d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe
Size

79KB
MD5

cae8945789e4998478be3e468a69f994
SHA1

5adb70cc77fb5a37d32836314ad5287326c157f7
SHA256

d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac
SHA512

f5430757f7c75cba3300a3fbaeeb1f283bbd9c70ffd6944ec11cdd89d6fb93ec059c2ee1187f3b8d0c2d4f346c3e8e758a3d4a33d6e6d6835e4e2b1012860857
SSDEEP

1536:dMpHttFNs0aaLwVPrG6zzUloxYbUEU0iFkSIgiItKq9v6DK:uNLK02jXPuoxYbUEXixtBtKq9vV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmjaic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geolea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghkllmoi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe

Executes dropped EXE 16 IoCs

pid	Process
1200	Ghkllmoi.exe
2668	Geolea32.exe
2640	Gkkemh32.exe
2412	Gmjaic32.exe
2384	Gddifnbk.exe
2988	Hknach32.exe
1832	Hdfflm32.exe
2700	Hgdbhi32.exe
2272	Hdhbam32.exe
1568	Hnagjbdf.exe
2276	Hobcak32.exe
672	Hlfdkoin.exe
1736	Hcplhi32.exe
880	Hkkalk32.exe
2796	Ihoafpmp.exe
2368	Iagfoe32.exe

Loads dropped DLL 36 IoCs

pid	Process
2180	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe
2180	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe
1200	Ghkllmoi.exe
1200	Ghkllmoi.exe
2668	Geolea32.exe
2668	Geolea32.exe
2640	Gkkemh32.exe
2640	Gkkemh32.exe
2412	Gmjaic32.exe
2412	Gmjaic32.exe
2384	Gddifnbk.exe
2384	Gddifnbk.exe
2988	Hknach32.exe
2988	Hknach32.exe
1832	Hdfflm32.exe
1832	Hdfflm32.exe
2700	Hgdbhi32.exe
2700	Hgdbhi32.exe
2272	Hdhbam32.exe
2272	Hdhbam32.exe
1568	Hnagjbdf.exe
1568	Hnagjbdf.exe
2276	Hobcak32.exe
2276	Hobcak32.exe
672	Hlfdkoin.exe
672	Hlfdkoin.exe
1736	Hcplhi32.exe
1736	Hcplhi32.exe
880	Hkkalk32.exe
880	Hkkalk32.exe
2796	Ihoafpmp.exe
2796	Ihoafpmp.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hdhbam32.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Jpajnpao.dll	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Phofkg32.dll	Hknach32.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Hknach32.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Geolea32.exe	Ghkllmoi.exe
File opened for modification	C:\Windows\SysWOW64\Gddifnbk.exe	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Pfabenjd.dll	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Dbnkge32.dll	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Gddifnbk.exe	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Ghkllmoi.exe	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe
File opened for modification	C:\Windows\SysWOW64\Ghkllmoi.exe	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe
File created	C:\Windows\SysWOW64\Gkkemh32.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Ndabhn32.dll	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hdhbam32.exe
File opened for modification	C:\Windows\SysWOW64\Gmjaic32.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Geolea32.exe	Ghkllmoi.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Gmjaic32.exe	Gkkemh32.exe
File opened for modification	C:\Windows\SysWOW64\Hdfflm32.exe	Hknach32.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hdfflm32.exe
File opened for modification	C:\Windows\SysWOW64\Hdhbam32.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hobcak32.exe
File created	C:\Windows\SysWOW64\Iebpge32.dll	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe
File created	C:\Windows\SysWOW64\Kcaipkch.dll	Geolea32.exe
File created	C:\Windows\SysWOW64\Aimkgn32.dll	Gkkemh32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2948	2368	WerFault.exe	43

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll"	Geolea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll"	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmjaic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hknach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll"	Hknach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hlfdkoin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1200	2180	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe	28
PID 2180 wrote to memory of 1200	2180	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe	28
PID 2180 wrote to memory of 1200	2180	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe	28
PID 2180 wrote to memory of 1200	2180	d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe	28
PID 1200 wrote to memory of 2668	1200	Ghkllmoi.exe	29
PID 1200 wrote to memory of 2668	1200	Ghkllmoi.exe	29
PID 1200 wrote to memory of 2668	1200	Ghkllmoi.exe	29
PID 1200 wrote to memory of 2668	1200	Ghkllmoi.exe	29
PID 2668 wrote to memory of 2640	2668	Geolea32.exe	30
PID 2668 wrote to memory of 2640	2668	Geolea32.exe	30
PID 2668 wrote to memory of 2640	2668	Geolea32.exe	30
PID 2668 wrote to memory of 2640	2668	Geolea32.exe	30
PID 2640 wrote to memory of 2412	2640	Gkkemh32.exe	31
PID 2640 wrote to memory of 2412	2640	Gkkemh32.exe	31
PID 2640 wrote to memory of 2412	2640	Gkkemh32.exe	31
PID 2640 wrote to memory of 2412	2640	Gkkemh32.exe	31
PID 2412 wrote to memory of 2384	2412	Gmjaic32.exe	32
PID 2412 wrote to memory of 2384	2412	Gmjaic32.exe	32
PID 2412 wrote to memory of 2384	2412	Gmjaic32.exe	32
PID 2412 wrote to memory of 2384	2412	Gmjaic32.exe	32
PID 2384 wrote to memory of 2988	2384	Gddifnbk.exe	33
PID 2384 wrote to memory of 2988	2384	Gddifnbk.exe	33
PID 2384 wrote to memory of 2988	2384	Gddifnbk.exe	33
PID 2384 wrote to memory of 2988	2384	Gddifnbk.exe	33
PID 2988 wrote to memory of 1832	2988	Hknach32.exe	34
PID 2988 wrote to memory of 1832	2988	Hknach32.exe	34
PID 2988 wrote to memory of 1832	2988	Hknach32.exe	34
PID 2988 wrote to memory of 1832	2988	Hknach32.exe	34
PID 1832 wrote to memory of 2700	1832	Hdfflm32.exe	35
PID 1832 wrote to memory of 2700	1832	Hdfflm32.exe	35
PID 1832 wrote to memory of 2700	1832	Hdfflm32.exe	35
PID 1832 wrote to memory of 2700	1832	Hdfflm32.exe	35
PID 2700 wrote to memory of 2272	2700	Hgdbhi32.exe	36
PID 2700 wrote to memory of 2272	2700	Hgdbhi32.exe	36
PID 2700 wrote to memory of 2272	2700	Hgdbhi32.exe	36
PID 2700 wrote to memory of 2272	2700	Hgdbhi32.exe	36
PID 2272 wrote to memory of 1568	2272	Hdhbam32.exe	37
PID 2272 wrote to memory of 1568	2272	Hdhbam32.exe	37
PID 2272 wrote to memory of 1568	2272	Hdhbam32.exe	37
PID 2272 wrote to memory of 1568	2272	Hdhbam32.exe	37
PID 1568 wrote to memory of 2276	1568	Hnagjbdf.exe	38
PID 1568 wrote to memory of 2276	1568	Hnagjbdf.exe	38
PID 1568 wrote to memory of 2276	1568	Hnagjbdf.exe	38
PID 1568 wrote to memory of 2276	1568	Hnagjbdf.exe	38
PID 2276 wrote to memory of 672	2276	Hobcak32.exe	39
PID 2276 wrote to memory of 672	2276	Hobcak32.exe	39
PID 2276 wrote to memory of 672	2276	Hobcak32.exe	39
PID 2276 wrote to memory of 672	2276	Hobcak32.exe	39
PID 672 wrote to memory of 1736	672	Hlfdkoin.exe	40
PID 672 wrote to memory of 1736	672	Hlfdkoin.exe	40
PID 672 wrote to memory of 1736	672	Hlfdkoin.exe	40
PID 672 wrote to memory of 1736	672	Hlfdkoin.exe	40
PID 1736 wrote to memory of 880	1736	Hcplhi32.exe	41
PID 1736 wrote to memory of 880	1736	Hcplhi32.exe	41
PID 1736 wrote to memory of 880	1736	Hcplhi32.exe	41
PID 1736 wrote to memory of 880	1736	Hcplhi32.exe	41
PID 880 wrote to memory of 2796	880	Hkkalk32.exe	42
PID 880 wrote to memory of 2796	880	Hkkalk32.exe	42
PID 880 wrote to memory of 2796	880	Hkkalk32.exe	42
PID 880 wrote to memory of 2796	880	Hkkalk32.exe	42
PID 2796 wrote to memory of 2368	2796	Ihoafpmp.exe	43
PID 2796 wrote to memory of 2368	2796	Ihoafpmp.exe	43
PID 2796 wrote to memory of 2368	2796	Ihoafpmp.exe	43
PID 2796 wrote to memory of 2368	2796	Ihoafpmp.exe	43

C:\Users\Admin\AppData\Local\Temp\d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe
"C:\Users\Admin\AppData\Local\Temp\d507d8936e58817efd1f961e24d4fdc4949f7e429bb86efd6c5bea4e3667f1ac.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\Ghkllmoi.exe
  C:\Windows\system32\Ghkllmoi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\SysWOW64\Geolea32.exe
    C:\Windows\system32\Geolea32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\Gkkemh32.exe
      C:\Windows\system32\Gkkemh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Gmjaic32.exe
        
        C:\Windows\system32\Gmjaic32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - C:\Windows\SysWOW64\Gddifnbk.exe
        
        C:\Windows\system32\Gddifnbk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        17⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 140
        18⤵
        Loads dropped DLL
        Program crash
        
        PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gmjaic32.exe

Filesize
79KB

MD5
e83df332a18e97be30169e8e53cf4650

SHA1
0954974b9c1cb089553a7d35365bb7e8886a5411

SHA256
2c7c305b84fbc60df88b8c1249bee42c621224cd5646b378a66b5734596d0195

SHA512
761df0f105000260087748102590aeead8abbaad07c0c41072fc4b68c850bd7af42dc07820e5fbbf6755a657495fba18a3bc91302fbde3ebc8d506ab74ec87c5

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
79KB

MD5
696776c458874bd2d844747fc4292017

SHA1
995cb5251d1a233efad8c4eda74947dd477804ae

SHA256
34e703d1d82468aec2bc0fcb4066005afb7845cc9eb2084fe8b9e537e11415e9

SHA512
2809652d9aa898d4b11b57c745fcf1b8bd9995b04e493b8430abb1666b8df41197b2d24d2cbef5cdf7b6eac19caeb84ee3bbc0fcf80e4019684c0f3712212841

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
79KB

MD5
c0a066687a7c2bb0f9e509132ca2f0bf

SHA1
cbbd1201e271799ea4927f5785e5a3ff05f20730

SHA256
4e34cae55a2d286ebe2ca81e8ffd89d0e9b315b48187fe1e25c0e94330758fda

SHA512
119895805d4f7b65fac582ac374f5c18a1abfe541f144269c102ca4788503dbafc8e0b17d2d0f4e537be3b5fb1b39f68b77f6e8129932f83a298c096b56ae169

Download Submit
\Windows\SysWOW64\Gddifnbk.exe

Filesize
79KB

MD5
fcd79575055e6f7b8986c0ea943be6dc

SHA1
1351d2536f48e452d06ed6e6241366ec891bec2b

SHA256
4e1344573a5177c94696b92189fec5864fd2fba7364da9322adc8f3d62c7dd77

SHA512
0bd4e75247fab33945ed85acc452c989c628d300091f0ade8b9150c298297858572e063eb7ff2f9b9d3e9b2034cfcbc4dccafb413d2e651361bd4949460d30b3

Download Submit
\Windows\SysWOW64\Geolea32.exe

Filesize
79KB

MD5
0f38bd35b9cb4c1de22f2d9b1789941f

SHA1
c70ff3c0d01d4fb26382fbb08490c0c9bbeb815f

SHA256
ce58376a5ae7badd3c100f0767a296b9d0d664b746f37d8985d42ff443a894dd

SHA512
81c7e21db3d230932b441d5f97af726e9e33bb0504b0caa5b5b77bc0708bf9a47f5cd8daed1c206d02b3917fdcadbbc390b42972a2a70a5818fa8f2cf74da101

Download Submit
\Windows\SysWOW64\Ghkllmoi.exe

Filesize
79KB

MD5
2e91386ca5815383b5f603ac66fc9ab5

SHA1
1ffd9fb815b3109011a85b4cb9cb52ca01286e45

SHA256
cafc7c73464fe1e1aab82378f57bd678500ea9dff897e8b816aadaf9a607be23

SHA512
c1a5ad6e0df7d0171b8d89a92d9f2358f58ce3e59894bf842df66c57f3335089916de38367e9c0e6f9bb4fe250e4effd262b72997a4bcaf303d8b326ccae9c49

Download Submit
\Windows\SysWOW64\Gkkemh32.exe

Filesize
79KB

MD5
499fcd637593b09f93254a48972fb797

SHA1
ca168c7e9bd2b9c16c7dad02ef2260b8f0177f13

SHA256
636d3f7dbbd3ac47d865585f7d41eb523cafa3ca8815c9e7d9a28376645bf2ae

SHA512
c18d2e0b737a8df502997cb2edf5bc8151767c69b599786ef7318b694701d5b870ec0394af23be5685c69d3a09c4777b510216683314d81664f9a47e399a3355

Download Submit
\Windows\SysWOW64\Hcplhi32.exe

Filesize
79KB

MD5
a32ed307cf52e7b01f94a7988114aefa

SHA1
fa08df96c24a59dffefb647ec549c414de541913

SHA256
1d9bddc4f53a6986fb637f34b795a78c931856be1dc27f2ef889c923d2a65f51

SHA512
bed884e0859e08cd2aa567a3cffd93390d2d4349356ba07cb1748c12eea5fa3f78f96a26b79d831e471f6987248ea755cf376da4f74f4a97bbd519ef48cb8479

Download Submit
\Windows\SysWOW64\Hdfflm32.exe

Filesize
79KB

MD5
b13b0589793e1f5c0d518b5da25a821c

SHA1
063fb2e790be4cbbc5ea8e1753ad2d6c4764acd4

SHA256
25cfd476c3b93af6134fb739c10313b9c14b204b700f23a7bbe617cb1b041cc6

SHA512
ca3c6ed781923878469ae996c5ee844dae8d0590bb4be405dbd7b8dde1b226cab29f31e58d7ec1c753a71b70bf2e15c53438dbe94a3157cc23de8112f9c4a40f

Download Submit
\Windows\SysWOW64\Hgdbhi32.exe

Filesize
79KB

MD5
150f73a7c4c35fb022f45aa0f112fcbd

SHA1
e0eadc638f0a394e05635595f69186dae02513a7

SHA256
c16d5a1821bfd75310cbcd7cf4fa334093ec3b7a0ba825692cdaea4beed14b69

SHA512
1e8f78fb57ca8b0fb537d1ff2bd944e99723bd6b586887596514ec077341825037ea1d73962e8c16389e5cb0357aeb8f75f545669abac3bfccf9e3f7e2168b5d

Download Submit
\Windows\SysWOW64\Hkkalk32.exe

Filesize
79KB

MD5
5aa2be15aba7334c2e49bf5b55d2b3ef

SHA1
280e0fa1a44d82d84798068592b1a4914e6e224d

SHA256
1a591d96f2b3d0a9b81103cd0fbe82eaee0fd5c12eb4ab7be7628920b50fc775

SHA512
cc3c507ea1e3c427be5543b5ae0eeb8c99dd3339e7891f96e9c9584bedbe354b4bf71aa06531ba8994da7a32a106b1df959290d4d75a7f46944ff27b2571f4d0

Download Submit
\Windows\SysWOW64\Hlfdkoin.exe

Filesize
79KB

MD5
2c5725af14f1076632bc977a09b50fdf

SHA1
90b6b88e193c85918e7ab8448a114fe109a9005b

SHA256
d1f6ccc2703e3b10aecc70feaeb3c648a7fcbeb7b63dcd5ba1907b63a312577b

SHA512
06ca467cd9cc5c3db9ddcb973784da8c20c7394d0ca4cc9afaea3f12a92eba6964d8e45b373e7ca1c62bdadd5d5e2eda5c967931af2548e57b0c5f88090dba4d

Download Submit
\Windows\SysWOW64\Hnagjbdf.exe

Filesize
79KB

MD5
d5ee3fd151e724c68304774e4389d3ce

SHA1
46dd83dddd349f82ff1225b67fbb8e3dbf40b253

SHA256
5a25f618b032b8d28f78a64d712a5f676cb0a74d4ca538096db9743d84386f8d

SHA512
9219aa8462d79813e40e7d24a86ee2b4e12a27ea2b51d5b676987528b374fd2e2281c2cd38cd75d33289f0cc0c81f3c414e685d26fa67a91c057750b0b1530ca

Download Submit
\Windows\SysWOW64\Hobcak32.exe

Filesize
79KB

MD5
3046426879be9296828e8edb7e081233

SHA1
6c4ea23060c0926129ee304ebb4bb747e727183b

SHA256
8c7eecda5babf169e6c13911a32f6f97279b0ce7cdb8626112d8de2a86924302

SHA512
835c08cc722b6925af1f404dc6da196b6979f30d5b3aea91b36d186d1b8a3049df46013106332c3fe621137fb5448b7a31be0813ec5625229020d918e61a87d2

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
79KB

MD5
5cc3232f4d2f2cdbb53353f3eb271eb2

SHA1
afe53dfbb335b43c1820d9008bef793acc4839ee

SHA256
debfdfa935b2edf7178ef17d419d45509f5409c1d6adc9dcd1f2d613d10381c9

SHA512
924c433c8c49c94d3d1175096eeeb8ad58ab76d0f57bdca3ce31768caf8cfdc99cc6b7bdd11da9b88bc9a4cd9359078ceae30458886e7ee9e696fb90222dce95

Download Submit
\Windows\SysWOW64\Ihoafpmp.exe

Filesize
79KB

MD5
e9d2704d75bbb001c60368e55bc049e4

SHA1
4d86997777eacb6ac99f2ff2911c8e337ff064c2

SHA256
cd089838209f5be20b895ddc179e5614e745cd733883cbf335fe1f9ebf260e57

SHA512
31615b2b2e174e3d2a2255178e6fc39e69254db1c2d1e085457a0e0dc91241e85e8f0c264347c27d406444efc568e287a6cb4c4c3f6f9a42e989e565db7cf827

Download Submit
memory/672-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/880-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1200-20-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1200-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1568-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1568-146-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1568-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-183-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/1736-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-6-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2272-132-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2272-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-160-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2276-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2368-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2412-62-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-52-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2640-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-120-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2796-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-210-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2796-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-92-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2988-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-93-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2988-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads