c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe
Size

192KB
MD5

4f16abbe308c0d78c43269738b0e7d92
SHA1

65b8c8943f5ab23b8a35fc7c17bf98cc06104bcd
SHA256

c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc
SHA512

5660340b9d50cd489d3cadafcae98cf7739ba174df0361ff248389021bd2e8efa8907f7304cf2fe8ccdbd653effed8bf5bd3425585cae6244857c9ec398fe251
SSDEEP

3072:s85ilQbx/ASnBhL86iC4Sp+7H7wWkqrifbdB7dYk1Bx8DpsV6OzrR:P5iabBASBhLriCBOHhkym/89b0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe

Executes dropped EXE 16 IoCs

pid	Process
3040	Gpknlk32.exe
2620	Gpmjak32.exe
2240	Gieojq32.exe
2624	Gldkfl32.exe
304	Glfhll32.exe
2936	Gaemjbcg.exe
2740	Hgbebiao.exe
2816	Hmlnoc32.exe
1444	Hlakpp32.exe
1516	Hnagjbdf.exe
2636	Hcnpbi32.exe
616	Hodpgjha.exe
916	Hjjddchg.exe
2488	Hkkalk32.exe
1264	Ilknfn32.exe
2008	Iagfoe32.exe

Loads dropped DLL 36 IoCs

pid	Process
2172	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe
2172	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe
3040	Gpknlk32.exe
3040	Gpknlk32.exe
2620	Gpmjak32.exe
2620	Gpmjak32.exe
2240	Gieojq32.exe
2240	Gieojq32.exe
2624	Gldkfl32.exe
2624	Gldkfl32.exe
304	Glfhll32.exe
304	Glfhll32.exe
2936	Gaemjbcg.exe
2936	Gaemjbcg.exe
2740	Hgbebiao.exe
2740	Hgbebiao.exe
2816	Hmlnoc32.exe
2816	Hmlnoc32.exe
1444	Hlakpp32.exe
1444	Hlakpp32.exe
1516	Hnagjbdf.exe
1516	Hnagjbdf.exe
2636	Hcnpbi32.exe
2636	Hcnpbi32.exe
616	Hodpgjha.exe
616	Hodpgjha.exe
916	Hjjddchg.exe
916	Hjjddchg.exe
2488	Hkkalk32.exe
2488	Hkkalk32.exe
1264	Ilknfn32.exe
1264	Ilknfn32.exe
596	WerFault.exe
596	WerFault.exe
596	WerFault.exe
596	WerFault.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe
File created	C:\Windows\SysWOW64\Pnnclg32.dll	Gieojq32.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Ooghhh32.dll	Gldkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Gfoihbdp.dll	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hlakpp32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe
File created	C:\Windows\SysWOW64\Gpmjak32.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Gieojq32.exe	Gpmjak32.exe
File opened for modification	C:\Windows\SysWOW64\Gldkfl32.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Gcaciakh.dll	Glfhll32.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Hgbebiao.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Gieojq32.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Lkoabpeg.dll	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Jjcpjl32.dll	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hjjddchg.exe
File opened for modification	C:\Windows\SysWOW64\Hlakpp32.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Gldkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Hgbebiao.exe	Gaemjbcg.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Hmhfjo32.dll	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Gldkfl32.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Anllbdkl.dll	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Hgbebiao.exe	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hlakpp32.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hjjddchg.exe

Program crash 1 IoCs

pid	pid_target	Process
596	2008	WerFault.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll"	Gieojq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3040	2172	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe	28
PID 2172 wrote to memory of 3040	2172	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe	28
PID 2172 wrote to memory of 3040	2172	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe	28
PID 2172 wrote to memory of 3040	2172	c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe	28
PID 3040 wrote to memory of 2620	3040	Gpknlk32.exe	29
PID 3040 wrote to memory of 2620	3040	Gpknlk32.exe	29
PID 3040 wrote to memory of 2620	3040	Gpknlk32.exe	29
PID 3040 wrote to memory of 2620	3040	Gpknlk32.exe	29
PID 2620 wrote to memory of 2240	2620	Gpmjak32.exe	30
PID 2620 wrote to memory of 2240	2620	Gpmjak32.exe	30
PID 2620 wrote to memory of 2240	2620	Gpmjak32.exe	30
PID 2620 wrote to memory of 2240	2620	Gpmjak32.exe	30
PID 2240 wrote to memory of 2624	2240	Gieojq32.exe	31
PID 2240 wrote to memory of 2624	2240	Gieojq32.exe	31
PID 2240 wrote to memory of 2624	2240	Gieojq32.exe	31
PID 2240 wrote to memory of 2624	2240	Gieojq32.exe	31
PID 2624 wrote to memory of 304	2624	Gldkfl32.exe	32
PID 2624 wrote to memory of 304	2624	Gldkfl32.exe	32
PID 2624 wrote to memory of 304	2624	Gldkfl32.exe	32
PID 2624 wrote to memory of 304	2624	Gldkfl32.exe	32
PID 304 wrote to memory of 2936	304	Glfhll32.exe	33
PID 304 wrote to memory of 2936	304	Glfhll32.exe	33
PID 304 wrote to memory of 2936	304	Glfhll32.exe	33
PID 304 wrote to memory of 2936	304	Glfhll32.exe	33
PID 2936 wrote to memory of 2740	2936	Gaemjbcg.exe	34
PID 2936 wrote to memory of 2740	2936	Gaemjbcg.exe	34
PID 2936 wrote to memory of 2740	2936	Gaemjbcg.exe	34
PID 2936 wrote to memory of 2740	2936	Gaemjbcg.exe	34
PID 2740 wrote to memory of 2816	2740	Hgbebiao.exe	35
PID 2740 wrote to memory of 2816	2740	Hgbebiao.exe	35
PID 2740 wrote to memory of 2816	2740	Hgbebiao.exe	35
PID 2740 wrote to memory of 2816	2740	Hgbebiao.exe	35
PID 2816 wrote to memory of 1444	2816	Hmlnoc32.exe	36
PID 2816 wrote to memory of 1444	2816	Hmlnoc32.exe	36
PID 2816 wrote to memory of 1444	2816	Hmlnoc32.exe	36
PID 2816 wrote to memory of 1444	2816	Hmlnoc32.exe	36
PID 1444 wrote to memory of 1516	1444	Hlakpp32.exe	37
PID 1444 wrote to memory of 1516	1444	Hlakpp32.exe	37
PID 1444 wrote to memory of 1516	1444	Hlakpp32.exe	37
PID 1444 wrote to memory of 1516	1444	Hlakpp32.exe	37
PID 1516 wrote to memory of 2636	1516	Hnagjbdf.exe	38
PID 1516 wrote to memory of 2636	1516	Hnagjbdf.exe	38
PID 1516 wrote to memory of 2636	1516	Hnagjbdf.exe	38
PID 1516 wrote to memory of 2636	1516	Hnagjbdf.exe	38
PID 2636 wrote to memory of 616	2636	Hcnpbi32.exe	39
PID 2636 wrote to memory of 616	2636	Hcnpbi32.exe	39
PID 2636 wrote to memory of 616	2636	Hcnpbi32.exe	39
PID 2636 wrote to memory of 616	2636	Hcnpbi32.exe	39
PID 616 wrote to memory of 916	616	Hodpgjha.exe	40
PID 616 wrote to memory of 916	616	Hodpgjha.exe	40
PID 616 wrote to memory of 916	616	Hodpgjha.exe	40
PID 616 wrote to memory of 916	616	Hodpgjha.exe	40
PID 916 wrote to memory of 2488	916	Hjjddchg.exe	41
PID 916 wrote to memory of 2488	916	Hjjddchg.exe	41
PID 916 wrote to memory of 2488	916	Hjjddchg.exe	41
PID 916 wrote to memory of 2488	916	Hjjddchg.exe	41
PID 2488 wrote to memory of 1264	2488	Hkkalk32.exe	42
PID 2488 wrote to memory of 1264	2488	Hkkalk32.exe	42
PID 2488 wrote to memory of 1264	2488	Hkkalk32.exe	42
PID 2488 wrote to memory of 1264	2488	Hkkalk32.exe	42
PID 1264 wrote to memory of 2008	1264	Ilknfn32.exe	43
PID 1264 wrote to memory of 2008	1264	Ilknfn32.exe	43
PID 1264 wrote to memory of 2008	1264	Ilknfn32.exe	43
PID 1264 wrote to memory of 2008	1264	Ilknfn32.exe	43

C:\Users\Admin\AppData\Local\Temp\c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe
"C:\Users\Admin\AppData\Local\Temp\c4238b9b44867719f6d9ce34242f6c05583b4718a8a08926dfffbed1b33755cc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\Gpknlk32.exe
  C:\Windows\system32\Gpknlk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\Gpmjak32.exe
    C:\Windows\system32\Gpmjak32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\Gieojq32.exe
      C:\Windows\system32\Gieojq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\SysWOW64\Gldkfl32.exe
        
        C:\Windows\system32\Gldkfl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        17⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 140
        18⤵
        Loads dropped DLL
        Program crash
        
        PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Glfhll32.exe

Filesize
192KB

MD5
1ee772779bf0224e10fe5e9dea126084

SHA1
877d255952c01ab2d142d5ca5def1776fdd4bc50

SHA256
695e83ffe490b02a3ba6ac4232614715e3c2fb007619beb7cccb8ceccf208909

SHA512
4e8e54b3b997d63c2f7acd7850ddba5114a26b83feb1608285971354a284a5f710f51d5b950952ea4ecc5379c00e9d33a54d250bd102b84ae46c764f1dd8ef81

Download Submit
C:\Windows\SysWOW64\Gpmjak32.exe

Filesize
192KB

MD5
f07d9844aaeb0d2d1c4820009e2249fb

SHA1
987514c8c585a2abfcf8edf682f8733782a0e444

SHA256
e896405587219bd234661ae153d393a07d021171972fdb8d3d4f76c41c16e8fb

SHA512
f9c90b1dcf99acc39f06033cf5ace601669bf4c6bc16ba59c9bbb05e4e0f7febac8298585c0324e3ea7cf4be2681436c0b40b177d93c4b88412bc4ce54136f2c

Download Submit
C:\Windows\SysWOW64\Hgbebiao.exe

Filesize
192KB

MD5
279987f9cefc0188063e9b66cf42c87b

SHA1
5c0c74d59c470c5f06f58ec7ea7eb67169a8ad9a

SHA256
1427e5c13237d428941b6805fe8167781c142997766a327a01060dff7bd23216

SHA512
6e1f2d3d4fd3a607d5282492785b86acfb855a6e2b513413234892890ab8443b30f2fa201d9718be5ad1379dc396177b0666060a6768ed6fe0fb38adbb4708fd

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
192KB

MD5
708e0c0f761ada7a25563cc8f365e8c6

SHA1
e468d43ded9a07df622b8c5aeced4a5a3c1b921b

SHA256
174cf4b3732511dc16020d451139ed19b64b914568b8dfc8f5b0e79a28b90e26

SHA512
95c9d8037a5cea514df461d246a33ac28918e5b5b864e5fafb973277a73a42c0c10f0f245b7822e3669b1b7ec32ed091d98e520328248fb3ef38a2d9de7d251c

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
192KB

MD5
82a17eb3ebf138c287d481341cace383

SHA1
f1a8085190ac5284522ed9fc0a39e6d97951d35c

SHA256
eefe98cc0da566551435613f7a82623461ca1ca587850b72cb244af8459c9c19

SHA512
48ebd361d9ec4bdda63da6e9680e3f566277d2622a104fc9a6606a95c4dd86af51d441f548edda9204c7115efe5de4342ef3f5e3d978efedbc636a22af1d4bd4

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
192KB

MD5
27784c1cee78aecdddf3eb0b87ea88d1

SHA1
b0327d80be69e1a45ed10a5f7d082d79945ecaf0

SHA256
e86b96780a6aa4157e4cd569aeed1c2833b766d9575a21f35e228277c273a8a3

SHA512
e267350e70a093277794c3b7ab4e542acc8cd0b46193b54211af0cf2731707823747a7d434448a7f0b9c84deca2d6c1937ee57af2ce43fde842b86b8af9b3b65

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
192KB

MD5
ceabb2cc6cac88d126f6c0b94749dd29

SHA1
8e1c6484217f55c578cf96aa8da176460ae9daaf

SHA256
2b802ed69f333366f0ec3e6bfe72ebc426274c7270a05f716c74080a4b7c9e49

SHA512
e888e15fc411ed131be0291611109f1365097c6de78f48622aea22861b92abd94cade544afe53860625e0a730d27b3d96956c7d3b97ef0a39ad0b3bf2aeeaae2

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
192KB

MD5
4c3a0b8b8407c3cdae305ad8a5cb7e1f

SHA1
5cf71b826ebd07a4ff8b2892265813b9543bfe59

SHA256
97dcf052adbdf42c674bedd5a09cc991eb9542b52966192e699d8291683d361e

SHA512
38446036e7874524c1b591c7986d7aa208920a8893685af95cb62fbed655641633bb1609392a4b5122425b9404ea73c4f0359940bade0ac9d6c213957fffeda2

Download Submit
C:\Windows\SysWOW64\Ooghhh32.dll

Filesize
7KB

MD5
9ec72969fdbafb873b2ca23a8a4c8b20

SHA1
fcd71ba835a59fa1a67aa4b7051f75851955029a

SHA256
fd791d3c45e2bfb67b80c6d6e8676c002385b6d00548c359ddede4812431b51f

SHA512
08de6992bd0845f859d64cd6411aca83c0f72b30c30689c6c081129159a940568e9b7aa99c1ba2616ff27e3360a51e6eb6ddb001a54809d951af211f34b25ae1

Download Submit
\Windows\SysWOW64\Gaemjbcg.exe

Filesize
192KB

MD5
35362365f6d0f62f2be4fa7858764e98

SHA1
af6aef4c8db96813e9bf27c2e487cd84cf752708

SHA256
90b4ce1b52cfa8d8c4a4d871f9051fbb171476bd83488748022105b515ca47b9

SHA512
563a9accacb2db2408332f305621aa513077f79d1b593e05a16d53c66a33deed704db63ec6c6cbcbc1d2b63569c5e46356b8655e0e8fb7abdd84c28463d25e0a

Download Submit
\Windows\SysWOW64\Gieojq32.exe

Filesize
192KB

MD5
d2ad19f0224226cf7a6ff9491ed1d940

SHA1
a812bd856924738e77c73b82a445632a31d638a1

SHA256
f04d6913249f577756676c2bea61db5f08b3b76009d56532acb73830bc332807

SHA512
b0804995c794f5c2b0be8dcc5addce6d184a25d654a39d45039e35aced1747b080377ec384ce658c9cd0c5ac70aba27ee486080fe8af30241326f14db4ff7401

Download Submit
\Windows\SysWOW64\Gldkfl32.exe

Filesize
192KB

MD5
082ea24c6c2a74f23ea3d61c50907beb

SHA1
48566a673c3ec9ca0a5ec0747fcb1e87dc69812b

SHA256
6af1fa44071404eafd76f5b10402248018d0b92e9ea9930bfa7102ca7577472b

SHA512
5f1f1f6a2ad161842efea07c05edf6d23fc8daaf53e5b23dc26057f4fef0190d78d9f96d868a06d31b3cf3d728ae0819917e513d995be27d80d931f6b87d71ff

Download Submit
\Windows\SysWOW64\Gpknlk32.exe

Filesize
192KB

MD5
8b92258585b6ce0389e8ebbb82eca845

SHA1
1a05e77ab97956e70b980335f39811f1c036b234

SHA256
9ee33f9425f3bed3dc022da3713296af80da834cfaa752589129016cf410a889

SHA512
04c0e86abf747245d193a147fa5227bbf0b1217dbd9cc7b241885a10f2503ba671b4a3f28e3261fbdb2f9a8985b5b97f38112671041c59bf5f038110358b3900

Download Submit
\Windows\SysWOW64\Hcnpbi32.exe

Filesize
192KB

MD5
2c71935c72ac022c4176b3525e361e78

SHA1
20f931d2c3be601dd568770b35f8136bf30a94c5

SHA256
d54a9ce217329a02a4d08f84b519313fb956b1ccc1ae9780701dad92fde79321

SHA512
c3093685d13f087be8f6d1f2fc5ed131edd4ef4d521f6d577324487a959d0afec608a8234ecbd837387e8c7ead3b3af3bea6236684796b677a2063d53e1a57be

Download Submit
\Windows\SysWOW64\Hjjddchg.exe

Filesize
192KB

MD5
60884daa44397f361e993db1660640db

SHA1
10b86c431e7f6e4b0038e0f441854efefe61e482

SHA256
0394fd6264a358fd90fddc8d4554b370fa4739b2d1229d30bd0ea46c3fed6f93

SHA512
52df79007e758183918492fc7ec1a9d93a65e4e9c0ad854076c29bcb5204e72b3089f0d53193d65052b685bda107313e2e7075c32c90e2449fc73b83931fe50d

Download Submit
\Windows\SysWOW64\Hlakpp32.exe

Filesize
192KB

MD5
15de47fc0d164ffe5ed3522c401e72cd

SHA1
3bda21f1726077b477ea915a613bdbc1b320a42e

SHA256
fae84964774373a29c5693f10141b7292938f918e3915c4782eb8a0295c7b107

SHA512
32c486216fa4c802847b5a502de232128058b14a65951034b8d836239c08ecc5473836170c8251f4ea44f77d7a729cfd733de599035a9a73464df4809d902795

Download Submit
\Windows\SysWOW64\Hmlnoc32.exe

Filesize
192KB

MD5
6753d28cc273b4f6057fe657048529c7

SHA1
9040d3401aa4370135329e7990bf2ff15606559f

SHA256
8facfb0846b85f3029a4a7b102401d4ff6230b8b04e93fc39121306ec4643376

SHA512
b286c40ab87df91fc5aa6b5e1ac15d05371dd5d33ee580119087f38981b5149d5920c161f96ba0166b5daf8ff0e5335b3a64fee578638091752f337b7ed74ccb

Download Submit
memory/304-73-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/304-218-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/616-177-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/616-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/616-222-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/916-210-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/916-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/916-211-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1264-213-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1444-131-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2008-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-11-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2172-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2240-50-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2488-212-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2620-217-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2620-26-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2624-57-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2624-60-0x00000000004B0000-0x00000000004EF000-memory.dmp

Filesize
252KB

Download
memory/2636-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2740-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2740-92-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2740-100-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2816-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-119-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2816-221-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2936-219-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2936-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3040-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads