968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 00:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe
Size

346KB
MD5

08a96773c09618bbde88582a569dfaaa
SHA1

70745269459a1e35f05a31811ff2c627be8d0257
SHA256

968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c
SHA512

521b2561488078d8692ca5735bb6449a4e83a20d79bf09a6a0e550b64e30ef0faa46298b956de3aff0cecf39c896be5c8eb30e3e447892e9acf3ab1a9a8dd66d
SSDEEP

6144:TL+o7O6Tho5t13LJhrmMsFj5tzOvfFOM6:3+oqiho5tFrls15tz4FT6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe

Executes dropped EXE 17 IoCs

pid	Process
2428	Ghfbqn32.exe
1096	Gbkgnfbd.exe
2612	Ghhofmql.exe
2776	Gkgkbipp.exe
2508	Gogangdc.exe
2532	Gaemjbcg.exe
2252	Ghoegl32.exe
2820	Hmlnoc32.exe
2520	Hcifgjgc.exe
1264	Hicodd32.exe
1756	Hcnpbi32.exe
1484	Hcplhi32.exe
1632	Hhmepp32.exe
1508	Icbimi32.exe
2260	Idceea32.exe
1432	Iknnbklc.exe
2528	Iagfoe32.exe

Loads dropped DLL 38 IoCs

pid	Process
2208	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe
2208	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe
2428	Ghfbqn32.exe
2428	Ghfbqn32.exe
1096	Gbkgnfbd.exe
1096	Gbkgnfbd.exe
2612	Ghhofmql.exe
2612	Ghhofmql.exe
2776	Gkgkbipp.exe
2776	Gkgkbipp.exe
2508	Gogangdc.exe
2508	Gogangdc.exe
2532	Gaemjbcg.exe
2532	Gaemjbcg.exe
2252	Ghoegl32.exe
2252	Ghoegl32.exe
2820	Hmlnoc32.exe
2820	Hmlnoc32.exe
2520	Hcifgjgc.exe
2520	Hcifgjgc.exe
1264	Hicodd32.exe
1264	Hicodd32.exe
1756	Hcnpbi32.exe
1756	Hcnpbi32.exe
1484	Hcplhi32.exe
1484	Hcplhi32.exe
1632	Hhmepp32.exe
1632	Hhmepp32.exe
1508	Icbimi32.exe
1508	Icbimi32.exe
2260	Idceea32.exe
2260	Idceea32.exe
1432	Iknnbklc.exe
1432	Iknnbklc.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hicodd32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Ghoegl32.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Kjpfgi32.dll	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe
File opened for modification	C:\Windows\SysWOW64\Ghhofmql.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Hcifgjgc.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Gbkgnfbd.exe	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Fpmkde32.dll	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Ghoegl32.exe	Gaemjbcg.exe
File opened for modification	C:\Windows\SysWOW64\Gkgkbipp.exe	Ghhofmql.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Ghfbqn32.exe	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe
File opened for modification	C:\Windows\SysWOW64\Ghoegl32.exe	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Icbimi32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File opened for modification	C:\Windows\SysWOW64\Gbkgnfbd.exe	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Gpekfank.dll	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ghfbqn32.exe	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe
File created	C:\Windows\SysWOW64\Gkgkbipp.exe	Ghhofmql.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Ahpjhc32.dll	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Gcaciakh.dll	Gogangdc.exe
File opened for modification	C:\Windows\SysWOW64\Hicodd32.exe	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Qahefm32.dll	Ghfbqn32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hhmepp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1712	2528	WerFault.exe	44

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpfgi32.dll"	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmkde32.dll"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmlnoc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2428	2208	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe	28
PID 2208 wrote to memory of 2428	2208	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe	28
PID 2208 wrote to memory of 2428	2208	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe	28
PID 2208 wrote to memory of 2428	2208	968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe	28
PID 2428 wrote to memory of 1096	2428	Ghfbqn32.exe	29
PID 2428 wrote to memory of 1096	2428	Ghfbqn32.exe	29
PID 2428 wrote to memory of 1096	2428	Ghfbqn32.exe	29
PID 2428 wrote to memory of 1096	2428	Ghfbqn32.exe	29
PID 1096 wrote to memory of 2612	1096	Gbkgnfbd.exe	30
PID 1096 wrote to memory of 2612	1096	Gbkgnfbd.exe	30
PID 1096 wrote to memory of 2612	1096	Gbkgnfbd.exe	30
PID 1096 wrote to memory of 2612	1096	Gbkgnfbd.exe	30
PID 2612 wrote to memory of 2776	2612	Ghhofmql.exe	31
PID 2612 wrote to memory of 2776	2612	Ghhofmql.exe	31
PID 2612 wrote to memory of 2776	2612	Ghhofmql.exe	31
PID 2612 wrote to memory of 2776	2612	Ghhofmql.exe	31
PID 2776 wrote to memory of 2508	2776	Gkgkbipp.exe	32
PID 2776 wrote to memory of 2508	2776	Gkgkbipp.exe	32
PID 2776 wrote to memory of 2508	2776	Gkgkbipp.exe	32
PID 2776 wrote to memory of 2508	2776	Gkgkbipp.exe	32
PID 2508 wrote to memory of 2532	2508	Gogangdc.exe	33
PID 2508 wrote to memory of 2532	2508	Gogangdc.exe	33
PID 2508 wrote to memory of 2532	2508	Gogangdc.exe	33
PID 2508 wrote to memory of 2532	2508	Gogangdc.exe	33
PID 2532 wrote to memory of 2252	2532	Gaemjbcg.exe	34
PID 2532 wrote to memory of 2252	2532	Gaemjbcg.exe	34
PID 2532 wrote to memory of 2252	2532	Gaemjbcg.exe	34
PID 2532 wrote to memory of 2252	2532	Gaemjbcg.exe	34
PID 2252 wrote to memory of 2820	2252	Ghoegl32.exe	35
PID 2252 wrote to memory of 2820	2252	Ghoegl32.exe	35
PID 2252 wrote to memory of 2820	2252	Ghoegl32.exe	35
PID 2252 wrote to memory of 2820	2252	Ghoegl32.exe	35
PID 2820 wrote to memory of 2520	2820	Hmlnoc32.exe	36
PID 2820 wrote to memory of 2520	2820	Hmlnoc32.exe	36
PID 2820 wrote to memory of 2520	2820	Hmlnoc32.exe	36
PID 2820 wrote to memory of 2520	2820	Hmlnoc32.exe	36
PID 2520 wrote to memory of 1264	2520	Hcifgjgc.exe	37
PID 2520 wrote to memory of 1264	2520	Hcifgjgc.exe	37
PID 2520 wrote to memory of 1264	2520	Hcifgjgc.exe	37
PID 2520 wrote to memory of 1264	2520	Hcifgjgc.exe	37
PID 1264 wrote to memory of 1756	1264	Hicodd32.exe	38
PID 1264 wrote to memory of 1756	1264	Hicodd32.exe	38
PID 1264 wrote to memory of 1756	1264	Hicodd32.exe	38
PID 1264 wrote to memory of 1756	1264	Hicodd32.exe	38
PID 1756 wrote to memory of 1484	1756	Hcnpbi32.exe	39
PID 1756 wrote to memory of 1484	1756	Hcnpbi32.exe	39
PID 1756 wrote to memory of 1484	1756	Hcnpbi32.exe	39
PID 1756 wrote to memory of 1484	1756	Hcnpbi32.exe	39
PID 1484 wrote to memory of 1632	1484	Hcplhi32.exe	40
PID 1484 wrote to memory of 1632	1484	Hcplhi32.exe	40
PID 1484 wrote to memory of 1632	1484	Hcplhi32.exe	40
PID 1484 wrote to memory of 1632	1484	Hcplhi32.exe	40
PID 1632 wrote to memory of 1508	1632	Hhmepp32.exe	41
PID 1632 wrote to memory of 1508	1632	Hhmepp32.exe	41
PID 1632 wrote to memory of 1508	1632	Hhmepp32.exe	41
PID 1632 wrote to memory of 1508	1632	Hhmepp32.exe	41
PID 1508 wrote to memory of 2260	1508	Icbimi32.exe	42
PID 1508 wrote to memory of 2260	1508	Icbimi32.exe	42
PID 1508 wrote to memory of 2260	1508	Icbimi32.exe	42
PID 1508 wrote to memory of 2260	1508	Icbimi32.exe	42
PID 2260 wrote to memory of 1432	2260	Idceea32.exe	43
PID 2260 wrote to memory of 1432	2260	Idceea32.exe	43
PID 2260 wrote to memory of 1432	2260	Idceea32.exe	43
PID 2260 wrote to memory of 1432	2260	Idceea32.exe	43

C:\Users\Admin\AppData\Local\Temp\968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe
"C:\Users\Admin\AppData\Local\Temp\968e3b5eab5b701a6e87d3b6cad2da88bf7681b63e7effbb55c3d610a1e8d35c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\Ghfbqn32.exe
  C:\Windows\system32\Ghfbqn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\Gbkgnfbd.exe
    C:\Windows\system32\Gbkgnfbd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\SysWOW64\Ghhofmql.exe
      C:\Windows\system32\Ghhofmql.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\Gkgkbipp.exe
        
        C:\Windows\system32\Gkgkbipp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Ghoegl32.exe
        
        C:\Windows\system32\Ghoegl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        18⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 140
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
346KB

MD5
af854cd14102e08538783eabe01cc942

SHA1
88372e93e1d3611da74d84d9907ffa7c314d3cfe

SHA256
c438da38b4c592306ad91c76512dc504ebc34c6bd30343140740b5a8198691a3

SHA512
ac6095929558ef857f69ecb8b4c0343ab870c434d898c94833536d9d4177f69bdea433b1132c0044e474840dee6adfbecfd71151711c67b49433d10135da7d5c

Download Submit
C:\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
346KB

MD5
0b6b1b1f5deb79c57035dcdec712661b

SHA1
05c3ca2b315e0d29e4d73078fc2f916566e3f84f

SHA256
a784cfc0b2b16a6b854ab9288c4e7a0dd21344d52cb31d1d4d51dbde18182b11

SHA512
8e3e60b9b8c4c51da9e18e85e4bb245b56ed58dbf66bbbceb9543fff0a2eb3fa4d020eba7750d89355c2b6ba451e2eceec0665cad3f3bfdddb45950c1ee4f991

Download Submit
C:\Windows\SysWOW64\Ghhofmql.exe

Filesize
346KB

MD5
affdaec02a96cb4fc827a1ce57ebd923

SHA1
920e5ca03ab6fb62973a5dfeeef15303357937f3

SHA256
543c7c46576b19f732341126fe34ba728ae012bcf1a87523df70ca49b0b5c2d9

SHA512
b355e64e85eca758164a8771060f6024701c1e6b1c7f7763c7a6c9a1dc89c14a3c210c15f5e29132533ed22118bb050e03ca0885378dad831c1dcaf8934f8242

Download Submit
C:\Windows\SysWOW64\Ghoegl32.exe

Filesize
346KB

MD5
b8a46d6c82dc7318181d2b2c7414468f

SHA1
ca6cd81f02be7d49283a75bcebfb728a51566659

SHA256
30d09ba711409c7b9e17eece9d72ae11fe07c0b6e80023285fe3e1abfc8259ab

SHA512
e0bacda7a9de6387dd4d6977d761bb82d0162c7ce4ef91b78c00df9e54a5ddfb6ad613841f5aa6c81ad9e3020e02893c7614c01e889fb01efd9db509b8d49119

Download Submit
C:\Windows\SysWOW64\Gkgkbipp.exe

Filesize
346KB

MD5
497c5c015e259abf727928d0e6c5d47e

SHA1
32d7a329ed23db383fb2ec27a863a1262ca63612

SHA256
3e844889ac7c7f5128eb1cc0ac5140723bdb431b460b29e2e1ac6d29efadc232

SHA512
5467101f7f2b9fc4b9dcbd44d8294cabfb62c9d24dba07a9e3f2a9d0135e77e62acf46397c63c342f3640f4c2da7b64b972a0e806c7aaf7cd046bd5c14a3532e

Download Submit
C:\Windows\SysWOW64\Gogangdc.exe

Filesize
346KB

MD5
2063d9b998fd0b895ca629544e1ed50b

SHA1
ed32af4552f620f08753b1f44bfcbdc5b11c48a5

SHA256
8041252056757812064ef8b451b4487f6347d05d66de941e0cd0cc7f3db58e5c

SHA512
f3b6513bf9634b945515a246f53fe8d219be495d6c6ea44154aceeb09d0802b37199f61b6def8eb2fd876ac07c3a863d9f6490e771347b5011f7e1ee67649cb4

Download Submit
C:\Windows\SysWOW64\Hcifgjgc.exe

Filesize
346KB

MD5
28729457dbd9b71a9971c7986578345a

SHA1
1b6a68b1957678bbaae98e017f35636b9d68708a

SHA256
7918dbb2670879b5c21722068dad3d9e3d3479cec723c8ff7c4f91db79c228d1

SHA512
18ca178c3343375daf184be6e983dcca641f5e3025edbc6111af8ed8d92939e33c104cbfd728a5c32c82ae64deb7c7ad77087fb22ef933845c3efa57f5054a06

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
346KB

MD5
c193cd797a133ce5fd01628e9b1769f7

SHA1
47392c060b8faa8f9debf867281cf1c5d242b7fe

SHA256
e3257027621fbd3176b1e9d6257fe6edca2750993ade8a91e99f6849f5ec1f4f

SHA512
8677d517a29f5d4b922b3704a9530ff12c10b0af5ad5aaea4cd1b7fe1e93a039bcb644adbd9a199ca334d6dc63491cde73e44239292c1dc5d19b5515ef6a6463

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
346KB

MD5
326f3ba2be83cabea1efd5c4e7e7c70d

SHA1
0f41679a3c4f2612815856676b4c1bfe9a55f5d6

SHA256
acf6303bd591f7a6064a7b505bdedd4ea9681171a0016d7553d51b5796571ffc

SHA512
68bda67fe81810ab50a5af0beac94cc9670d9bf4bb959288128ad2c07af3fff04ec8e509a4f63d74086eefd3e388e84ffa4cad27b60b78a3413ffb5e2f01ac03

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
346KB

MD5
57dfd6c1679af420aed4d4b847a89232

SHA1
efdcc78cfc22d767f8c1215a316c2ee10ed7bfcd

SHA256
4601592acdd7fd988387cabc93802abaa190aba73db190f9b30016caa2304c01

SHA512
fe427b6d05d55ecf7ca115eb805673cc44aa9a0ed76283f0e1779fd6655f5a5b016b5c5d726426684efb132548002892a143eca453639f89d1702078b1640cf2

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
346KB

MD5
bc4f69f2258aaa105573679d5764499d

SHA1
f92fb9abb1ca9365b0cc9ac2c7c8589a148e3d8b

SHA256
20c1524a2f289cd0558d42c9d3981eec6f61e8b602a6ead7b3e83e13f6bb44f9

SHA512
fb5dfc62f0c73135ea6b4afcae972a084971ee6a7209cbdf58a072fd4f27e1e6f03b87af376c44393940c202bb56b7163cffc7f4ba0335b5bbbfc3a18552562b

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
346KB

MD5
4bc0da4e0797976c8b02da15a3cea128

SHA1
352b0198ba7c2ee1675852ef6e2e152c3b4b284f

SHA256
99ae54a8befcdaa07c70fab5d29aaf7565ce010befbe9ad27d81c67bb90f917d

SHA512
a58a0bddfc4f55d30e81427103afd11cce424528d5b858c61372f3fc02701930a5f363bd06a9669f26d69280602721f14e2078bc0cfbdd0e62b18432ecb0e472

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
346KB

MD5
6b40af753472d5771bf8533b26b35435

SHA1
3aec1ab803edc8e7b485617db25e42b97b8c162c

SHA256
49d1da8a017dce023f02934f8efbbd62bc1b9ff2acd0261dc4e56d5584aef663

SHA512
305ca07c62305b894788e593a0b0dd073318ec880d6d8dff4887ea61e5809db1673ee08f1a242651bfbd58bcffbabe5c0b4208374422ce9096565d2716754f47

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
346KB

MD5
b891a53c11b13b20a560a8c93893f4d8

SHA1
4338011940bee7d2f2b04416ae58abb60226811f

SHA256
1438afe562dd9d4823943cba74f0372ba9504b7f383d0ccfe806194ed90a8de2

SHA512
0469b497af44c56f0a75d0559b6a369bf0b9752e7b408f6783d5d5908647802811fe1e32b9312d8a8ca344f8f48e00373c0625115781ffdcb203e7faffb879af

Download Submit
\Windows\SysWOW64\Ghfbqn32.exe

Filesize
346KB

MD5
c6ee809deab31b3dafd5706aa4aa365b

SHA1
28210a450008ed083f45fcac996f1daff01e2412

SHA256
525d0646578f6a75401252ecb72031b8b63bb48161db235159cc480523baf055

SHA512
f4f65ccb24b38758ad347da4230f82d0d56f2661f3ad73bafef9fcbdcdc92ebe8e398d05311c229dccf30e6377d4f0d0de00602b0d5e6202c82e9d1809e035c1

Download Submit
\Windows\SysWOW64\Hhmepp32.exe

Filesize
346KB

MD5
8939a97f947ad42200c5cf43636d9041

SHA1
49f14ec228900d0f4d4592d0e8fe93622a77ebb4

SHA256
3b6b55e85ef940a4f7db6172c8d5b65b9be9e60d99ac99adce197711787585c5

SHA512
843cd6572428768ecf5a4ea0cd37f57c074c82f50498492608268bdfa654997facc2ef4540082578fd3f403ad153a0570d731b9a292db1f750a3d7b7f3021578

Download Submit
\Windows\SysWOW64\Hmlnoc32.exe

Filesize
346KB

MD5
f457520b19ea36b76809ea4f09a42709

SHA1
781d1a6680edb1f78d87c03e0e407d1ba6cc9253

SHA256
756336517a59823ae57f5e4c20e49b9c46a611ddd0f71efcd4452a9c0c29f0d7

SHA512
340991584b915065e21393eccb05f86443fdd7c04054be6d5eb36071f9c09f8ebdd1fe71f360b2bca1ec9c2ce46e3168ebc677ffae89ee10e92c871c9e7128b8

Download Submit
memory/1096-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1096-36-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1096-34-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1264-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1432-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1432-255-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/1432-253-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1432-244-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/1484-184-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/1484-247-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/1484-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1484-248-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/1484-185-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/1508-224-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1508-222-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1508-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1508-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1632-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1632-202-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/1632-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1632-203-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/1632-250-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/1632-251-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/1756-175-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1756-246-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1756-157-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1756-245-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2208-4-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2208-6-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2252-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2252-106-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2252-183-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2260-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2428-26-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/2428-29-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/2428-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2428-96-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2508-82-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2508-147-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2508-155-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2508-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-221-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-135-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/2528-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2528-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2532-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-50-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/2612-111-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-44-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2776-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2776-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2820-125-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2820-201-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2820-126-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2820-200-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads