Analysis

Max time kernel: 143s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 10-03-2024 20:45
Static task: static1

Behavioral task: behavioral1
  Sample: 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
  Resource: win10v2004-20240226-en
General

Target: 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
Size: 427KB
MD5: f8660b3e04c705edefbd1502dc6544b4
SHA1: cb5774d1e2a70f0a130ffa4af8ee9e4c81306289
SHA256: 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8
SHA512: d5d8be773ccb1e1be6f350fa75f08c7acd8579227f6da9829360fcd1ba99073f54906a39309845a369217d7f6c7663a807249a4d3cd03ff5d1da64b104791131
SSDEEP: 6144:twmi+7GXeSTYaT15f7o+STYaT15fAK8yfMx/D4LJZPlVcxqy1:uK7sTYapJoTYapz8ye49vWq
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 28 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Epieghdk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggpimica.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjhhocjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epieghdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ggpimica.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ealnephf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjhhocjj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmhheqje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fmlapp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gopkmhjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fmhheqje.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjlhneio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Goddhg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpmgqnfl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ealnephf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcmgfkeg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmlapp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gopkmhjk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgdbhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgdbhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fcmgfkeg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Goddhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpmgqnfl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjjddchg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fjlhneio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjjddchg.exe
Executes dropped EXE (14 IoCs)

pid | Process
1556 | Epieghdk.exe
2480 | Ealnephf.exe
2576 | Fcmgfkeg.exe
2488 | Fmhheqje.exe
2536 | Fjlhneio.exe
2296 | Fmlapp32.exe
2716 | Gopkmhjk.exe
2776 | Goddhg32.exe
1176 | Ggpimica.exe
2128 | Hgdbhi32.exe
2552 | Hpmgqnfl.exe
2292 | Hjhhocjj.exe
2952 | Hjjddchg.exe
2260 | Iagfoe32.exe
Loads dropped DLL (32 IoCs)

pid | Process
2856 | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
2856 | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
1556 | Epieghdk.exe
1556 | Epieghdk.exe
2480 | Ealnephf.exe
2480 | Ealnephf.exe
2576 | Fcmgfkeg.exe
2576 | Fcmgfkeg.exe
2488 | Fmhheqje.exe
2488 | Fmhheqje.exe
2536 | Fjlhneio.exe
2536 | Fjlhneio.exe
2296 | Fmlapp32.exe
2296 | Fmlapp32.exe
2716 | Gopkmhjk.exe
2716 | Gopkmhjk.exe
2776 | Goddhg32.exe
2776 | Goddhg32.exe
1176 | Ggpimica.exe
1176 | Ggpimica.exe
2128 | Hgdbhi32.exe
2128 | Hgdbhi32.exe
2552 | Hpmgqnfl.exe
2552 | Hpmgqnfl.exe
2292 | Hjhhocjj.exe
2292 | Hjhhocjj.exe
2952 | Hjjddchg.exe
2952 | Hjjddchg.exe
1948 | WerFault.exe
1948 | WerFault.exe
1948 | WerFault.exe
1948 | WerFault.exe
Drops file in System32 directory (42 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Ealnephf.exe | Epieghdk.exe
File created | C:\Windows\SysWOW64\Facklcaq.dll | Ealnephf.exe
File created | C:\Windows\SysWOW64\Fjlhneio.exe | Fmhheqje.exe
File opened for modification | C:\Windows\SysWOW64\Hgdbhi32.exe | Ggpimica.exe
File opened for modification | C:\Windows\SysWOW64\Goddhg32.exe | Gopkmhjk.exe
File created | C:\Windows\SysWOW64\Hjhhocjj.exe | Hpmgqnfl.exe
File opened for modification | C:\Windows\SysWOW64\Fcmgfkeg.exe | Ealnephf.exe
File created | C:\Windows\SysWOW64\Jeccgbbh.dll | Fcmgfkeg.exe
File created | C:\Windows\SysWOW64\Fmlapp32.exe | Fjlhneio.exe
File created | C:\Windows\SysWOW64\Gopkmhjk.exe | Fmlapp32.exe
File opened for modification | C:\Windows\SysWOW64\Fmhheqje.exe | Fcmgfkeg.exe
File created | C:\Windows\SysWOW64\Qhbpij32.dll | Gopkmhjk.exe
File opened for modification | C:\Windows\SysWOW64\Hjjddchg.exe | Hjhhocjj.exe
File created | C:\Windows\SysWOW64\Gjenmobn.dll | Hjjddchg.exe
File created | C:\Windows\SysWOW64\Fenhecef.dll | Hpmgqnfl.exe
File created | C:\Windows\SysWOW64\Gcmjhbal.dll | Epieghdk.exe
File created | C:\Windows\SysWOW64\Bcqgok32.dll | Fjlhneio.exe
File created | C:\Windows\SysWOW64\Cnkajfop.dll | Ggpimica.exe
File created | C:\Windows\SysWOW64\Hgpdcgoc.dll | Hgdbhi32.exe
File created | C:\Windows\SysWOW64\Hjjddchg.exe | Hjhhocjj.exe
File created | C:\Windows\SysWOW64\Mhfkbo32.dll | Hjhhocjj.exe
File created | C:\Windows\SysWOW64\Ealnephf.exe | Epieghdk.exe
File created | C:\Windows\SysWOW64\Aloeodfi.dll | Fmhheqje.exe
File created | C:\Windows\SysWOW64\Goddhg32.exe | Gopkmhjk.exe
File created | C:\Windows\SysWOW64\Ggpimica.exe | Goddhg32.exe
File created | C:\Windows\SysWOW64\Hpmgqnfl.exe | Hgdbhi32.exe
File created | C:\Windows\SysWOW64\Epieghdk.exe | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
File created | C:\Windows\SysWOW64\Fmhheqje.exe | Fcmgfkeg.exe
File opened for modification | C:\Windows\SysWOW64\Fjlhneio.exe | Fmhheqje.exe
File opened for modification | C:\Windows\SysWOW64\Ggpimica.exe | Goddhg32.exe
File created | C:\Windows\SysWOW64\Lpdhmlbj.dll | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
File opened for modification | C:\Windows\SysWOW64\Fmlapp32.exe | Fjlhneio.exe
File created | C:\Windows\SysWOW64\Jgdmei32.dll | Fmlapp32.exe
File created | C:\Windows\SysWOW64\Hgdbhi32.exe | Ggpimica.exe
File opened for modification | C:\Windows\SysWOW64\Hpmgqnfl.exe | Hgdbhi32.exe
File opened for modification | C:\Windows\SysWOW64\Hjhhocjj.exe | Hpmgqnfl.exe
File created | C:\Windows\SysWOW64\Iagfoe32.exe | Hjjddchg.exe
File opened for modification | C:\Windows\SysWOW64\Iagfoe32.exe | Hjjddchg.exe
File opened for modification | C:\Windows\SysWOW64\Epieghdk.exe | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
File created | C:\Windows\SysWOW64\Fcmgfkeg.exe | Ealnephf.exe
File opened for modification | C:\Windows\SysWOW64\Gopkmhjk.exe | Fmlapp32.exe
File created | C:\Windows\SysWOW64\Njgcpp32.dll | Goddhg32.exe
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
1948 | 2260 | WerFault.exe | 41
Modifies registry class (45 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll" | Ggpimica.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hgdbhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hpmgqnfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hjhhocjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facklcaq.dll" | Ealnephf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fmhheqje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll" | Fjlhneio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gopkmhjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll" | Fmlapp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" | Hgdbhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll" | Hpmgqnfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" | Hjjddchg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fmlapp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ggpimica.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll" | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fjlhneio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hgdbhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hjjddchg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ealnephf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll" | Fmhheqje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fjlhneio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" | Gopkmhjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Epieghdk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fcmgfkeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" | Goddhg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Goddhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Goddhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ggpimica.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll" | Hjhhocjj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Epieghdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeccgbbh.dll" | Fcmgfkeg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fmhheqje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hjjddchg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ealnephf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fmlapp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hjhhocjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjhbal.dll" | Epieghdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fcmgfkeg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gopkmhjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hpmgqnfl.exe
Suspicious use of WriteProcessMemory (60 IoCs)

description | pid | Process | procid_target
PID 2856 wrote to memory of 1556 | 2856 | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe | 28
PID 2856 wrote to memory of 1556 | 2856 | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe | 28
PID 2856 wrote to memory of 1556 | 2856 | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe | 28
PID 2856 wrote to memory of 1556 | 2856 | 425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe | 28
PID 1556 wrote to memory of 2480 | 1556 | Epieghdk.exe | 29
PID 1556 wrote to memory of 2480 | 1556 | Epieghdk.exe | 29
PID 1556 wrote to memory of 2480 | 1556 | Epieghdk.exe | 29
PID 1556 wrote to memory of 2480 | 1556 | Epieghdk.exe | 29
PID 2480 wrote to memory of 2576 | 2480 | Ealnephf.exe | 30
PID 2480 wrote to memory of 2576 | 2480 | Ealnephf.exe | 30
PID 2480 wrote to memory of 2576 | 2480 | Ealnephf.exe | 30
PID 2480 wrote to memory of 2576 | 2480 | Ealnephf.exe | 30
PID 2576 wrote to memory of 2488 | 2576 | Fcmgfkeg.exe | 31
PID 2576 wrote to memory of 2488 | 2576 | Fcmgfkeg.exe | 31
PID 2576 wrote to memory of 2488 | 2576 | Fcmgfkeg.exe | 31
PID 2576 wrote to memory of 2488 | 2576 | Fcmgfkeg.exe | 31
PID 2488 wrote to memory of 2536 | 2488 | Fmhheqje.exe | 32
PID 2488 wrote to memory of 2536 | 2488 | Fmhheqje.exe | 32
PID 2488 wrote to memory of 2536 | 2488 | Fmhheqje.exe | 32
PID 2488 wrote to memory of 2536 | 2488 | Fmhheqje.exe | 32
PID 2536 wrote to memory of 2296 | 2536 | Fjlhneio.exe | 33
PID 2536 wrote to memory of 2296 | 2536 | Fjlhneio.exe | 33
PID 2536 wrote to memory of 2296 | 2536 | Fjlhneio.exe | 33
PID 2536 wrote to memory of 2296 | 2536 | Fjlhneio.exe | 33
PID 2296 wrote to memory of 2716 | 2296 | Fmlapp32.exe | 34
PID 2296 wrote to memory of 2716 | 2296 | Fmlapp32.exe | 34
PID 2296 wrote to memory of 2716 | 2296 | Fmlapp32.exe | 34
PID 2296 wrote to memory of 2716 | 2296 | Fmlapp32.exe | 34
PID 2716 wrote to memory of 2776 | 2716 | Gopkmhjk.exe | 35
PID 2716 wrote to memory of 2776 | 2716 | Gopkmhjk.exe | 35
PID 2716 wrote to memory of 2776 | 2716 | Gopkmhjk.exe | 35
PID 2716 wrote to memory of 2776 | 2716 | Gopkmhjk.exe | 35
PID 2776 wrote to memory of 1176 | 2776 | Goddhg32.exe | 36
PID 2776 wrote to memory of 1176 | 2776 | Goddhg32.exe | 36
PID 2776 wrote to memory of 1176 | 2776 | Goddhg32.exe | 36
PID 2776 wrote to memory of 1176 | 2776 | Goddhg32.exe | 36
PID 1176 wrote to memory of 2128 | 1176 | Ggpimica.exe | 37
PID 1176 wrote to memory of 2128 | 1176 | Ggpimica.exe | 37
PID 1176 wrote to memory of 2128 | 1176 | Ggpimica.exe | 37
PID 1176 wrote to memory of 2128 | 1176 | Ggpimica.exe | 37
PID 2128 wrote to memory of 2552 | 2128 | Hgdbhi32.exe | 38
PID 2128 wrote to memory of 2552 | 2128 | Hgdbhi32.exe | 38
PID 2128 wrote to memory of 2552 | 2128 | Hgdbhi32.exe | 38
PID 2128 wrote to memory of 2552 | 2128 | Hgdbhi32.exe | 38
PID 2552 wrote to memory of 2292 | 2552 | Hpmgqnfl.exe | 39
PID 2552 wrote to memory of 2292 | 2552 | Hpmgqnfl.exe | 39
PID 2552 wrote to memory of 2292 | 2552 | Hpmgqnfl.exe | 39
PID 2552 wrote to memory of 2292 | 2552 | Hpmgqnfl.exe | 39
PID 2292 wrote to memory of 2952 | 2292 | Hjhhocjj.exe | 40
PID 2292 wrote to memory of 2952 | 2292 | Hjhhocjj.exe | 40
PID 2292 wrote to memory of 2952 | 2292 | Hjhhocjj.exe | 40
PID 2292 wrote to memory of 2952 | 2292 | Hjhhocjj.exe | 40
PID 2952 wrote to memory of 2260 | 2952 | Hjjddchg.exe | 41
PID 2952 wrote to memory of 2260 | 2952 | Hjjddchg.exe | 41
PID 2952 wrote to memory of 2260 | 2952 | Hjjddchg.exe | 41
PID 2952 wrote to memory of 2260 | 2952 | Hjjddchg.exe | 41
PID 2260 wrote to memory of 1948 | 2260 | Iagfoe32.exe | 42
PID 2260 wrote to memory of 1948 | 2260 | Iagfoe32.exe | 42
PID 2260 wrote to memory of 1948 | 2260 | Iagfoe32.exe | 42
PID 2260 wrote to memory of 1948 | 2260 | Iagfoe32.exe | 42
Processes

Process tree (the leading number is the nesting depth; each process is launched by the one listed before it):

1. C:\Users\Admin\AppData\Local\Temp\425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe"
   PID: 2856
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\Epieghdk.exe
   Command line: C:\Windows\system32\Epieghdk.exe
   PID: 1556
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\Ealnephf.exe
   Command line: C:\Windows\system32\Ealnephf.exe
   PID: 2480
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

4. C:\Windows\SysWOW64\Fcmgfkeg.exe
   Command line: C:\Windows\system32\Fcmgfkeg.exe
   PID: 2576
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

5. C:\Windows\SysWOW64\Fmhheqje.exe
   Command line: C:\Windows\system32\Fmhheqje.exe
   PID: 2488
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

6. C:\Windows\SysWOW64\Fjlhneio.exe
   Command line: C:\Windows\system32\Fjlhneio.exe
   PID: 2536
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

7. C:\Windows\SysWOW64\Fmlapp32.exe
   Command line: C:\Windows\system32\Fmlapp32.exe
   PID: 2296
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

8. C:\Windows\SysWOW64\Gopkmhjk.exe
   Command line: C:\Windows\system32\Gopkmhjk.exe
   PID: 2716
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

9. C:\Windows\SysWOW64\Goddhg32.exe
   Command line: C:\Windows\system32\Goddhg32.exe
   PID: 2776
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

10. C:\Windows\SysWOW64\Ggpimica.exe
    Command line: C:\Windows\system32\Ggpimica.exe
    PID: 1176
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

11. C:\Windows\SysWOW64\Hgdbhi32.exe
    Command line: C:\Windows\system32\Hgdbhi32.exe
    PID: 2128
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

12. C:\Windows\SysWOW64\Hpmgqnfl.exe
    Command line: C:\Windows\system32\Hpmgqnfl.exe
    PID: 2552
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

13. C:\Windows\SysWOW64\Hjhhocjj.exe
    Command line: C:\Windows\system32\Hjhhocjj.exe
    PID: 2292
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

14. C:\Windows\SysWOW64\Hjjddchg.exe
    Command line: C:\Windows\system32\Hjjddchg.exe
    PID: 2952
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

15. C:\Windows\SysWOW64\Iagfoe32.exe
    Command line: C:\Windows\system32\Iagfoe32.exe
    PID: 2260
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

16. C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 140
    PID: 1948
    - Loads dropped DLL
    - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads