df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097

Analysis

max time kernel
114s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe
Size

350KB
MD5

760a8f33a2b31c93ec8ec7b6e98cdc50
SHA1

e56874573ca89c354fd1631f02e5581416b16394
SHA256

df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097
SHA512

e7549361c00505c2015acf7b7880722ab1ba8156607f33760e60e4f6a99d1afa88347a79358561f9e7c89baf3a76cb9ce1a25a9ef7f415e14d4ba57d2f090a96
SSDEEP

6144:aOvbcu/XhUYVtpHVILifyeYVDcfflXpX6LRifyeYVDc:PvoZ6HyefyeYCdXpXZfyeY

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fglnkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe

Executes dropped EXE 20 IoCs

pid	Process
1708	Ekngemhd.exe
4972	Ekqckmfb.exe
3648	Fggdpnkf.exe
1508	Fjeplijj.exe
1716	Fqphic32.exe
1520	Fcneeo32.exe
712	Fkemfl32.exe
4320	Fncibg32.exe
3472	Fqbeoc32.exe
2256	Fglnkm32.exe
1516	Fjjjgh32.exe
2568	Fnffhgon.exe
1324	Fdpnda32.exe
4780	Fgnjqm32.exe
1892	Fnhbmgmk.exe
2756	Fqfojblo.exe
3156	Fgqgfl32.exe
1592	Fjocbhbo.exe
1608	Fbfkceca.exe
3784	Gddgpqbe.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kamonn32.dll	df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe
File created	C:\Windows\SysWOW64\Iffahdpm.dll	Fjeplijj.exe
File opened for modification	C:\Windows\SysWOW64\Fbfkceca.exe	Fjocbhbo.exe
File opened for modification	C:\Windows\SysWOW64\Fjjjgh32.exe	Fglnkm32.exe
File opened for modification	C:\Windows\SysWOW64\Fdpnda32.exe	Fnffhgon.exe
File created	C:\Windows\SysWOW64\Fgnjqm32.exe	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Fohoiloe.dll	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Fqbeoc32.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Fnffhgon.exe	Fjjjgh32.exe
File opened for modification	C:\Windows\SysWOW64\Fjocbhbo.exe	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Hdeeipfp.dll	Fglnkm32.exe
File opened for modification	C:\Windows\SysWOW64\Fgqgfl32.exe	Fqfojblo.exe
File opened for modification	C:\Windows\SysWOW64\Ekngemhd.exe	df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe
File created	C:\Windows\SysWOW64\Fggdpnkf.exe	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Eacdhhjj.dll	Fggdpnkf.exe
File opened for modification	C:\Windows\SysWOW64\Fkemfl32.exe	Fcneeo32.exe
File created	C:\Windows\SysWOW64\Fqphic32.exe	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Fpiedd32.dll	Fjocbhbo.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Fkemfl32.exe	Fcneeo32.exe
File created	C:\Windows\SysWOW64\Fglnkm32.exe	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Mkhpmopi.dll	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Eclhcj32.dll	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Nailkcbb.dll	Fcneeo32.exe
File created	C:\Windows\SysWOW64\Gokfdpdo.dll	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Fdpnda32.exe	Fnffhgon.exe
File opened for modification	C:\Windows\SysWOW64\Fgnjqm32.exe	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fbfkceca.exe
File opened for modification	C:\Windows\SysWOW64\Fggdpnkf.exe	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Blghiiea.dll	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Fjeplijj.exe	Fggdpnkf.exe
File opened for modification	C:\Windows\SysWOW64\Fqphic32.exe	Fjeplijj.exe
File opened for modification	C:\Windows\SysWOW64\Fqfojblo.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Ldicpljn.dll	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Fbfkceca.exe	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Fcneeo32.exe	Fqphic32.exe
File created	C:\Windows\SysWOW64\Ajgqdaoi.dll	Fqphic32.exe
File created	C:\Windows\SysWOW64\Fncibg32.exe	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Gihfoi32.dll	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Fqfojblo.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Begndj32.dll	Fkemfl32.exe
File opened for modification	C:\Windows\SysWOW64\Fnffhgon.exe	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Iolgql32.dll	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Ekqckmfb.exe	Ekngemhd.exe
File opened for modification	C:\Windows\SysWOW64\Fcneeo32.exe	Fqphic32.exe
File created	C:\Windows\SysWOW64\Bejceb32.dll	Fnffhgon.exe
File created	C:\Windows\SysWOW64\Ekngemhd.exe	df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe
File created	C:\Windows\SysWOW64\Fjjjgh32.exe	Fglnkm32.exe
File created	C:\Windows\SysWOW64\Fjocbhbo.exe	Fgqgfl32.exe
File opened for modification	C:\Windows\SysWOW64\Ekqckmfb.exe	Ekngemhd.exe
File opened for modification	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Fgqgfl32.exe	Fqfojblo.exe
File opened for modification	C:\Windows\SysWOW64\Fglnkm32.exe	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Nnimkcjf.dll	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fgnjqm32.exe
File opened for modification	C:\Windows\SysWOW64\Fjeplijj.exe	Fggdpnkf.exe
File opened for modification	C:\Windows\SysWOW64\Fncibg32.exe	Fkemfl32.exe
File opened for modification	C:\Windows\SysWOW64\Fqbeoc32.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Gadeee32.dll	Fncibg32.exe

Program crash 1 IoCs

pid	pid_target	Process
2932	3784	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqphic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcneeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fglnkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkemfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjocbhbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fggdpnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjeplijj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjjgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekqckmfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpnda32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamonn32.dll"	df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdeeipfp.dll"	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffahdpm.dll"	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokfdpdo.dll"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejceb32.dll"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldicpljn.dll"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blghiiea.dll"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacdhhjj.dll"	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgqdaoi.dll"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gihfoi32.dll"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll"	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnimkcjf.dll"	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadeee32.dll"	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiedd32.dll"	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolgql32.dll"	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclhcj32.dll"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjocbhbo.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1708	1376	df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe	89
PID 1376 wrote to memory of 1708	1376	df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe	89
PID 1376 wrote to memory of 1708	1376	df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe	89
PID 1708 wrote to memory of 4972	1708	Ekngemhd.exe	90
PID 1708 wrote to memory of 4972	1708	Ekngemhd.exe	90
PID 1708 wrote to memory of 4972	1708	Ekngemhd.exe	90
PID 4972 wrote to memory of 3648	4972	Ekqckmfb.exe	91
PID 4972 wrote to memory of 3648	4972	Ekqckmfb.exe	91
PID 4972 wrote to memory of 3648	4972	Ekqckmfb.exe	91
PID 3648 wrote to memory of 1508	3648	Fggdpnkf.exe	92
PID 3648 wrote to memory of 1508	3648	Fggdpnkf.exe	92
PID 3648 wrote to memory of 1508	3648	Fggdpnkf.exe	92
PID 1508 wrote to memory of 1716	1508	Fjeplijj.exe	93
PID 1508 wrote to memory of 1716	1508	Fjeplijj.exe	93
PID 1508 wrote to memory of 1716	1508	Fjeplijj.exe	93
PID 1716 wrote to memory of 1520	1716	Fqphic32.exe	94
PID 1716 wrote to memory of 1520	1716	Fqphic32.exe	94
PID 1716 wrote to memory of 1520	1716	Fqphic32.exe	94
PID 1520 wrote to memory of 712	1520	Fcneeo32.exe	95
PID 1520 wrote to memory of 712	1520	Fcneeo32.exe	95
PID 1520 wrote to memory of 712	1520	Fcneeo32.exe	95
PID 712 wrote to memory of 4320	712	Fkemfl32.exe	96
PID 712 wrote to memory of 4320	712	Fkemfl32.exe	96
PID 712 wrote to memory of 4320	712	Fkemfl32.exe	96
PID 4320 wrote to memory of 3472	4320	Fncibg32.exe	97
PID 4320 wrote to memory of 3472	4320	Fncibg32.exe	97
PID 4320 wrote to memory of 3472	4320	Fncibg32.exe	97
PID 3472 wrote to memory of 2256	3472	Fqbeoc32.exe	98
PID 3472 wrote to memory of 2256	3472	Fqbeoc32.exe	98
PID 3472 wrote to memory of 2256	3472	Fqbeoc32.exe	98
PID 2256 wrote to memory of 1516	2256	Fglnkm32.exe	99
PID 2256 wrote to memory of 1516	2256	Fglnkm32.exe	99
PID 2256 wrote to memory of 1516	2256	Fglnkm32.exe	99
PID 1516 wrote to memory of 2568	1516	Fjjjgh32.exe	100
PID 1516 wrote to memory of 2568	1516	Fjjjgh32.exe	100
PID 1516 wrote to memory of 2568	1516	Fjjjgh32.exe	100
PID 2568 wrote to memory of 1324	2568	Fnffhgon.exe	101
PID 2568 wrote to memory of 1324	2568	Fnffhgon.exe	101
PID 2568 wrote to memory of 1324	2568	Fnffhgon.exe	101
PID 1324 wrote to memory of 4780	1324	Fdpnda32.exe	102
PID 1324 wrote to memory of 4780	1324	Fdpnda32.exe	102
PID 1324 wrote to memory of 4780	1324	Fdpnda32.exe	102
PID 4780 wrote to memory of 1892	4780	Fgnjqm32.exe	103
PID 4780 wrote to memory of 1892	4780	Fgnjqm32.exe	103
PID 4780 wrote to memory of 1892	4780	Fgnjqm32.exe	103
PID 1892 wrote to memory of 2756	1892	Fnhbmgmk.exe	104
PID 1892 wrote to memory of 2756	1892	Fnhbmgmk.exe	104
PID 1892 wrote to memory of 2756	1892	Fnhbmgmk.exe	104
PID 2756 wrote to memory of 3156	2756	Fqfojblo.exe	105
PID 2756 wrote to memory of 3156	2756	Fqfojblo.exe	105
PID 2756 wrote to memory of 3156	2756	Fqfojblo.exe	105
PID 3156 wrote to memory of 1592	3156	Fgqgfl32.exe	106
PID 3156 wrote to memory of 1592	3156	Fgqgfl32.exe	106
PID 3156 wrote to memory of 1592	3156	Fgqgfl32.exe	106
PID 1592 wrote to memory of 1608	1592	Fjocbhbo.exe	107
PID 1592 wrote to memory of 1608	1592	Fjocbhbo.exe	107
PID 1592 wrote to memory of 1608	1592	Fjocbhbo.exe	107
PID 1608 wrote to memory of 3784	1608	Fbfkceca.exe	108
PID 1608 wrote to memory of 3784	1608	Fbfkceca.exe	108
PID 1608 wrote to memory of 3784	1608	Fbfkceca.exe	108

C:\Users\Admin\AppData\Local\Temp\df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe
"C:\Users\Admin\AppData\Local\Temp\df4b5387fce125e420e7e1903bd56f8a3d40a16ee029f21c9c7eed90ec09c097N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\Ekngemhd.exe
  C:\Windows\system32\Ekngemhd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\Ekqckmfb.exe
    C:\Windows\system32\Ekqckmfb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\SysWOW64\Fggdpnkf.exe
      C:\Windows\system32\Fggdpnkf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3648
    - - C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 400
        22⤵
        Program crash
        
        PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3784 -ip 3784
1⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8
1⤵
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ekngemhd.exe

Filesize
350KB

MD5
56e273867dbe85cb93a86dab319a3773

SHA1
3b494c151a39343d32fc3a682405296d893d4b74

SHA256
8d84b311049221947987533ba86084aef47c86347879a5a96eae3ffe3ad492d9

SHA512
26fbdfc5addddac2ac9a38643b84f983bde25442319759482db16ae6ce349e2c77e09e2e5db0b58cfa1faf71da5fa54e47b51f625f4cb39cb599a12716d650c0

Download Submit
C:\Windows\SysWOW64\Ekqckmfb.exe

Filesize
350KB

MD5
c0e70c0924d209e7c44b057a3a1db65d

SHA1
58810f8d694aff870a5efd603faee9e0e3d38345

SHA256
4d290eaffba304a689edc42ab5e2a08ffd679c3b7c5f0d32a7b3e589e9711986

SHA512
fb5e3a8a9716932db0c04a1f7143dd0f831ca47a45ca438ae9b6c0a823488717475d3daa4d1bb82de73e0076008343b7225d948f62907ca7c5a0794b160418ce

Download Submit
C:\Windows\SysWOW64\Fbfkceca.exe

Filesize
350KB

MD5
0966c1a9cc14d778e6e70cc081917b56

SHA1
bbb8507d82093baa8fb12bc1d0d8da95a6d4278a

SHA256
1e33105f6bf335b41a16634ee90517142feaf8da4ba541c40bd1816247c708a4

SHA512
3a8d784ae0466e5079865739bd5802e6a7fc1a96ca4bec1649f50acedc84a5a906736524182e44c1181375a076e128fee32fb94d5cc8aa635b0a8310b76a2f5d

Download Submit
C:\Windows\SysWOW64\Fcneeo32.exe

Filesize
350KB

MD5
9ef6e019201842df305a531a0aa65d08

SHA1
5266d179946c2d4774566543294e20464ad70c99

SHA256
32700627abf49d1cb91a4912c3ef41c2a58fe88d00134c793edf2d18ff4354a0

SHA512
25c6435ab6c428b812db76472687e35bd7eae5299767697bca84443d87412c241eb23b92fce67cf729ebffe12b2e874f665362d35b09ef1dd806f41516e80b51

Download Submit
C:\Windows\SysWOW64\Fdpnda32.exe

Filesize
350KB

MD5
e818cd3ac0de13e38cff8f335e8bca1f

SHA1
6828eb4764809aaca8907858bd270e4ee586c1ad

SHA256
c527ff0b584b85617544667d1dd3cafc21af9e5128a40e11069169499a43f9a1

SHA512
57ccfc22a4cc415afae5595d5837de8d0eeafc7b32d002a954edcd0cefa81ecc1dfda9b2df5606df02c816c96909a5c49e703a69db0ab530e9fa11a2bae8a652

Download Submit
C:\Windows\SysWOW64\Fggdpnkf.exe

Filesize
350KB

MD5
f320056647616b5dcfb5775bff67b3de

SHA1
59be4ea01d265c87bea64bfc0eb0c44123ed2ef0

SHA256
80432803547d47d086a0d07decd0dee7a66cb304b29d37fa208d7b85e34d0961

SHA512
2292f97f2f7285d7b3477185bd453bbc4bd241203d7e3f43e1ad3293e457c109ada614322af0753db06852e6a127dbb54a8cb404bf2ecc40bbff18fe0cb27617

Download Submit
C:\Windows\SysWOW64\Fglnkm32.exe

Filesize
350KB

MD5
e9325b2afabe3ea97f4adf0a982639e8

SHA1
15b291f2df14ab6511bcbbdb4250c05c189ea8f4

SHA256
610d2acea5e2173acd738f44ad87f1b004dc6de2907f88576142929aa2d0f6a9

SHA512
471e2b5520381310d77dd598cef8af9ee7b0663ed27e1a84c0fa6d384d6f8c0ae130e061058ad5d082d7ad14531a19e8b7d00a2d13928216ca6327e8d8c94d41

Download Submit
C:\Windows\SysWOW64\Fgnjqm32.exe

Filesize
350KB

MD5
57a7dcc5122cd34eddf76023c6a85515

SHA1
89060fb3f6a1d9b567de50cca823b12a4a82f662

SHA256
233358b8e2eae7b3bd5bbbdc9e92cb575bd531d07bfdb3bedfe21d5f3c7cfa52

SHA512
c54638621c079ba6188f67e190a5a76c55791a797b19bdd39b9c5cef43b72351f76f3f6e7df398aa1fc7c9187c28cae1e39fb61396edd017f627dbacd308ce20

Download Submit
C:\Windows\SysWOW64\Fgqgfl32.exe

Filesize
350KB

MD5
5379c7e53b9c258b1e316394df5ca56f

SHA1
5776544e7a4c283f326d5914c02aecaeac3b266e

SHA256
d9f35a465cb2aa1a8187d596728d81cfa8c52fd93885fd4d4d0623d36891242c

SHA512
1a0a21985c90e9638cbb5f40294421614fd4a69dfec76a65a1687faaf5ccca5b569d5a9c5a4e0155852315b932723a0e0125359861c0262f0e0de6a439c5b778

Download Submit
C:\Windows\SysWOW64\Fjeplijj.exe

Filesize
350KB

MD5
9771d99f7a5c60cfd7426ae635dc9ffb

SHA1
d96211721e41609b74af27f2044c33e611e48453

SHA256
497aa7d7352e82e785bdb8a0162fa0fabd6096c88f964c7c3bd30af6f5e039d4

SHA512
825600815a2ff9429f49144475ebf614f3ae0a447ded42bda6945271e3429ef0b8863ef6e6d990fbc724a8bdc29e1e8b140aa5afba66d3e01a82f6085778f844

Download Submit
C:\Windows\SysWOW64\Fjjjgh32.exe

Filesize
350KB

MD5
c7460e1873070175ec1dbff958512bda

SHA1
ce3203b5fcd5f75c1e8a6abaadcb9a91ba399aa5

SHA256
8b5dbaa44f94a94393c5edfee39b6f8ee377f82ac894a5d9c0f91b6f0625915d

SHA512
a71ca3d29b4c278f76ae325ca2101fe30a210ddd57a2b9b87af7858a2210aa5af38a30ac721b29327571ef62996df091c276188b14c18e163406f8f8ab47b6e5

Download Submit
C:\Windows\SysWOW64\Fjocbhbo.exe

Filesize
350KB

MD5
8c75532d7a1eaad4297048e012f5e82a

SHA1
5ae28e03e3c188d9017f1009f4b1923462ea8086

SHA256
c61c7ea22b50893cbf2256da9a92a2e5e74e66b85cd1bea960e1e791ed6be777

SHA512
8746f12990b32e4d0c7e20fb360ab4adf3e515e413aacd697377bdb5bb6d269740a3bc3b937b45af34966936af8830e0b2291c06cd68b18773a4b4d67067c33e

Download Submit
C:\Windows\SysWOW64\Fkemfl32.exe

Filesize
350KB

MD5
dcb1ef7aadfe262dd092d43c9ea43107

SHA1
bd2c87598bd96e610baed3c1166dbef30465e8c7

SHA256
dc34afeb9240e7bf29867588cf09b952fb551e9b96494af0f5341c0ec4cf3699

SHA512
3d172e750ceb13d237cc38762afd5f25c9347d981c881210dfe1f81e55235240c3eb820555787f5d7962e48c520fae8e4d9dab56e60feb2f8202bebfaaf54c57

Download Submit
C:\Windows\SysWOW64\Fncibg32.exe

Filesize
350KB

MD5
ad6505cfb77e92fa34e9c142f4a32257

SHA1
7eb7b14170b1d8038140230c3a7e0bf8d160cb0c

SHA256
badfdb531276d3c75781b4c6aab485a8e0c64acffa51a7a963fb6c8c2e3af0d4

SHA512
1fc092484b84ed27632d39d99ec7da8f90d2328b0ed273b24b358b98384d2a53f9aa1e13e34173c672a5ebdaead84853d15338e039c433f103d54648edf47873

Download Submit
C:\Windows\SysWOW64\Fnffhgon.exe

Filesize
350KB

MD5
efaffb5c92e73c1731d158dd0a17e4ae

SHA1
58e0d4c9fc097958d6c448812611f0192e1be87a

SHA256
469a4c18949562425437a7aee3b18c4608d18ef7ef5520c07c1c9bf9abe60011

SHA512
4c308413d6de60055a58cd10fdddc6123966382547b3f7cb4acc30b0feeeb7714a8c35995d95a682cbbf3a355192d3947ba72b511f14f386d0a155de0e71274c

Download Submit
C:\Windows\SysWOW64\Fnhbmgmk.exe

Filesize
350KB

MD5
fa926327a67bfddbc5a4c3acacad508a

SHA1
9ef5216d0150cc27940bd66ca3ba2fefcaacb51d

SHA256
189254314aa4cda6d90e229bc3bd98ce3beebda8c775fd821b6ea7985711b494

SHA512
95b3a1efe8e4bc8c833b696b263661a8a33a4676d9adc364e8b1c63547a2823eddb9eca0cae847b1389476a2a694f84cdcd35bb2d2d95d64137e479a6f9f2af0

Download Submit
C:\Windows\SysWOW64\Fqbeoc32.exe

Filesize
350KB

MD5
c19597f0643cdd5f15d0f611a4603075

SHA1
4786f403d2d0b6435b5f5ec7d5f1aab796de7b89

SHA256
bc33013ecbcfe8a4947043756202086944abb797513d50bc90303b5330e6a17c

SHA512
ce16293d8abb748f6afe786b2b2e57a9b669be47d0bab37272049caa1a141027c83054696ad0702ce545f187424e1ef83ab99602c348e41f51274b0691c8d899

Download Submit
C:\Windows\SysWOW64\Fqfojblo.exe

Filesize
350KB

MD5
5e5b1e72267b30ad5f882901bb306973

SHA1
e5c15178dd0006da3ef3d142f51a7af18b3d7980

SHA256
33166932093cab9d3a4d9cfa13a295de02f337fc4e53b5b46b100c372d0c9d01

SHA512
bada066e248ba258bcacb0c2094d09b0df9af91e061b46859a467977dbdd5f0ee53b9fd60590808f8434797964fe9be932e24e71579e262fd3f9508065a70247

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe

Filesize
350KB

MD5
6a86ab087d99afa9443d3cde537c6d73

SHA1
8b56bc42424c30f42f1e6005d01ff3fea1b449ac

SHA256
f85859c89420a10aaaafc288d7b302f5f63d174db06195f7e0a2346cfa29a41a

SHA512
5cbbe1bcdba1a2106f983f9bca8a0fc85aef27fc45b55ced1e3c4fdf8f6290013627998da10672417746123fcd6be9c4f9518278873f84edcb10ac7fb6caa0ac

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
350KB

MD5
05f33e935732e5af59d019930fea36f2

SHA1
bbddf60f698ba96a6a3323997f789f8e633c3349

SHA256
0a16eb3feed982cd4fa06878e7a7266d4322f2c31fd9eacc81c0904eb7d83a8a

SHA512
cee6e3ac35f1d382fc169b6650fcfbb3cd5d222a4d6675e6e0cbf9b5ee1814606cc02b99cdb8bdf9f71b03f7da79851c1c463e51e8e63752a771d3d437fbae69

Download Submit
memory/712-187-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/712-62-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1324-109-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1324-175-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1376-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1376-201-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1376-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1508-193-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1508-37-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1516-93-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1516-179-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1520-53-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1520-189-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1592-148-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1592-165-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1608-156-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1608-163-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1708-8-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1708-199-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1716-191-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1716-40-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1892-125-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1892-171-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2256-181-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2568-101-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2568-177-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2756-169-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2756-133-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3156-167-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3472-183-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3472-77-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3648-25-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3648-195-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3784-161-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3784-159-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4320-185-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4320-70-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4780-173-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4780-117-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4972-17-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4972-197-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads