ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2

Analysis

max time kernel
125s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 05:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe
Size

364KB
MD5

dafd9d5d5aaad1055913e7e91cd60bbe
SHA1

d396b23c3ca0915e9d2993ec385281fcda8f204b
SHA256

ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2
SHA512

c0d2443aa31ba4e326d66099ff47e71087d508974f8ef14154031d13374d4b9d76200d7955673aefe64c3eef07c76d18ed875288f86318f25b59043da4e47c8c
SSDEEP

3072:4+8hH61yFBmfiLL0MNlijGkHl9adPyFBmfiLfacWcsEU4yFBmfiLL0MNlijGkHlb:coMCqL02SgdaCqf1trUfCqL02SgdaCq

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnohnffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnmlhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdgdeppb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gclafmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gclafmej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqikob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnaecedp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdmaoahm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjfakng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnohnffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqikob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnaecedp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkjfakng.exe

Executes dropped EXE 19 IoCs

pid	Process
4836	Ejagaj32.exe
1508	Ecikjoep.exe
1716	Ejccgi32.exe
1128	Eajlhg32.exe
2408	Fgiaemic.exe
2348	Fdmaoahm.exe
2568	Fbaahf32.exe
680	Fcbnpnme.exe
2528	Fkjfakng.exe
4792	Fgqgfl32.exe
2576	Fqikob32.exe
1592	Ggccllai.exe
4680	Gnmlhf32.exe
2788	Gdgdeppb.exe
2856	Gnohnffc.exe
2288	Gdiakp32.exe
880	Gclafmej.exe
4784	Gnaecedp.exe
3528	Gbmadd32.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qmofmb32.dll	ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe
File created	C:\Windows\SysWOW64\Dodfed32.dll	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Eajlhg32.exe	Ejccgi32.exe
File created	C:\Windows\SysWOW64\Ohgohiia.dll	Gdgdeppb.exe
File created	C:\Windows\SysWOW64\Gclafmej.exe	Gdiakp32.exe
File opened for modification	C:\Windows\SysWOW64\Fcbnpnme.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Fkjfakng.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Fcbnpnme.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Mkhpmopi.dll	Fkjfakng.exe
File created	C:\Windows\SysWOW64\Mcqelbcc.dll	Ggccllai.exe
File opened for modification	C:\Windows\SysWOW64\Gdgdeppb.exe	Gnmlhf32.exe
File opened for modification	C:\Windows\SysWOW64\Gdiakp32.exe	Gnohnffc.exe
File opened for modification	C:\Windows\SysWOW64\Ecikjoep.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Egnelfnm.dll	Fdmaoahm.exe
File created	C:\Windows\SysWOW64\Fofobm32.dll	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Kminigbj.dll	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Bbjlpn32.dll	Gnmlhf32.exe
File created	C:\Windows\SysWOW64\Gdiakp32.exe	Gnohnffc.exe
File created	C:\Windows\SysWOW64\Fgqgfl32.exe	Fkjfakng.exe
File created	C:\Windows\SysWOW64\Gnmlhf32.exe	Ggccllai.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gnaecedp.exe
File created	C:\Windows\SysWOW64\Kplqhmfl.dll	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Ecikjoep.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Fgiaemic.exe	Eajlhg32.exe
File opened for modification	C:\Windows\SysWOW64\Fgqgfl32.exe	Fkjfakng.exe
File opened for modification	C:\Windows\SysWOW64\Gnmlhf32.exe	Ggccllai.exe
File created	C:\Windows\SysWOW64\Ejccgi32.exe	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Ggccllai.exe	Fqikob32.exe
File opened for modification	C:\Windows\SysWOW64\Ggccllai.exe	Fqikob32.exe
File created	C:\Windows\SysWOW64\Gnohnffc.exe	Gdgdeppb.exe
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Gnaecedp.exe
File created	C:\Windows\SysWOW64\Gbjlkd32.dll	Fbaahf32.exe
File opened for modification	C:\Windows\SysWOW64\Fqikob32.exe	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Gdgdeppb.exe	Gnmlhf32.exe
File opened for modification	C:\Windows\SysWOW64\Gnohnffc.exe	Gdgdeppb.exe
File opened for modification	C:\Windows\SysWOW64\Eajlhg32.exe	Ejccgi32.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	Eajlhg32.exe
File opened for modification	C:\Windows\SysWOW64\Fdmaoahm.exe	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Fbaahf32.exe	Fdmaoahm.exe
File created	C:\Windows\SysWOW64\Fqikob32.exe	Fgqgfl32.exe
File opened for modification	C:\Windows\SysWOW64\Gclafmej.exe	Gdiakp32.exe
File opened for modification	C:\Windows\SysWOW64\Ejagaj32.exe	ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe
File opened for modification	C:\Windows\SysWOW64\Ejccgi32.exe	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Fdmaoahm.exe	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Backedki.dll	Gnohnffc.exe
File created	C:\Windows\SysWOW64\Bfedfi32.dll	Gclafmej.exe
File created	C:\Windows\SysWOW64\Ejagaj32.exe	ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe
File created	C:\Windows\SysWOW64\Okkbgpmc.dll	Eajlhg32.exe
File created	C:\Windows\SysWOW64\Eocmgd32.dll	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Gnaecedp.exe	Gclafmej.exe
File created	C:\Windows\SysWOW64\Djojepof.dll	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Ogeigbeb.dll	Fqikob32.exe
File opened for modification	C:\Windows\SysWOW64\Gnaecedp.exe	Gclafmej.exe
File created	C:\Windows\SysWOW64\Imhcpepk.dll	Ejccgi32.exe
File created	C:\Windows\SysWOW64\Fbaahf32.exe	Fdmaoahm.exe
File opened for modification	C:\Windows\SysWOW64\Fkjfakng.exe	Fcbnpnme.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gnaecedp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
400	3528	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggccllai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnaecedp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejagaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eajlhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdmaoahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdgdeppb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnohnffc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjfakng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnmlhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdiakp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gclafmej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbmadd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejccgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqikob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kplqhmfl.dll"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohgohiia.dll"	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocmgd32.dll"	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodfed32.dll"	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnelfnm.dll"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhcpepk.dll"	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofobm32.dll"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gnaecedp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kminigbj.dll"	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggccllai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnohnffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdmaoahm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnohnffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backedki.dll"	Gnohnffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gclafmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnaecedp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqikob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnaecedp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjlpn32.dll"	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdgdeppb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll"	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcqelbcc.dll"	Ggccllai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmofmb32.dll"	ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djojepof.dll"	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll"	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gclafmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogeigbeb.dll"	Fqikob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfedfi32.dll"	Gclafmej.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4836	4888	ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe	90
PID 4888 wrote to memory of 4836	4888	ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe	90
PID 4888 wrote to memory of 4836	4888	ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe	90
PID 4836 wrote to memory of 1508	4836	Ejagaj32.exe	91
PID 4836 wrote to memory of 1508	4836	Ejagaj32.exe	91
PID 4836 wrote to memory of 1508	4836	Ejagaj32.exe	91
PID 1508 wrote to memory of 1716	1508	Ecikjoep.exe	92
PID 1508 wrote to memory of 1716	1508	Ecikjoep.exe	92
PID 1508 wrote to memory of 1716	1508	Ecikjoep.exe	92
PID 1716 wrote to memory of 1128	1716	Ejccgi32.exe	94
PID 1716 wrote to memory of 1128	1716	Ejccgi32.exe	94
PID 1716 wrote to memory of 1128	1716	Ejccgi32.exe	94
PID 1128 wrote to memory of 2408	1128	Eajlhg32.exe	96
PID 1128 wrote to memory of 2408	1128	Eajlhg32.exe	96
PID 1128 wrote to memory of 2408	1128	Eajlhg32.exe	96
PID 2408 wrote to memory of 2348	2408	Fgiaemic.exe	97
PID 2408 wrote to memory of 2348	2408	Fgiaemic.exe	97
PID 2408 wrote to memory of 2348	2408	Fgiaemic.exe	97
PID 2348 wrote to memory of 2568	2348	Fdmaoahm.exe	98
PID 2348 wrote to memory of 2568	2348	Fdmaoahm.exe	98
PID 2348 wrote to memory of 2568	2348	Fdmaoahm.exe	98
PID 2568 wrote to memory of 680	2568	Fbaahf32.exe	99
PID 2568 wrote to memory of 680	2568	Fbaahf32.exe	99
PID 2568 wrote to memory of 680	2568	Fbaahf32.exe	99
PID 680 wrote to memory of 2528	680	Fcbnpnme.exe	100
PID 680 wrote to memory of 2528	680	Fcbnpnme.exe	100
PID 680 wrote to memory of 2528	680	Fcbnpnme.exe	100
PID 2528 wrote to memory of 4792	2528	Fkjfakng.exe	102
PID 2528 wrote to memory of 4792	2528	Fkjfakng.exe	102
PID 2528 wrote to memory of 4792	2528	Fkjfakng.exe	102
PID 4792 wrote to memory of 2576	4792	Fgqgfl32.exe	103
PID 4792 wrote to memory of 2576	4792	Fgqgfl32.exe	103
PID 4792 wrote to memory of 2576	4792	Fgqgfl32.exe	103
PID 2576 wrote to memory of 1592	2576	Fqikob32.exe	104
PID 2576 wrote to memory of 1592	2576	Fqikob32.exe	104
PID 2576 wrote to memory of 1592	2576	Fqikob32.exe	104
PID 1592 wrote to memory of 4680	1592	Ggccllai.exe	105
PID 1592 wrote to memory of 4680	1592	Ggccllai.exe	105
PID 1592 wrote to memory of 4680	1592	Ggccllai.exe	105
PID 4680 wrote to memory of 2788	4680	Gnmlhf32.exe	106
PID 4680 wrote to memory of 2788	4680	Gnmlhf32.exe	106
PID 4680 wrote to memory of 2788	4680	Gnmlhf32.exe	106
PID 2788 wrote to memory of 2856	2788	Gdgdeppb.exe	107
PID 2788 wrote to memory of 2856	2788	Gdgdeppb.exe	107
PID 2788 wrote to memory of 2856	2788	Gdgdeppb.exe	107
PID 2856 wrote to memory of 2288	2856	Gnohnffc.exe	108
PID 2856 wrote to memory of 2288	2856	Gnohnffc.exe	108
PID 2856 wrote to memory of 2288	2856	Gnohnffc.exe	108
PID 2288 wrote to memory of 880	2288	Gdiakp32.exe	109
PID 2288 wrote to memory of 880	2288	Gdiakp32.exe	109
PID 2288 wrote to memory of 880	2288	Gdiakp32.exe	109
PID 880 wrote to memory of 4784	880	Gclafmej.exe	110
PID 880 wrote to memory of 4784	880	Gclafmej.exe	110
PID 880 wrote to memory of 4784	880	Gclafmej.exe	110
PID 4784 wrote to memory of 3528	4784	Gnaecedp.exe	111
PID 4784 wrote to memory of 3528	4784	Gnaecedp.exe	111
PID 4784 wrote to memory of 3528	4784	Gnaecedp.exe	111

C:\Users\Admin\AppData\Local\Temp\ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe
"C:\Users\Admin\AppData\Local\Temp\ffbf33956d41eefd253fbffddc74571beacef6e4784e8dbd2643e826cd4e61b2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\SysWOW64\Ejagaj32.exe
  C:\Windows\system32\Ejagaj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\Ecikjoep.exe
    C:\Windows\system32\Ecikjoep.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\SysWOW64\Ejccgi32.exe
      C:\Windows\system32\Ejccgi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 400
        21⤵
        Program crash
        
        PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3528 -ip 3528
1⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8
1⤵
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eajlhg32.exe

Filesize
364KB

MD5
792726138ebc4f3ffcad1369f2594c68

SHA1
68234dae05957b12814ee7009b3a7ec4f5fef108

SHA256
080acdcd8d62427fda86de34ac0a9645394528c2943fb536b401713f1a3f24e3

SHA512
04447fe7a7ca6864676dc6f6d45368e0ee26f54fa082f8c529622fbd80435cf49ea6d09e780ffd04b7fe77473310ecc4cef0a25499d418d317f3ff51e9367ddf

Download Submit
C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
364KB

MD5
e6b7c5536c75a3f3eb673f8a72d13f7e

SHA1
38a45fa029431d247910b43b26bd95863cbbefa0

SHA256
f8ecc32d0b6a4a99e9b1f8c014c962f5bf7a5745d4ac5317a57025dd2e80c617

SHA512
55a7717f11feebd892dbf5c96538adb0df78dc238669741d874c607a5e66337ce50f4a241148c61906e6c701879ecee0c70928d554b267837e7763202e121d98

Download Submit
C:\Windows\SysWOW64\Ejagaj32.exe

Filesize
364KB

MD5
fd624665adc75c1e8a14ac0f2db4353d

SHA1
7eea684a5ac168b393eaab4c4144e001b19e8d25

SHA256
e26310e3a83ed3666c212c9eb1bef8f102079684313d2934dc3d12822e56b456

SHA512
493dd9659a819cac9749cf746909d70e5eb40fa23ac50b9d558d93b260c6c96e14189d865b8bbeb530ac267d6fd76bcf54ddf8a5bb4372fc8baf3391ad0424eb

Download Submit
C:\Windows\SysWOW64\Ejccgi32.exe

Filesize
364KB

MD5
a3253881b9ba392d6c930729504c6600

SHA1
8e5d30e8d28265d7ec35c3daeb5f7b37de64963c

SHA256
2a9b424e05e1a4818110124788492c76078d9f9019419e9262d36f32dc46128b

SHA512
0c476d6b5bdac8cc0c457a6f16fc0259a7f343ec34c193359b1513bcfb6cf86906c7e8ca8e3d22fcc30b0f35578b59ba63c8803e507b84d74acbf849c3b56b01

Download Submit
C:\Windows\SysWOW64\Fbaahf32.exe

Filesize
364KB

MD5
01864e4f8a0f58d4b0b679d95ca34194

SHA1
97753b352756d4f3ad78f8ab8c8ea7288ba2a35a

SHA256
3d3f7674d16b6c4a4792577f4b4ebaf5676736e725a3988d26e6138e52f03688

SHA512
af894e106c06f01c8c22177b58726504a82e5511365e44f10b54f1a3fbf253df42e389b20be4c03cf83cc21abe747bd57be1cb0ebd032516ad690dde0a6f5397

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
364KB

MD5
ff846f97a7a57eadd39ec9735ff8c471

SHA1
b96f7fa18b4af5307985b33c51746ea6d66d948a

SHA256
3f51e6b612bb11af95a182cd4fda75bf46e962307d7874d8a05f5fc469e4c0e3

SHA512
be2bc13e52b5fe49fc8e31959fefe0db5a5020baf87408d555b6452e17e0f7aebe586f8547a1b7c94ff646ae4717608d8dabbbec90fea738138698ea9a98e49d

Download Submit
C:\Windows\SysWOW64\Fdmaoahm.exe

Filesize
364KB

MD5
357a6b66623104ab9f1c24a5114398d5

SHA1
90d5635ed3c67ba799048776fa0d724277d8ff0c

SHA256
d63fb1bc621b308be8aeddccc1cac194bfac37d8a7555b2322d1c3f548bcb14e

SHA512
4766a8ac11efb7daf46d36c149c0dcb542b5ad57b85caa792efcc80ba37335bd31a7de0d3644bd34f91855074d25859ffae64757c4456e721321194a2f7e282f

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
364KB

MD5
47cf74b9e25b74d22653a06121becbae

SHA1
ab385f8f3dc93cb5e9ec5ca3d57a688ffc394e7a

SHA256
441cb22831902b0ddb958594471ac6653d7157b78ed3a569fbb901e7363043ae

SHA512
b7aacafbdbf051eb85da5375ade7f5610ac87baf1e81852328b420310fed2b17686110fec0e0361ce2ab46c31bcc2a83660853a2beeabd4d236ffb41a29e8b98

Download Submit
C:\Windows\SysWOW64\Fgqgfl32.exe

Filesize
364KB

MD5
cf7f8b156399f266b47f67bb8736d4fd

SHA1
8aa22d2571f3837196db7a482a036c35738f81dd

SHA256
fa804d1a469037d9320fab1c5118566504683103a0c320a6168c0175c2e02af6

SHA512
482e1e61ee02e5dfbaa78919d80daca2d84e95d7e0b0821d002277abc07fbfb45adac67be65a77075d760dedaa633efa6bdd0d4078e3874be23e4881b612285e

Download Submit
C:\Windows\SysWOW64\Fkjfakng.exe

Filesize
364KB

MD5
915c31efa6e0081bfde214cb3fc2d0a2

SHA1
eeb9a7c436b56d407197653a72221879b263363e

SHA256
f8ccddfba87af556e94f8144b81a54a56faf561d77440824675c2faf1ca3cc66

SHA512
87cda472b39e05a683b914e587081f71299d78ecb83e62e7dcb68b5e71644a5c40f06b3d4f1a6d0bbe7170994841b04aabe3ed3af7d5dd35b01eca7c471344e8

Download Submit
C:\Windows\SysWOW64\Fqikob32.exe

Filesize
364KB

MD5
51a556e3fa7dc062217663c625233878

SHA1
6122da14d3a7c671009b1a7c9aad9924cce1ef4c

SHA256
87c5257fea69240a559b964f125773b4b55f0598eddfcc69c67652dc50400891

SHA512
e4f9e6fac659e5ecb3beb8ee264428e485d3114ce6d0a80e44be1ee0022397fb90bb6766e4051b9b7a6af405dc7471d0b59dda7686f702defa80ac7556037eba

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
364KB

MD5
f9c2dfaab654616fb3ff44e416b92548

SHA1
96b060902fc24528089f10f2cd9673dcd3926156

SHA256
19b8fb3cd05ab277ecc52fff0f8fe9e0af04801e62905d6e8cfe7e64c35d8e3e

SHA512
2943d1716af0207eea515452ceeeb3d7d09add1210a36ed7500bc9aef50865b658c5fc52cb8c89280920ac620f13333614098ae808763440f40581016f2f26df

Download Submit
C:\Windows\SysWOW64\Gclafmej.exe

Filesize
364KB

MD5
23f895197bc771b92f3d6e73aa677c78

SHA1
d9cd0d199013000a5f4418832b87430897166523

SHA256
287360ade9f9bdd74d9769587afdc6b6d63efa72010ab1eca022dfee92cd8624

SHA512
795e3f8552aea2bcb7562b511617fd941be783b8ec1adc45304c94396cc149e0415e0f0484602addadff864829ba1d4e57d6d512a21ffa00366fba1fad4fc006

Download Submit
C:\Windows\SysWOW64\Gdgdeppb.exe

Filesize
364KB

MD5
b960cf65faddeb8682efa5b0c7e2d352

SHA1
149df444d75e0403a141729bc989f184897c3f75

SHA256
04da2aa522aaf6c0d41aec300658209747c3d90178a93a0ce58cf495ee67ab84

SHA512
4faeeb7db4eba4c076a943695fe28be7ade51d8192a819eec6329a51025c31e0fc90c23c36994a1dc45921a00691c169636dd6345ea344a71b44307698016b5a

Download Submit
C:\Windows\SysWOW64\Gdiakp32.exe

Filesize
364KB

MD5
867a0af714403575df892670df03abf8

SHA1
ea684a2255d08c36a32fe76d7638c8bf9e712e92

SHA256
56ce47395cd141217084a826fcf7549dff4f9cd341edbcc1b9b69eccd4005089

SHA512
0b2b7028ee45535c8f2fc5c7553327b85fba1abeb9c623d983fe4f1c9daf08dcbdaafdce75c2531be0598a542d3d0448711f374f5aeb155026deeeb4f37f01c7

Download Submit
C:\Windows\SysWOW64\Ggccllai.exe

Filesize
364KB

MD5
ecdbbffe586665aa02025042cff5c232

SHA1
910b00bfc233822de5fbc3fc6637b5ba9ea6ee35

SHA256
724494cc53bcc1050a592ea92906d55207c5e1d0601aaff9e5342c26ae70dfaa

SHA512
188c20900607cca68cad4aeee3af6bd40ccf21bcc300a8206f08655f3a72242edbc9654864a2ae131fa8e20df113f8c118816bde5559249b23ac1272ad18c348

Download Submit
C:\Windows\SysWOW64\Gnaecedp.exe

Filesize
364KB

MD5
02ed9a550ee80206d4e11d6d7a65557a

SHA1
669cbd685c8bc045d2ea831c6344739268ea95e3

SHA256
f0cbb492dd8619d64ea747352cc7f0b9c41ef56719b81d0d72bd978b9ab18d30

SHA512
b11011b90df6dcd4ab8db0477ad7b159814c5a142761579c0dc22745928d5f1fe7aaf2df5a313b31dc440b94e33340e6adf1e68632530c9766bc1c4f9fb222e4

Download Submit
C:\Windows\SysWOW64\Gnmlhf32.exe

Filesize
364KB

MD5
9d2801f5e25501a3c3060974a47d8c72

SHA1
606d44f597c1763bf04587e67543b3bf46bd0455

SHA256
88119277419d5823cb90ad3b15b45ac28952bfa96701b3592bdb9348b5e18ca1

SHA512
33efb59d810a9a3718465278ad8a72111414df61a78d972d74a887646a849e4d19317bea4fcde1f6d56599c79e627cd2cce08e47721d4292f8ffe76907ebe9cf

Download Submit
C:\Windows\SysWOW64\Gnohnffc.exe

Filesize
364KB

MD5
6295d24a46bc1a8ee129727e669deca9

SHA1
88bb0d174c6e8f21b174c7b65dc4fab23f8756b5

SHA256
8fd79e0cc300eabe49dbe7640e687c68caee6ad605ed1673ed87009af894c9c1

SHA512
af2e1a8978deee47aece00e4bd3c00e898f6d48f0af40d90e0f11a462c662a52a5a7812f7c505ed9f451e4c6183db5d793a070b95413f72c10f6f85e6b99cdaf

Download Submit
memory/680-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/680-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/880-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/880-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4836-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4836-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4888-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4888-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads