6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c

Analysis

max time kernel
142s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c.exe
Size

45KB
MD5

059820058e75492e527550246351abe0
SHA1

f5d92f451a62963fccfbf7564897ef814506feed
SHA256

6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c
SHA512

09e51f30037e17b2c05682c0fdc254aba7284fdebb29dbfd26d057a37ebdf13ff2886ba88c01a3899147de02b066b9533b53917978d6b7f0141804c4e247a9b9
SSDEEP

768:Uf2T1yvN3FHZMlTov8mBcAVnih0+QCKkAe52a6/1H5p:UOT1gZyTovpniq+QHs8aA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkkalk32.exe

Executes dropped EXE 38 IoCs

pid	Process
2932	Gfefiemq.exe
2676	Gopkmhjk.exe
2572	Gbkgnfbd.exe
2548	Gieojq32.exe
2444	Gobgcg32.exe
3012	Gaqcoc32.exe
2240	Gdopkn32.exe
1456	Glfhll32.exe
1672	Goddhg32.exe
2332	Gacpdbej.exe
2324	Gdamqndn.exe
692	Gogangdc.exe
1900	Gaemjbcg.exe
848	Gddifnbk.exe
3064	Hgbebiao.exe
2764	Hiqbndpb.exe
1624	Hmlnoc32.exe
1148	Hpkjko32.exe
2232	Hcifgjgc.exe
2032	Hgdbhi32.exe
1928	Hicodd32.exe
968	Hlakpp32.exe
2224	Hdhbam32.exe
2496	Hggomh32.exe
3016	Hejoiedd.exe
1896	Hlcgeo32.exe
3004	Hgilchkf.exe
2516	Hjhhocjj.exe
2744	Hlfdkoin.exe
2440	Hjjddchg.exe
2420	Hlhaqogk.exe
1724	Hkkalk32.exe
2464	Icbimi32.exe
1856	Ieqeidnl.exe
2180	Ihoafpmp.exe
1676	Ilknfn32.exe
2388	Ioijbj32.exe
1524	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2872	6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c.exe
2872	6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c.exe
2932	Gfefiemq.exe
2932	Gfefiemq.exe
2676	Gopkmhjk.exe
2676	Gopkmhjk.exe
2572	Gbkgnfbd.exe
2572	Gbkgnfbd.exe
2548	Gieojq32.exe
2548	Gieojq32.exe
2444	Gobgcg32.exe
2444	Gobgcg32.exe
3012	Gaqcoc32.exe
3012	Gaqcoc32.exe
2240	Gdopkn32.exe
2240	Gdopkn32.exe
1456	Glfhll32.exe
1456	Glfhll32.exe
1672	Goddhg32.exe
1672	Goddhg32.exe
2332	Gacpdbej.exe
2332	Gacpdbej.exe
2324	Gdamqndn.exe
2324	Gdamqndn.exe
692	Gogangdc.exe
692	Gogangdc.exe
1900	Gaemjbcg.exe
1900	Gaemjbcg.exe
848	Gddifnbk.exe
848	Gddifnbk.exe
3064	Hgbebiao.exe
3064	Hgbebiao.exe
2764	Hiqbndpb.exe
2764	Hiqbndpb.exe
1624	Hmlnoc32.exe
1624	Hmlnoc32.exe
1148	Hpkjko32.exe
1148	Hpkjko32.exe
2232	Hcifgjgc.exe
2232	Hcifgjgc.exe
2032	Hgdbhi32.exe
2032	Hgdbhi32.exe
1928	Hicodd32.exe
1928	Hicodd32.exe
968	Hlakpp32.exe
968	Hlakpp32.exe
2224	Hdhbam32.exe
2224	Hdhbam32.exe
2496	Hggomh32.exe
2496	Hggomh32.exe
3016	Hejoiedd.exe
3016	Hejoiedd.exe
1896	Hlcgeo32.exe
1896	Hlcgeo32.exe
3004	Hgilchkf.exe
3004	Hgilchkf.exe
2516	Hjhhocjj.exe
2516	Hjhhocjj.exe
2744	Hlfdkoin.exe
2744	Hlfdkoin.exe
2440	Hjjddchg.exe
2440	Hjjddchg.exe
2420	Hlhaqogk.exe
2420	Hlhaqogk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chhpdp32.dll	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Hjjddchg.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c.exe
File opened for modification	C:\Windows\SysWOW64\Gopkmhjk.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Hiqbndpb.exe	Hgbebiao.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Gaqcoc32.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Gdopkn32.exe	Gaqcoc32.exe
File created	C:\Windows\SysWOW64\Hgbebiao.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Gieojq32.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Lkoabpeg.dll	Gbkgnfbd.exe
File opened for modification	C:\Windows\SysWOW64\Goddhg32.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Jondlhmp.dll	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Gdopkn32.exe	Gaqcoc32.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Hcifgjgc.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Nbniiffi.dll	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Goddhg32.exe	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Hgbebiao.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Gcaciakh.dll	Gogangdc.exe
File created	C:\Windows\SysWOW64\Omabcb32.dll	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Hghmjpap.dll	6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c.exe
File created	C:\Windows\SysWOW64\Fndldonj.dll	Gobgcg32.exe
File opened for modification	C:\Windows\SysWOW64\Gbkgnfbd.exe	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hdhbam32.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Pfabenjd.dll	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Anllbdkl.dll	Hicodd32.exe
File created	C:\Windows\SysWOW64\Jgdmei32.dll	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Gobgcg32.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Jjcpjl32.dll	Gddifnbk.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Hpkjko32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Gddifnbk.exe	Gaemjbcg.exe

Program crash 1 IoCs

pid	pid_target	Process
844	1524	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goddhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll"	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2932	2872	6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c.exe	28
PID 2872 wrote to memory of 2932	2872	6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c.exe	28
PID 2872 wrote to memory of 2932	2872	6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c.exe	28
PID 2872 wrote to memory of 2932	2872	6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c.exe	28
PID 2932 wrote to memory of 2676	2932	Gfefiemq.exe	29
PID 2932 wrote to memory of 2676	2932	Gfefiemq.exe	29
PID 2932 wrote to memory of 2676	2932	Gfefiemq.exe	29
PID 2932 wrote to memory of 2676	2932	Gfefiemq.exe	29
PID 2676 wrote to memory of 2572	2676	Gopkmhjk.exe	30
PID 2676 wrote to memory of 2572	2676	Gopkmhjk.exe	30
PID 2676 wrote to memory of 2572	2676	Gopkmhjk.exe	30
PID 2676 wrote to memory of 2572	2676	Gopkmhjk.exe	30
PID 2572 wrote to memory of 2548	2572	Gbkgnfbd.exe	31
PID 2572 wrote to memory of 2548	2572	Gbkgnfbd.exe	31
PID 2572 wrote to memory of 2548	2572	Gbkgnfbd.exe	31
PID 2572 wrote to memory of 2548	2572	Gbkgnfbd.exe	31
PID 2548 wrote to memory of 2444	2548	Gieojq32.exe	32
PID 2548 wrote to memory of 2444	2548	Gieojq32.exe	32
PID 2548 wrote to memory of 2444	2548	Gieojq32.exe	32
PID 2548 wrote to memory of 2444	2548	Gieojq32.exe	32
PID 2444 wrote to memory of 3012	2444	Gobgcg32.exe	33
PID 2444 wrote to memory of 3012	2444	Gobgcg32.exe	33
PID 2444 wrote to memory of 3012	2444	Gobgcg32.exe	33
PID 2444 wrote to memory of 3012	2444	Gobgcg32.exe	33
PID 3012 wrote to memory of 2240	3012	Gaqcoc32.exe	34
PID 3012 wrote to memory of 2240	3012	Gaqcoc32.exe	34
PID 3012 wrote to memory of 2240	3012	Gaqcoc32.exe	34
PID 3012 wrote to memory of 2240	3012	Gaqcoc32.exe	34
PID 2240 wrote to memory of 1456	2240	Gdopkn32.exe	35
PID 2240 wrote to memory of 1456	2240	Gdopkn32.exe	35
PID 2240 wrote to memory of 1456	2240	Gdopkn32.exe	35
PID 2240 wrote to memory of 1456	2240	Gdopkn32.exe	35
PID 1456 wrote to memory of 1672	1456	Glfhll32.exe	36
PID 1456 wrote to memory of 1672	1456	Glfhll32.exe	36
PID 1456 wrote to memory of 1672	1456	Glfhll32.exe	36
PID 1456 wrote to memory of 1672	1456	Glfhll32.exe	36
PID 1672 wrote to memory of 2332	1672	Goddhg32.exe	37
PID 1672 wrote to memory of 2332	1672	Goddhg32.exe	37
PID 1672 wrote to memory of 2332	1672	Goddhg32.exe	37
PID 1672 wrote to memory of 2332	1672	Goddhg32.exe	37
PID 2332 wrote to memory of 2324	2332	Gacpdbej.exe	38
PID 2332 wrote to memory of 2324	2332	Gacpdbej.exe	38
PID 2332 wrote to memory of 2324	2332	Gacpdbej.exe	38
PID 2332 wrote to memory of 2324	2332	Gacpdbej.exe	38
PID 2324 wrote to memory of 692	2324	Gdamqndn.exe	39
PID 2324 wrote to memory of 692	2324	Gdamqndn.exe	39
PID 2324 wrote to memory of 692	2324	Gdamqndn.exe	39
PID 2324 wrote to memory of 692	2324	Gdamqndn.exe	39
PID 692 wrote to memory of 1900	692	Gogangdc.exe	40
PID 692 wrote to memory of 1900	692	Gogangdc.exe	40
PID 692 wrote to memory of 1900	692	Gogangdc.exe	40
PID 692 wrote to memory of 1900	692	Gogangdc.exe	40
PID 1900 wrote to memory of 848	1900	Gaemjbcg.exe	41
PID 1900 wrote to memory of 848	1900	Gaemjbcg.exe	41
PID 1900 wrote to memory of 848	1900	Gaemjbcg.exe	41
PID 1900 wrote to memory of 848	1900	Gaemjbcg.exe	41
PID 848 wrote to memory of 3064	848	Gddifnbk.exe	42
PID 848 wrote to memory of 3064	848	Gddifnbk.exe	42
PID 848 wrote to memory of 3064	848	Gddifnbk.exe	42
PID 848 wrote to memory of 3064	848	Gddifnbk.exe	42
PID 3064 wrote to memory of 2764	3064	Hgbebiao.exe	43
PID 3064 wrote to memory of 2764	3064	Hgbebiao.exe	43
PID 3064 wrote to memory of 2764	3064	Hgbebiao.exe	43
PID 3064 wrote to memory of 2764	3064	Hgbebiao.exe	43

C:\Users\Admin\AppData\Local\Temp\6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c.exe
"C:\Users\Admin\AppData\Local\Temp\6eeefb51487e712ff11762caeb628feb057ee7e2987c3645722690101c03dd7c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\Gfefiemq.exe
  C:\Windows\system32\Gfefiemq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\Gopkmhjk.exe
    C:\Windows\system32\Gopkmhjk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\Gbkgnfbd.exe
      C:\Windows\system32\Gbkgnfbd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\Gobgcg32.exe
        
        C:\Windows\system32\Gobgcg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Gaqcoc32.exe
        
        C:\Windows\system32\Gaqcoc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Gddifnbk.exe
        
        C:\Windows\system32\Gddifnbk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        39⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 140
        40⤵
        Program crash
        
        PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gacpdbej.exe

Filesize
45KB

MD5
78c8dd9b818b0e4e6cf9be7178b722b0

SHA1
532d33735e19ee750d33b21bf03da8af8e410e05

SHA256
dc252a70d41363c7ce662a1193a850cdaaedc4368d92a1ecb95d2b1784340345

SHA512
c12984b10d08999582d787858e26566d0e09b1a03637ca2fbcecbf1969d58979787f46cbaf0154e6d6528172b41a2fc40f4f4ec173a9f3d7465a31c6f241195b

Download Submit
C:\Windows\SysWOW64\Gacpdbej.exe

Filesize
42KB

MD5
b138346c965633815bb25e09a9bf333f

SHA1
b6285213898cd0e08c93e2a738c58d772b945978

SHA256
c8a2dfbcb8c20d074e432d2407d3d7d6619563a0e561843830b5389e2737b5d5

SHA512
c87dc7fdbb9350eafa3ac95880d75bfe1e14946406141ce28251fc20730659feb933230f555df94db5d755deb4b1aa2faac33c37dbb6aebfdb4b9a2792f2f510

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
18KB

MD5
191c1a78d7e7bd5bf8710c70dba7e38b

SHA1
2553311376ec449ba9b4cd57760ae5b3fdb47226

SHA256
0e98604b36ca5c3670e07570f23337e613e2edac88fe77987f57eab158974e31

SHA512
ff26fc816f8e0f401fb8be0c8fff58a068bf4490513330947e0f745dfb7c27421518c6bbbaeee5e4c6e12924ce6d2d9c851e02bf0e7bd103ce27c92be9e998df

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
45KB

MD5
df6051303c5a0f1b42705c67b982cb4a

SHA1
4bee1d3154eb5e7a1e18fa7595361f10e421ba26

SHA256
a59d99ccca6d652bac64954e06bdb1552ef96797bbe23037c79b8eafe9fd0b11

SHA512
12dcecf5642909142830823ccafb6d8309b22a2e5a17a8ece0edfb5bb89e89cdb17e729dd69661b9176e1c7ce5148c77cb3099fbb221168bba8fcd22ec0a652b

Download Submit
C:\Windows\SysWOW64\Gaqcoc32.exe

Filesize
45KB

MD5
6b4e0a462976ba71e88a5d7fd8501045

SHA1
187f3000d70270bfc665f28a64aa25875abbcef0

SHA256
ebcf27e9923e2027704f272343c75cdc7a78e4b268fea26f82414d3aeace4648

SHA512
e48490c4fa34aa10979059335bb69a8d1080a95527485a2622a52636a570b4748f8b0fcc1d258609eface48163a1fd8576505321dcdcfd619b4ba72d57dd40a1

Download Submit
C:\Windows\SysWOW64\Gdamqndn.exe

Filesize
45KB

MD5
9f29f46ac50e59f13f68c7aa7c8269e5

SHA1
1aaeb0dc1370f361202046b7e6f0ff471ef3fcf5

SHA256
8c268d9b61b83381a9afa892c7ce194cfbcab6363831c3893d4d47d3ad86065c

SHA512
72b142f3d2a18067d52e9c8d44886a6ed6293779453b5155be30baba4074cdcd1c278bad4e417abc4ec4359452e777e8a78d71e3113c1a3c1e2eca3fc67799ed

Download Submit
C:\Windows\SysWOW64\Gddifnbk.exe

Filesize
45KB

MD5
4beecdbb0415ad0911d497769eed92ab

SHA1
26cb9ed3a38c59ab0108b346edc51c916a141306

SHA256
99e48b1cfd15148f9ba5325e2046f51a6e80f22480c00c06a6ac08c7da6c8ea5

SHA512
2d55d6222905907a6edd82ce3b807030cb3cfa11ab32ec140d0660d4d903c952cdb07901239e5f62ce9550f73f593900b0644c94fd1fd512fcc01ad2ce5c746c

Download Submit
C:\Windows\SysWOW64\Gfefiemq.exe

Filesize
45KB

MD5
b87c7f665f055d2ffd909c4e3f18c2ac

SHA1
72b1980e86ce0a9705ea99305c7be971427425f1

SHA256
3b6b4231d95c1ea6b5eeb17dc63fb2fdde3b25f70564d9fb180b1e43cf7b66dd

SHA512
24f1590ad2622a3cada97312839c2f4224098e028d20fbc85f07882ffecf3af7c9b13ed571f4ac7462c09b1e508dc374eab4789ba2246b1feaba4ca079651fe1

Download Submit
C:\Windows\SysWOW64\Gieojq32.exe

Filesize
45KB

MD5
ad6a808b1552ccce6e367dcc84a8c6e7

SHA1
9c38506c94dda566cf952e310630b45689ee36a8

SHA256
a251babe638c12e2580ff667510c204295927179b93d29898d11f96335ee7759

SHA512
b824935d2e3912ec3e13fa43959976adb81e50709151f264d3641a458e446decec0f14f23e038f23e4bbf653a2ae10f238d360c00801e1114674ae86edc33bc3

Download Submit
C:\Windows\SysWOW64\Glfhll32.exe

Filesize
45KB

MD5
18498d845fbf391a12418d314a1ad261

SHA1
61dc03ee0a83c374b63d6e76690cfbe7d027eb71

SHA256
2a69f8ff2fed0bec13e66999818082ba8d0db35445cfaac319fc962d3ea8c2e4

SHA512
8ae4a4292d3ba00a9ec1ed928161e9683f8f5e1a8e4b47d1f2dcd7b7780574df440ac828b3bf936de772ca22d8b19a2d3c341f395d004142b594d7562185de29

Download Submit
C:\Windows\SysWOW64\Gobgcg32.exe

Filesize
45KB

MD5
dbbf231440680b138b19ab75e65dacf1

SHA1
d125de8c509e85214c424a12ec89d939f9086366

SHA256
404ed631a6dc14bc3f2affb26cad8a71174cabc0cbf91105d060c5a5190fc0f6

SHA512
e0446bf3e999a2c965dee282da5de07fed555374e0a27c31fb90a7d5c400fc5d70889d3edd6f0696d4e977578973013b27405c771a7a50ae05fdfdbffcee8548

Download Submit
C:\Windows\SysWOW64\Goddhg32.exe

Filesize
45KB

MD5
6ff4d65e58da8337f5a10ec388e2b30d

SHA1
0936372695bf95c237dfdbc5e21e5a021bb2ad2b

SHA256
7c6fec15da2225f09214001021312d5383010ff6f22f3cce15d8a12cb441ebe2

SHA512
29f63f9e9e18a5c3eeeef17e1e2c88ac8f73bc784b9bd744ea5bd492cde0fedd1985d8352128583e94a051e295a3a2565fbe3fab41c6c9508e40fae86df60ca8

Download Submit
C:\Windows\SysWOW64\Gogangdc.exe

Filesize
45KB

MD5
e0cfd8fe2e07e4bc3ef663afbb208c4c

SHA1
33eb1022e4b50691c51f4726dd34e77abaf88b34

SHA256
e44c78292b30eca2ec2ddce63d2708a24f9bdfc6ed1b47371f85acf82bdd6ae2

SHA512
e5befff201ac9038a5519a5e8ec414468b2288bf6b3ee147bd385eebfd164b75448883d81d1ca1dd0379a985f6f8abd0238e371c92cbbf5fcaff50e1ab8403d5

Download Submit
C:\Windows\SysWOW64\Gopkmhjk.exe

Filesize
45KB

MD5
60fe8026e78bcbb5bbc7a90a03690a74

SHA1
7e46d17782abd32f5399e34ae9328161b06e511c

SHA256
31d35f4a65d6755cb259f9f8fa33528842e5947d072c7d92596fc03c4942b3ef

SHA512
394567ad588a4cc4c9e75554689f3c581df278a5a9aec346056f6a1805678867269e0b302e98cc63821bb248a89fe8665fc3dd9ece8a4911fcc5a67832a1a674

Download Submit
C:\Windows\SysWOW64\Hcifgjgc.exe

Filesize
45KB

MD5
908fb022cc0bcbc55c93e54b40dce5f4

SHA1
7cfe0f3c81684d924d1dae0ca9594b1f84d3f2cd

SHA256
c11c56a3b765e5cb76805f0d0b35ed25cebd5eeddecf72fa468835379520b8d6

SHA512
d10fb8162b68a5cd8a68540edcd5396c0eb3a3a50e3531d1f736d554e449163fc604399f3dd55fa8c99e7546dc6e6104fb04e401b5d02342e82d4537f3e19574

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
19KB

MD5
333dd79b6a8bdbc823d66a26d2f92391

SHA1
857b06ee79df52696460823b1adbe973290ed286

SHA256
fb41a45104e2783c269b5df725a09c30d142ea159259da2d5d7ffe37e5556a32

SHA512
4db355abf37de38f6b7cb8de6d8fdd11879634cc609ac24cd42151553505b9e37cc6c33959a1471d9746611d88ab8c29b3b62b9948a433595ed05e3f7eba72e1

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
45KB

MD5
a31f78d8fafe1926f2ffa83729f3a77d

SHA1
6a04f6916569bd2207bffff52446e08e13a54728

SHA256
cce6339b5bafada54c044721bd01d7e873b7d76936d38701994731de7ddb7b98

SHA512
d8cb91925a938f922454c1a27c98a2b034f1eab675f421492dd8662dcd2368ebe894d85169ca2ec735f08fca4ae20432718542a3e1d8bacc8a8b917ace0d2dcf

Download Submit
C:\Windows\SysWOW64\Hgdbhi32.exe

Filesize
45KB

MD5
5856717ca419c14e058ff86b3d13c526

SHA1
0f67b73cfcae73c2517c2d977b81568a3a0bbaa2

SHA256
b172a5e80ee7deaeff1598aa83fbe98662a7cc1d5af7305403eab5c7446fc490

SHA512
61ba9566f36d82296efa180b37823ecd643b8150c1ad458655cc0fa349d9b580a9df6d9ebe845054570cd8e24b51a349fa8811355394228d1e461d8fa34f72d5

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
45KB

MD5
c8a2cb484067cfd81bae7154f9ea15c8

SHA1
dda41740a8b28187612bc6341b99b67e6759d1a8

SHA256
3d48704ced85bb0b95fdf1d083148a023279be9b864554ea88f9a52e6ac68e94

SHA512
47b2a14a504a40ea855539b8c14c9d5a7273626231ff6a3d400007ea13e52dc8eac41ef2ef4e7ac254ce17fb73c44a45c240edd21a6e0e293b3257e99a7c88fc

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
44KB

MD5
1d646e29bb775d07d6a9a61a76b5ef77

SHA1
478cea413a850a4c3454882902178d5d27095f21

SHA256
3bb736fcf6ea7274e8c963bfc7db82cfbdb7c01b0cc7356e2a45e2c0bacb4507

SHA512
774e4d70aee4bab46d90155fcee5fb5537a1f84daa68efec8a93eb7d61cb3c49b06f5d4f559c2bee0cc3e220886c0661ba945043369eee9da5d2e4c413b1cbcb

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
45KB

MD5
fe69de6d60518e464d93584e88ebc536

SHA1
3913bc8685a4011270acab1a95fdaedf291446c4

SHA256
ad4fce315281f7564731869cf141e751d5aad346c236a71d0439e1c8b22a3afc

SHA512
45e9eeabf34f1f7f829fae3756ea13f294e245a6f7a6f24e645a5050006980d42c239babbd33931b2565c83c0f233f0b0aa0d1391ac2ac74fa929e208e48edc7

Download Submit
C:\Windows\SysWOW64\Hiqbndpb.exe

Filesize
45KB

MD5
99d804310475ad8ceb704f9584e565a0

SHA1
64c4f93a41c9ca6f326bb4f97dc062f56e048730

SHA256
40a1618773aa3110f303b5177f12549764d1b14bd748de2c3c183a26db34e89b

SHA512
2557fdc0d773d6de04b05e4e4d8595ad9b14602bdf277d3118cb14d524a2a2fb9ee50131a4d29f1057eea6e33183fc05cf1cfbdefdcc197426dafde1c28b53d5

Download Submit
C:\Windows\SysWOW64\Hiqbndpb.exe

Filesize
43KB

MD5
f871fcb1f2d834ba2bcb6041f6c881af

SHA1
6b7646f31051d77d2785a420845010f7456f0715

SHA256
78ef20c528043b95dba5aacb68ccc2d9999aaa3b32b6d3a763231cfccbdefdc3

SHA512
38088798cdd075f85ae4b98dcaa041e1e1ed50b420403680bb55bfae0cec1c7848dabeffe65649c2a05e7a1c546b493224910f518b40cd700bc98a2e7fdf63f1

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
45KB

MD5
1530701e8423ba9123f5a2b8634e6848

SHA1
c7eede7953171803455a85fde1c18cefb2ab15b6

SHA256
e174ef1475ce33c2d2a95eb03fa953734dd9a442c91ee89857f090472e8e5e4c

SHA512
a1f2c730496db76407bf44f73ff5ca23d9614880d6738ce30a5d6df817dc274ba853d352f02a98f2e3bd9d62ab4a73037bf75b087188c2a8362aba267c8e0c2e

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
45KB

MD5
48d86026579a3a679ebb4536145d00f2

SHA1
f3f06d4182e27a13864e85fabe6a65c513a8a3cc

SHA256
048b92e3d9227b23ea05f256004c69f32b35990e363ad22c80914d8f7de54e46

SHA512
a816dc326b5a2361374f0aa67efd601a5a4f7c6a99199eb16aa0758ca4cc00f1a800cebea4ef4945c49bcac656dc4a082bce759f3321158af50bf015ea8ab46e

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
45KB

MD5
5f11eb6810f5e87bab45e999a26a233d

SHA1
0a62e3ee3d4ac9404c2fc6b4ea82896e4cddf7d4

SHA256
f90c678433f4ecc4990452b2c35ef3a6a62b21c661cc36f2f702aa4716c21aa8

SHA512
1459086201473a8b75319bd5d5d75fd3828a3e4ce3e7363d485aff85161d31b748cd58efb23bd442ac2fa076cb0d84168e5b1307116ee5d8d16cb4be731d0733

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
45KB

MD5
580fe68d86588e8fc28388177781d9d0

SHA1
49e827963ffcffa3fcb532118ccbabcbaf7eb19e

SHA256
afd57f626e4019f53006fcb93d7050dd1945fb740d41763eb62396a726c4f865

SHA512
d83d0af14da12f455f52cec767645a8eba7fb8c819012bfa7a4ae1a63efd39cdad836f33649b10ee5498b82e947ce784f0866101b355f12f3737498b1c2fa2bb

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
38KB

MD5
c0f20b789328d3e084157ac0ec08250a

SHA1
e5fee9ac04b95918dcb29035f1373fc2a1ba9e37

SHA256
47790057ad1480a98d41d91bfa10fa012ce16b01d5dc95d8c8c1f99caacce9f8

SHA512
bb053f3ec1c69bb59494d2518c3a563687f7cdd832d8c861b75bcbd107d17ea9e41bfbc3b837eab08fcd1d7183cd5aba92fbe55cf831d875e48e8d3393fb99b7

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
43KB

MD5
e0ee5e5548cd691beca08af08dcc91b8

SHA1
d061e61f0ca5561ea35980437f2f29cc7f2d4bcc

SHA256
d7594d5e5a022bfd505a95b9adb35b9a6136388e346b3ff6250b864ff5d34a2c

SHA512
6e7d088c2e44bca3184b858aa70b5e862a7d5f9019162b331e3585a93cb91aca437533f5af9d4f782cb4bb9a403ffda2b0273669f1b27d32b92b7560c4768617

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
39KB

MD5
de265699e4939aac727c8cf7cb761fd2

SHA1
f7353e03d8ebf69e9e6a055b7b56a8f9629f52d5

SHA256
dcccc95dea9bf0df1a14c4b5278db4d6348b7c8cca20b79d78bd9a47002ab91b

SHA512
69028a6f9af62094c3004720bfbaeca0b959f6d794b67da44af556905bfa1b8a60e236237bcaaa2c32eea4146c6efd1c50321343f8a2aeccaa797f0a91141ed4

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
45KB

MD5
927ae2c82b5d607bde45fc286bca8d93

SHA1
3bd5a411df6e11494e4cf66f07122ae900001aa6

SHA256
c6a224b4dc1a878a26a255e2191573b3061c0d147347e0dfad8cf9aefc5215a2

SHA512
431256b75b8009a7039f367f3c137f8a307e7a4fc476f51509f72a951b7754e83e729e7d061b92f8b59219491edf36d0644d4e12adf4bb4c9f9689863e97434a

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe

Filesize
45KB

MD5
ba6374404496909c37de99a0ed0d328c

SHA1
a0419f3103bdb08bd048f40ebe9c7f7a4a2ddf83

SHA256
b04c64ee7fdd2b9f3b912c442fd6040979c3eb6ad4116a83ad995254d887c976

SHA512
51117ba31aad12e09bdebdef09960178ebf1c36d6118c560aa089723d60428159ba3e6e0a6e484fc1e0f008507d58cd92eb8245a38236948bf4d113dafb23424

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
45KB

MD5
a64c1f8f207e45ba436dc242a39a1c66

SHA1
ad9095aea67d5e6c016c8d8f50bf43b4869a89a8

SHA256
bb9376d00c31177c8616ce88423c9fcd9638a958d44d9ed02bfbf8ce143e5ed0

SHA512
a8990bb8d577c706b1bae6eef1fd76db3a3111a94cef58972eb3acd226213f56fb34d0e807d16f0f01bfade957b0bbafc51bf7ad4e1918c2214272ff67af5b63

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
45KB

MD5
0908f6a8af9f9afac7a454af8f74c4f8

SHA1
9e48f8ecb094c69d022254948a633662bf1eface

SHA256
dec2f41620a664786c0f9176a5cb025eb2669869cd336fac37a82d9619c6b3ce

SHA512
7cf2da4080c3456750cf48dc4a076a27f2ce8804e9d05cf95c373ba96a59a8cbb484f23d02e893b9b3186b6b3d601ceb47a74f33ac391d0725d21bf21a35b471

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
45KB

MD5
8d48dcbb55c7791d7103dd287a72c95d

SHA1
412989f5d24e6a81c4ec1cd5fcf7b16b650c5054

SHA256
9858993242c28bff24908a0adc82d19381b1d4f2670b6e9f7e97d6e9e01f4196

SHA512
c49fa3db9578852cbfbff1fbe8303f276b96b772796ae952ccfcc5cdd6e70052a2e4a257246e069023aa322ea9bdfe204da28b8a13209918b199adf3f640767d

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
40KB

MD5
68ec19f7b595e94b6391baacb0eb2e74

SHA1
6e80906c5f26e04c88cb1ea5aaf2d5f035712dad

SHA256
5933187ba38e5bc6bb48236ada07c9085bb08223b5297b3dc96f8fd69f3ec3c0

SHA512
7e9754110bbccc1d4a09329750ec342cfab4eeba5b8a2dfcb4b38e5bbc298459b37d079c0ae0c3a833e0b2e4c9b8ecc2d479811710af30e00a1f3a2c8e9f8b7b

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
13KB

MD5
6d32a180de3caa1b1e60ef030a27e785

SHA1
aeee4169769d06b8cc09674b7cd3663f13e4cf17

SHA256
2b81071a7b355c623c335cfacdf4cfd193fef9b32733a39de7bfff8913e1e06e

SHA512
43519679072b0a6c2b7aff13aad119ef45d11654d20f822b1c9ef77d692b9e066dfb865d7de9b5b6548845c809f9bd53cd7a8003dbbec8e17d95854c5c2aa281

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
17KB

MD5
8883b6147f5a17b5f862fa892ee1d6c3

SHA1
a86eb107fec6000f70f7b41936b32b61e8ef5121

SHA256
1b33b08a32c76afe5965de2b28647ba41b61dd84c7873b3364625976a89d00c7

SHA512
d20a2ef8299f05397e4dc8e972cda07e74bb5cd219be1ca704abc0ef6b8246d27ba1dd15f4e770e535f52e6cfa56d5e0f8cdabea384413ea027dc0c9e5c615a1

Download Submit
\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
45KB

MD5
1648ddef6c24eba217167182b147d9c4

SHA1
7bdc24c4c122ba418e3299fe44b454f383feeb3a

SHA256
8efdef9480cd8442326cf274f0839d0c39383aa6133dd8cdbd254d54a612483a

SHA512
7f65f9e772fc2b77de33325e09927d1bfbf576998caf4f915f8384c195d258878fe00dec9f8ebd54a11f0db3693df38e1f1fe5799eb2b84b965b08daec2d0cdf

Download Submit
\Windows\SysWOW64\Gdopkn32.exe

Filesize
45KB

MD5
002046f53a917696a34b1aa253339472

SHA1
929eafdea9bcec356817ea82a02ca4eb56a40922

SHA256
ee26ea4c8f82dedd82fe67103a1507fa7568ecd4e9fa0aae0a76229b5ff5431d

SHA512
af2ab8c306b49a054d39f275c58a8d378239eb8b1051be21759410534385d872a040ff41531c4d9a88f7b66537e48a6fcf8a6ada4e0f992efa65d91b8e878f71

Download Submit
\Windows\SysWOW64\Hgbebiao.exe

Filesize
45KB

MD5
bbbff1a4423f5b68634e24e63915b6fc

SHA1
fef1c38132be21f5a349d92d0ba02e15615b8bf4

SHA256
a69fec36ecfcaca7f12a64ff888e42f92a51b688e7125093b4a916c34818f06e

SHA512
ff66c45c9e9d28f1f31b14573a4bf04617c7e1590aa4b9640149334d2b69624ebe0f2e1870ac23f6a092530fba2b5b515608d51a5c3a5bb1d0a269b1bca848e9

Download Submit
memory/692-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/692-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/848-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/848-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/968-281-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/968-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1148-239-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1148-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1148-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1456-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1456-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-457-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-404-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/1724-397-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/1856-409-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1856-414-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1856-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-333-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1896-324-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1900-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-271-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2032-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2180-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2180-419-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2224-282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-287-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2224-292-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2232-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-101-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-451-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-133-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2420-372-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2420-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-361-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2440-366-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2440-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2444-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2464-406-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2464-391-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2464-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-304-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2496-298-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2496-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-340-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2548-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-45-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-53-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2676-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2744-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2744-353-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2744-350-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2764-211-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-4-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-6-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2872-12-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2932-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3004-335-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3004-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3004-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-93-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3012-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-309-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3016-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads