12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 18:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe
Size

192KB
MD5

85d1bda7f5b051d0a6df2527945d1406
SHA1

236bfaabb77189a8c536e607cd20f934463ae5e1
SHA256

12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc
SHA512

f95ab0c0b7f8b0481bc64f2b584201a34875464b2fabe8ee48086e18b86b0176ed21571ca1e51ff59bac4af7eccc0d0831c22fad4d50c293172cc4ffd36b4a5e
SSDEEP

3072:3CS/p5aBqHyzTpNK836+oXO56hKpi9poF5aY6+oocpGHn:SKaBJZNK8q+Eu6QnFw5+0pUn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gelppaof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe

Executes dropped EXE 18 IoCs

pid	Process
2204	Flmefm32.exe
2760	Feeiob32.exe
2644	Gpknlk32.exe
2432	Gegfdb32.exe
2808	Gldkfl32.exe
2424	Gelppaof.exe
2468	Goddhg32.exe
1508	Geolea32.exe
2820	Ghmiam32.exe
2944	Gaemjbcg.exe
496	Hgdbhi32.exe
1984	Hnojdcfi.exe
2708	Hiekid32.exe
1284	Hpocfncj.exe
2604	Hcplhi32.exe
1492	Iaeiieeb.exe
2960	Ioijbj32.exe
892	Iagfoe32.exe

Loads dropped DLL 40 IoCs

pid	Process
3000	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe
3000	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe
2204	Flmefm32.exe
2204	Flmefm32.exe
2760	Feeiob32.exe
2760	Feeiob32.exe
2644	Gpknlk32.exe
2644	Gpknlk32.exe
2432	Gegfdb32.exe
2432	Gegfdb32.exe
2808	Gldkfl32.exe
2808	Gldkfl32.exe
2424	Gelppaof.exe
2424	Gelppaof.exe
2468	Goddhg32.exe
2468	Goddhg32.exe
1508	Geolea32.exe
1508	Geolea32.exe
2820	Ghmiam32.exe
2820	Ghmiam32.exe
2944	Gaemjbcg.exe
2944	Gaemjbcg.exe
496	Hgdbhi32.exe
496	Hgdbhi32.exe
1984	Hnojdcfi.exe
1984	Hnojdcfi.exe
2708	Hiekid32.exe
2708	Hiekid32.exe
1284	Hpocfncj.exe
1284	Hpocfncj.exe
2604	Hcplhi32.exe
2604	Hcplhi32.exe
1492	Iaeiieeb.exe
1492	Iaeiieeb.exe
2960	Ioijbj32.exe
2960	Ioijbj32.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Feeiob32.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Kifjcn32.dll	Flmefm32.exe
File created	C:\Windows\SysWOW64\Gldkfl32.exe	Gegfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Hiekid32.exe	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Flmefm32.exe	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Hpocfncj.exe	Hiekid32.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Flmefm32.exe	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe
File opened for modification	C:\Windows\SysWOW64\Gelppaof.exe	Gldkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Goddhg32.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Gfoihbdp.dll	Feeiob32.exe
File created	C:\Windows\SysWOW64\Goddhg32.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Ghmiam32.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hiekid32.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Ocjcidbb.dll	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Ghmiam32.exe	Geolea32.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Geolea32.exe	Goddhg32.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Odpegjpg.dll	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Qhbpij32.dll	Gelppaof.exe
File opened for modification	C:\Windows\SysWOW64\Geolea32.exe	Goddhg32.exe
File opened for modification	C:\Windows\SysWOW64\Gegfdb32.exe	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Gldkfl32.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Feeiob32.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Dbnkge32.dll	Goddhg32.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Gelppaof.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Gcaciakh.dll	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Hiekid32.exe	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hiekid32.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Pabakh32.dll	Gldkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Gknfklng.dll	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Pnnclg32.dll	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Hnempl32.dll	Geolea32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2908	892	WerFault.exe	45

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll"	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gelppaof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Geolea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll"	Hiekid32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2204	3000	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe	28
PID 3000 wrote to memory of 2204	3000	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe	28
PID 3000 wrote to memory of 2204	3000	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe	28
PID 3000 wrote to memory of 2204	3000	12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe	28
PID 2204 wrote to memory of 2760	2204	Flmefm32.exe	29
PID 2204 wrote to memory of 2760	2204	Flmefm32.exe	29
PID 2204 wrote to memory of 2760	2204	Flmefm32.exe	29
PID 2204 wrote to memory of 2760	2204	Flmefm32.exe	29
PID 2760 wrote to memory of 2644	2760	Feeiob32.exe	30
PID 2760 wrote to memory of 2644	2760	Feeiob32.exe	30
PID 2760 wrote to memory of 2644	2760	Feeiob32.exe	30
PID 2760 wrote to memory of 2644	2760	Feeiob32.exe	30
PID 2644 wrote to memory of 2432	2644	Gpknlk32.exe	31
PID 2644 wrote to memory of 2432	2644	Gpknlk32.exe	31
PID 2644 wrote to memory of 2432	2644	Gpknlk32.exe	31
PID 2644 wrote to memory of 2432	2644	Gpknlk32.exe	31
PID 2432 wrote to memory of 2808	2432	Gegfdb32.exe	32
PID 2432 wrote to memory of 2808	2432	Gegfdb32.exe	32
PID 2432 wrote to memory of 2808	2432	Gegfdb32.exe	32
PID 2432 wrote to memory of 2808	2432	Gegfdb32.exe	32
PID 2808 wrote to memory of 2424	2808	Gldkfl32.exe	33
PID 2808 wrote to memory of 2424	2808	Gldkfl32.exe	33
PID 2808 wrote to memory of 2424	2808	Gldkfl32.exe	33
PID 2808 wrote to memory of 2424	2808	Gldkfl32.exe	33
PID 2424 wrote to memory of 2468	2424	Gelppaof.exe	34
PID 2424 wrote to memory of 2468	2424	Gelppaof.exe	34
PID 2424 wrote to memory of 2468	2424	Gelppaof.exe	34
PID 2424 wrote to memory of 2468	2424	Gelppaof.exe	34
PID 2468 wrote to memory of 1508	2468	Goddhg32.exe	35
PID 2468 wrote to memory of 1508	2468	Goddhg32.exe	35
PID 2468 wrote to memory of 1508	2468	Goddhg32.exe	35
PID 2468 wrote to memory of 1508	2468	Goddhg32.exe	35
PID 1508 wrote to memory of 2820	1508	Geolea32.exe	36
PID 1508 wrote to memory of 2820	1508	Geolea32.exe	36
PID 1508 wrote to memory of 2820	1508	Geolea32.exe	36
PID 1508 wrote to memory of 2820	1508	Geolea32.exe	36
PID 2820 wrote to memory of 2944	2820	Ghmiam32.exe	37
PID 2820 wrote to memory of 2944	2820	Ghmiam32.exe	37
PID 2820 wrote to memory of 2944	2820	Ghmiam32.exe	37
PID 2820 wrote to memory of 2944	2820	Ghmiam32.exe	37
PID 2944 wrote to memory of 496	2944	Gaemjbcg.exe	38
PID 2944 wrote to memory of 496	2944	Gaemjbcg.exe	38
PID 2944 wrote to memory of 496	2944	Gaemjbcg.exe	38
PID 2944 wrote to memory of 496	2944	Gaemjbcg.exe	38
PID 496 wrote to memory of 1984	496	Hgdbhi32.exe	39
PID 496 wrote to memory of 1984	496	Hgdbhi32.exe	39
PID 496 wrote to memory of 1984	496	Hgdbhi32.exe	39
PID 496 wrote to memory of 1984	496	Hgdbhi32.exe	39
PID 1984 wrote to memory of 2708	1984	Hnojdcfi.exe	40
PID 1984 wrote to memory of 2708	1984	Hnojdcfi.exe	40
PID 1984 wrote to memory of 2708	1984	Hnojdcfi.exe	40
PID 1984 wrote to memory of 2708	1984	Hnojdcfi.exe	40
PID 2708 wrote to memory of 1284	2708	Hiekid32.exe	41
PID 2708 wrote to memory of 1284	2708	Hiekid32.exe	41
PID 2708 wrote to memory of 1284	2708	Hiekid32.exe	41
PID 2708 wrote to memory of 1284	2708	Hiekid32.exe	41
PID 1284 wrote to memory of 2604	1284	Hpocfncj.exe	42
PID 1284 wrote to memory of 2604	1284	Hpocfncj.exe	42
PID 1284 wrote to memory of 2604	1284	Hpocfncj.exe	42
PID 1284 wrote to memory of 2604	1284	Hpocfncj.exe	42
PID 2604 wrote to memory of 1492	2604	Hcplhi32.exe	43
PID 2604 wrote to memory of 1492	2604	Hcplhi32.exe	43
PID 2604 wrote to memory of 1492	2604	Hcplhi32.exe	43
PID 2604 wrote to memory of 1492	2604	Hcplhi32.exe	43

C:\Users\Admin\AppData\Local\Temp\12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe
"C:\Users\Admin\AppData\Local\Temp\12cadd6f10e1cae8a0699dff455546358daa41dc060858279b9d8d3aebdb37bc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\Flmefm32.exe
  C:\Windows\system32\Flmefm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\Feeiob32.exe
    C:\Windows\system32\Feeiob32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\Gpknlk32.exe
      C:\Windows\system32\Gpknlk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Windows\SysWOW64\Gldkfl32.exe
        
        C:\Windows\system32\Gldkfl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Gelppaof.exe
        
        C:\Windows\system32\Gelppaof.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Geolea32.exe
        
        C:\Windows\system32\Geolea32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        19⤵
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 140
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Feeiob32.exe

Filesize
192KB

MD5
8ee5bd2a13bebacc31dbf49328556cde

SHA1
f3326ed318ccb398fd490e94d2722db4d932a02e

SHA256
14695ea16880c2628b38961616ec565af2cb9222c78dc47693e5ecb5f875b5ab

SHA512
7b1528a856ca1ebbb7f4df9bcc8139d4f6ab784825c7731507d0829eadf04cce2d303b2e59767bbd62b50758f951aeefc7cc40be5a6e81660ddaa9ac69311846

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
192KB

MD5
6877344fc7b03494cbe1b3b600df5846

SHA1
4aa5ebc97ea5f72fc1557c176b1cfe0f12638784

SHA256
e2f800146b06cad7ec36474f56923d22d009676cc3bd480a97fcb44d8b192755

SHA512
c874154e9cb75deaac183fd9b2e53e32400b548dd9c184b65a7d5a802fdbbf2dac88afc135a7af2590bd4d5085aeef4e1e91277af3cda208fe56df154babc227

Download Submit
C:\Windows\SysWOW64\Gegfdb32.exe

Filesize
192KB

MD5
fd6e327bc5abb8ee79eece015ebc9aba

SHA1
48476a3259e49818cedb6c026c125d2ecce5b3c3

SHA256
076a93a855e58f62431836cdf4155e88d0e2e94bd30d08012f69922d4f78dcd5

SHA512
05685bd37f53f6299e91f1f149458b4ee62f7d47f742fcefebaee8b2dbc65dab5b52a291cb7437ac4d4ca6f920a1972a5b5d660214628f668f4051c54ec4cc3c

Download Submit
C:\Windows\SysWOW64\Geolea32.exe

Filesize
192KB

MD5
8af2cfde880102cbc7ac378445205177

SHA1
8d4af508807edd54fd748f82d4bbc47b16ff017d

SHA256
057f319e58d3d4f89f01dd5ad625c2c667ce27a600a7a4b065edc41721da6c73

SHA512
2a259601f72ab84d0de2a0d3dcbff13d60399f05c13b9f1c3da26cc00083392b822012b5c2b8a3adfac8f9c36472764f25937eee04c2866e68525454d911f352

Download Submit
C:\Windows\SysWOW64\Goddhg32.exe

Filesize
192KB

MD5
7344b60dd935cffd52ab24f28703dddd

SHA1
343f25e31be15c0e5b91ef5f2aa792efc28a6587

SHA256
57e92df9c7b3f3699f5fe94e9fb6249625be939179a5a8031c24de53e72f52c7

SHA512
b8c814f4feb6c8c39bc393403e6c93acb34c959fa69bd342012b8ea0bc617ec534921332cf0d786a1dda53adfd9b739c34834fbcdaf6de823b8bd68b509ca32b

Download Submit
C:\Windows\SysWOW64\Gpknlk32.exe

Filesize
192KB

MD5
8059e9be9803b725e9a703aa66cf1b69

SHA1
4e0b0f2f221a11650cd62388e1a28f8fe2ca1e05

SHA256
d94827140a67627189d97392d31d374f49b61e68db5e791b4204893d16567807

SHA512
6e472509d0bec5f6738dc42a4521c77841a678e59d5cfc7a898b56c3c9e226044c04256d0d37b24b0a2515a787ea76975dff59e844e9f5e4cd587d2e8c2eab37

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
192KB

MD5
6a96bf32f975e9720c6dd0eadc6b84ef

SHA1
a889a4c5c097dbfb437d18d8eb74ded5961965d5

SHA256
c6d0d64a85bc9d2294174e53b0932bea4e42cfa9d3253afa793b3e6f8ff13149

SHA512
9c46fd3e79a627827ff599efb53a202e68467b6349a1e248dbeaacb2b333d30722f85224e2fb88a6f9d7d20bbf3842b83f602ff77322e59885b12bea27a90be5

Download Submit
C:\Windows\SysWOW64\Hgdbhi32.exe

Filesize
192KB

MD5
69feb49c8ca1846331c4af1bac10a79f

SHA1
5c4b81dd6e5538207aa75f9770922aa48d0add2c

SHA256
ba1fdb3ea10e01e62533125a93bbe0ce212754dd550043aa9175eaa4faf5e8c5

SHA512
c67d8a403c1418fde277da15f08c8c0ddb62986a2fa2f1e45991169f59e0bd2a1aa79afbd614393e0e93cdf30230e80e37159a207c24cedef3475e28c0fe956a

Download Submit
C:\Windows\SysWOW64\Hiekid32.exe

Filesize
192KB

MD5
8d629e0d8c5a0ac44851a97f0fb19b97

SHA1
d9e6bec89905886eacfe29adf4ea7e0780cfc615

SHA256
5ce49619f70e00f58653bf99987277386319773e888726a9fcf11a7ca6b54f60

SHA512
a785b383ea5b0a17543237c83248f99bbbd029ae66efe3b63c3d94b3a58bac592fdaf257d02f3e90cda6f9e1b47c06cbec8f598bf984aaaeb0040c912d0ce14f

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe

Filesize
192KB

MD5
86042bf48ca040fbdd300e309eb6cac0

SHA1
c0aa74c5bbde7375f9effe2b4fd08b0172e3b09f

SHA256
149967b7a6585d09dce64044bfd77c78250812fca35a75d564d02b49770437e3

SHA512
6ca6ff85f67b9ae07767918f018f2045ebf2c6f1caec5ebbba39eaaba6733bd77f4546bf36d591887c2a1da5dbf0a081d1410a359d8a7e8bd37d8143279951fc

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
192KB

MD5
4eb083b243f54a26d22f2641d572e0ad

SHA1
44e5801f884db16a80b1b4c5e3c1a1bbb0ba94df

SHA256
a6dd257bb6008f17be59b5f50fa8ee1abe4ad588307c5cb145c8fabc859761b2

SHA512
acd72a758cafb6456f68493469403bf96a32c035478405683c3b392e45b5acc74dddd1c3bc2dea152ae3e5e053c52033c333ce63de77ff0f90487f049a515c03

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
192KB

MD5
eacb342ffae7c5f3ef2a7adbdbef1f33

SHA1
2a29f8fe64bed5b1dd52562f547498f3ab6ce101

SHA256
a7d3604a42595c1f4b2484fcdcbaa9c9276f9d117640bf1240e8956254b9d52b

SHA512
88c15178678452e27c3971f569361781ab014ff42d6bc520ee4a32c5bb7be6abb85d8d13c41a3968415968e63b76cf9c4858a991b8b0187537b590803f5a861d

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
192KB

MD5
31c46cbd72b18def2ce216bdf1313b3a

SHA1
758064c125ea1327571f75874fb347006a09e563

SHA256
ea18be1a17342b3f8d4c6608a8d57c409e335631c69808ff6d4495fac523b4b5

SHA512
4ca38086db5b348d0eba050de17a02f5ffb2423fdc9339a5153b25ee9d1cfd130c620ee67c33d59b0aa98e863ba9c9d2086caae478c98c0ac63ed842479317c7

Download Submit
C:\Windows\SysWOW64\Pnnclg32.dll

Filesize
7KB

MD5
c1a3863608c7aec6dcb4d918e12c9de9

SHA1
075ceb8406f264bc833c847adb777e8c5db734d9

SHA256
031d3e99e0bba8eaa51d3b09a2fd3c48cbeab1fd0036ad4cdf8e35d8902e7a68

SHA512
facad2d9bf169491fff7b9e5d9f69cc4c3989c91de525593dce31945f169f55f59d41dcef43bb531f0e434a543329f54b34a2bbd708d14363ff900eeb67962d0

Download Submit
\Windows\SysWOW64\Flmefm32.exe

Filesize
192KB

MD5
73a857df316175954954a75c52b3f65f

SHA1
1dd43ef4195a8dca9ea9de1b1fb5f20589cdf6ca

SHA256
6608dd18816de7f870192fb77245c5630c44f402a8a35459e4ed4949443826ac

SHA512
27c168c24f6c4d181bdb3ff00805d33e415b73b15140694d35a5318984569e684f39b3f63f8daf68335af97e2eba573afaffd3b2a46fce27936f3b19b0940b03

Download Submit
\Windows\SysWOW64\Gelppaof.exe

Filesize
192KB

MD5
fff50f99fd5f2d1e2136f7592ddafc51

SHA1
5873486610169705cee7a6e2618d5a0b4d85aedc

SHA256
3ab25ec72ac9889344939d9ca5ecd4af9d18625d5d564f80c3441b974a9da996

SHA512
22e3ea52660484413c83df6359fe92bbe5b13a967faad8399f8b20c37fe329c86b3d180855c53f0a45cd0c54c2979c471f46cb902683c795022389d8a3dc7d82

Download Submit
\Windows\SysWOW64\Ghmiam32.exe

Filesize
192KB

MD5
f7ab275612f9371d57a7f32e3af7ef94

SHA1
d1db0e3e48b53f593027f47f44bcf5112c60b4b7

SHA256
f848dc02ccddd4280f6648360fc00499b7e16b43cba8ce5d75673c65c4004d20

SHA512
66bf6a1f76f31206b9eb481b5a9bfa5b423d36651be0ed1eb822ed712c0ec4af7968a36f5e28b8f662fe1f2befcfe8ac5b89a4338b451b8d7e652083117537cc

Download Submit
\Windows\SysWOW64\Gldkfl32.exe

Filesize
192KB

MD5
99232157cf006b1cfbd9d7e6cd48b8a5

SHA1
9dffc9ec6d21c03169c8f41fb44be50eb7014f29

SHA256
9d86ea08e177ce9f833de26eb7b9565114fb65f322dfe01e82834dfcf96c380f

SHA512
7843c2e803487777f0a172ee874cf08ea8a12403fefbcaef2032d24f2b35dfa4e7bab3c5d8850712933df70baaeba559f73798e7b31d85d635959937a9b0c2f3

Download Submit
\Windows\SysWOW64\Hnojdcfi.exe

Filesize
192KB

MD5
a0fab344882ca9e97b2bed52e9019475

SHA1
992e6448dced903c4b7172b3329b0a808c496970

SHA256
d330a4b7d702ec25c8603a6a6dfb475a071eac631d5f27d1e4609c7f1955f1ad

SHA512
1f9ad607a4b0badbc237dc4583821784cd2e90887468a0903d8f5138843119b7bc62840db2f3d0981394a8e0505a0868f18a674ef2a98fcece959d95ac01f10e

Download Submit
memory/496-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1284-230-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1492-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1984-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-25-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/2204-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-86-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-227-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-66-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2468-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-118-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2604-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-53-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/2644-226-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2760-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2820-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2944-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2960-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3000-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3000-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3000-6-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads