2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe
Size

80KB
MD5

833c472a0c2d9d9c35a32e35552fb56d
SHA1

5f5341bd8afdccbc2abbdc769992ef76f2e96f72
SHA256

2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189
SHA512

951243fb9d2efd3bcc231218677ab77d965e7c75017804d581de228e61cdcc0c0cce1672ac5cf4dd21a45762bb5646b6c3fd4ba92c451cbaf52e353c1be807b7
SSDEEP

1536:JXqpeJo3dCdsgMUh2NxI9Kr2vAYQD5YMkhohBE8VGh:lqpeJoNk9Kr2YYQlUAEQGh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe

Executes dropped EXE 18 IoCs

pid	Process
1744	Gddifnbk.exe
2592	Hiqbndpb.exe
2552	Hpkjko32.exe
2784	Hgdbhi32.exe
2584	Hnojdcfi.exe
2492	Hpmgqnfl.exe
2892	Hejoiedd.exe
2624	Hnagjbdf.exe
2180	Hcnpbi32.exe
2188	Hellne32.exe
2024	Hhjhkq32.exe
2104	Hacmcfge.exe
1776	Hjjddchg.exe
2280	Hkkalk32.exe
2432	Iaeiieeb.exe
2100	Idceea32.exe
572	Ioijbj32.exe
656	Iagfoe32.exe

Loads dropped DLL 40 IoCs

pid	Process
1312	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe
1312	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe
1744	Gddifnbk.exe
1744	Gddifnbk.exe
2592	Hiqbndpb.exe
2592	Hiqbndpb.exe
2552	Hpkjko32.exe
2552	Hpkjko32.exe
2784	Hgdbhi32.exe
2784	Hgdbhi32.exe
2584	Hnojdcfi.exe
2584	Hnojdcfi.exe
2492	Hpmgqnfl.exe
2492	Hpmgqnfl.exe
2892	Hejoiedd.exe
2892	Hejoiedd.exe
2624	Hnagjbdf.exe
2624	Hnagjbdf.exe
2180	Hcnpbi32.exe
2180	Hcnpbi32.exe
2188	Hellne32.exe
2188	Hellne32.exe
2024	Hhjhkq32.exe
2024	Hhjhkq32.exe
2104	Hacmcfge.exe
2104	Hacmcfge.exe
1776	Hjjddchg.exe
1776	Hjjddchg.exe
2280	Hkkalk32.exe
2280	Hkkalk32.exe
2432	Iaeiieeb.exe
2432	Iaeiieeb.exe
2100	Idceea32.exe
2100	Idceea32.exe
572	Ioijbj32.exe
572	Ioijbj32.exe
1160	WerFault.exe
1160	WerFault.exe
1160	WerFault.exe
1160	WerFault.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Omabcb32.dll	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hpkjko32.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Gddifnbk.exe	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Hpkjko32.exe	Hiqbndpb.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hellne32.exe	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Odpegjpg.dll	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hjjddchg.exe
File opened for modification	C:\Windows\SysWOW64\Gddifnbk.exe	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Pfabenjd.dll	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Hiqbndpb.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1160	656	WerFault.exe	45

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll"	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll"	Hiqbndpb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 1744	1312	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe	28
PID 1312 wrote to memory of 1744	1312	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe	28
PID 1312 wrote to memory of 1744	1312	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe	28
PID 1312 wrote to memory of 1744	1312	2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe	28
PID 1744 wrote to memory of 2592	1744	Gddifnbk.exe	29
PID 1744 wrote to memory of 2592	1744	Gddifnbk.exe	29
PID 1744 wrote to memory of 2592	1744	Gddifnbk.exe	29
PID 1744 wrote to memory of 2592	1744	Gddifnbk.exe	29
PID 2592 wrote to memory of 2552	2592	Hiqbndpb.exe	30
PID 2592 wrote to memory of 2552	2592	Hiqbndpb.exe	30
PID 2592 wrote to memory of 2552	2592	Hiqbndpb.exe	30
PID 2592 wrote to memory of 2552	2592	Hiqbndpb.exe	30
PID 2552 wrote to memory of 2784	2552	Hpkjko32.exe	31
PID 2552 wrote to memory of 2784	2552	Hpkjko32.exe	31
PID 2552 wrote to memory of 2784	2552	Hpkjko32.exe	31
PID 2552 wrote to memory of 2784	2552	Hpkjko32.exe	31
PID 2784 wrote to memory of 2584	2784	Hgdbhi32.exe	32
PID 2784 wrote to memory of 2584	2784	Hgdbhi32.exe	32
PID 2784 wrote to memory of 2584	2784	Hgdbhi32.exe	32
PID 2784 wrote to memory of 2584	2784	Hgdbhi32.exe	32
PID 2584 wrote to memory of 2492	2584	Hnojdcfi.exe	33
PID 2584 wrote to memory of 2492	2584	Hnojdcfi.exe	33
PID 2584 wrote to memory of 2492	2584	Hnojdcfi.exe	33
PID 2584 wrote to memory of 2492	2584	Hnojdcfi.exe	33
PID 2492 wrote to memory of 2892	2492	Hpmgqnfl.exe	34
PID 2492 wrote to memory of 2892	2492	Hpmgqnfl.exe	34
PID 2492 wrote to memory of 2892	2492	Hpmgqnfl.exe	34
PID 2492 wrote to memory of 2892	2492	Hpmgqnfl.exe	34
PID 2892 wrote to memory of 2624	2892	Hejoiedd.exe	35
PID 2892 wrote to memory of 2624	2892	Hejoiedd.exe	35
PID 2892 wrote to memory of 2624	2892	Hejoiedd.exe	35
PID 2892 wrote to memory of 2624	2892	Hejoiedd.exe	35
PID 2624 wrote to memory of 2180	2624	Hnagjbdf.exe	36
PID 2624 wrote to memory of 2180	2624	Hnagjbdf.exe	36
PID 2624 wrote to memory of 2180	2624	Hnagjbdf.exe	36
PID 2624 wrote to memory of 2180	2624	Hnagjbdf.exe	36
PID 2180 wrote to memory of 2188	2180	Hcnpbi32.exe	37
PID 2180 wrote to memory of 2188	2180	Hcnpbi32.exe	37
PID 2180 wrote to memory of 2188	2180	Hcnpbi32.exe	37
PID 2180 wrote to memory of 2188	2180	Hcnpbi32.exe	37
PID 2188 wrote to memory of 2024	2188	Hellne32.exe	38
PID 2188 wrote to memory of 2024	2188	Hellne32.exe	38
PID 2188 wrote to memory of 2024	2188	Hellne32.exe	38
PID 2188 wrote to memory of 2024	2188	Hellne32.exe	38
PID 2024 wrote to memory of 2104	2024	Hhjhkq32.exe	39
PID 2024 wrote to memory of 2104	2024	Hhjhkq32.exe	39
PID 2024 wrote to memory of 2104	2024	Hhjhkq32.exe	39
PID 2024 wrote to memory of 2104	2024	Hhjhkq32.exe	39
PID 2104 wrote to memory of 1776	2104	Hacmcfge.exe	40
PID 2104 wrote to memory of 1776	2104	Hacmcfge.exe	40
PID 2104 wrote to memory of 1776	2104	Hacmcfge.exe	40
PID 2104 wrote to memory of 1776	2104	Hacmcfge.exe	40
PID 1776 wrote to memory of 2280	1776	Hjjddchg.exe	41
PID 1776 wrote to memory of 2280	1776	Hjjddchg.exe	41
PID 1776 wrote to memory of 2280	1776	Hjjddchg.exe	41
PID 1776 wrote to memory of 2280	1776	Hjjddchg.exe	41
PID 2280 wrote to memory of 2432	2280	Hkkalk32.exe	42
PID 2280 wrote to memory of 2432	2280	Hkkalk32.exe	42
PID 2280 wrote to memory of 2432	2280	Hkkalk32.exe	42
PID 2280 wrote to memory of 2432	2280	Hkkalk32.exe	42
PID 2432 wrote to memory of 2100	2432	Iaeiieeb.exe	43
PID 2432 wrote to memory of 2100	2432	Iaeiieeb.exe	43
PID 2432 wrote to memory of 2100	2432	Iaeiieeb.exe	43
PID 2432 wrote to memory of 2100	2432	Iaeiieeb.exe	43

C:\Users\Admin\AppData\Local\Temp\2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe
"C:\Users\Admin\AppData\Local\Temp\2790e59c1625437f6351f5320f773c1333d2fcc6bbe14cb793540b35c8751189.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\SysWOW64\Gddifnbk.exe
  C:\Windows\system32\Gddifnbk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\Hiqbndpb.exe
    C:\Windows\system32\Hiqbndpb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\Hpkjko32.exe
      C:\Windows\system32\Hpkjko32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        19⤵
        Executes dropped EXE
        
        PID:656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 140
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
80KB

MD5
f7ba2c9c74390133521dfe2dd2f4017d

SHA1
713dcd22b9ac99cbe26f950a752485d44460dc74

SHA256
13904bbd731ad0d23e73a6560fd1192b92eab59a373c7571f1f3e7cbc3ae8ae8

SHA512
7624218e695df123860b2ac4b2eebbd31de0bf0c68b07cf56affa356bf4175a356f2809abffd3203e42477baca79edb3121823619bef88325af404fecbe3bb40

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
80KB

MD5
c367d298e78765b6e6c1cef3123c18a8

SHA1
e3a89dea82787496f057f7eedf6e2b69c583e613

SHA256
f9bb2a3cd48f1332f2b527b65b9d000445d9fbad5412160c809d15caac3de55e

SHA512
822a11b188862bfe7925bb48ebd2d4b30f7f3d3372ccef2a6d589940ec90834cc8d43401b26a6634091f2d6606c131525d8c74a04e99185ed57dcce7ce372bec

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
80KB

MD5
10f86031e118aa305ce2414497cd716a

SHA1
fda29c4830781437be944ebf039d00705c21afc5

SHA256
0dd8b5f856b1ad51f55eaf8b2aebc70935ecc609880b265143fa6ac4ba7471f5

SHA512
2b44dd0b77e05813b86b24c333a99718359f1ae4d01e33ace69c5f67105b0e4d9d8880d43c8fb1f9571da1932f7f265222b48e6fbed1f85a8f9260ac1f1a36c2

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
80KB

MD5
deaf147f15b2164c774c70b37ae67a48

SHA1
85798e6c747f06b02f71f4a1bad5f72cef8cd746

SHA256
6720d0a38bc104b8a7b29e0c88f5658c50871c5aa6c32ce6bf65b7dd57887ef2

SHA512
fb16f9d8e3fb11d0b7adccdd343b160c6f06387c971201a9710d9b02bb12488ff338c4086f77d0d3b60c3b539b48cf0a980365a36afc983a4e46bae1de3132e9

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
80KB

MD5
dd368aa230640b1aea1d2323507c417f

SHA1
ac7f8b9f7d1894324d3d76ca0fc4ad79885e130c

SHA256
ae9fe87af0296de5b3ac99fdb6b7f9bb0dfa115d9b31268be155dc0af51e7d67

SHA512
8141a5045be774e2d3779c539f14aba4bd0fabd34521c10fc7d73319da3707b38d75c847bbcd1feb757fdc3b9948b9d10840130df61b22f6c77da6e68e61590e

Download Submit
\Windows\SysWOW64\Gddifnbk.exe

Filesize
80KB

MD5
bc33377e7f1ca3ce4011790e257e15e3

SHA1
0dca2c6d8c797aa06de9cebe06442cedd73f3df2

SHA256
831f00056a49373ee1e3257b3072945e1f116acb468f8367debf81451d4f3462

SHA512
eaf7cdd6fcbdd7ed70f325826f69ece12307577eff60d5b9bdffee90dd2ed5ef6617b5d26378e03b01b1d4a95953b8b18a710c007d864715e1143dc246f73a94

Download Submit
\Windows\SysWOW64\Hacmcfge.exe

Filesize
80KB

MD5
acaecc57c34c00467d26d291dafa95f8

SHA1
fc24a6a46c6a41f3ddac87bb635916aa20ae7fa9

SHA256
48fc226f4463c12c5261fbe81a564b6f00173c445456e3c4221cd6c8449bc5a9

SHA512
7f28007433ff1dd8678b589fe4d6d5c03fbbc79526319be9326a853d94100a774979a398e4b59a7593bab7ed0968dbfbca6d52e09460300b066d656c32ca987c

Download Submit
\Windows\SysWOW64\Hcnpbi32.exe

Filesize
80KB

MD5
f30274bba3d7af840ba0d57a9ddc8a9c

SHA1
d3afb4871c793f0a945bbafd1f32a0a1095087c2

SHA256
7fa9391f4dc315133737da1ed69c7fde4511a7e994a5c351f57edb5ff2a4bcee

SHA512
308db5a109280fa152c7bc89813bf1e41c1068a9b77c1373c59c1bcdeebaad796cae2a28a45209be2e3bfdcf2164f0bd21e3ce61b0462afe07cc93cdbbc13205

Download Submit
\Windows\SysWOW64\Hejoiedd.exe

Filesize
80KB

MD5
300035c2839c829209bac7091ccafdcf

SHA1
0c9d327189aec304fa87f9437d06031f49018a86

SHA256
68208adbd710788f2b8801b4188b625c998cb134a4c6d993f40fb4eee02987ea

SHA512
bc1ece5d40b2a2a9a18b434410a45f07424d84dbd385a93c093a131078d052ed55f8b2862b64336d878386102bb49eb856fcb18064555f0c9cf78adfb97d4e8f

Download Submit
\Windows\SysWOW64\Hellne32.exe

Filesize
80KB

MD5
62d9c3b24a1c30dbd6ccca5ee6b3c76e

SHA1
d57091b3e6bbe2107cbee9af2d856487a765d7bf

SHA256
a3484c8a5e65b5d75c9e8752b5bb0326d9baf78acc5e344348f8e0668ad7d08d

SHA512
8529c095aee3bac39774a60a253f62f20dba76f31689153575028af16a918d907fc99052b4d8fac20c1621fb8b26365b4a0662eb26721390444cb9ef54c4a34f

Download Submit
\Windows\SysWOW64\Hgdbhi32.exe

Filesize
80KB

MD5
c35533699c19e9f32286ad86612b70ad

SHA1
9e9dc92749f1a5d08d87f03573b9db3623d981da

SHA256
b339204f1c5764f3c7f075234f60ffa2c8797797f61f0f6898ae3067ff499f2d

SHA512
461644f2f1f16d29700f55fb945922dc1b6f7a8a16ace48b3ed47cf49abead542a5893dc32e14e065b6543da4a61f37c7e80e0f33ca76c70629b2844df5940a4

Download Submit
\Windows\SysWOW64\Hhjhkq32.exe

Filesize
80KB

MD5
08e4958b3cf45d9167fc2d5d6ffb715a

SHA1
8097522beee6848ffbfe0989c87710ac8273a966

SHA256
6d30c673f04bc136ab91f3c13e1f4e73f74ac05464f1b33859ae4d246d496089

SHA512
cee2f6bc7850e00771c64c6e260c76edf7014c646d845ae1698261d82bb7f09dbb11b9d0608b812a71896a0fcfcae3252d01af7f455cfa57c7ee1eaa29068062

Download Submit
\Windows\SysWOW64\Hiqbndpb.exe

Filesize
80KB

MD5
f817aae6468c51bb71c5ca56d07ac8cc

SHA1
85a5de9315fd489b406be68a46ae0669259f1d88

SHA256
19b676df2938c1d93f5faa9e53bf7be2a34990491d620a9b5c7b738cb5b19a6d

SHA512
66a04d68829fac40b0dc0508590e686f1b1e10c6a1627125663dd7101f56257870cd9ba70b630298c668bc8364950a1d59b259ace65cfcb2a0acd4ce5cc4a364

Download Submit
\Windows\SysWOW64\Hjjddchg.exe

Filesize
80KB

MD5
78e2bd394c84a7e3a906250f63eb0d53

SHA1
a8562bf7304c59e2a5d15e4b317289bd17302f75

SHA256
99dc049c555f685affa9e8306895757088d93868e60e8cd0da93da0572e20fec

SHA512
e24449b07072ecac1ffda6a5f0383beab52892f8e345ac8b1a1169cf5b0b506ecfade75f33ae02f675cad24707ab15dd8f7a87519630a72a6d1c71769699cf73

Download Submit
\Windows\SysWOW64\Hkkalk32.exe

Filesize
80KB

MD5
c60ef43bf574fbf1513c6a2b4a95b98f

SHA1
4c3d7869f1d8e3b56517c852c09ae5831f163e80

SHA256
2b2e02d04f80092bc128d8a4ea3563a38eedfa18324cc81721cd3390c6f5305b

SHA512
4d9e88c24ae15e1ca41cf23bee98f5b8ba5dbe4bd95dadab3c8c8572591f57f62136e7660060bea31fa673315583a4a533a42b9aaf550c01d59dd4ebf0cf79f1

Download Submit
\Windows\SysWOW64\Hnojdcfi.exe

Filesize
80KB

MD5
17883b12deebcb756207fc59ffd78ca4

SHA1
5dae9e17de1401892cc0f21348f9c56b8c0f44d7

SHA256
2f3be285a5042fb9a3882e85ee1a70dcd6c76014f851ee5856f702b6c0d079ff

SHA512
425a62703cd8644904516e51f3700f9b73be342fb480a051e92b4bef2d021022d1e79d87d870e87a2aaa4f56319a555e8d6864ea130b88ddef5326b249635649

Download Submit
\Windows\SysWOW64\Hpkjko32.exe

Filesize
80KB

MD5
42f2b584a207cfbdc80c75e9200fa256

SHA1
49ed931d7d4c5450a85f18290342cc19302496fe

SHA256
890e81584f6fcd2b5a3192cbcde9427820de2b3fa134f7002eef392820187751

SHA512
8e482cf8d45c7fbe8be7d149ae50b080c031316f1433b634c7ad05d0cda51039d8957483a27688b63f752d8d3c8d8027387a889f6ec45d652085ef5fdeb0c45a

Download Submit
\Windows\SysWOW64\Iaeiieeb.exe

Filesize
80KB

MD5
39b5a86c5c086b5ee46116b9d6d1f023

SHA1
f1802c15fd6f59bd256bd7117cdcbeb32d9315c6

SHA256
a73db08addfcfa05e67de01e40bebbfdc17020eb81f208721c9a6d2fc220b33a

SHA512
52b4dcf97fd8c3ef4b14b79da1b4badee6fa38c3d277a0c8b322eb61c2ac9f9ee3dd813539d6cf1cf9f4cea532780f54c9e63aaa787b4f452ee9942d4c7bce0e

Download Submit
memory/572-226-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/572-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/656-231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-6-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1312-13-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1312-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1744-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1776-245-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-147-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-243-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-212-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-172-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2104-244-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2180-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2180-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2188-134-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2188-242-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2280-186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2280-246-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2432-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2432-247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2492-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2492-238-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2492-93-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2552-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2552-235-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-237-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-77-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2592-234-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-119-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2784-236-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2784-59-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/2784-52-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2892-239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2892-107-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2892-99-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads