0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 18:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe
Size

199KB
MD5

ba4fbea06f4e77ba6d76f8ef8fc6f418
SHA1

3001fbbb64cb0a0c72881fb1085024b20438d325
SHA256

0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad
SHA512

b2a7bf9d479428cf96f7e82cde8767d76b708d041c89105ba81660fa1a53fbc1b951629e63064b76838fe79d782e10a0c2be86adc9f6d4d5943989231e3a7ef9
SSDEEP

3072:NNCFfU042SS5DSCopsIm81+jq2832dp5Xp+7+10K03Rq/ghavVQXxFaPsRbh:7y/KSZSCZj81+jq4peBK034YOmFz1h

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gelppaof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe

Executes dropped EXE 18 IoCs

pid	Process
2216	Gfefiemq.exe
1096	Gpmjak32.exe
2612	Gelppaof.exe
2576	Glfhll32.exe
2596	Ghmiam32.exe
2536	Gddifnbk.exe
2960	Hmlnoc32.exe
2684	Hcifgjgc.exe
2936	Hlakpp32.exe
1768	Hejoiedd.exe
1700	Hlcgeo32.exe
316	Hcnpbi32.exe
492	Hhjhkq32.exe
1576	Hlfdkoin.exe
2320	Icbimi32.exe
2296	Idceea32.exe
620	Ioijbj32.exe
416	Iagfoe32.exe

Loads dropped DLL 40 IoCs

pid	Process
2208	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe
2208	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe
2216	Gfefiemq.exe
2216	Gfefiemq.exe
1096	Gpmjak32.exe
1096	Gpmjak32.exe
2612	Gelppaof.exe
2612	Gelppaof.exe
2576	Glfhll32.exe
2576	Glfhll32.exe
2596	Ghmiam32.exe
2596	Ghmiam32.exe
2536	Gddifnbk.exe
2536	Gddifnbk.exe
2960	Hmlnoc32.exe
2960	Hmlnoc32.exe
2684	Hcifgjgc.exe
2684	Hcifgjgc.exe
2936	Hlakpp32.exe
2936	Hlakpp32.exe
1768	Hejoiedd.exe
1768	Hejoiedd.exe
1700	Hlcgeo32.exe
1700	Hlcgeo32.exe
316	Hcnpbi32.exe
316	Hcnpbi32.exe
492	Hhjhkq32.exe
492	Hhjhkq32.exe
1576	Hlfdkoin.exe
1576	Hlfdkoin.exe
2320	Icbimi32.exe
2320	Icbimi32.exe
2296	Idceea32.exe
2296	Idceea32.exe
620	Ioijbj32.exe
620	Ioijbj32.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gelppaof.exe	Gpmjak32.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Gelppaof.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Ghmiam32.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Hnempl32.dll	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe
File created	C:\Windows\SysWOW64\Gddifnbk.exe	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Gddifnbk.exe
File opened for modification	C:\Windows\SysWOW64\Hlakpp32.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hghmjpap.dll	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Gddifnbk.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Pfabenjd.dll	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Hcifgjgc.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Anllbdkl.dll	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Gelppaof.exe
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Gddifnbk.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Ghmiam32.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Ooghhh32.dll	Gelppaof.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Gpmjak32.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Pabakh32.dll	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe
File created	C:\Windows\SysWOW64\Hmhfjo32.dll	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hlakpp32.exe

Program crash 1 IoCs

pid	pid_target	Process
1788	416	WerFault.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll"	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlfdkoin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2216	2208	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe	28
PID 2208 wrote to memory of 2216	2208	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe	28
PID 2208 wrote to memory of 2216	2208	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe	28
PID 2208 wrote to memory of 2216	2208	0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe	28
PID 2216 wrote to memory of 1096	2216	Gfefiemq.exe	29
PID 2216 wrote to memory of 1096	2216	Gfefiemq.exe	29
PID 2216 wrote to memory of 1096	2216	Gfefiemq.exe	29
PID 2216 wrote to memory of 1096	2216	Gfefiemq.exe	29
PID 1096 wrote to memory of 2612	1096	Gpmjak32.exe	30
PID 1096 wrote to memory of 2612	1096	Gpmjak32.exe	30
PID 1096 wrote to memory of 2612	1096	Gpmjak32.exe	30
PID 1096 wrote to memory of 2612	1096	Gpmjak32.exe	30
PID 2612 wrote to memory of 2576	2612	Gelppaof.exe	31
PID 2612 wrote to memory of 2576	2612	Gelppaof.exe	31
PID 2612 wrote to memory of 2576	2612	Gelppaof.exe	31
PID 2612 wrote to memory of 2576	2612	Gelppaof.exe	31
PID 2576 wrote to memory of 2596	2576	Glfhll32.exe	32
PID 2576 wrote to memory of 2596	2576	Glfhll32.exe	32
PID 2576 wrote to memory of 2596	2576	Glfhll32.exe	32
PID 2576 wrote to memory of 2596	2576	Glfhll32.exe	32
PID 2596 wrote to memory of 2536	2596	Ghmiam32.exe	33
PID 2596 wrote to memory of 2536	2596	Ghmiam32.exe	33
PID 2596 wrote to memory of 2536	2596	Ghmiam32.exe	33
PID 2596 wrote to memory of 2536	2596	Ghmiam32.exe	33
PID 2536 wrote to memory of 2960	2536	Gddifnbk.exe	34
PID 2536 wrote to memory of 2960	2536	Gddifnbk.exe	34
PID 2536 wrote to memory of 2960	2536	Gddifnbk.exe	34
PID 2536 wrote to memory of 2960	2536	Gddifnbk.exe	34
PID 2960 wrote to memory of 2684	2960	Hmlnoc32.exe	35
PID 2960 wrote to memory of 2684	2960	Hmlnoc32.exe	35
PID 2960 wrote to memory of 2684	2960	Hmlnoc32.exe	35
PID 2960 wrote to memory of 2684	2960	Hmlnoc32.exe	35
PID 2684 wrote to memory of 2936	2684	Hcifgjgc.exe	36
PID 2684 wrote to memory of 2936	2684	Hcifgjgc.exe	36
PID 2684 wrote to memory of 2936	2684	Hcifgjgc.exe	36
PID 2684 wrote to memory of 2936	2684	Hcifgjgc.exe	36
PID 2936 wrote to memory of 1768	2936	Hlakpp32.exe	37
PID 2936 wrote to memory of 1768	2936	Hlakpp32.exe	37
PID 2936 wrote to memory of 1768	2936	Hlakpp32.exe	37
PID 2936 wrote to memory of 1768	2936	Hlakpp32.exe	37
PID 1768 wrote to memory of 1700	1768	Hejoiedd.exe	38
PID 1768 wrote to memory of 1700	1768	Hejoiedd.exe	38
PID 1768 wrote to memory of 1700	1768	Hejoiedd.exe	38
PID 1768 wrote to memory of 1700	1768	Hejoiedd.exe	38
PID 1700 wrote to memory of 316	1700	Hlcgeo32.exe	39
PID 1700 wrote to memory of 316	1700	Hlcgeo32.exe	39
PID 1700 wrote to memory of 316	1700	Hlcgeo32.exe	39
PID 1700 wrote to memory of 316	1700	Hlcgeo32.exe	39
PID 316 wrote to memory of 492	316	Hcnpbi32.exe	40
PID 316 wrote to memory of 492	316	Hcnpbi32.exe	40
PID 316 wrote to memory of 492	316	Hcnpbi32.exe	40
PID 316 wrote to memory of 492	316	Hcnpbi32.exe	40
PID 492 wrote to memory of 1576	492	Hhjhkq32.exe	41
PID 492 wrote to memory of 1576	492	Hhjhkq32.exe	41
PID 492 wrote to memory of 1576	492	Hhjhkq32.exe	41
PID 492 wrote to memory of 1576	492	Hhjhkq32.exe	41
PID 1576 wrote to memory of 2320	1576	Hlfdkoin.exe	42
PID 1576 wrote to memory of 2320	1576	Hlfdkoin.exe	42
PID 1576 wrote to memory of 2320	1576	Hlfdkoin.exe	42
PID 1576 wrote to memory of 2320	1576	Hlfdkoin.exe	42
PID 2320 wrote to memory of 2296	2320	Icbimi32.exe	43
PID 2320 wrote to memory of 2296	2320	Icbimi32.exe	43
PID 2320 wrote to memory of 2296	2320	Icbimi32.exe	43
PID 2320 wrote to memory of 2296	2320	Icbimi32.exe	43

C:\Users\Admin\AppData\Local\Temp\0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe
"C:\Users\Admin\AppData\Local\Temp\0bd499868a660e94ed5dfe8c167bbb3c300bb2f92150be75dbb3c842b95dbcad.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\Gfefiemq.exe
  C:\Windows\system32\Gfefiemq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\Gpmjak32.exe
    C:\Windows\system32\Gpmjak32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\SysWOW64\Gelppaof.exe
      C:\Windows\system32\Gelppaof.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Gddifnbk.exe
        
        C:\Windows\system32\Gddifnbk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        19⤵
        Executes dropped EXE
        
        PID:416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 140
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Glfhll32.exe

Filesize
199KB

MD5
2f416ffffbceeae2b59eb5e0b79cad74

SHA1
69acf7431a4ec0f5e1c34b5e7b3956016ee2b288

SHA256
22257cbb0988f8a60b3ee0e696e20342e27bbe5aa052686b4e9e205b2d179ed6

SHA512
520f88d0fdc18702c39271b641fd623ae678c977f3936ddb31286ab31757acf82367c4b218773a1e6b7ddc85ccc4058dd659b4381d09a56cd94d2335b54ec4e5

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
199KB

MD5
75a5c3887192a392a188e5a86932cb67

SHA1
391309b8d8ed2c48b6d530544bdfd3740cbd8a13

SHA256
4baac1903d5056687881526fd1c6d35682294ab2785bb3ada02f7dacbeeefd81

SHA512
8a0f85b0c6f3510287abcfb26e14808f60900b35158cbf149fce43db7868c50135a09cec45ddcbe6df55d81cf0dba17a6f6119c1f592f497fa39187caef438b2

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
199KB

MD5
20244f298da8e21c8bff60d46d0c4239

SHA1
c85281a3697aca5dd71faff1a392a9b936cb2023

SHA256
4ed88a2a324cdb61b28c6d6bfb74b30ee7104138395b34c55528c5793b8ffc65

SHA512
519052e13a8cee575a8c952b533f841a6b517bac479608c30cdced52022e6aa4a26ea14d1af03432b550b8ea29edce333fcac209f81331b1cbd09ca6f89ee8cc

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
199KB

MD5
3b63362c3cdefad2b8c3c279d4d0df63

SHA1
f811a4b781b06f8f7f5ec2589d7ac73033fa9079

SHA256
1ed97807ef7220d89ce357c37041ae18968e69b0ea8d54d250b0ab0aaed78c32

SHA512
68ce2d1174df189ae0fae57f3848a45f3cacb8ccb6259553ef3bc3084d5ac299118ce562cb2f450f59ae7c3674cd0b03a6e016ab031fdb75facfd4d408d2f234

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
199KB

MD5
fe42d31f6cf19073421ef7284318971b

SHA1
5d5097e53b03d7b56bf7704a4d044009ee862a1f

SHA256
99a21b9924cb2297b634bee21acd1f5b95f9df6e5067a5295c6ae4ff28b9ec23

SHA512
989e5a1cedf10dd14a48011fd61ccd36848ae65aaf5530660fc8e7a41ff428448267447251c7545f577f29ef44874757cfca1e6de274b89239e01b1fad2bb08a

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
199KB

MD5
c240c69d173a0e8c0b55dbc80e54042a

SHA1
da224956bd43f5e7a2278be0d11776478a83d672

SHA256
ef0248727e5e4dbdce94a4faca118f3f2f3400181402217e8e6c88d5d163ad04

SHA512
2622fdac759ea46c0c490b667d1de54826c1f16b5500f61aee7741a4a5f2d2793d6bebce303f0967c93e6c31ede25ee6a6a3e629fa6cc1507fd8233fbf5bddf4

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
199KB

MD5
08a19418469210021f179815ae1c3068

SHA1
98b50f1a7b053ccc44b934f23d6ae5d22a00c567

SHA256
93a0071e3e808d27d9afacb6db241d5c8e3f4902fadf6b0b3d8b23ae1ed949d5

SHA512
3bf7508e376e77923eb3f4824746c1520daffcd6fd8dec04f5d437be5e57daf4b46ae294d813c165046520fa4a34ff5f351f29b2c36693facf3b3cea9a010279

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
199KB

MD5
de2aa246317598508d504c3b3f6289aa

SHA1
ca2414cf17c1480bd63d8c0e16d439a5ac1164d8

SHA256
2b65111d49d3cb6b733e05887c4bd3101aeefc3b756e4a4d8837b5d690b405a0

SHA512
9190295cd354c17ac613cc2b7fe3efdcb5e3a981ee20221678a60de610be2c3384316695e28aef3ffdb389151fb0d4b431ec3fad09f229fb4d5b04c5c54baa4d

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
199KB

MD5
2c1e7234cd09660f5a517c9281709d1e

SHA1
3d01f30451c4458ce1952fde686a784c4686d37a

SHA256
e429578fb9fd145f2b322aae54d3be7d1cfd11e2e232a85ef942eb3820a51b21

SHA512
d460a4c784a184c293fd6fb6d6c4b18547c951dd693d3b8b5edaa5dac39360a54d4bc1ceaa0ad6b5a263409fec0ced51166d77661d7cc344dd27c84a93e916b5

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
199KB

MD5
ab79ab86098d06fcb5aa69e217a2ec84

SHA1
8c7baadedcb382ef198246c42066b43672ac1c0c

SHA256
9214b41c00a7b60a39b2d5dab15038c200336132a85b9eee5ffd1aef047b344d

SHA512
b780e6e9c4a498f54cfe56afc4e4c8dbb5b4092b53093586261068ee94eecd35de7b0088a96916d8e15666241665253736821e83b5dc71de45902c5adad503b2

Download Submit
\Windows\SysWOW64\Gddifnbk.exe

Filesize
199KB

MD5
ffc7e2789030336a0547e26eab9f67c5

SHA1
f69e6b5eedd234a0b80d28702aa87fed6097e92b

SHA256
8f70dc894a8d0098ea61ffaafe9a6a93875c32e7e3a87ac8ced079508468a200

SHA512
f083a2880c1862ee0ed9f4075a35e864991a92cdb7e20963db8c0ab16858eab9b764814b6a7feb044743a51a457b7fa05873dbfb2c663fcc39f6ea1268d4926f

Download Submit
\Windows\SysWOW64\Gelppaof.exe

Filesize
199KB

MD5
68793c77091d50c09ab7cde967804729

SHA1
d3f99e93c76afbafdacea6424e77c468d65afc25

SHA256
c6d19961f97a65ea99246be676498c0e055932c42424d3ccfd358722ccbbd2fd

SHA512
99d98d94b2e9ea2f5f621ab744c5a921f342500dffc96baf5393a7133b99a6be7116886bd159fdae0a2ca7216851a6f93b1409d33e6f5386de322784d19eb44f

Download Submit
\Windows\SysWOW64\Gfefiemq.exe

Filesize
199KB

MD5
b0b7bd91457a08157df4cdfb8173ef4e

SHA1
4d9a9f9f7f1d40779f5cbd752a8b1ceacc2ed2b5

SHA256
dccaf16c45af0545d66c656e57e01b31a713a9a43fbe9d3924b77503b99c2c52

SHA512
cb2f68b7cb1471ba3bcd5093e1e314cc14e05913191b8b39570299a9552887ea3ba6311fa7351682bde4f177fa5e254db1ae9cdadd3d81b1d5966427b07ba317

Download Submit
\Windows\SysWOW64\Ghmiam32.exe

Filesize
199KB

MD5
95af5b066d3a2a7b0331c04c505c149e

SHA1
0ab89aaacd167560ba91abf70e12283dbc480271

SHA256
646b2689b81651ba29c82268048dcdb55a10b7654c52126b8765d4f345218e42

SHA512
27ca6d519f4e670d54f172944c944d8bdeaedb7c1712ec217f3f39931a3b6f5d9a2f5e84142d8dbd73cc2763c5b7158e4baa796e3120982645227fa5de879d75

Download Submit
\Windows\SysWOW64\Gpmjak32.exe

Filesize
199KB

MD5
c45aa01dcdf0357c5f6fe97fd4b41a7b

SHA1
501f32b12eba4ba766262aca32c436efe38c59d1

SHA256
e9acfa419d5dc0e2e105d21448832306c94a4bee5742bfa5c4772d4c41cd10f0

SHA512
b998d276594bb221a6a0d13b2247d3a20f7965bfd627c0abe3bd51cdfbaf2f567669e40be0b4abc01b7af1ed39ab2e535554f5a58e0a18db83f7e494f6b6d5a2

Download Submit
\Windows\SysWOW64\Hcifgjgc.exe

Filesize
199KB

MD5
fff9cdddf20f6a8b2f4cb6bad19854c0

SHA1
1b68ea67eda3ddb3bf12bb5e5b485f217f361438

SHA256
f6708244c0c99c3300021e46ed9e7ee3763f7206eba63ff92a8239a548200ef3

SHA512
3629affb161b8cf2ce58d5fa72556130b065c0eb0570d6687ee3a07a3f6717247d0add33a7582006fb8bf7b9ced707cd8f8ecc727d7a1f3332433563f8ea6988

Download Submit
\Windows\SysWOW64\Hejoiedd.exe

Filesize
199KB

MD5
0cedb9cce996b6d29c5cbce7a5f601e0

SHA1
f1b4df135ab185e04b84731c176521e2701fa537

SHA256
fb219ed4b8582e158d4ff5a73211843024d9c6a7e1860ad0ade3a897bbaf7371

SHA512
b4cae1a500cc12a7336af9e3ae8e3ff884eab6318d5d0306d015214f3ed37e00f45f08f51f7872e5919ae4afee8ceb9b5db3c36a8fb9602b9f12061ffe8cb0a1

Download Submit
\Windows\SysWOW64\Icbimi32.exe

Filesize
199KB

MD5
9032464136907b8a66a44c02d98bae59

SHA1
d11997d35c58095c283c96e38e9502263f6a4e2e

SHA256
1936903bf0ec1feb54a11d7e8f16630abe76a35c115d4cf7515c4262e8468612

SHA512
48d8939f33479017a9cedb6c88bef300111b8cc111feb94a0cec7344f0b095731a99fbfb94f17aff8b5d6054ef51e1abbd30e8441d9ec8be9739e5642a7fe3b8

Download Submit
memory/316-174-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/316-246-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/416-237-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/492-180-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/492-183-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/620-236-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/620-231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1096-239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1096-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1096-60-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/1576-202-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1576-247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1576-189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-245-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-156-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1768-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1768-244-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2208-238-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2208-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2208-17-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2216-21-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/2216-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2296-226-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2296-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2320-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2320-211-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2536-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2536-93-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2596-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2596-80-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2612-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2684-242-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2684-108-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-243-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-129-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2960-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-94-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-103-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads