Analysis
max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
22-05-2024 23:25
Static task
static1
Behavioral task
behavioral1
Sample
575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
Resource
win10v2004-20240508-en
General
Target
575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
Size
85KB
MD5
29d0ce3f0c12f16c4573d496dcc2f3c0
SHA1
e128d204c50c929c70030cba03a68e584d3c6f58
SHA256
575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f
SHA512
d53d8a93cebafb09a6fd172756a93374ceacac732d4e4ea9357ec61c2b40b68bcfa8e997ffec035980ae2f0ab85fd3e4b01a80d4abaad07db4cf73b6d368d816
SSDEEP
1536:7PbrHlLyQHBHz7aEQey1s2LHIMQ262AjCsQ2PCZZrqOlNfVSLUK+:TXFvHBPaKKHIMQH2qC7ZQOlzSLUK+
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 50 IoCs)
Processes:
Ilknfn32.exe, Ioijbj32.exe, 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe, Hjhhocjj.exe, Gfefiemq.exe, Gieojq32.exe, Iaeiieeb.exe, Ghmiam32.exe, Hggomh32.exe, Hiekid32.exe, Hgilchkf.exe, Idceea32.exe, Hcifgjgc.exe, Ghkllmoi.exe, Gddifnbk.exe, Hogmmjfo.exe, Gopkmhjk.exe, Gobgcg32.exe, Hjjddchg.exe, Hodpgjha.exe, Glaoalkh.exe, Gkihhhnm.exe, Hgbebiao.exe, Hkpnhgge.exe, Gmgdddmq.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilknfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ioijbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjhhocjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gfefiemq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gieojq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iaeiieeb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilknfn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfefiemq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gieojq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghmiam32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hggomh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hiekid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgilchkf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idceea32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcifgjgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghkllmoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gddifnbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hggomh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hogmmjfo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gopkmhjk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gobgcg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ioijbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gopkmhjk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjjddchg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hodpgjha.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glaoalkh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkihhhnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjjddchg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Glaoalkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgbebiao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hcifgjgc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgilchkf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjhhocjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gobgcg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gddifnbk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghmiam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkpnhgge.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmgdddmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmgdddmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gkihhhnm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghkllmoi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgbebiao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Idceea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hogmmjfo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iaeiieeb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkpnhgge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hodpgjha.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiekid32.exe
Executes dropped EXE (25 IoCs)
Processes:
Gfefiemq.exe, Glaoalkh.exe, Gopkmhjk.exe, Gieojq32.exe, Gobgcg32.exe, Ghkllmoi.exe, Gkihhhnm.exe, Gmgdddmq.exe, Ghmiam32.exe, Gddifnbk.exe, Hgbebiao.exe, Hcifgjgc.exe, Hkpnhgge.exe, Hggomh32.exe, Hiekid32.exe, Hgilchkf.exe, Hjhhocjj.exe, Hodpgjha.exe, Hjjddchg.exe, Hogmmjfo.exe, Iaeiieeb.exe, Idceea32.exe, Ilknfn32.exe, Ioijbj32.exe, Iagfoe32.exe
pid | process
2188 | Gfefiemq.exe
3060 | Glaoalkh.exe
2908 | Gopkmhjk.exe
2900 | Gieojq32.exe
2656 | Gobgcg32.exe
2536 | Ghkllmoi.exe
2396 | Gkihhhnm.exe
2728 | Gmgdddmq.exe
2204 | Ghmiam32.exe
1036 | Gddifnbk.exe
1448 | Hgbebiao.exe
2740 | Hcifgjgc.exe
348 | Hkpnhgge.exe
1708 | Hggomh32.exe
2320 | Hiekid32.exe
2884 | Hgilchkf.exe
1876 | Hjhhocjj.exe
296 | Hodpgjha.exe
964 | Hjjddchg.exe
1936 | Hogmmjfo.exe
2940 | Iaeiieeb.exe
1204 | Idceea32.exe
1700 | Ilknfn32.exe
1628 | Ioijbj32.exe
2192 | Iagfoe32.exe
Loads dropped DLL (54 IoCs)
Processes:
575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe, Gfefiemq.exe, Glaoalkh.exe, Gopkmhjk.exe, Gieojq32.exe, Gobgcg32.exe, Ghkllmoi.exe, Gkihhhnm.exe, Gmgdddmq.exe, Ghmiam32.exe, Gddifnbk.exe, Hgbebiao.exe, Hcifgjgc.exe, Hkpnhgge.exe, Hggomh32.exe, Hiekid32.exe, Hgilchkf.exe, Hjhhocjj.exe, Hodpgjha.exe, Hjjddchg.exe, Hogmmjfo.exe, Iaeiieeb.exe, Idceea32.exe, Ilknfn32.exe, Ioijbj32.exe, WerFault.exe
pid | process
2116 | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
2116 | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
2188 | Gfefiemq.exe
2188 | Gfefiemq.exe
3060 | Glaoalkh.exe
3060 | Glaoalkh.exe
2908 | Gopkmhjk.exe
2908 | Gopkmhjk.exe
2900 | Gieojq32.exe
2900 | Gieojq32.exe
2656 | Gobgcg32.exe
2656 | Gobgcg32.exe
2536 | Ghkllmoi.exe
2536 | Ghkllmoi.exe
2396 | Gkihhhnm.exe
2396 | Gkihhhnm.exe
2728 | Gmgdddmq.exe
2728 | Gmgdddmq.exe
2204 | Ghmiam32.exe
2204 | Ghmiam32.exe
1036 | Gddifnbk.exe
1036 | Gddifnbk.exe
1448 | Hgbebiao.exe
1448 | Hgbebiao.exe
2740 | Hcifgjgc.exe
2740 | Hcifgjgc.exe
348 | Hkpnhgge.exe
348 | Hkpnhgge.exe
1708 | Hggomh32.exe
1708 | Hggomh32.exe
2320 | Hiekid32.exe
2320 | Hiekid32.exe
2884 | Hgilchkf.exe
2884 | Hgilchkf.exe
1876 | Hjhhocjj.exe
1876 | Hjhhocjj.exe
296 | Hodpgjha.exe
296 | Hodpgjha.exe
964 | Hjjddchg.exe
964 | Hjjddchg.exe
1936 | Hogmmjfo.exe
1936 | Hogmmjfo.exe
2940 | Iaeiieeb.exe
2940 | Iaeiieeb.exe
1204 | Idceea32.exe
1204 | Idceea32.exe
1700 | Ilknfn32.exe
1700 | Ilknfn32.exe
1628 | Ioijbj32.exe
1628 | Ioijbj32.exe
1592 | WerFault.exe
1592 | WerFault.exe
1592 | WerFault.exe
1592 | WerFault.exe
Drops file in System32 directory (64 IoCs)
Processes:
Gfefiemq.exe, Gopkmhjk.exe, Ghkllmoi.exe, Hiekid32.exe, Hjhhocjj.exe, Hogmmjfo.exe, Idceea32.exe, Ilknfn32.exe, 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe, Gkihhhnm.exe, Gmgdddmq.exe, Gobgcg32.exe, Hcifgjgc.exe, Gddifnbk.exe, Hgbebiao.exe, Hkpnhgge.exe, Iaeiieeb.exe, Ioijbj32.exe, Glaoalkh.exe, Hgilchkf.exe, Gieojq32.exe, Hodpgjha.exe, Hggomh32.exe, Ghmiam32.exe, Hjjddchg.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Glaoalkh.exe | Gfefiemq.exe
File created | C:\Windows\SysWOW64\Lkoabpeg.dll | Gopkmhjk.exe
File created | C:\Windows\SysWOW64\Ahcocb32.dll | Ghkllmoi.exe
File opened for modification | C:\Windows\SysWOW64\Hgilchkf.exe | Hiekid32.exe
File created | C:\Windows\SysWOW64\Liqebf32.dll | Hjhhocjj.exe
File created | C:\Windows\SysWOW64\Gmibbifn.dll | Hogmmjfo.exe
File opened for modification | C:\Windows\SysWOW64\Ilknfn32.exe | Idceea32.exe
File created | C:\Windows\SysWOW64\Dgnijonn.dll | Ilknfn32.exe
File created | C:\Windows\SysWOW64\Hghmjpap.dll | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
File opened for modification | C:\Windows\SysWOW64\Gmgdddmq.exe | Gkihhhnm.exe
File created | C:\Windows\SysWOW64\Hnempl32.dll | Gmgdddmq.exe
File created | C:\Windows\SysWOW64\Iebpge32.dll | Gobgcg32.exe
File opened for modification | C:\Windows\SysWOW64\Gkihhhnm.exe | Ghkllmoi.exe
File opened for modification | C:\Windows\SysWOW64\Hkpnhgge.exe | Hcifgjgc.exe
File created | C:\Windows\SysWOW64\Ilknfn32.exe | Idceea32.exe
File opened for modification | C:\Windows\SysWOW64\Gfefiemq.exe | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
File created | C:\Windows\SysWOW64\Hgbebiao.exe | Gddifnbk.exe
File created | C:\Windows\SysWOW64\Jjcpjl32.dll | Gddifnbk.exe
File created | C:\Windows\SysWOW64\Hcifgjgc.exe | Hgbebiao.exe
File created | C:\Windows\SysWOW64\Bhpdae32.dll | Hkpnhgge.exe
File created | C:\Windows\SysWOW64\Nbniiffi.dll | Hiekid32.exe
File created | C:\Windows\SysWOW64\Idceea32.exe | Iaeiieeb.exe
File created | C:\Windows\SysWOW64\Pdpfph32.dll | Idceea32.exe
File created | C:\Windows\SysWOW64\Iagfoe32.exe | Ioijbj32.exe
File opened for modification | C:\Windows\SysWOW64\Hcifgjgc.exe | Hgbebiao.exe
File opened for modification | C:\Windows\SysWOW64\Gopkmhjk.exe | Glaoalkh.exe
File created | C:\Windows\SysWOW64\Fealjk32.dll | Hgbebiao.exe
File opened for modification | C:\Windows\SysWOW64\Hjhhocjj.exe | Hgilchkf.exe
File opened for modification | C:\Windows\SysWOW64\Iagfoe32.exe | Ioijbj32.exe
File created | C:\Windows\SysWOW64\Gieojq32.exe | Gopkmhjk.exe
File created | C:\Windows\SysWOW64\Gobgcg32.exe | Gieojq32.exe
File created | C:\Windows\SysWOW64\Febhomkh.dll | Gkihhhnm.exe
File created | C:\Windows\SysWOW64\Pffgja32.dll | Hcifgjgc.exe
File created | C:\Windows\SysWOW64\Gfefiemq.exe | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
File created | C:\Windows\SysWOW64\Hkpnhgge.exe | Hcifgjgc.exe
File created | C:\Windows\SysWOW64\Mhfkbo32.dll | Hodpgjha.exe
File opened for modification | C:\Windows\SysWOW64\Glaoalkh.exe | Gfefiemq.exe
File opened for modification | C:\Windows\SysWOW64\Idceea32.exe | Iaeiieeb.exe
File created | C:\Windows\SysWOW64\Ghkllmoi.exe | Gobgcg32.exe
File created | C:\Windows\SysWOW64\Gmgdddmq.exe | Gkihhhnm.exe
File created | C:\Windows\SysWOW64\Hiekid32.exe | Hggomh32.exe
File created | C:\Windows\SysWOW64\Jgdmei32.dll | Glaoalkh.exe
File opened for modification | C:\Windows\SysWOW64\Gieojq32.exe | Gopkmhjk.exe
File created | C:\Windows\SysWOW64\Gkihhhnm.exe | Ghkllmoi.exe
File created | C:\Windows\SysWOW64\Hggomh32.exe | Hkpnhgge.exe
File created | C:\Windows\SysWOW64\Hodpgjha.exe | Hjhhocjj.exe
File created | C:\Windows\SysWOW64\Hjjddchg.exe | Hodpgjha.exe
File opened for modification | C:\Windows\SysWOW64\Gobgcg32.exe | Gieojq32.exe
File opened for modification | C:\Windows\SysWOW64\Ghkllmoi.exe | Gobgcg32.exe
File opened for modification | C:\Windows\SysWOW64\Ghmiam32.exe | Gmgdddmq.exe
File created | C:\Windows\SysWOW64\Gddifnbk.exe | Ghmiam32.exe
File opened for modification | C:\Windows\SysWOW64\Hgbebiao.exe | Gddifnbk.exe
File opened for modification | C:\Windows\SysWOW64\Hodpgjha.exe | Hjhhocjj.exe
File created | C:\Windows\SysWOW64\Hogmmjfo.exe | Hjjddchg.exe
File opened for modification | C:\Windows\SysWOW64\Hogmmjfo.exe | Hjjddchg.exe
File opened for modification | C:\Windows\SysWOW64\Ioijbj32.exe | Ilknfn32.exe
File created | C:\Windows\SysWOW64\Gopkmhjk.exe | Glaoalkh.exe
File opened for modification | C:\Windows\SysWOW64\Gddifnbk.exe | Ghmiam32.exe
File created | C:\Windows\SysWOW64\Pfabenjd.dll | Ghmiam32.exe
File opened for modification | C:\Windows\SysWOW64\Hggomh32.exe | Hkpnhgge.exe
File opened for modification | C:\Windows\SysWOW64\Hjjddchg.exe | Hodpgjha.exe
File created | C:\Windows\SysWOW64\Iaeiieeb.exe | Hogmmjfo.exe
File created | C:\Windows\SysWOW64\Ioijbj32.exe | Ilknfn32.exe
File created | C:\Windows\SysWOW64\Gjenmobn.dll | Ioijbj32.exe
Program crash (1 IoC)
Processes:
WerFault.exe
pid | pid_target | process
1592 | 2192 | WerFault.exe
Modifies registry class (64 IoCs)
Processes:
Gopkmhjk.exe, Gkihhhnm.exe, Ilknfn32.exe, Hgilchkf.exe, Iaeiieeb.exe, Ghmiam32.exe, Gddifnbk.exe, Hkpnhgge.exe, Hiekid32.exe, Hgbebiao.exe, Hjjddchg.exe, 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe, Gieojq32.exe, Ioijbj32.exe, Ghkllmoi.exe, Hjhhocjj.exe, Hggomh32.exe, Gobgcg32.exe, Hodpgjha.exe, Hcifgjgc.exe, Hogmmjfo.exe, Idceea32.exe, Gmgdddmq.exe, Glaoalkh.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gopkmhjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gopkmhjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll" | Gkihhhnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ilknfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll" | Hgilchkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iaeiieeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll" | Ghmiam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll" | Gddifnbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hkpnhgge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hiekid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" | Hgbebiao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hjjddchg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" | Iaeiieeb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gieojq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ghmiam32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hgbebiao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" | Ioijbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll" | Ghkllmoi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gkihhhnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll" | Hiekid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hjhhocjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hggomh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hgilchkf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ioijbj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gobgcg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gddifnbk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hggomh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hodpgjha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ioijbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll" | Hjhhocjj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hodpgjha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll" | Gopkmhjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" | Gobgcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" | Hkpnhgge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hgilchkf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gddifnbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll" | Hcifgjgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll" | Hjjddchg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" | Ilknfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hkpnhgge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hogmmjfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Idceea32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gobgcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" | Gmgdddmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gmgdddmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hogmmjfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Glaoalkh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gieojq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gkihhhnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hgbebiao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ghmiam32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hcifgjgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hcifgjgc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ilknfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hjjddchg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iaeiieeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll" | Glaoalkh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ghkllmoi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gmgdddmq.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe, Gfefiemq.exe, Glaoalkh.exe, Gopkmhjk.exe, Gieojq32.exe, Gobgcg32.exe, Ghkllmoi.exe, Gkihhhnm.exe, Gmgdddmq.exe, Ghmiam32.exe, Gddifnbk.exe, Hgbebiao.exe, Hcifgjgc.exe, Hkpnhgge.exe, Hggomh32.exe, Hiekid32.exe
description | pid | process | target process
PID 2116 wrote to memory of 2188 | 2116 | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe | Gfefiemq.exe
PID 2116 wrote to memory of 2188 | 2116 | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe | Gfefiemq.exe
PID 2116 wrote to memory of 2188 | 2116 | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe | Gfefiemq.exe
PID 2116 wrote to memory of 2188 | 2116 | 575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe | Gfefiemq.exe
PID 2188 wrote to memory of 3060 | 2188 | Gfefiemq.exe | Glaoalkh.exe
PID 2188 wrote to memory of 3060 | 2188 | Gfefiemq.exe | Glaoalkh.exe
PID 2188 wrote to memory of 3060 | 2188 | Gfefiemq.exe | Glaoalkh.exe
PID 2188 wrote to memory of 3060 | 2188 | Gfefiemq.exe | Glaoalkh.exe
PID 3060 wrote to memory of 2908 | 3060 | Glaoalkh.exe | Gopkmhjk.exe
PID 3060 wrote to memory of 2908 | 3060 | Glaoalkh.exe | Gopkmhjk.exe
PID 3060 wrote to memory of 2908 | 3060 | Glaoalkh.exe | Gopkmhjk.exe
PID 3060 wrote to memory of 2908 | 3060 | Glaoalkh.exe | Gopkmhjk.exe
PID 2908 wrote to memory of 2900 | 2908 | Gopkmhjk.exe | Gieojq32.exe
PID 2908 wrote to memory of 2900 | 2908 | Gopkmhjk.exe | Gieojq32.exe
PID 2908 wrote to memory of 2900 | 2908 | Gopkmhjk.exe | Gieojq32.exe
PID 2908 wrote to memory of 2900 | 2908 | Gopkmhjk.exe | Gieojq32.exe
PID 2900 wrote to memory of 2656 | 2900 | Gieojq32.exe | Gobgcg32.exe
PID 2900 wrote to memory of 2656 | 2900 | Gieojq32.exe | Gobgcg32.exe
PID 2900 wrote to memory of 2656 | 2900 | Gieojq32.exe | Gobgcg32.exe
PID 2900 wrote to memory of 2656 | 2900 | Gieojq32.exe | Gobgcg32.exe
PID 2656 wrote to memory of 2536 | 2656 | Gobgcg32.exe | Ghkllmoi.exe
PID 2656 wrote to memory of 2536 | 2656 | Gobgcg32.exe | Ghkllmoi.exe
PID 2656 wrote to memory of 2536 | 2656 | Gobgcg32.exe | Ghkllmoi.exe
PID 2656 wrote to memory of 2536 | 2656 | Gobgcg32.exe | Ghkllmoi.exe
PID 2536 wrote to memory of 2396 | 2536 | Ghkllmoi.exe | Gkihhhnm.exe
PID 2536 wrote to memory of 2396 | 2536 | Ghkllmoi.exe | Gkihhhnm.exe
PID 2536 wrote to memory of 2396 | 2536 | Ghkllmoi.exe | Gkihhhnm.exe
PID 2536 wrote to memory of 2396 | 2536 | Ghkllmoi.exe | Gkihhhnm.exe
PID 2396 wrote to memory of 2728 | 2396 | Gkihhhnm.exe | Gmgdddmq.exe
PID 2396 wrote to memory of 2728 | 2396 | Gkihhhnm.exe | Gmgdddmq.exe
PID 2396 wrote to memory of 2728 | 2396 | Gkihhhnm.exe | Gmgdddmq.exe
PID 2396 wrote to memory of 2728 | 2396 | Gkihhhnm.exe | Gmgdddmq.exe
PID 2728 wrote to memory of 2204 | 2728 | Gmgdddmq.exe | Ghmiam32.exe
PID 2728 wrote to memory of 2204 | 2728 | Gmgdddmq.exe | Ghmiam32.exe
PID 2728 wrote to memory of 2204 | 2728 | Gmgdddmq.exe | Ghmiam32.exe
PID 2728 wrote to memory of 2204 | 2728 | Gmgdddmq.exe | Ghmiam32.exe
PID 2204 wrote to memory of 1036 | 2204 | Ghmiam32.exe | Gddifnbk.exe
PID 2204 wrote to memory of 1036 | 2204 | Ghmiam32.exe | Gddifnbk.exe
PID 2204 wrote to memory of 1036 | 2204 | Ghmiam32.exe | Gddifnbk.exe
PID 2204 wrote to memory of 1036 | 2204 | Ghmiam32.exe | Gddifnbk.exe
PID 1036 wrote to memory of 1448 | 1036 | Gddifnbk.exe | Hgbebiao.exe
PID 1036 wrote to memory of 1448 | 1036 | Gddifnbk.exe | Hgbebiao.exe
PID 1036 wrote to memory of 1448 | 1036 | Gddifnbk.exe | Hgbebiao.exe
PID 1036 wrote to memory of 1448 | 1036 | Gddifnbk.exe | Hgbebiao.exe
PID 1448 wrote to memory of 2740 | 1448 | Hgbebiao.exe | Hcifgjgc.exe
PID 1448 wrote to memory of 2740 | 1448 | Hgbebiao.exe | Hcifgjgc.exe
PID 1448 wrote to memory of 2740 | 1448 | Hgbebiao.exe | Hcifgjgc.exe
PID 1448 wrote to memory of 2740 | 1448 | Hgbebiao.exe | Hcifgjgc.exe
PID 2740 wrote to memory of 348 | 2740 | Hcifgjgc.exe | Hkpnhgge.exe
PID 2740 wrote to memory of 348 | 2740 | Hcifgjgc.exe | Hkpnhgge.exe
PID 2740 wrote to memory of 348 | 2740 | Hcifgjgc.exe | Hkpnhgge.exe
PID 2740 wrote to memory of 348 | 2740 | Hcifgjgc.exe | Hkpnhgge.exe
PID 348 wrote to memory of 1708 | 348 | Hkpnhgge.exe | Hggomh32.exe
PID 348 wrote to memory of 1708 | 348 | Hkpnhgge.exe | Hggomh32.exe
PID 348 wrote to memory of 1708 | 348 | Hkpnhgge.exe | Hggomh32.exe
PID 348 wrote to memory of 1708 | 348 | Hkpnhgge.exe | Hggomh32.exe
PID 1708 wrote to memory of 2320 | 1708 | Hggomh32.exe | Hiekid32.exe
PID 1708 wrote to memory of 2320 | 1708 | Hggomh32.exe | Hiekid32.exe
PID 1708 wrote to memory of 2320 | 1708 | Hggomh32.exe | Hiekid32.exe
PID 1708 wrote to memory of 2320 | 1708 | Hggomh32.exe | Hiekid32.exe
PID 2320 wrote to memory of 2884 | 2320 | Hiekid32.exe | Hgilchkf.exe
PID 2320 wrote to memory of 2884 | 2320 | Hiekid32.exe | Hgilchkf.exe
PID 2320 wrote to memory of 2884 | 2320 | Hiekid32.exe | Hgilchkf.exe
PID 2320 wrote to memory of 2884 | 2320 | Hiekid32.exe | Hgilchkf.exe
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\575d83e3adf77cf45fb8f426ad6be26e10ca933437d25b5cc1d0b5eaad0e3a9f.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2116
C:\Windows\SysWOW64\Gfefiemq.exe (command line: C:\Windows\system32\Gfefiemq.exe, tree depth 2)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Glaoalkh.exe (command line: C:\Windows\system32\Glaoalkh.exe, tree depth 3)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Gopkmhjk.exe (command line: C:\Windows\system32\Gopkmhjk.exe, tree depth 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Gieojq32.exe (command line: C:\Windows\system32\Gieojq32.exe, tree depth 5)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Gobgcg32.exe (command line: C:\Windows\system32\Gobgcg32.exe, tree depth 6)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Ghkllmoi.exe (command line: C:\Windows\system32\Ghkllmoi.exe, tree depth 7)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Gkihhhnm.exe (command line: C:\Windows\system32\Gkihhhnm.exe, tree depth 8)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Gmgdddmq.exe (command line: C:\Windows\system32\Gmgdddmq.exe, tree depth 9)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Ghmiam32.exe (command line: C:\Windows\system32\Ghmiam32.exe, tree depth 10)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Gddifnbk.exe (command line: C:\Windows\system32\Gddifnbk.exe, tree depth 11)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Hgbebiao.exe (command line: C:\Windows\system32\Hgbebiao.exe, tree depth 12)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Hcifgjgc.exe (command line: C:\Windows\system32\Hcifgjgc.exe, tree depth 13)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Hkpnhgge.exe (command line: C:\Windows\system32\Hkpnhgge.exe, tree depth 14)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Hggomh32.exe (command line: C:\Windows\system32\Hggomh32.exe, tree depth 15)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Hiekid32.exe (command line: C:\Windows\system32\Hiekid32.exe, tree depth 16)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Hgilchkf.exe (command line: C:\Windows\system32\Hgilchkf.exe, tree depth 17)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Hjhhocjj.exe (command line: C:\Windows\system32\Hjhhocjj.exe, tree depth 18)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Hodpgjha.exe (command line: C:\Windows\system32\Hodpgjha.exe, tree depth 19)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:296 -
C:\Windows\SysWOW64\Hjjddchg.exe (command line: C:\Windows\system32\Hjjddchg.exe, tree depth 20)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Hogmmjfo.exe (command line: C:\Windows\system32\Hogmmjfo.exe, tree depth 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Iaeiieeb.exe (command line: C:\Windows\system32\Iaeiieeb.exe, tree depth 22)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Idceea32.exe (command line: C:\Windows\system32\Idceea32.exe, tree depth 23)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Ilknfn32.exe (command line: C:\Windows\system32\Ilknfn32.exe, tree depth 24)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Ioijbj32.exe (command line: C:\Windows\system32\Ioijbj32.exe, tree depth 25)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Iagfoe32.exe (command line: C:\Windows\system32\Iagfoe32.exe, tree depth 26)
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 140, tree depth 27)
- Loads dropped DLL
- Program crash
PID:1592
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
85KB
MD5 665f5686f35afe858d3b1a8bafc12d61
SHA1 59e51ac798d6cb1ba0652281560ee1d827be4b06
SHA256 34b23fdcc0637f62700e9dc7f78ca13e6076d09e5afdd7f31822ab258f64db59
SHA512 9c1682e4f07cedb893d9784976aef06ab1d2a8d654cb9d5a22e60c8666061d650b01380f678d6f58825e39c95f8093c541e1eec2e2cbc397a596b081491c72c7
-
Filesize
85KB
MD5 5f4ba56ae134695d421101274cf17696
SHA1 729dae8c726f3325b8586640ae3b2bc8656c262d
SHA256 0c09dbd20d64fee60aba2ad87294a93c9568e8909d6f9461f4edcde5e959d443
SHA512 55e9e19e40233b4ee6defd763d3b9944849af8c745b81c20d8bfd54211cde5e287f5d61de5615c600d1f00c35d0a1c48947b7a73c24c58c3a228aee6a268f066
-
Filesize
85KB
MD5 30e628147da3aa333a1b34879089e42e
SHA1 85120b668eed55f523763d133f1eed83e1297818
SHA256 2975d8ca94d11138d578a172ce2a660296889e6f867c4276b6435293ef3cae1d
SHA512 5fa9c8e366dee4d39aad7041b98ea8d54520bd1af1f0b5bfb75cdcf331bb0eb7fe17a544c71ee602682613d46e9f38bf4a5d192bf7a16e38d383b7b3a80c90a1
-
Filesize
85KB
MD5 f681985cd4f44951ff84a5f2b6ccd9b9
SHA1 90ccb8c6b6b3844c17c63409cd66f73f210a298c
SHA256 aee9a4490252730c7758868b91153528ac4f77d6f764bd404fe91ca33361e425
SHA512 9053a2f6d76f6253d53099a20a0b272a6832d53ce9b501fb150190cd5bbc4d047534cb45b9cef89070b3948533963c63fce9c53bda9d97d2498ad92eb9d3de6d
-
Filesize
85KB
MD5 9996991c46b7b0c9d8eb7da897ae7d77
SHA1 17736e928cdc8a77866f84aea8eff0d7747db2fc
SHA256 f3ff79d52c42620d08be1ba7e8ce6a921c48a0f49b72917fd843cecb9d8ece5d
SHA512 f3c6d79baee8b1c009cfd5982607f18da95926ed9c51ce7c1b408bbb4a4778a53973744cb3a46e8d68adfbcc58b16291e4d20c682ac7932d56d3b847eb8e66aa
-
Filesize
85KB
MD5 8babbd41e1e5f888baa355cb4d3e747e
SHA1 bb1516a82a5e2b76c8bdc516ba88b2e81ecf81e4
SHA256 7952c4bd870d5ed1f64e7522ba9aeef82cd87191b3a50e4f8e6a852475747411
SHA512 870098aea05904b36442eba7068d652bdcc1331c68b9fb200d72dcf5a5d96f1b68e9fb8f183130bf4407cae78e50a6c8e963675f0ec3f37e27dafd77d2e0881a
-
Filesize
85KB
MD5 85ab8ad4adeecbbbff160a0c14033fce
SHA1 bfa5f9f8aa316903c94780207a651f9f104089b6
SHA256 13a81fe6962d838e5a8e80f2dd9f6929d124cc1e8a78e34c6cdd838c306cc0cc
SHA512 861e2b18bd942db24a428a65031e12f8d2199164ff6e922fcde6e888eaa3192a092d26c6280d88950aa7a9add5748b2d5640efa9df9a14576f3742cf2dd3018e
-
Filesize
85KB
MD5 e58fc2b63d134de8a228258c6d268df5
SHA1 f8c27e4dba5254738bdc2309d2fb81c95e4d7bd3
SHA256 7aeec0911150ce624b26a403b9dc273d729bb2e65c9b1f85e85c2b37e5832af0
SHA512 d8267e9bfe4f25ab4444282510399314f95e427b059b058046d0e9ad7933170c604e70a1b61d287a5d187187be9729b33fc482921ebc6335ee7b01ec96321772
-
Filesize
85KB
MD5 f8950ef6101e4694553aafce07d71a2c
SHA1 ac66ec451b35ddd764e6aff8471e66894fbb95f5
SHA256 63fa77a8796715051069b19b0ff66812213347a0a3cf0d2c241856f68542afdd
SHA512 62ce72b48a392eeba3e88f38900db053cf0710faf96f987567d784a8e6f597e5712b4cc1da4e93c5a0ca6d877bdc4fe46aec64f5bc0a1637551ba0502b2ed1f0
-
Filesize
85KB
MD5 d75e39164256362768c02be05404160b
SHA1 e0df76ec67f900ed98ea531110a0c0ac6fcc268a
SHA256 46ad6e742fe15521ed8cca48dac9ee7c963c22cabd8581357bf22fb083bb6f78
SHA512 6907ae9f1bd0595f3283731f27d65cab257f998aabc91f2586224f663d05a4c9be33c15437ec9e2c288b0d5c16da5bb9c5c37f2b0930badf73bb2b034d9341aa
-
Filesize
85KB
MD5 90b32889468d62ffe9dff15e717b6d03
SHA1 86f0831733371e8abf875301a0eefc158bc98a07
SHA256 aca029f0f50ce32e63455abe95f3b832e2205b852e12b83a5789fd09da938e0a
SHA512 c3feb898f9d9d50eb647f7717e7ae4657c0065eab83775098d598304fc5543ee42029abf0376078fe76ba4cd3b66dce3ce5dcfa0385226bbe7985950482d1068
-
Filesize
85KB
MD5 e91966030ff2595cb28bc2046cb43f37
SHA1 e3a6438238ce1d756aee9f5148cf7b71ccfadadc
SHA256 bdde2102c88340515eefc0413dfe04f0a7e5cd539dea90e8c1f7eef7456cb774
SHA512 590fefc1b460a76bc310e4c39297d2574ac373a2d01eafc78b546fa97d022c5b56fb108df6e84248b3078edcacf141cc5b201768d7fe832f9954c6e55625deb6
-
Filesize
85KB
MD5 2eb9c2fd8d3de94dde118ad8d2a402b2
SHA1 4a67566142bb94fb3bb70a2bc5569bbdf0d00c8f
SHA256 0c8a212ad9d77e50b8b0c57d8bf77dbefb85d85f57a71b099bec196fd885a195
SHA512 5b2d6ada478b208e7f44b341067b118d7c0af9662fe5d13644d8fc4ce26d3bd8baca83eb6f0660cadbf8030c5443f310fd35b8c3a0f8a79e4e15d11d085f9126
-
Filesize
85KB
MD5 536c4a6af1f7d642b2c4cd6c0f6bc3f6
SHA1 33b05e36270a42048601a487d051262f3b98e462
SHA256 43861c9cd57db8c61eb0c8be1076089e30aff62976aff1fb4f5f7d2f97c211c0
SHA512 5c3e967ee1e1b5682a6a2fbc3b3049ecbfd6e1f53fadc321a79aa772a767e6d4097a3789ca099281c10e65420b58a818a289623b1226d98654fd88ab497d50a5
-
Filesize
85KB
MD5 cca947b19662a6fd14087651332b299a
SHA1 ab5f5e8884cf4faa1b206a27895e4168cfb24f96
SHA256 01e2ffcc7e6400467d878d5dab34a14050cbd5744b6cb1db81bbb6a57b908758
SHA512 6baabab07dc654a461179f1a23cf4f78082cf13c3e24239c9ae9ad4c901c649c1a17b487fb474a6c88c9f872e71c8cec9304b248b751a6d3964d2f3b671fce34
-
Filesize
85KB
MD5 682a69fe5e3bef5ec73fa11c72214823
SHA1 a34be311e7c5fb8418b2999594cf4e99c12d4126
SHA256 ae7079233b7bdf41a411df24af0c64b0636f2281e2c5010a5cae56e2406943a3
SHA512 1f757b4b7cb6d96fde0955e307f33802e445ea1a1669cdb5512c2caec9ea2b2f6a5e640c3d8e73b0ccb5985b19e15123a041d6b3c8880e810cee240e82ef5db5
-
Filesize
85KB
MD5 aee07bc4405c82b7ae2a3c80e2ff3e5c
SHA1 684acc58f97f435103499a8cb5776c2b14d8a238
SHA256 4ea18abc39ffefe7816689891751973c5ea7835c7151b4944a595bad9af2a3de
SHA512 8f6c2ba07974b54d34d67494dd110d563be2018bb187d17fabbf7562c66f0712e2a1f65f9dc1041c6508db210fb78ca3ff6602f8607ee333e112920f3daec240
-
Filesize
85KB
MD5 6e8ec6651db0a673a8c1a8147bdba811
SHA1 fe58d0e9cbc565b1f2b0dabf091a747940b713fc
SHA256 00c2295ccfc0a1d794dc8b1d69996a2859f0ec99f261290534bdde16851e1332
SHA512 eccd85d7c3d1c26d81c67c0bab248ef88283fc1360291732ad09fb2156794fe0d24acd62ebdeabd98d98d16f99f40d738949decd979c624c3c6fef2f22a92d62
-
Filesize
85KB
MD5 5b377f14180426889d31ff0729cf52ac
SHA1 a2068359f96908c66a89ab4429f6690921f8b67f
SHA256 16595538c1f775171ad72309e8fe7a6ed7ad9885ea83ea1a13a9b2a4f6b7cf2d
SHA512 ab5016bb4d36cd99828e40435230aceb72924d3e47973a73fca3125bbd5ceac44d466b0be25dfb66f8f2d0ced1aca1730093501bf9bc8d99d237e25806fca9e1
-
Filesize
85KB
MD5 a6714dd518a129e3d82a388b4d2e6cec
SHA1 1a1d9168045e45476dd00067ddeb431902c23215
SHA256 cbfdd7f68f68ead09f86988d5302ca5af80e9933a963a0d7ce04d4fe7b392d73
SHA512 1897fc88d2df2a62dc5fa591d14e5c3ae6fa341a46840f77adf24d9952b067726255e8497682056692fc4b91fbab93e29f9d35391267486f4cbe0cbe8cdd0f7f
-
Filesize
85KB
MD5 68f78163685b219e9aea428212b21bd2
SHA1 54eb081da2d018e07f9591758a98003d6f0637d5
SHA256 ac23a9fe69e02ea39e06c89d90e44074c6b23a86068d0a8a267e7bff3a27d865
SHA512 7590064ad67b7180e9329be5cb08e19744a1e3a53d9079e41138532c97926303dbbd56a93acec74062a8027015ac7381ecc161dbe17ef63c646c2230037d1f13
-
Filesize
85KB
MD5 a861e3d9df3edf9d9a4f82dd4798cad0
SHA1 573e56449b6d3fca6bdb8b4ffe65cebc3988d025
SHA256 9ca5c72359cd38014eeffe320deef0fee86b3191e3c0594f6e9451dc1f943149
SHA512 c3c0cce03377af4bcd5bf104e31a5346ebc2d671a28ffe1f843f083cc6a01226ae516ce9ad2c7966c13f0c47dc99dbbfa2f71e433d2780ee4c9693e116848e44
-
Filesize
85KB
MD5 4fe2cd8285a981a13d150fe685bf5094
SHA1 e9019d3460d57ee8d78d4c72455c45771521d9fc
SHA256 6d9599c05c93e61ca05bcd5ca15cac38b3fbafa73b5a16357fc3451866c02895
SHA512 7a7848d8d7cdd1d84e4b32e128a958f15ab726b246668685ecfd70cb53ced896176561f91a56e574e9b525993da23167f728585aac1fd5f25aad3ddc0c07b185
-
Filesize
85KB
MD5 7733ac9a2f872d08803afa91fe54c446
SHA1 60ac86ecc38f81c15e89cdd5e608d52148bcccd7
SHA256 87fa9b00ad0bd25caca5dd52ba4ede4f4fc646afcfeeb73d25e71ba74f513afd
SHA512 6020925377a4d7288381f5f3a446124cc9a75a99fd5fb74955ebc98ee778917473b8d79716fd85cef7bf48f41776745822397d5528aadd671dabd60c4363a77c
-
Filesize
85KB
MD5 616225431fb4a9d5282c4c3526ad77b3
SHA1 3880e57fb31ab5e9a359cd916701df6091bdb1c9
SHA256 72d3f3fd17a20042bb4cc2f2629bd6ad38d7f603cb3822c92e820d7603a08b26
SHA512 e5eda7913b6f0202a1368036570bcb5bbd1a7ea526ff6f5322a6d578faa44007dc689a625f4acf7b6616f7f6a6f7d846e1f8dbf79d97027d4c6584b0d174d247