xmrig | 6b91b3886d16079b12939c1f63bda1318b2a7723cbd03df628716285ce905b23

Analysis

max time kernel
127s
max time network
16s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72958732_by_Libranalysis.exe
Size

7.5MB
MD5

729587324c077801ddb6380abd0f67d2
SHA1

f9a1481753c0b8d5648fc3863eb0970b9630b808
SHA256

6b91b3886d16079b12939c1f63bda1318b2a7723cbd03df628716285ce905b23
SHA512

d40a0e78dc5752aa8fd1b27966b39809f29bf2a291848bb2b112e326a02fd3f637b2473f3aa11533f2bbdc6a1132ce2f11b67c9c1a637e80233319f6a4354834

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 16 IoCs

Processes:

Pgdlfc32.exeQijbij32.exeAdmfpgaa.exeFcdakgkk.exeGbcabb32.exeImcdbb32.exeIhkeeknm.exeIlpgdnoj.exeJaaihd32.exeMehqheel.exeMaanbeim.exeNhbmpo32.exeOoekkm32.exePnfghh32.exePolmko32.exeHffhfb32.exe

pid	process
2008	Pgdlfc32.exe
1484	Qijbij32.exe
1964	Admfpgaa.exe
1844	Fcdakgkk.exe
1740	Gbcabb32.exe
1808	Imcdbb32.exe
1776	Ihkeeknm.exe
824	Ilpgdnoj.exe
1352	Jaaihd32.exe
968	Mehqheel.exe
816	Maanbeim.exe
464	Nhbmpo32.exe
1940	Ooekkm32.exe
736	Pnfghh32.exe
1232	Polmko32.exe
1608	Hffhfb32.exe

Loads dropped DLL 36 IoCs

Processes:

72958732_by_Libranalysis.exePgdlfc32.exeQijbij32.exeAdmfpgaa.exeFcdakgkk.exeGbcabb32.exeImcdbb32.exeIhkeeknm.exeIlpgdnoj.exeJaaihd32.exeMehqheel.exeMaanbeim.exeNhbmpo32.exeOoekkm32.exePnfghh32.exePolmko32.exeWerFault.exe

pid	process
540	72958732_by_Libranalysis.exe
540	72958732_by_Libranalysis.exe
2008	Pgdlfc32.exe
2008	Pgdlfc32.exe
1484	Qijbij32.exe
1484	Qijbij32.exe
1964	Admfpgaa.exe
1964	Admfpgaa.exe
1844	Fcdakgkk.exe
1844	Fcdakgkk.exe
1740	Gbcabb32.exe
1740	Gbcabb32.exe
1808	Imcdbb32.exe
1808	Imcdbb32.exe
1776	Ihkeeknm.exe
1776	Ihkeeknm.exe
824	Ilpgdnoj.exe
824	Ilpgdnoj.exe
1352	Jaaihd32.exe
1352	Jaaihd32.exe
968	Mehqheel.exe
968	Mehqheel.exe
816	Maanbeim.exe
816	Maanbeim.exe
464	Nhbmpo32.exe
464	Nhbmpo32.exe
1940	Ooekkm32.exe
1940	Ooekkm32.exe
736	Pnfghh32.exe
736	Pnfghh32.exe
1232	Polmko32.exe
1232	Polmko32.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe

Drops file in System32 directory 48 IoCs

Processes:

Ilpgdnoj.exeMehqheel.exe72958732_by_Libranalysis.exeQijbij32.exeAdmfpgaa.exeNhbmpo32.exeOoekkm32.exeImcdbb32.exeMaanbeim.exeFcdakgkk.exeGbcabb32.exeJaaihd32.exePgdlfc32.exePnfghh32.exeIhkeeknm.exePolmko32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Jaaihd32.exe	Ilpgdnoj.exe
File created	C:\Windows\SysWOW64\Hmofkjjk.dll	Ilpgdnoj.exe
File created	C:\Windows\SysWOW64\Maanbeim.exe	Mehqheel.exe
File opened for modification	C:\Windows\SysWOW64\Pgdlfc32.exe	72958732_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\Admfpgaa.exe	Qijbij32.exe
File opened for modification	C:\Windows\SysWOW64\Admfpgaa.exe	Qijbij32.exe
File created	C:\Windows\SysWOW64\Fcdakgkk.exe	Admfpgaa.exe
File opened for modification	C:\Windows\SysWOW64\Ooekkm32.exe	Nhbmpo32.exe
File created	C:\Windows\SysWOW64\Jedgkh32.dll	Nhbmpo32.exe
File created	C:\Windows\SysWOW64\Mgjabf32.dll	Ooekkm32.exe
File created	C:\Windows\SysWOW64\Pdpiee32.dll	Admfpgaa.exe
File opened for modification	C:\Windows\SysWOW64\Ihkeeknm.exe	Imcdbb32.exe
File created	C:\Windows\SysWOW64\Djljkh32.dll	Maanbeim.exe
File created	C:\Windows\SysWOW64\Ooekkm32.exe	Nhbmpo32.exe
File created	C:\Windows\SysWOW64\Aidkgigf.dll	Fcdakgkk.exe
File created	C:\Windows\SysWOW64\Imcdbb32.exe	Gbcabb32.exe
File created	C:\Windows\SysWOW64\Mehqheel.exe	Jaaihd32.exe
File created	C:\Windows\SysWOW64\Pgdlfc32.exe	72958732_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\Qijbij32.exe	Pgdlfc32.exe
File created	C:\Windows\SysWOW64\Becggm32.dll	Qijbij32.exe
File created	C:\Windows\SysWOW64\Gbcabb32.exe	Fcdakgkk.exe
File created	C:\Windows\SysWOW64\Nhbmpo32.exe	Maanbeim.exe
File created	C:\Windows\SysWOW64\Polmko32.exe	Pnfghh32.exe
File opened for modification	C:\Windows\SysWOW64\Polmko32.exe	Pnfghh32.exe
File created	C:\Windows\SysWOW64\Kaeidh32.dll	Pnfghh32.exe
File created	C:\Windows\SysWOW64\Nmfgjl32.dll	72958732_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\Imcdbb32.exe	Gbcabb32.exe
File created	C:\Windows\SysWOW64\Ncloeedk.dll	Gbcabb32.exe
File created	C:\Windows\SysWOW64\Ihkeeknm.exe	Imcdbb32.exe
File opened for modification	C:\Windows\SysWOW64\Maanbeim.exe	Mehqheel.exe
File created	C:\Windows\SysWOW64\Pnfghh32.exe	Ooekkm32.exe
File created	C:\Windows\SysWOW64\Mdccimej.dll	Imcdbb32.exe
File created	C:\Windows\SysWOW64\Eooiikdm.dll	Ihkeeknm.exe
File opened for modification	C:\Windows\SysWOW64\Mehqheel.exe	Jaaihd32.exe
File created	C:\Windows\SysWOW64\Cdnfnbic.dll	Jaaihd32.exe
File created	C:\Windows\SysWOW64\Hffhfb32.exe	Polmko32.exe
File opened for modification	C:\Windows\SysWOW64\Hffhfb32.exe	Polmko32.exe
File created	C:\Windows\SysWOW64\Ilpgdnoj.exe	Ihkeeknm.exe
File created	C:\Windows\SysWOW64\Lllqbg32.dll	Mehqheel.exe
File opened for modification	C:\Windows\SysWOW64\Nhbmpo32.exe	Maanbeim.exe
File opened for modification	C:\Windows\SysWOW64\Pnfghh32.exe	Ooekkm32.exe
File opened for modification	C:\Windows\SysWOW64\Gbcabb32.exe	Fcdakgkk.exe
File created	C:\Windows\SysWOW64\Jaaihd32.exe	Ilpgdnoj.exe
File created	C:\Windows\SysWOW64\Beqldoic.dll	Polmko32.exe
File created	C:\Windows\SysWOW64\Qijbij32.exe	Pgdlfc32.exe
File created	C:\Windows\SysWOW64\Lnbeip32.dll	Pgdlfc32.exe
File opened for modification	C:\Windows\SysWOW64\Fcdakgkk.exe	Admfpgaa.exe
File opened for modification	C:\Windows\SysWOW64\Ilpgdnoj.exe	Ihkeeknm.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1360 1608 WerFault.exe Hffhfb32.exe

pid	pid_target	process	target process
1360	1608	WerFault.exe	Hffhfb32.exe

Modifies registry class 51 IoCs

Processes:

Ilpgdnoj.exePnfghh32.exe72958732_by_Libranalysis.exePgdlfc32.exeQijbij32.exeGbcabb32.exeImcdbb32.exeIhkeeknm.exeMehqheel.exeOoekkm32.exeNhbmpo32.exePolmko32.exeAdmfpgaa.exeJaaihd32.exeMaanbeim.exeFcdakgkk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilpgdnoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilpgdnoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaeidh32.dll"	Pnfghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	72958732_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgdlfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Becggm32.dll"	Qijbij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloeedk.dll"	Gbcabb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imcdbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdccimej.dll"	Imcdbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihkeeknm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbcabb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mehqheel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ooekkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbcabb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imcdbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmofkjjk.dll"	Ilpgdnoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lllqbg32.dll"	Mehqheel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jedgkh32.dll"	Nhbmpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eooiikdm.dll"	Ihkeeknm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ooekkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjabf32.dll"	Ooekkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Polmko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Polmko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	72958732_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	72958732_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfgjl32.dll"	72958732_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qijbij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpiee32.dll"	Admfpgaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Admfpgaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaaihd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaaihd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mehqheel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maanbeim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maanbeim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhbmpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhbmpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beqldoic.dll"	Polmko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	72958732_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgdlfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbeip32.dll"	Pgdlfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	72958732_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qijbij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Admfpgaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcdakgkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aidkgigf.dll"	Fcdakgkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcdakgkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihkeeknm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdnfnbic.dll"	Jaaihd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djljkh32.dll"	Maanbeim.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

WerFault.exe

pid process

1360 WerFault.exe
1360 WerFault.exe
1360 WerFault.exe
1360 WerFault.exe
1360 WerFault.exe
1360 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1360 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1360 WerFault.exe

pid	process
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe
1360	WerFault.exe

pid	process
1360	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1360	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 540 wrote to memory of 2008	540	72958732_by_Libranalysis.exe	Pgdlfc32.exe
PID 540 wrote to memory of 2008	540	72958732_by_Libranalysis.exe	Pgdlfc32.exe
PID 540 wrote to memory of 2008	540	72958732_by_Libranalysis.exe	Pgdlfc32.exe
PID 540 wrote to memory of 2008	540	72958732_by_Libranalysis.exe	Pgdlfc32.exe
PID 2008 wrote to memory of 1484	2008	Pgdlfc32.exe	Qijbij32.exe
PID 2008 wrote to memory of 1484	2008	Pgdlfc32.exe	Qijbij32.exe
PID 2008 wrote to memory of 1484	2008	Pgdlfc32.exe	Qijbij32.exe
PID 2008 wrote to memory of 1484	2008	Pgdlfc32.exe	Qijbij32.exe
PID 1484 wrote to memory of 1964	1484	Qijbij32.exe	Admfpgaa.exe
PID 1484 wrote to memory of 1964	1484	Qijbij32.exe	Admfpgaa.exe
PID 1484 wrote to memory of 1964	1484	Qijbij32.exe	Admfpgaa.exe
PID 1484 wrote to memory of 1964	1484	Qijbij32.exe	Admfpgaa.exe
PID 1964 wrote to memory of 1844	1964	Admfpgaa.exe	Fcdakgkk.exe
PID 1964 wrote to memory of 1844	1964	Admfpgaa.exe	Fcdakgkk.exe
PID 1964 wrote to memory of 1844	1964	Admfpgaa.exe	Fcdakgkk.exe
PID 1964 wrote to memory of 1844	1964	Admfpgaa.exe	Fcdakgkk.exe
PID 1844 wrote to memory of 1740	1844	Fcdakgkk.exe	Gbcabb32.exe
PID 1844 wrote to memory of 1740	1844	Fcdakgkk.exe	Gbcabb32.exe
PID 1844 wrote to memory of 1740	1844	Fcdakgkk.exe	Gbcabb32.exe
PID 1844 wrote to memory of 1740	1844	Fcdakgkk.exe	Gbcabb32.exe
PID 1740 wrote to memory of 1808	1740	Gbcabb32.exe	Imcdbb32.exe
PID 1740 wrote to memory of 1808	1740	Gbcabb32.exe	Imcdbb32.exe
PID 1740 wrote to memory of 1808	1740	Gbcabb32.exe	Imcdbb32.exe
PID 1740 wrote to memory of 1808	1740	Gbcabb32.exe	Imcdbb32.exe
PID 1808 wrote to memory of 1776	1808	Imcdbb32.exe	Ihkeeknm.exe
PID 1808 wrote to memory of 1776	1808	Imcdbb32.exe	Ihkeeknm.exe
PID 1808 wrote to memory of 1776	1808	Imcdbb32.exe	Ihkeeknm.exe
PID 1808 wrote to memory of 1776	1808	Imcdbb32.exe	Ihkeeknm.exe
PID 1776 wrote to memory of 824	1776	Ihkeeknm.exe	Ilpgdnoj.exe
PID 1776 wrote to memory of 824	1776	Ihkeeknm.exe	Ilpgdnoj.exe
PID 1776 wrote to memory of 824	1776	Ihkeeknm.exe	Ilpgdnoj.exe
PID 1776 wrote to memory of 824	1776	Ihkeeknm.exe	Ilpgdnoj.exe
PID 824 wrote to memory of 1352	824	Ilpgdnoj.exe	Jaaihd32.exe
PID 824 wrote to memory of 1352	824	Ilpgdnoj.exe	Jaaihd32.exe
PID 824 wrote to memory of 1352	824	Ilpgdnoj.exe	Jaaihd32.exe
PID 824 wrote to memory of 1352	824	Ilpgdnoj.exe	Jaaihd32.exe
PID 1352 wrote to memory of 968	1352	Jaaihd32.exe	Mehqheel.exe
PID 1352 wrote to memory of 968	1352	Jaaihd32.exe	Mehqheel.exe
PID 1352 wrote to memory of 968	1352	Jaaihd32.exe	Mehqheel.exe
PID 1352 wrote to memory of 968	1352	Jaaihd32.exe	Mehqheel.exe
PID 968 wrote to memory of 816	968	Mehqheel.exe	Maanbeim.exe
PID 968 wrote to memory of 816	968	Mehqheel.exe	Maanbeim.exe
PID 968 wrote to memory of 816	968	Mehqheel.exe	Maanbeim.exe
PID 968 wrote to memory of 816	968	Mehqheel.exe	Maanbeim.exe
PID 816 wrote to memory of 464	816	Maanbeim.exe	Nhbmpo32.exe
PID 816 wrote to memory of 464	816	Maanbeim.exe	Nhbmpo32.exe
PID 816 wrote to memory of 464	816	Maanbeim.exe	Nhbmpo32.exe
PID 816 wrote to memory of 464	816	Maanbeim.exe	Nhbmpo32.exe
PID 464 wrote to memory of 1940	464	Nhbmpo32.exe	Ooekkm32.exe
PID 464 wrote to memory of 1940	464	Nhbmpo32.exe	Ooekkm32.exe
PID 464 wrote to memory of 1940	464	Nhbmpo32.exe	Ooekkm32.exe
PID 464 wrote to memory of 1940	464	Nhbmpo32.exe	Ooekkm32.exe
PID 1940 wrote to memory of 736	1940	Ooekkm32.exe	Pnfghh32.exe
PID 1940 wrote to memory of 736	1940	Ooekkm32.exe	Pnfghh32.exe
PID 1940 wrote to memory of 736	1940	Ooekkm32.exe	Pnfghh32.exe
PID 1940 wrote to memory of 736	1940	Ooekkm32.exe	Pnfghh32.exe
PID 736 wrote to memory of 1232	736	Pnfghh32.exe	Polmko32.exe
PID 736 wrote to memory of 1232	736	Pnfghh32.exe	Polmko32.exe
PID 736 wrote to memory of 1232	736	Pnfghh32.exe	Polmko32.exe
PID 736 wrote to memory of 1232	736	Pnfghh32.exe	Polmko32.exe
PID 1232 wrote to memory of 1608	1232	Polmko32.exe	Hffhfb32.exe
PID 1232 wrote to memory of 1608	1232	Polmko32.exe	Hffhfb32.exe
PID 1232 wrote to memory of 1608	1232	Polmko32.exe	Hffhfb32.exe
PID 1232 wrote to memory of 1608	1232	Polmko32.exe	Hffhfb32.exe

C:\Users\Admin\AppData\Local\Temp\72958732_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\72958732_by_Libranalysis.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\Pgdlfc32.exe
C:\Windows\system32\Pgdlfc32.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\Qijbij32.exe
C:\Windows\system32\Qijbij32.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\Admfpgaa.exe
C:\Windows\system32\Admfpgaa.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\Fcdakgkk.exe
C:\Windows\system32\Fcdakgkk.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\Gbcabb32.exe
C:\Windows\system32\Gbcabb32.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\Imcdbb32.exe
C:\Windows\system32\Imcdbb32.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\Ihkeeknm.exe
C:\Windows\system32\Ihkeeknm.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\Ilpgdnoj.exe
C:\Windows\system32\Ilpgdnoj.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\Jaaihd32.exe
C:\Windows\system32\Jaaihd32.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\Mehqheel.exe
C:\Windows\system32\Mehqheel.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\Maanbeim.exe
C:\Windows\system32\Maanbeim.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\Nhbmpo32.exe
C:\Windows\system32\Nhbmpo32.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\SysWOW64\Ooekkm32.exe
C:\Windows\system32\Ooekkm32.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\Pnfghh32.exe
C:\Windows\system32\Pnfghh32.exe
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\Polmko32.exe
C:\Windows\system32\Polmko32.exe
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\Hffhfb32.exe
C:\Windows\system32\Hffhfb32.exe
17⤵
- Executes dropped EXE
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 140
18⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1360

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Admfpgaa.exe
MD5
520ea479b73414e5387eecffea779639

SHA1
624c672b37e659e73e3a76d3934ebfb9788128c6

SHA256
6cc04f5200008fcadc43bfb186035bfdc00805d24375330500458318f4ce2008

SHA512
2ad7a30d43a927b1c5b0c99ec9c47e765d14cedd90c2091751326c1e9de30393f13c01e6f247a7d1162a0c8ee1e6a52f7980b5fb2768a7b1b55d36f4f4d62aa4

Download Submit
C:\Windows\SysWOW64\Admfpgaa.exe
MD5
520ea479b73414e5387eecffea779639

SHA1
624c672b37e659e73e3a76d3934ebfb9788128c6

SHA256
6cc04f5200008fcadc43bfb186035bfdc00805d24375330500458318f4ce2008

SHA512
2ad7a30d43a927b1c5b0c99ec9c47e765d14cedd90c2091751326c1e9de30393f13c01e6f247a7d1162a0c8ee1e6a52f7980b5fb2768a7b1b55d36f4f4d62aa4

Download Submit
C:\Windows\SysWOW64\Fcdakgkk.exe
MD5
fa3e059556153332c5ac6a3505bf557f

SHA1
84dd36b307fc319c2e7614d08c5b14c189639a09

SHA256
18d4e827f79476bb4c81221e1801c99f2d545e8a7d6c653e4e10a24877d1026f

SHA512
f403f9f379bff99a1b6193c44cd223ee9133c1d418f24f05bec47796fd594c9c05b303b5161995a9c7e9132bb6c6af92ce8851e5e68f64eaa8bfc7fa655a6677

Download Submit
C:\Windows\SysWOW64\Fcdakgkk.exe
MD5
fa3e059556153332c5ac6a3505bf557f

SHA1
84dd36b307fc319c2e7614d08c5b14c189639a09

SHA256
18d4e827f79476bb4c81221e1801c99f2d545e8a7d6c653e4e10a24877d1026f

SHA512
f403f9f379bff99a1b6193c44cd223ee9133c1d418f24f05bec47796fd594c9c05b303b5161995a9c7e9132bb6c6af92ce8851e5e68f64eaa8bfc7fa655a6677

Download Submit
C:\Windows\SysWOW64\Gbcabb32.exe
MD5
ca4ca78fa928fdcd5780fd911849bc26

SHA1
9eeebf2c8ae9bd2182756be18bdd9db09992cdf3

SHA256
cbbda36cffd45e685873cc99fe60506adc213896b745ed9258bdc88dc3e9272f

SHA512
315c3deafa172ee70d0b25a6e2805038d52fb1281b46eb722327bae14088d749e660af670321328cf069cd6a1d4f07ecc9cfb099cff5fd018957e3f46020af9c

Download Submit
C:\Windows\SysWOW64\Gbcabb32.exe
MD5
ca4ca78fa928fdcd5780fd911849bc26

SHA1
9eeebf2c8ae9bd2182756be18bdd9db09992cdf3

SHA256
cbbda36cffd45e685873cc99fe60506adc213896b745ed9258bdc88dc3e9272f

SHA512
315c3deafa172ee70d0b25a6e2805038d52fb1281b46eb722327bae14088d749e660af670321328cf069cd6a1d4f07ecc9cfb099cff5fd018957e3f46020af9c

Download Submit
C:\Windows\SysWOW64\Hffhfb32.exe
MD5
6430f82d6150e3113a12bd903e277deb

SHA1
369ba1989e4f6e7b2d2ceeb4ff67433de3e464bc

SHA256
dcfb3d7b3f6924cac6344e6574a7248c0cf55564e1c8fc8462594eea24d389b4

SHA512
0c90ab09fcb85090236285ce99c7879b9eae3a26d038bc80bfc92b39afd64e2cd956f32c5688f1b6ba136102066fc45d0655f6c56b61f187580182247b2026d0

Download Submit
C:\Windows\SysWOW64\Hffhfb32.exe
MD5
6430f82d6150e3113a12bd903e277deb

SHA1
369ba1989e4f6e7b2d2ceeb4ff67433de3e464bc

SHA256
dcfb3d7b3f6924cac6344e6574a7248c0cf55564e1c8fc8462594eea24d389b4

SHA512
0c90ab09fcb85090236285ce99c7879b9eae3a26d038bc80bfc92b39afd64e2cd956f32c5688f1b6ba136102066fc45d0655f6c56b61f187580182247b2026d0

Download Submit
C:\Windows\SysWOW64\Ihkeeknm.exe
MD5
263bde6ba8551d6e6991de8950dc3e84

SHA1
6f6725d8c4a084b2593b4c68e902c9152b9e8c3e

SHA256
ccdc3690fef74ed730ab6971ea40d28ef2e82a22a0c6100559a761b9101adfca

SHA512
f41012e3f0b80e045bc85adca605677bfcf18bf36713f7f2827c5736b33691b297e642b40263e5aedae0ecaeb5400fa7ef3571f022202c2a13b8af6f9f8cbbdb

Download Submit
C:\Windows\SysWOW64\Ihkeeknm.exe
MD5
263bde6ba8551d6e6991de8950dc3e84

SHA1
6f6725d8c4a084b2593b4c68e902c9152b9e8c3e

SHA256
ccdc3690fef74ed730ab6971ea40d28ef2e82a22a0c6100559a761b9101adfca

SHA512
f41012e3f0b80e045bc85adca605677bfcf18bf36713f7f2827c5736b33691b297e642b40263e5aedae0ecaeb5400fa7ef3571f022202c2a13b8af6f9f8cbbdb

Download Submit
C:\Windows\SysWOW64\Ilpgdnoj.exe
MD5
f0f938862746f5d4d49274efff989663

SHA1
b7f3b5d374b1dd53231da9e3a0b1886b000dd23a

SHA256
a7cdcc1f255cb785e4778dc1f66e3bdba9e56b19026968a1b0ab3642fa37d51b

SHA512
051383dbea23423bf6016c2fc1688052e8c5e82b150942b8763d0cf4b88cbf24a23ec6a7c077f11948d2abb197c263feac4e2d98160dc6c5427ceeb9934b5f4a

Download Submit
C:\Windows\SysWOW64\Ilpgdnoj.exe
MD5
f0f938862746f5d4d49274efff989663

SHA1
b7f3b5d374b1dd53231da9e3a0b1886b000dd23a

SHA256
a7cdcc1f255cb785e4778dc1f66e3bdba9e56b19026968a1b0ab3642fa37d51b

SHA512
051383dbea23423bf6016c2fc1688052e8c5e82b150942b8763d0cf4b88cbf24a23ec6a7c077f11948d2abb197c263feac4e2d98160dc6c5427ceeb9934b5f4a

Download Submit
C:\Windows\SysWOW64\Imcdbb32.exe
MD5
f97e3bce06c98198d756308a6187ed35

SHA1
99d0d1d00d8a5ae810c083a88289871069111acd

SHA256
ca3b5c7431d2e653689b4dfa125ffaf1b7dc42b9d4e4d56c63195f725db17977

SHA512
f4a0f840d690f34c29c1e4844787f5532214b5d8ca3a230f88fc0c35029ce8cffe7b3ca9c5bcecc5d5a22990e8f791a17fcc1e3e984f336a8a15bb30a290da33

Download Submit
C:\Windows\SysWOW64\Imcdbb32.exe
MD5
f97e3bce06c98198d756308a6187ed35

SHA1
99d0d1d00d8a5ae810c083a88289871069111acd

SHA256
ca3b5c7431d2e653689b4dfa125ffaf1b7dc42b9d4e4d56c63195f725db17977

SHA512
f4a0f840d690f34c29c1e4844787f5532214b5d8ca3a230f88fc0c35029ce8cffe7b3ca9c5bcecc5d5a22990e8f791a17fcc1e3e984f336a8a15bb30a290da33

Download Submit
C:\Windows\SysWOW64\Jaaihd32.exe
MD5
1cb4e300ddb50863faebf5dce1fed0fd

SHA1
d270e7a2b166a7ffd767d3e895ebeec994fd1f21

SHA256
3c6eeb7f64d918db3d538a3bc2466494c7fb960cbaf596fa1c58e843cd204c9b

SHA512
62178ac6e4fda670f3c470431c834097658a070a1d692ce9a6ccf5af6e973a17712f2d8847d74e7f24314daafb090153a92344a8245bcfda174d70d777dee228

Download Submit
C:\Windows\SysWOW64\Jaaihd32.exe
MD5
1cb4e300ddb50863faebf5dce1fed0fd

SHA1
d270e7a2b166a7ffd767d3e895ebeec994fd1f21

SHA256
3c6eeb7f64d918db3d538a3bc2466494c7fb960cbaf596fa1c58e843cd204c9b

SHA512
62178ac6e4fda670f3c470431c834097658a070a1d692ce9a6ccf5af6e973a17712f2d8847d74e7f24314daafb090153a92344a8245bcfda174d70d777dee228

Download Submit
C:\Windows\SysWOW64\Maanbeim.exe
MD5
f1f7fd9f6ec41aff661a7b27c0018ff7

SHA1
e1f6f1c3d72ba2a240a5437b4956ffc8606a269e

SHA256
d998c9a449c0df861025c1244917829be89b6a63b395dd4e43a1857872493a7c

SHA512
b0bc7632eb928007624315b926c0d5a2d8e0fba68c79fb168ded4237f7131bb2112ae755f4ce745b3eec531f4222c8083083e3d6c56c078ea958ee8cf00db6a1

Download Submit
C:\Windows\SysWOW64\Maanbeim.exe
MD5
f1f7fd9f6ec41aff661a7b27c0018ff7

SHA1
e1f6f1c3d72ba2a240a5437b4956ffc8606a269e

SHA256
d998c9a449c0df861025c1244917829be89b6a63b395dd4e43a1857872493a7c

SHA512
b0bc7632eb928007624315b926c0d5a2d8e0fba68c79fb168ded4237f7131bb2112ae755f4ce745b3eec531f4222c8083083e3d6c56c078ea958ee8cf00db6a1

Download Submit
C:\Windows\SysWOW64\Mehqheel.exe
MD5
f4f7d6ae48156b752556b862db139927

SHA1
bef755e2d3ec5e7798b689bbd63cec6e898db484

SHA256
9d23cf21ea4b82e53b44513bbfc5844164b64ad182fe31f4def25f27affa15dd

SHA512
3d9077ecee3b7dd88771216035d7db3f82598b52a6f5de97fe0eab2de24b2c0109f80866419b59a1fddc3efec993ed70e67a0a4e8a9042091349440aa2ce8e89

Download Submit
C:\Windows\SysWOW64\Mehqheel.exe
MD5
f4f7d6ae48156b752556b862db139927

SHA1
bef755e2d3ec5e7798b689bbd63cec6e898db484

SHA256
9d23cf21ea4b82e53b44513bbfc5844164b64ad182fe31f4def25f27affa15dd

SHA512
3d9077ecee3b7dd88771216035d7db3f82598b52a6f5de97fe0eab2de24b2c0109f80866419b59a1fddc3efec993ed70e67a0a4e8a9042091349440aa2ce8e89

Download Submit
C:\Windows\SysWOW64\Nhbmpo32.exe
MD5
39709e7c982dc56e3dfe08c0b908f14e

SHA1
392fae1d1aa35963c29f71c4d62cfa1314f780a6

SHA256
59eab36a603f70d55cbdeea8ba06055d59730d10d06b4ee9902a3c43bc1cb911

SHA512
3128ad560235e807d131bd47d17c37547fad41739414e965e389a35f43fc4e8d05fb36d3ccf11aa66b78e488c5f11aeaee3855075bb64ae0f769c0bed207f43d

Download Submit
C:\Windows\SysWOW64\Nhbmpo32.exe
MD5
39709e7c982dc56e3dfe08c0b908f14e

SHA1
392fae1d1aa35963c29f71c4d62cfa1314f780a6

SHA256
59eab36a603f70d55cbdeea8ba06055d59730d10d06b4ee9902a3c43bc1cb911

SHA512
3128ad560235e807d131bd47d17c37547fad41739414e965e389a35f43fc4e8d05fb36d3ccf11aa66b78e488c5f11aeaee3855075bb64ae0f769c0bed207f43d

Download Submit
C:\Windows\SysWOW64\Ooekkm32.exe
MD5
8d01cb32fe6d44e8fe1f4a62467f4f68

SHA1
a24fecace60a0db5488bf8cf0bc97348c92bb3e9

SHA256
22a7722c1de7a72cf378f1d391ba9011382a75358a99e32538ba48b8ca71df10

SHA512
ad6e3ade45db6d9a8a0f2b26a5836e6be5f80ebd6944a72821c9abe1978f3175e10b5257118caf043a5cae0ea61bb6479729d3657acb5ea40db903d058cc2106

Download Submit
C:\Windows\SysWOW64\Ooekkm32.exe
MD5
8d01cb32fe6d44e8fe1f4a62467f4f68

SHA1
a24fecace60a0db5488bf8cf0bc97348c92bb3e9

SHA256
22a7722c1de7a72cf378f1d391ba9011382a75358a99e32538ba48b8ca71df10

SHA512
ad6e3ade45db6d9a8a0f2b26a5836e6be5f80ebd6944a72821c9abe1978f3175e10b5257118caf043a5cae0ea61bb6479729d3657acb5ea40db903d058cc2106

Download Submit
C:\Windows\SysWOW64\Pgdlfc32.exe
MD5
31a28d0482f10d1f066e710680348dc6

SHA1
fdc739dad33acf917dc230fefef7a5a77cf433cb

SHA256
a8e196cbc1124540ab667a6d27c30b218015a261dc320411d7d274e0d0a4a0ba

SHA512
06a2b93af6947aa66e5529b9c4f4ec505a32039c13b04a537e0d31ee7df5c1eb14737896ce086d2f9cea2d26603d5abb162ff1e058e735f5e51ff0248abea75c

Download Submit
C:\Windows\SysWOW64\Pgdlfc32.exe
MD5
31a28d0482f10d1f066e710680348dc6

SHA1
fdc739dad33acf917dc230fefef7a5a77cf433cb

SHA256
a8e196cbc1124540ab667a6d27c30b218015a261dc320411d7d274e0d0a4a0ba

SHA512
06a2b93af6947aa66e5529b9c4f4ec505a32039c13b04a537e0d31ee7df5c1eb14737896ce086d2f9cea2d26603d5abb162ff1e058e735f5e51ff0248abea75c

Download Submit
C:\Windows\SysWOW64\Pnfghh32.exe
MD5
9c6ee666e104bb66f92565e1c1584041

SHA1
2648541ccd1d72bd6e89381a33ab926599a4ae8f

SHA256
d0fad5f0619300ba5f0a6aa139a600c5452e1ea575f423bb2e8186a3e192adc1

SHA512
65da7f47c187ef144c460466af562353e57bd9abf6188f332fbf055768f09b3a86da9fd1c20450d5ecf55f220ff9b52873cc5469306479dd7a042ceab14967a6

Download Submit
C:\Windows\SysWOW64\Pnfghh32.exe
MD5
9c6ee666e104bb66f92565e1c1584041

SHA1
2648541ccd1d72bd6e89381a33ab926599a4ae8f

SHA256
d0fad5f0619300ba5f0a6aa139a600c5452e1ea575f423bb2e8186a3e192adc1

SHA512
65da7f47c187ef144c460466af562353e57bd9abf6188f332fbf055768f09b3a86da9fd1c20450d5ecf55f220ff9b52873cc5469306479dd7a042ceab14967a6

Download Submit
C:\Windows\SysWOW64\Polmko32.exe
MD5
b38116a3eafea32aff3ff5faef6bf252

SHA1
628b2bb8e52c5c3bf0ce6631a06b8e564d9a9173

SHA256
8e7987ba983af9170f3f033d2c191fb90b645d30f903e20729b52e7cb8b3e106

SHA512
9a395dffe6f8bfcf39c2f0ee9e8d37dd436498d12e4d2d45985617d8afec532b927b9792d1e38ee3f560f314d1f45db2b514d9a94afaaec97412285a337620c0

Download Submit
C:\Windows\SysWOW64\Polmko32.exe
MD5
b38116a3eafea32aff3ff5faef6bf252

SHA1
628b2bb8e52c5c3bf0ce6631a06b8e564d9a9173

SHA256
8e7987ba983af9170f3f033d2c191fb90b645d30f903e20729b52e7cb8b3e106

SHA512
9a395dffe6f8bfcf39c2f0ee9e8d37dd436498d12e4d2d45985617d8afec532b927b9792d1e38ee3f560f314d1f45db2b514d9a94afaaec97412285a337620c0

Download Submit
C:\Windows\SysWOW64\Qijbij32.exe
MD5
a5b758a3be0bbf346874fdc8642f6461

SHA1
4d1cb6e2f8e8326ed85306f51c900010d9126179

SHA256
4a2e259fe91cee62e0c86a1b5bfae4cbd7fe64875df480e7ac8a308b6a68a3c6

SHA512
3e16734d0060e7db27f480bdaf159c57b08c1991d3d7168ce96df4993480537f254a9123ccbca4434d9555846e58d238aea613950564c0cac09534a6ca40f1ef

Download Submit
C:\Windows\SysWOW64\Qijbij32.exe
MD5
a5b758a3be0bbf346874fdc8642f6461

SHA1
4d1cb6e2f8e8326ed85306f51c900010d9126179

SHA256
4a2e259fe91cee62e0c86a1b5bfae4cbd7fe64875df480e7ac8a308b6a68a3c6

SHA512
3e16734d0060e7db27f480bdaf159c57b08c1991d3d7168ce96df4993480537f254a9123ccbca4434d9555846e58d238aea613950564c0cac09534a6ca40f1ef

Download Submit
\Windows\SysWOW64\Admfpgaa.exe
MD5
520ea479b73414e5387eecffea779639

SHA1
624c672b37e659e73e3a76d3934ebfb9788128c6

SHA256
6cc04f5200008fcadc43bfb186035bfdc00805d24375330500458318f4ce2008

SHA512
2ad7a30d43a927b1c5b0c99ec9c47e765d14cedd90c2091751326c1e9de30393f13c01e6f247a7d1162a0c8ee1e6a52f7980b5fb2768a7b1b55d36f4f4d62aa4

Download Submit
\Windows\SysWOW64\Admfpgaa.exe
MD5
520ea479b73414e5387eecffea779639

SHA1
624c672b37e659e73e3a76d3934ebfb9788128c6

SHA256
6cc04f5200008fcadc43bfb186035bfdc00805d24375330500458318f4ce2008

SHA512
2ad7a30d43a927b1c5b0c99ec9c47e765d14cedd90c2091751326c1e9de30393f13c01e6f247a7d1162a0c8ee1e6a52f7980b5fb2768a7b1b55d36f4f4d62aa4

Download Submit
\Windows\SysWOW64\Fcdakgkk.exe
MD5
fa3e059556153332c5ac6a3505bf557f

SHA1
84dd36b307fc319c2e7614d08c5b14c189639a09

SHA256
18d4e827f79476bb4c81221e1801c99f2d545e8a7d6c653e4e10a24877d1026f

SHA512
f403f9f379bff99a1b6193c44cd223ee9133c1d418f24f05bec47796fd594c9c05b303b5161995a9c7e9132bb6c6af92ce8851e5e68f64eaa8bfc7fa655a6677

Download Submit
\Windows\SysWOW64\Fcdakgkk.exe
MD5
fa3e059556153332c5ac6a3505bf557f

SHA1
84dd36b307fc319c2e7614d08c5b14c189639a09

SHA256
18d4e827f79476bb4c81221e1801c99f2d545e8a7d6c653e4e10a24877d1026f

SHA512
f403f9f379bff99a1b6193c44cd223ee9133c1d418f24f05bec47796fd594c9c05b303b5161995a9c7e9132bb6c6af92ce8851e5e68f64eaa8bfc7fa655a6677

Download Submit
\Windows\SysWOW64\Gbcabb32.exe
MD5
ca4ca78fa928fdcd5780fd911849bc26

SHA1
9eeebf2c8ae9bd2182756be18bdd9db09992cdf3

SHA256
cbbda36cffd45e685873cc99fe60506adc213896b745ed9258bdc88dc3e9272f

SHA512
315c3deafa172ee70d0b25a6e2805038d52fb1281b46eb722327bae14088d749e660af670321328cf069cd6a1d4f07ecc9cfb099cff5fd018957e3f46020af9c

Download Submit
\Windows\SysWOW64\Gbcabb32.exe
MD5
ca4ca78fa928fdcd5780fd911849bc26

SHA1
9eeebf2c8ae9bd2182756be18bdd9db09992cdf3

SHA256
cbbda36cffd45e685873cc99fe60506adc213896b745ed9258bdc88dc3e9272f

SHA512
315c3deafa172ee70d0b25a6e2805038d52fb1281b46eb722327bae14088d749e660af670321328cf069cd6a1d4f07ecc9cfb099cff5fd018957e3f46020af9c

Download Submit
\Windows\SysWOW64\Hffhfb32.exe
MD5
6430f82d6150e3113a12bd903e277deb

SHA1
369ba1989e4f6e7b2d2ceeb4ff67433de3e464bc

SHA256
dcfb3d7b3f6924cac6344e6574a7248c0cf55564e1c8fc8462594eea24d389b4

SHA512
0c90ab09fcb85090236285ce99c7879b9eae3a26d038bc80bfc92b39afd64e2cd956f32c5688f1b6ba136102066fc45d0655f6c56b61f187580182247b2026d0

Download Submit
\Windows\SysWOW64\Hffhfb32.exe
MD5
6430f82d6150e3113a12bd903e277deb

SHA1
369ba1989e4f6e7b2d2ceeb4ff67433de3e464bc

SHA256
dcfb3d7b3f6924cac6344e6574a7248c0cf55564e1c8fc8462594eea24d389b4

SHA512
0c90ab09fcb85090236285ce99c7879b9eae3a26d038bc80bfc92b39afd64e2cd956f32c5688f1b6ba136102066fc45d0655f6c56b61f187580182247b2026d0

Download Submit
\Windows\SysWOW64\Ihkeeknm.exe
MD5
263bde6ba8551d6e6991de8950dc3e84

SHA1
6f6725d8c4a084b2593b4c68e902c9152b9e8c3e

SHA256
ccdc3690fef74ed730ab6971ea40d28ef2e82a22a0c6100559a761b9101adfca

SHA512
f41012e3f0b80e045bc85adca605677bfcf18bf36713f7f2827c5736b33691b297e642b40263e5aedae0ecaeb5400fa7ef3571f022202c2a13b8af6f9f8cbbdb

Download Submit
\Windows\SysWOW64\Ihkeeknm.exe
MD5
263bde6ba8551d6e6991de8950dc3e84

SHA1
6f6725d8c4a084b2593b4c68e902c9152b9e8c3e

SHA256
ccdc3690fef74ed730ab6971ea40d28ef2e82a22a0c6100559a761b9101adfca

SHA512
f41012e3f0b80e045bc85adca605677bfcf18bf36713f7f2827c5736b33691b297e642b40263e5aedae0ecaeb5400fa7ef3571f022202c2a13b8af6f9f8cbbdb

Download Submit
\Windows\SysWOW64\Ilpgdnoj.exe
MD5
f0f938862746f5d4d49274efff989663

SHA1
b7f3b5d374b1dd53231da9e3a0b1886b000dd23a

SHA256
a7cdcc1f255cb785e4778dc1f66e3bdba9e56b19026968a1b0ab3642fa37d51b

SHA512
051383dbea23423bf6016c2fc1688052e8c5e82b150942b8763d0cf4b88cbf24a23ec6a7c077f11948d2abb197c263feac4e2d98160dc6c5427ceeb9934b5f4a

Download Submit
\Windows\SysWOW64\Ilpgdnoj.exe
MD5
f0f938862746f5d4d49274efff989663

SHA1
b7f3b5d374b1dd53231da9e3a0b1886b000dd23a

SHA256
a7cdcc1f255cb785e4778dc1f66e3bdba9e56b19026968a1b0ab3642fa37d51b

SHA512
051383dbea23423bf6016c2fc1688052e8c5e82b150942b8763d0cf4b88cbf24a23ec6a7c077f11948d2abb197c263feac4e2d98160dc6c5427ceeb9934b5f4a

Download Submit
\Windows\SysWOW64\Imcdbb32.exe
MD5
f97e3bce06c98198d756308a6187ed35

SHA1
99d0d1d00d8a5ae810c083a88289871069111acd

SHA256
ca3b5c7431d2e653689b4dfa125ffaf1b7dc42b9d4e4d56c63195f725db17977

SHA512
f4a0f840d690f34c29c1e4844787f5532214b5d8ca3a230f88fc0c35029ce8cffe7b3ca9c5bcecc5d5a22990e8f791a17fcc1e3e984f336a8a15bb30a290da33

Download Submit
\Windows\SysWOW64\Imcdbb32.exe
MD5
f97e3bce06c98198d756308a6187ed35

SHA1
99d0d1d00d8a5ae810c083a88289871069111acd

SHA256
ca3b5c7431d2e653689b4dfa125ffaf1b7dc42b9d4e4d56c63195f725db17977

SHA512
f4a0f840d690f34c29c1e4844787f5532214b5d8ca3a230f88fc0c35029ce8cffe7b3ca9c5bcecc5d5a22990e8f791a17fcc1e3e984f336a8a15bb30a290da33

Download Submit
\Windows\SysWOW64\Jaaihd32.exe
MD5
1cb4e300ddb50863faebf5dce1fed0fd

SHA1
d270e7a2b166a7ffd767d3e895ebeec994fd1f21

SHA256
3c6eeb7f64d918db3d538a3bc2466494c7fb960cbaf596fa1c58e843cd204c9b

SHA512
62178ac6e4fda670f3c470431c834097658a070a1d692ce9a6ccf5af6e973a17712f2d8847d74e7f24314daafb090153a92344a8245bcfda174d70d777dee228

Download Submit
\Windows\SysWOW64\Jaaihd32.exe
MD5
1cb4e300ddb50863faebf5dce1fed0fd

SHA1
d270e7a2b166a7ffd767d3e895ebeec994fd1f21

SHA256
3c6eeb7f64d918db3d538a3bc2466494c7fb960cbaf596fa1c58e843cd204c9b

SHA512
62178ac6e4fda670f3c470431c834097658a070a1d692ce9a6ccf5af6e973a17712f2d8847d74e7f24314daafb090153a92344a8245bcfda174d70d777dee228

Download Submit
\Windows\SysWOW64\Maanbeim.exe
MD5
f1f7fd9f6ec41aff661a7b27c0018ff7

SHA1
e1f6f1c3d72ba2a240a5437b4956ffc8606a269e

SHA256
d998c9a449c0df861025c1244917829be89b6a63b395dd4e43a1857872493a7c

SHA512
b0bc7632eb928007624315b926c0d5a2d8e0fba68c79fb168ded4237f7131bb2112ae755f4ce745b3eec531f4222c8083083e3d6c56c078ea958ee8cf00db6a1

Download Submit
\Windows\SysWOW64\Maanbeim.exe
MD5
f1f7fd9f6ec41aff661a7b27c0018ff7

SHA1
e1f6f1c3d72ba2a240a5437b4956ffc8606a269e

SHA256
d998c9a449c0df861025c1244917829be89b6a63b395dd4e43a1857872493a7c

SHA512
b0bc7632eb928007624315b926c0d5a2d8e0fba68c79fb168ded4237f7131bb2112ae755f4ce745b3eec531f4222c8083083e3d6c56c078ea958ee8cf00db6a1

Download Submit
\Windows\SysWOW64\Mehqheel.exe
MD5
f4f7d6ae48156b752556b862db139927

SHA1
bef755e2d3ec5e7798b689bbd63cec6e898db484

SHA256
9d23cf21ea4b82e53b44513bbfc5844164b64ad182fe31f4def25f27affa15dd

SHA512
3d9077ecee3b7dd88771216035d7db3f82598b52a6f5de97fe0eab2de24b2c0109f80866419b59a1fddc3efec993ed70e67a0a4e8a9042091349440aa2ce8e89

Download Submit
\Windows\SysWOW64\Mehqheel.exe
MD5
f4f7d6ae48156b752556b862db139927

SHA1
bef755e2d3ec5e7798b689bbd63cec6e898db484

SHA256
9d23cf21ea4b82e53b44513bbfc5844164b64ad182fe31f4def25f27affa15dd

SHA512
3d9077ecee3b7dd88771216035d7db3f82598b52a6f5de97fe0eab2de24b2c0109f80866419b59a1fddc3efec993ed70e67a0a4e8a9042091349440aa2ce8e89

Download Submit
\Windows\SysWOW64\Nhbmpo32.exe
MD5
39709e7c982dc56e3dfe08c0b908f14e

SHA1
392fae1d1aa35963c29f71c4d62cfa1314f780a6

SHA256
59eab36a603f70d55cbdeea8ba06055d59730d10d06b4ee9902a3c43bc1cb911

SHA512
3128ad560235e807d131bd47d17c37547fad41739414e965e389a35f43fc4e8d05fb36d3ccf11aa66b78e488c5f11aeaee3855075bb64ae0f769c0bed207f43d

Download Submit
\Windows\SysWOW64\Nhbmpo32.exe
MD5
39709e7c982dc56e3dfe08c0b908f14e

SHA1
392fae1d1aa35963c29f71c4d62cfa1314f780a6

SHA256
59eab36a603f70d55cbdeea8ba06055d59730d10d06b4ee9902a3c43bc1cb911

SHA512
3128ad560235e807d131bd47d17c37547fad41739414e965e389a35f43fc4e8d05fb36d3ccf11aa66b78e488c5f11aeaee3855075bb64ae0f769c0bed207f43d

Download Submit
\Windows\SysWOW64\Ooekkm32.exe
MD5
8d01cb32fe6d44e8fe1f4a62467f4f68

SHA1
a24fecace60a0db5488bf8cf0bc97348c92bb3e9

SHA256
22a7722c1de7a72cf378f1d391ba9011382a75358a99e32538ba48b8ca71df10

SHA512
ad6e3ade45db6d9a8a0f2b26a5836e6be5f80ebd6944a72821c9abe1978f3175e10b5257118caf043a5cae0ea61bb6479729d3657acb5ea40db903d058cc2106

Download Submit
\Windows\SysWOW64\Ooekkm32.exe
MD5
8d01cb32fe6d44e8fe1f4a62467f4f68

SHA1
a24fecace60a0db5488bf8cf0bc97348c92bb3e9

SHA256
22a7722c1de7a72cf378f1d391ba9011382a75358a99e32538ba48b8ca71df10

SHA512
ad6e3ade45db6d9a8a0f2b26a5836e6be5f80ebd6944a72821c9abe1978f3175e10b5257118caf043a5cae0ea61bb6479729d3657acb5ea40db903d058cc2106

Download Submit
\Windows\SysWOW64\Pgdlfc32.exe
MD5
31a28d0482f10d1f066e710680348dc6

SHA1
fdc739dad33acf917dc230fefef7a5a77cf433cb

SHA256
a8e196cbc1124540ab667a6d27c30b218015a261dc320411d7d274e0d0a4a0ba

SHA512
06a2b93af6947aa66e5529b9c4f4ec505a32039c13b04a537e0d31ee7df5c1eb14737896ce086d2f9cea2d26603d5abb162ff1e058e735f5e51ff0248abea75c

Download Submit
\Windows\SysWOW64\Pgdlfc32.exe
MD5
31a28d0482f10d1f066e710680348dc6

SHA1
fdc739dad33acf917dc230fefef7a5a77cf433cb

SHA256
a8e196cbc1124540ab667a6d27c30b218015a261dc320411d7d274e0d0a4a0ba

SHA512
06a2b93af6947aa66e5529b9c4f4ec505a32039c13b04a537e0d31ee7df5c1eb14737896ce086d2f9cea2d26603d5abb162ff1e058e735f5e51ff0248abea75c

Download Submit
\Windows\SysWOW64\Pnfghh32.exe
MD5
9c6ee666e104bb66f92565e1c1584041

SHA1
2648541ccd1d72bd6e89381a33ab926599a4ae8f

SHA256
d0fad5f0619300ba5f0a6aa139a600c5452e1ea575f423bb2e8186a3e192adc1

SHA512
65da7f47c187ef144c460466af562353e57bd9abf6188f332fbf055768f09b3a86da9fd1c20450d5ecf55f220ff9b52873cc5469306479dd7a042ceab14967a6

Download Submit
\Windows\SysWOW64\Pnfghh32.exe
MD5
9c6ee666e104bb66f92565e1c1584041

SHA1
2648541ccd1d72bd6e89381a33ab926599a4ae8f

SHA256
d0fad5f0619300ba5f0a6aa139a600c5452e1ea575f423bb2e8186a3e192adc1

SHA512
65da7f47c187ef144c460466af562353e57bd9abf6188f332fbf055768f09b3a86da9fd1c20450d5ecf55f220ff9b52873cc5469306479dd7a042ceab14967a6

Download Submit
\Windows\SysWOW64\Polmko32.exe
MD5
b38116a3eafea32aff3ff5faef6bf252

SHA1
628b2bb8e52c5c3bf0ce6631a06b8e564d9a9173

SHA256
8e7987ba983af9170f3f033d2c191fb90b645d30f903e20729b52e7cb8b3e106

SHA512
9a395dffe6f8bfcf39c2f0ee9e8d37dd436498d12e4d2d45985617d8afec532b927b9792d1e38ee3f560f314d1f45db2b514d9a94afaaec97412285a337620c0

Download Submit
\Windows\SysWOW64\Polmko32.exe
MD5
b38116a3eafea32aff3ff5faef6bf252

SHA1
628b2bb8e52c5c3bf0ce6631a06b8e564d9a9173

SHA256
8e7987ba983af9170f3f033d2c191fb90b645d30f903e20729b52e7cb8b3e106

SHA512
9a395dffe6f8bfcf39c2f0ee9e8d37dd436498d12e4d2d45985617d8afec532b927b9792d1e38ee3f560f314d1f45db2b514d9a94afaaec97412285a337620c0

Download Submit
\Windows\SysWOW64\Qijbij32.exe
MD5
a5b758a3be0bbf346874fdc8642f6461

SHA1
4d1cb6e2f8e8326ed85306f51c900010d9126179

SHA256
4a2e259fe91cee62e0c86a1b5bfae4cbd7fe64875df480e7ac8a308b6a68a3c6

SHA512
3e16734d0060e7db27f480bdaf159c57b08c1991d3d7168ce96df4993480537f254a9123ccbca4434d9555846e58d238aea613950564c0cac09534a6ca40f1ef

Download Submit
\Windows\SysWOW64\Qijbij32.exe
MD5
a5b758a3be0bbf346874fdc8642f6461

SHA1
4d1cb6e2f8e8326ed85306f51c900010d9126179

SHA256
4a2e259fe91cee62e0c86a1b5bfae4cbd7fe64875df480e7ac8a308b6a68a3c6

SHA512
3e16734d0060e7db27f480bdaf159c57b08c1991d3d7168ce96df4993480537f254a9123ccbca4434d9555846e58d238aea613950564c0cac09534a6ca40f1ef

Download Submit
memory/464-116-0x0000000000000000-mapping.dmp

Download
memory/736-126-0x0000000000000000-mapping.dmp

Download
memory/816-111-0x0000000000000000-mapping.dmp

Download
memory/824-96-0x0000000000000000-mapping.dmp

Download
memory/968-106-0x0000000000000000-mapping.dmp

Download
memory/1232-131-0x0000000000000000-mapping.dmp

Download
memory/1352-101-0x0000000000000000-mapping.dmp

Download
memory/1360-138-0x0000000000000000-mapping.dmp

Download
memory/1360-140-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/1484-66-0x0000000000000000-mapping.dmp

Download
memory/1608-136-0x0000000000000000-mapping.dmp

Download
memory/1740-81-0x0000000000000000-mapping.dmp

Download
memory/1776-91-0x0000000000000000-mapping.dmp

Download
memory/1808-86-0x0000000000000000-mapping.dmp

Download
memory/1844-76-0x0000000000000000-mapping.dmp

Download
memory/1940-121-0x0000000000000000-mapping.dmp

Download
memory/1964-71-0x0000000000000000-mapping.dmp

Download
memory/2008-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads