02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb

Analysis

max time kernel
143s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe
Size

386KB
MD5

1c2ac55176f72c6cab12517b5ad73663
SHA1

d3cb84a8b594be0b8994f5f294afa9b314ec337f
SHA256

02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb
SHA512

757692d3e19bab148015536610af8afd4c2a0b59a7296ffa70bbc3eeaa6f6ab1623092d5a1b234e52bb8978ec2db395f06ed7a998ea956bf239232ac4050d988
SSDEEP

12288:E9BgwQZ7287xmPFRkfJg9qwQZ7287xmP:+gZZ/aFKm9qZZ/a

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emeopn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epaogi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejgcdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdkli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdapak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emcbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebpkce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epdkli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epaogi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebpkce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgcdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emcbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdapak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emeopn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe

Executes dropped EXE 21 IoCs

pid	Process
2032	Emcbkn32.exe
2388	Epaogi32.exe
2664	Ebpkce32.exe
2692	Ejgcdb32.exe
2132	Emeopn32.exe
2524	Epdkli32.exe
2564	Fcmgfkeg.exe
3012	Fjgoce32.exe
468	Ffnphf32.exe
1928	Fdapak32.exe
2872	Gbijhg32.exe
1120	Gicbeald.exe
324	Gopkmhjk.exe
1512	Ghmiam32.exe
1904	Hdfflm32.exe
1484	Hkpnhgge.exe
876	Hhjhkq32.exe
2268	Hodpgjha.exe
1536	Hhmepp32.exe
1608	Ieqeidnl.exe
2700	Iagfoe32.exe

Loads dropped DLL 46 IoCs

pid	Process
2232	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe
2232	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe
2032	Emcbkn32.exe
2032	Emcbkn32.exe
2388	Epaogi32.exe
2388	Epaogi32.exe
2664	Ebpkce32.exe
2664	Ebpkce32.exe
2692	Ejgcdb32.exe
2692	Ejgcdb32.exe
2132	Emeopn32.exe
2132	Emeopn32.exe
2524	Epdkli32.exe
2524	Epdkli32.exe
2564	Fcmgfkeg.exe
2564	Fcmgfkeg.exe
3012	Fjgoce32.exe
3012	Fjgoce32.exe
468	Ffnphf32.exe
468	Ffnphf32.exe
1928	Fdapak32.exe
1928	Fdapak32.exe
2872	Gbijhg32.exe
2872	Gbijhg32.exe
1120	Gicbeald.exe
1120	Gicbeald.exe
324	Gopkmhjk.exe
324	Gopkmhjk.exe
1512	Ghmiam32.exe
1512	Ghmiam32.exe
1904	Hdfflm32.exe
1904	Hdfflm32.exe
1484	Hkpnhgge.exe
1484	Hkpnhgge.exe
876	Hhjhkq32.exe
876	Hhjhkq32.exe
2268	Hodpgjha.exe
2268	Hodpgjha.exe
1536	Hhmepp32.exe
1536	Hhmepp32.exe
1608	Ieqeidnl.exe
1608	Ieqeidnl.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Epdkli32.exe	Emeopn32.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Egdnbg32.dll	Ejgcdb32.exe
File opened for modification	C:\Windows\SysWOW64\Emeopn32.exe	Ejgcdb32.exe
File created	C:\Windows\SysWOW64\Fdapak32.exe	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Gopkmhjk.exe	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Emcbkn32.exe	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe
File created	C:\Windows\SysWOW64\Ebpkce32.exe	Epaogi32.exe
File created	C:\Windows\SysWOW64\Lnnhje32.dll	Fdapak32.exe
File opened for modification	C:\Windows\SysWOW64\Ghmiam32.exe	Gopkmhjk.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Epaogi32.exe	Emcbkn32.exe
File created	C:\Windows\SysWOW64\Facklcaq.dll	Epdkli32.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Pmdoik32.dll	Epaogi32.exe
File opened for modification	C:\Windows\SysWOW64\Gopkmhjk.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Hnempl32.dll	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Kleiio32.dll	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Jgdmei32.dll	Gicbeald.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Epdkli32.exe	Emeopn32.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hdfflm32.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Ebpkce32.exe	Epaogi32.exe
File created	C:\Windows\SysWOW64\Njqaac32.dll	Ebpkce32.exe
File opened for modification	C:\Windows\SysWOW64\Fcmgfkeg.exe	Epdkli32.exe
File opened for modification	C:\Windows\SysWOW64\Fjgoce32.exe	Fcmgfkeg.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Epafjqck.dll	Emcbkn32.exe
File created	C:\Windows\SysWOW64\Nopodm32.dll	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Gbijhg32.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Fcmgfkeg.exe	Epdkli32.exe
File created	C:\Windows\SysWOW64\Emeopn32.exe	Ejgcdb32.exe
File opened for modification	C:\Windows\SysWOW64\Gbijhg32.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Emcbkn32.exe	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe
File created	C:\Windows\SysWOW64\Ffnphf32.exe	Fjgoce32.exe
File opened for modification	C:\Windows\SysWOW64\Ffnphf32.exe	Fjgoce32.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Ejgcdb32.exe	Ebpkce32.exe
File created	C:\Windows\SysWOW64\Fjgoce32.exe	Fcmgfkeg.exe
File created	C:\Windows\SysWOW64\Kegiig32.dll	Fjgoce32.exe
File created	C:\Windows\SysWOW64\Phofkg32.dll	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Mmqgncdn.dll	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe
File opened for modification	C:\Windows\SysWOW64\Ejgcdb32.exe	Ebpkce32.exe
File created	C:\Windows\SysWOW64\Jkoginch.dll	Fcmgfkeg.exe
File opened for modification	C:\Windows\SysWOW64\Fdapak32.exe	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Ghmiam32.exe	Gopkmhjk.exe
File opened for modification	C:\Windows\SysWOW64\Hdfflm32.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Epaogi32.exe	Emcbkn32.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Glpjaf32.dll	Emeopn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
600	2700	WerFault.exe	48

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epafjqck.dll"	Emcbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll"	Emeopn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegiig32.dll"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejgcdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqgncdn.dll"	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejgcdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emeopn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebpkce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll"	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epdkli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emeopn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll"	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebpkce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll"	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epdkli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emcbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdnbg32.dll"	Ejgcdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epaogi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll"	Ebpkce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emcbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epaogi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdoik32.dll"	Epaogi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facklcaq.dll"	Epdkli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hdfflm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2032	2232	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe	28
PID 2232 wrote to memory of 2032	2232	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe	28
PID 2232 wrote to memory of 2032	2232	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe	28
PID 2232 wrote to memory of 2032	2232	02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe	28
PID 2032 wrote to memory of 2388	2032	Emcbkn32.exe	29
PID 2032 wrote to memory of 2388	2032	Emcbkn32.exe	29
PID 2032 wrote to memory of 2388	2032	Emcbkn32.exe	29
PID 2032 wrote to memory of 2388	2032	Emcbkn32.exe	29
PID 2388 wrote to memory of 2664	2388	Epaogi32.exe	30
PID 2388 wrote to memory of 2664	2388	Epaogi32.exe	30
PID 2388 wrote to memory of 2664	2388	Epaogi32.exe	30
PID 2388 wrote to memory of 2664	2388	Epaogi32.exe	30
PID 2664 wrote to memory of 2692	2664	Ebpkce32.exe	31
PID 2664 wrote to memory of 2692	2664	Ebpkce32.exe	31
PID 2664 wrote to memory of 2692	2664	Ebpkce32.exe	31
PID 2664 wrote to memory of 2692	2664	Ebpkce32.exe	31
PID 2692 wrote to memory of 2132	2692	Ejgcdb32.exe	32
PID 2692 wrote to memory of 2132	2692	Ejgcdb32.exe	32
PID 2692 wrote to memory of 2132	2692	Ejgcdb32.exe	32
PID 2692 wrote to memory of 2132	2692	Ejgcdb32.exe	32
PID 2132 wrote to memory of 2524	2132	Emeopn32.exe	33
PID 2132 wrote to memory of 2524	2132	Emeopn32.exe	33
PID 2132 wrote to memory of 2524	2132	Emeopn32.exe	33
PID 2132 wrote to memory of 2524	2132	Emeopn32.exe	33
PID 2524 wrote to memory of 2564	2524	Epdkli32.exe	34
PID 2524 wrote to memory of 2564	2524	Epdkli32.exe	34
PID 2524 wrote to memory of 2564	2524	Epdkli32.exe	34
PID 2524 wrote to memory of 2564	2524	Epdkli32.exe	34
PID 2564 wrote to memory of 3012	2564	Fcmgfkeg.exe	35
PID 2564 wrote to memory of 3012	2564	Fcmgfkeg.exe	35
PID 2564 wrote to memory of 3012	2564	Fcmgfkeg.exe	35
PID 2564 wrote to memory of 3012	2564	Fcmgfkeg.exe	35
PID 3012 wrote to memory of 468	3012	Fjgoce32.exe	36
PID 3012 wrote to memory of 468	3012	Fjgoce32.exe	36
PID 3012 wrote to memory of 468	3012	Fjgoce32.exe	36
PID 3012 wrote to memory of 468	3012	Fjgoce32.exe	36
PID 468 wrote to memory of 1928	468	Ffnphf32.exe	37
PID 468 wrote to memory of 1928	468	Ffnphf32.exe	37
PID 468 wrote to memory of 1928	468	Ffnphf32.exe	37
PID 468 wrote to memory of 1928	468	Ffnphf32.exe	37
PID 1928 wrote to memory of 2872	1928	Fdapak32.exe	38
PID 1928 wrote to memory of 2872	1928	Fdapak32.exe	38
PID 1928 wrote to memory of 2872	1928	Fdapak32.exe	38
PID 1928 wrote to memory of 2872	1928	Fdapak32.exe	38
PID 2872 wrote to memory of 1120	2872	Gbijhg32.exe	39
PID 2872 wrote to memory of 1120	2872	Gbijhg32.exe	39
PID 2872 wrote to memory of 1120	2872	Gbijhg32.exe	39
PID 2872 wrote to memory of 1120	2872	Gbijhg32.exe	39
PID 1120 wrote to memory of 324	1120	Gicbeald.exe	40
PID 1120 wrote to memory of 324	1120	Gicbeald.exe	40
PID 1120 wrote to memory of 324	1120	Gicbeald.exe	40
PID 1120 wrote to memory of 324	1120	Gicbeald.exe	40
PID 324 wrote to memory of 1512	324	Gopkmhjk.exe	41
PID 324 wrote to memory of 1512	324	Gopkmhjk.exe	41
PID 324 wrote to memory of 1512	324	Gopkmhjk.exe	41
PID 324 wrote to memory of 1512	324	Gopkmhjk.exe	41
PID 1512 wrote to memory of 1904	1512	Ghmiam32.exe	42
PID 1512 wrote to memory of 1904	1512	Ghmiam32.exe	42
PID 1512 wrote to memory of 1904	1512	Ghmiam32.exe	42
PID 1512 wrote to memory of 1904	1512	Ghmiam32.exe	42
PID 1904 wrote to memory of 1484	1904	Hdfflm32.exe	43
PID 1904 wrote to memory of 1484	1904	Hdfflm32.exe	43
PID 1904 wrote to memory of 1484	1904	Hdfflm32.exe	43
PID 1904 wrote to memory of 1484	1904	Hdfflm32.exe	43

C:\Users\Admin\AppData\Local\Temp\02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe
"C:\Users\Admin\AppData\Local\Temp\02b7af79bc37833ffba88a902c682cb6c4cf02b55f4cca4924a964c3d196efcb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\Emcbkn32.exe
  C:\Windows\system32\Emcbkn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\Epaogi32.exe
    C:\Windows\system32\Epaogi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\SysWOW64\Ebpkce32.exe
      C:\Windows\system32\Ebpkce32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\Ejgcdb32.exe
        
        C:\Windows\system32\Ejgcdb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\Emeopn32.exe
        
        C:\Windows\system32\Emeopn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Epdkli32.exe
        
        C:\Windows\system32\Epdkli32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Fcmgfkeg.exe
        
        C:\Windows\system32\Fcmgfkeg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Fjgoce32.exe
        
        C:\Windows\system32\Fjgoce32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Ffnphf32.exe
        
        C:\Windows\system32\Ffnphf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Fdapak32.exe
        
        C:\Windows\system32\Fdapak32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Gbijhg32.exe
        
        C:\Windows\system32\Gbijhg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Gopkmhjk.exe
        
        C:\Windows\system32\Gopkmhjk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        22⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 140
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebpkce32.exe

Filesize
386KB

MD5
196edc842cf55275974df542f6b9b1b3

SHA1
426f781b34e06eae39275a3d7ee7cd8b8ec208e5

SHA256
05681ce971f5d9091962ac85c9ea612b83944e1af05fba984c2f9d46bcffbd8b

SHA512
aefc63bbf0a221ea4c1bb73d576d79e1d599f188f90c067850e103c1471c7605311d29f0dd7af7828ebcddffc9ce14babe665ba7ed560b966a929299f84c4bd1

Download Submit
C:\Windows\SysWOW64\Egdnbg32.dll

Filesize
7KB

MD5
71d3899d372561352c4fd3e0c09a5c95

SHA1
c357499df35e99530186a6a01fb50c44b5edb7e0

SHA256
d80166266868d6c5b205a539c92c14f3d30851d84030e3dce45c41b862898607

SHA512
f952a956d67c3527d8282375b4175409466bfd80f0446ea1f5587b6c78be0e3d49f815b1f773394a436f56edcec25aa77e00e5057b7576816d65d433280f709d

Download Submit
C:\Windows\SysWOW64\Ejgcdb32.exe

Filesize
386KB

MD5
49bef9816ab5765b735d24962cdacc21

SHA1
115b9d9691da06b21181d0a40df0b213b085fa31

SHA256
ddf08a90719594a34240aca0d4ab0c3939e1fc45c81cd4d9dd738224ed64e11c

SHA512
cf69db341f9528238fe9782fb6286ca00f1be1f4253135cb9f8d251a6a6b996323bd7866dd028707fd766b3b4ab5c3856351284fbf67aecb055bbeb448b78b6d

Download Submit
C:\Windows\SysWOW64\Emeopn32.exe

Filesize
386KB

MD5
463c1ec50392b4c35226c6c959673bfb

SHA1
2f63846714ed64b03cd12aefbf389e414f1b421a

SHA256
ce6db578f63a96c82b1ee21894b4ed7ff45cd0bc5e26b72117a147334865e9d0

SHA512
7a7894ca42adca04c2f78b4467c81865ac247703139381a054f80b1b1d7b00673dbc7d2436249f393b526202dbdaa30bc2f84caa0cfe74e0de500c8c7097bc02

Download Submit
C:\Windows\SysWOW64\Epaogi32.exe

Filesize
386KB

MD5
34036579be3683a441ad3d03cce47c13

SHA1
a09105ee4d47db9f184ff031b625de8c572a571f

SHA256
b44e85a20440ddc11f8c0515cd111f4ac5c5eb12a2e6f0608b5cb617490b52b1

SHA512
30e09058143406e8773c893655d60812c494e540453a394df94ab8be7b31e68598834d51d40f2ab1ce1624aebf4c9c17ec948d1b3825ce08d570a9a1c70c9152

Download Submit
C:\Windows\SysWOW64\Epdkli32.exe

Filesize
386KB

MD5
0da1d73725e6ff37c7914f6f5555507d

SHA1
413404bfed9d73a07c09ca0a831bee194751d87f

SHA256
5cc6a3e60a945cd8d8bf73675ed29ccae1da82340600e68b1a1ce6195c31e8d4

SHA512
7fe86eea03dc9f76aabd179d06169b78a664243baefdd38127f074ce101f2a4c7c1b7a8af1e0daa9f8427c8ab0cd689ee69bdfaeb94db76513dd5369d08a5b0e

Download Submit
C:\Windows\SysWOW64\Fdapak32.exe

Filesize
386KB

MD5
31bf9f04c64675e95fc266502ab6b9b9

SHA1
2c169d65d53505eade55dc46ccb37501fbaf7c5c

SHA256
0a96c37428930fb8e819b446da23782d74375f2cd3d10853114f88fd1fb9d303

SHA512
9a5fb7f565657929a42546b59df01deb86f11a19c5657c002276d5821b1db0c878991e1c01d7f43b2c0099858b3716ff1c3e743255cbe71727f76ac3daef5a13

Download Submit
C:\Windows\SysWOW64\Gicbeald.exe

Filesize
386KB

MD5
ba6308963d854cf3d6cf31109b3dea67

SHA1
60e5c71e1e79d5467a560526f10e7ac6015cdabf

SHA256
af738dc25ca7fa15ead3d4109ed43cdda05875ed827e8856be5e51b70f287046

SHA512
ce5108772c2f6fca568a4ac003d92dce032b23fdbac8e0225b755d5a4a210aff2aa08c7a15fdaaf51d2178c7a3ef830f3f25de2e11c790f45b63ffcf8795a53b

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
386KB

MD5
c74d876e51c11d9bd1a9a7d9bf3eb377

SHA1
25d1f11658646d4b0d155459e152eeb5ab93a100

SHA256
b150368f5ad658414d82dcac477f987f507be80ce764df2cd47f6b85398cf89c

SHA512
49c93a9dab3597129fef1b8c275cd27f4128022474987b4c64df0c9bf037e0d58149b15f4e7ff6509c240ea86a25676144b982fee945fc3bcffd6215abba8753

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
386KB

MD5
d0d0f29bcfa7a219d00f79c3c925df6f

SHA1
d17c893407c67b1b2877521c4b2c820a202dfe4e

SHA256
6ec6023fc8de400425c40bd0141b6e1347b6db3237836bf12d41683b45b442d7

SHA512
778827729de7d6bcb133eff28fa106888d242580d48be1abb97289025311b9ca124724f6da09dc229de22a51a9922e83a94d6e534a04717f1b5b4663bb8249e0

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
386KB

MD5
8951293cd266f22f2cd7137a8f252637

SHA1
0bf10b109c6cd462e4c3fd5d6f06eaee867efb9c

SHA256
99be8c581a0d55a7f5d31b031336ebf805c08960293c2c917aab975005db9e3a

SHA512
1055a8271d61e2c8d8eaedefefe16301bf7381827b4ba8734719a2d590c8b252b7b4c7aeceebef0933cd963226bf14d6d00030ba9a3a52676ffd8569f93e3ac8

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
386KB

MD5
c0bd488b058fd4e641175e2685cef6f5

SHA1
406b0b569a579094e6260c9e4c8b2bde25cff426

SHA256
c072e3704aac411e393d4fe76414ec2e064bc50ae980bb720db6a8bc7627d25a

SHA512
945e04956cfa863091da47ca4e4f412fbdca63c6f4e815e7c4496c081f3d5c78245a8d7da0ec15662024b1c973b757d1e5cbdae21bbb551d7a4e72323833ed6a

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
386KB

MD5
5ced0b87e09c7f8fcd3d0c1e69471272

SHA1
5e6f8bb15f078f78509c532508b29b63f458c934

SHA256
abcf220b8d9118ca448a92124524166f647d780f182dc395aa7c68829e2a0c13

SHA512
d4582142866041f5c55742bbbf351ff9e5a4c7bd90407b6ce2b236f4cae01968839ba0ad009192138ff42275ade5add1dc2514f2591648dbd7ea275bd0a50329

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
386KB

MD5
74e7fc69647e37251cd196e6ad1f0fcf

SHA1
608e47192e46d73f79573ed9691ad31caa048160

SHA256
c7f0518564af90c02cebb729680d2aaeaf2248d450b7c61fb52602434ea665c2

SHA512
7e034c374c741d9dedd76a9ef832518e3ca134cb8ba439fba873efb1508495251d6bb537bf5d64b2c5f9c7568db728241c78a9dd36db58da5abf9d9e8c6fdd83

Download Submit
\Windows\SysWOW64\Emcbkn32.exe

Filesize
386KB

MD5
51e23ac9d0e50d0264084d8fba24fdc4

SHA1
a727b536b9c8db6190242dc72030486460600f5f

SHA256
cc7255968ca91fc9c3f68cd9c43d22552b4ae89752c3a0fbebfac680f2cb36a4

SHA512
3a1b4fb508070ce74d063c26af91cc4a9d300d4ae2be51cf119bde539b31913ea76e4e6b22e9a17025345661e9c4c66d8359b279797a169c8ae1e850c2ea5781

Download Submit
\Windows\SysWOW64\Fcmgfkeg.exe

Filesize
386KB

MD5
c4c60a316f6726738068f5fc26ba184e

SHA1
d552afb5cd799efa4feffebb35b83da0a9eefa83

SHA256
bcf124d81eb8c2ea0d37d7097cf8035b532b66321a9e921c9e6eb2fc0df9a685

SHA512
5415173eb073ef9bfea64865b19c95fdd00555cf28274857dfbbef2b8bb52c2e6ff8cbd23b732cac95e4acf929283d804c14de911f1b6e23c7d43bbc42b06dd0

Download Submit
\Windows\SysWOW64\Ffnphf32.exe

Filesize
386KB

MD5
c3a6a7cca6559d7fa94e9e848a6ba093

SHA1
e941de4aa4e3d916ec7479ea1297b3e221e7412c

SHA256
aa04406f21c634fa8ca260f8d04b7464a7de7fc3f248c37b34c79c41fbd1730f

SHA512
932998b9596ed1bac78e919029ed672a65051182c79c3947b15a393bb79d46d803246b777d28a387a26997f8502037c777d3b42da21680cac8d283210b64f092

Download Submit
\Windows\SysWOW64\Fjgoce32.exe

Filesize
386KB

MD5
4ec10f203d9f03850314848c62fff1dd

SHA1
edc067d715e2d600878e0f716ade47fb03e8b520

SHA256
dd0104839809031137bd12ae4ec130672bc8122d80730132f8a68781c95c1790

SHA512
f1885c253b25e332376d289a0c05b55d182bc67405ef2d6a0335b01dd89a776a20a1791394a57b23439f23548954a7d67e4190e6c533cacfe88309518429d10e

Download Submit
\Windows\SysWOW64\Gbijhg32.exe

Filesize
386KB

MD5
00dcd82f34d1d98e49a2bab6adf111ae

SHA1
f2f481612fabd03ad37571a05520ae39377fb6e5

SHA256
26ca8445c39a7bb087adc6e6d012f28630ad34896b7099f7395d6c1b6a8e348c

SHA512
1a99459a8f8ee775da4485e9fd1ba82ec8e4e68b47c99b46e72260d6f26ef2ee5a7c6fd6e1b43d9446934fe8e0387ee9e797efcf606106b17a959422be0ebaed

Download Submit
\Windows\SysWOW64\Ghmiam32.exe

Filesize
386KB

MD5
80cc8c1c8c8fea5a038b15508f58616d

SHA1
1ed24f5efe3aae2119143775c993e6ae9f98ec56

SHA256
a1b8e667d74d3850e45e1636b78dcc7ff035b04e97de4765dd8b9972d302bb20

SHA512
2f5ece6c3c81595e9abc993a13d9b90f46109f3c28e029000542c30484bfa89fd0f83786e1e554a4237c0ae912da1cc3e715833a07361fe52745a6944565afa7

Download Submit
\Windows\SysWOW64\Gopkmhjk.exe

Filesize
386KB

MD5
a0550523f10846826964510bf3c452e1

SHA1
9ec122a8912f1d26ed69f2bbcab880f9616d958f

SHA256
567c119b3e1e143340d8902321e2d4cca869d02f592c3cb131932cfc37dfb714

SHA512
09ff3ade50b108a63d28d9016d85c2a76d20d65beded2824d64d62cffad36e3a50a42417b09e2b6b54932d10612e3ddee0fd410063c8685e4097e71b8637c154

Download Submit
\Windows\SysWOW64\Hdfflm32.exe

Filesize
386KB

MD5
1bc8a651ff513114b76c2e31df05b8cc

SHA1
8a09b63366578c1be9027cc25d806cbe9005499e

SHA256
39c25290b21ebccd459800c215f0f8592185e92dfa3327bcc0dcf7b1e2d4acc3

SHA512
0060c23b57a0e88e9b0c2213169a0b9391901db74887c4d32131e6c76d9ab9b316524da19a4423468cbf524874b88e4e83f6a94eec6314fcf248adc683dff924

Download Submit
memory/324-187-0x0000000000490000-0x0000000000517000-memory.dmp

Filesize
540KB

Download
memory/324-192-0x0000000000490000-0x0000000000517000-memory.dmp

Filesize
540KB

Download
memory/324-355-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/324-179-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/468-118-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/468-347-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/468-133-0x0000000000330000-0x00000000003B7000-memory.dmp

Filesize
540KB

Download
memory/468-132-0x0000000000330000-0x00000000003B7000-memory.dmp

Filesize
540KB

Download
memory/876-239-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/876-245-0x0000000000550000-0x00000000005D7000-memory.dmp

Filesize
540KB

Download
memory/876-363-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/876-246-0x0000000000550000-0x00000000005D7000-memory.dmp

Filesize
540KB

Download
memory/1120-353-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1120-177-0x0000000000320000-0x00000000003A7000-memory.dmp

Filesize
540KB

Download
memory/1120-164-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1120-176-0x0000000000320000-0x00000000003A7000-memory.dmp

Filesize
540KB

Download
memory/1484-235-0x0000000000250000-0x00000000002D7000-memory.dmp

Filesize
540KB

Download
memory/1484-234-0x0000000000250000-0x00000000002D7000-memory.dmp

Filesize
540KB

Download
memory/1484-224-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1484-361-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1512-357-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1512-194-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1512-212-0x0000000000260000-0x00000000002E7000-memory.dmp

Filesize
540KB

Download
memory/1512-213-0x0000000000260000-0x00000000002E7000-memory.dmp

Filesize
540KB

Download
memory/1536-258-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1536-367-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1536-268-0x0000000000310000-0x0000000000397000-memory.dmp

Filesize
540KB

Download
memory/1536-264-0x0000000000310000-0x0000000000397000-memory.dmp

Filesize
540KB

Download
memory/1608-279-0x0000000000500000-0x0000000000587000-memory.dmp

Filesize
540KB

Download
memory/1608-278-0x0000000000500000-0x0000000000587000-memory.dmp

Filesize
540KB

Download
memory/1608-371-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1608-273-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1904-223-0x0000000000250000-0x00000000002D7000-memory.dmp

Filesize
540KB

Download
memory/1904-214-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1904-359-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1904-222-0x0000000000250000-0x00000000002D7000-memory.dmp

Filesize
540KB

Download
memory/1928-152-0x00000000002F0000-0x0000000000377000-memory.dmp

Filesize
540KB

Download
memory/1928-148-0x00000000002F0000-0x0000000000377000-memory.dmp

Filesize
540KB

Download
memory/1928-349-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1928-134-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2032-328-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2032-26-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2132-336-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2232-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2232-326-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2232-18-0x0000000000370000-0x00000000003F7000-memory.dmp

Filesize
540KB

Download
memory/2232-6-0x0000000000370000-0x00000000003F7000-memory.dmp

Filesize
540KB

Download
memory/2268-365-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2268-256-0x0000000000250000-0x00000000002D7000-memory.dmp

Filesize
540KB

Download
memory/2268-257-0x0000000000250000-0x00000000002D7000-memory.dmp

Filesize
540KB

Download
memory/2268-250-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2388-330-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2388-39-0x0000000000250000-0x00000000002D7000-memory.dmp

Filesize
540KB

Download
memory/2388-27-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2524-341-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2524-78-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2564-343-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2564-91-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2664-53-0x0000000000490000-0x0000000000517000-memory.dmp

Filesize
540KB

Download
memory/2664-332-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2692-334-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2700-280-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2872-351-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2872-154-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2872-162-0x0000000000490000-0x0000000000517000-memory.dmp

Filesize
540KB

Download
memory/2872-161-0x0000000000490000-0x0000000000517000-memory.dmp

Filesize
540KB

Download
memory/3012-116-0x0000000000340000-0x00000000003C7000-memory.dmp

Filesize
540KB

Download
memory/3012-119-0x0000000000340000-0x00000000003C7000-memory.dmp

Filesize
540KB

Download
memory/3012-345-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3012-107-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads