e9490d27b5bfd23350fb0d72b985457e5b75ec8a15cd2e92b65bbf25f424b788618c82569f9a589f1192cdf8efb005fecda0df27e4cdc0375341

Download Submit
C:\Windows\SysWOW64\Fcneeo32.exe

Filesize
56KB

MD5
a65d1b17c99567798a018c63a346c4b7

SHA1
a14768694c028436d6a6fbc8ac6f015c50a86e9d

SHA256
c05b47474df8bdf7138caf8cde14891d6a15741f098b5240b23942109ad045a8

SHA512
01e369516ec61deba66012f3fc58ba25a9013f4c1b82a579a6acc7ee30c6fe4c91b4c8ff13b413c9065c362bce5127a5e2bec6223fe7140362c2883e262dc7d0

Download Submit
C:\Windows\SysWOW64\Fdbkja32.exe

Filesize
56KB

MD5
f8a1853bdccd563d0b37a946f1259ce0

SHA1
73075b13f1192dc2a3c4972b40cbbfa2e8290040

SHA256
db0d88d085b730e60a5c47c744706d4cb9c2f45830e8e73d0860f7d0a4ab3bc4

SHA512
3f44d594eef740464bb2a0e71c7e5dcd7ba960d064f80cfba8a02e0faaace524622b4e437af47daa8b847aaf727838c4d37901d23644ae26e17350f896eff5d4

Download Submit
C:\Windows\SysWOW64\Fdmaoahm.exe

Filesize
56KB

MD5
ed26b93bdc3d934a4a1eb74e762668a7

SHA1
ab5237f06a6c4953d779d666acae0a7e687f2f02

SHA256
f3275f1030d681cdaf0118f59624da8a8bf364b048635ba7002291af3310a61d

SHA512
e6381fdafbd6d2699b184d8aea7c4870f5a3715fdf4ec559c56c95d15a4be561fa021ae7643d409a1dd0f042074110803d7345cde373bdd0579981fb5ca467f8

Download Submit
C:\Windows\SysWOW64\Fggdpnkf.exe

Filesize
56KB

MD5
9e4b6c4aa7227fb031627fbd10224fa0

SHA1
6cabe45c31bb162c72b144d6fe75732d1b6e0842

SHA256
58c3efae00b247962a0f8ad1bc5d75c686b943462019bb13184ffd02e441da1d

SHA512
2e0e065f21077fc603c366c74f82a5815bae71e225c2826b438f0a1a89e47bc2ec95fd97628de03506e54fd1d66c3127fbface733704ab739fbaf15362317854

Download Submit
C:\Windows\SysWOW64\Fjjjgh32.exe

Filesize
56KB

MD5
959e75cea6838883ceeddd9984773e8e

SHA1
621bd1bd58dec0c3310d13d259ab5abe15e68af0

SHA256
ed46ffdfced8a36bbfd6a49eb2a2f130f0b9636e2d6e0606e87da6cbe90bd1be

SHA512
c972e8ce3fd46a15fcc51bdc22a16b19ace5f859c80741351450baac6e20dc269741a75551619d460a4be0cc05127a71b159083f82128d5a03e58502c28c4ea8

Download Submit
C:\Windows\SysWOW64\Fjocbhbo.exe

Filesize
56KB

MD5
7ca90a7a87aa094c16ca94af65592573

SHA1
7359a1de64849512724004887a9942c4454d4892

SHA256
cd48a5759b8e46ac0d12b16b5f3a81bc952996065b4c50206a8da52c7c646062

SHA512
8ceb60f0636d4f28934f777fb7b4f6faee62f60bb914e3775124bc5512d01756b1634d04cfa23385d020c3046d4a7ed2d6ee387d732c33fb1907bc9cfb431bbd

Download Submit
C:\Windows\SysWOW64\Fncibg32.exe

Filesize
56KB

MD5
b5f7a291a4edf9803eed16891c674d28

SHA1
82a54278cdd2fe94802222e98bcb368b4202539c

SHA256
06aa30246a8265299e77ec67c53e2b220fd51a0849e94eb3bf54d73a065fc3e9

SHA512
300b1d98176f6daf3b1a64fd4372c1650dfba0906778af67ac7987379cb2dd551c824914f69135f74656f57b2c1b06ef9c39de2090ffc95dfca72ebb4306caf4

Download Submit
C:\Windows\SysWOW64\Fqdbdbna.exe

Filesize
56KB

MD5
95efa745b68d692e4bfe862c5121c16a

SHA1
a7eae703782e208589d65e19d07a85e4a1be3aa5

SHA256
4350e21d8309e69dd449ff9d6c165881304827064c884af4f2f9e88fd3602534

SHA512
033d5344776f487b05f8a09bfe8bb0c94211959285ad5239fbff8d859dfe4f8cdd9ac364ae60ab2ba4a2bf179da69ad16486f2a049ffc920f64343d294afb570

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe

Filesize
56KB

MD5
9b397cc8709a965bb620a73a9d4b8299

SHA1
1320e38263a3d6f22f859559fadaa2033f3be8d1

SHA256
4b599f432091beacebc06a78b7062ae408d0364b1dd3dab3dd8fef7d527ec717

SHA512
8d4bd17d9a5f6b0134fae8a240f421e870ea9c75be28512b6622bbf1bb919c11bd3b64e432137a9474d2c8252c8d4e42d1225ef8deda1c66282e99d5bad437aa

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
56KB

MD5
9a5a5def8abd82f98c53f68a9db65ee0

SHA1
267d66818fde1e0deb6ffd02d9ee168b933af85e

SHA256
f4c6546ef1c957618b38cc8cf5b6588ed03c99fa16d3111ec719c0cce9454d87

SHA512
8b13c0412b411c032857fb4838c2dcccb0fd5c4cecbc79ce8cf0eb3a7b4ddf4780dc507c71a50c0527a8f5708e2cdaf9f55c822540d3a7e23a9fe0372d826ee0

Download Submit
memory/220-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/220-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/712-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/844-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/844-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1708-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads