acfead83f1ee42c06310d2c814052a2ec28fff0bf15c482935fbbf1c3bb7de76

Analysis

max time kernel
133s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 18:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d20e34a8c60961ef73db5c6056770b6a.exe
Size

407KB
MD5

d20e34a8c60961ef73db5c6056770b6a
SHA1

d458c592da5cc06d4aa5f368cebe4153d97cc154
SHA256

acfead83f1ee42c06310d2c814052a2ec28fff0bf15c482935fbbf1c3bb7de76
SHA512

ac7fc87f8958dbafba0554da50eb97b2798dd87381a24e9aaef0b99a3b6cd07808305299473fc004b7b674ae24135f8eff0f4a793b1adf4b6f54fe74693ed36d
SSDEEP

6144:Vz9h86uEumflqgM8ipui6yYPaIGcjDpui6yYPaIGckSU05836pui6yYPaIGckN:19h86uVpV6yYP3pV6yYPg058KpV6yYPS

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkaeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idhiii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkaeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Inidkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d20e34a8c60961ef73db5c6056770b6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	d20e34a8c60961ef73db5c6056770b6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggjjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ggjjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inidkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idhiii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjolie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icachjbb.exe

Executes dropped EXE 12 IoCs

pid	Process
376	Dcffnbee.exe
968	Fcbnpnme.exe
2184	Gdgdeppb.exe
4656	Ggjjlk32.exe
1324	Hjolie32.exe
764	Hkaeih32.exe
4832	Icachjbb.exe
784	Inidkb32.exe
3252	Idhiii32.exe
232	Jhmhpfmi.exe
3580	Lklnconj.exe
3712	Ldikgdpe.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Idhiii32.exe	Inidkb32.exe
File opened for modification	C:\Windows\SysWOW64\Gdgdeppb.exe	Fcbnpnme.exe
File opened for modification	C:\Windows\SysWOW64\Hjolie32.exe	Ggjjlk32.exe
File created	C:\Windows\SysWOW64\Icachjbb.exe	Hkaeih32.exe
File created	C:\Windows\SysWOW64\Fcbnpnme.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Ggjjlk32.exe	Gdgdeppb.exe
File created	C:\Windows\SysWOW64\Clhgbgki.dll	Gdgdeppb.exe
File created	C:\Windows\SysWOW64\Lklnconj.exe	Jhmhpfmi.exe
File opened for modification	C:\Windows\SysWOW64\Lklnconj.exe	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Jfdklc32.dll	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Bbjlpn32.dll	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Hkaeih32.exe	Hjolie32.exe
File created	C:\Windows\SysWOW64\Gdqeooaa.dll	Idhiii32.exe
File opened for modification	C:\Windows\SysWOW64\Icachjbb.exe	Hkaeih32.exe
File opened for modification	C:\Windows\SysWOW64\Idhiii32.exe	Inidkb32.exe
File created	C:\Windows\SysWOW64\Icajjnkn.dll	Inidkb32.exe
File created	C:\Windows\SysWOW64\Jhmhpfmi.exe	Idhiii32.exe
File opened for modification	C:\Windows\SysWOW64\Jhmhpfmi.exe	Idhiii32.exe
File created	C:\Windows\SysWOW64\Gbjlkd32.dll	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Fljloomi.dll	Ggjjlk32.exe
File created	C:\Windows\SysWOW64\Bmaoca32.dll	Hjolie32.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lklnconj.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	d20e34a8c60961ef73db5c6056770b6a.exe
File opened for modification	C:\Windows\SysWOW64\Dcffnbee.exe	d20e34a8c60961ef73db5c6056770b6a.exe
File created	C:\Windows\SysWOW64\Gdgdeppb.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Hjolie32.exe	Ggjjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Inidkb32.exe	Icachjbb.exe
File opened for modification	C:\Windows\SysWOW64\Hkaeih32.exe	Hjolie32.exe
File created	C:\Windows\SysWOW64\Jooeqo32.dll	Hkaeih32.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Acajpc32.dll	d20e34a8c60961ef73db5c6056770b6a.exe
File opened for modification	C:\Windows\SysWOW64\Fcbnpnme.exe	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Ggjjlk32.exe	Gdgdeppb.exe
File created	C:\Windows\SysWOW64\Inidkb32.exe	Icachjbb.exe
File created	C:\Windows\SysWOW64\Denlcd32.dll	Icachjbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
420	3712	WerFault.exe	100

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gdgdeppb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acajpc32.dll"	d20e34a8c60961ef73db5c6056770b6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjlpn32.dll"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdklc32.dll"	Jhmhpfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hkaeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkaeih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Idhiii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljloomi.dll"	Ggjjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlcd32.dll"	Icachjbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Inidkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ggjjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clhgbgki.dll"	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdqeooaa.dll"	Idhiii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jhmhpfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d20e34a8c60961ef73db5c6056770b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	d20e34a8c60961ef73db5c6056770b6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icajjnkn.dll"	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ggjjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmaoca32.dll"	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooeqo32.dll"	Hkaeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	d20e34a8c60961ef73db5c6056770b6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjolie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	d20e34a8c60961ef73db5c6056770b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d20e34a8c60961ef73db5c6056770b6a.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 376	4220	d20e34a8c60961ef73db5c6056770b6a.exe	89
PID 4220 wrote to memory of 376	4220	d20e34a8c60961ef73db5c6056770b6a.exe	89
PID 4220 wrote to memory of 376	4220	d20e34a8c60961ef73db5c6056770b6a.exe	89
PID 376 wrote to memory of 968	376	Dcffnbee.exe	90
PID 376 wrote to memory of 968	376	Dcffnbee.exe	90
PID 376 wrote to memory of 968	376	Dcffnbee.exe	90
PID 968 wrote to memory of 2184	968	Fcbnpnme.exe	91
PID 968 wrote to memory of 2184	968	Fcbnpnme.exe	91
PID 968 wrote to memory of 2184	968	Fcbnpnme.exe	91
PID 2184 wrote to memory of 4656	2184	Gdgdeppb.exe	92
PID 2184 wrote to memory of 4656	2184	Gdgdeppb.exe	92
PID 2184 wrote to memory of 4656	2184	Gdgdeppb.exe	92
PID 4656 wrote to memory of 1324	4656	Ggjjlk32.exe	93
PID 4656 wrote to memory of 1324	4656	Ggjjlk32.exe	93
PID 4656 wrote to memory of 1324	4656	Ggjjlk32.exe	93
PID 1324 wrote to memory of 764	1324	Hjolie32.exe	94
PID 1324 wrote to memory of 764	1324	Hjolie32.exe	94
PID 1324 wrote to memory of 764	1324	Hjolie32.exe	94
PID 764 wrote to memory of 4832	764	Hkaeih32.exe	95
PID 764 wrote to memory of 4832	764	Hkaeih32.exe	95
PID 764 wrote to memory of 4832	764	Hkaeih32.exe	95
PID 4832 wrote to memory of 784	4832	Icachjbb.exe	96
PID 4832 wrote to memory of 784	4832	Icachjbb.exe	96
PID 4832 wrote to memory of 784	4832	Icachjbb.exe	96
PID 784 wrote to memory of 3252	784	Inidkb32.exe	97
PID 784 wrote to memory of 3252	784	Inidkb32.exe	97
PID 784 wrote to memory of 3252	784	Inidkb32.exe	97
PID 3252 wrote to memory of 232	3252	Idhiii32.exe	98
PID 3252 wrote to memory of 232	3252	Idhiii32.exe	98
PID 3252 wrote to memory of 232	3252	Idhiii32.exe	98
PID 232 wrote to memory of 3580	232	Jhmhpfmi.exe	99
PID 232 wrote to memory of 3580	232	Jhmhpfmi.exe	99
PID 232 wrote to memory of 3580	232	Jhmhpfmi.exe	99
PID 3580 wrote to memory of 3712	3580	Lklnconj.exe	100
PID 3580 wrote to memory of 3712	3580	Lklnconj.exe	100
PID 3580 wrote to memory of 3712	3580	Lklnconj.exe	100

C:\Users\Admin\AppData\Local\Temp\d20e34a8c60961ef73db5c6056770b6a.exe
"C:\Users\Admin\AppData\Local\Temp\d20e34a8c60961ef73db5c6056770b6a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\SysWOW64\Dcffnbee.exe
  C:\Windows\system32\Dcffnbee.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\SysWOW64\Fcbnpnme.exe
    C:\Windows\system32\Fcbnpnme.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\SysWOW64\Gdgdeppb.exe
      C:\Windows\system32\Gdgdeppb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\SysWOW64\Ggjjlk32.exe
        
        C:\Windows\system32\Ggjjlk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
      - C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Hkaeih32.exe
        
        C:\Windows\system32\Hkaeih32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        13⤵
        Executes dropped EXE
        
        PID:3712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 416
        14⤵
        Program crash
        
        PID:420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3712 -ip 3712
1⤵
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
407KB

MD5
bf8b709144d3d7ea3fef941d3c9a2bee

SHA1
f8923b17ba9a16b22cf47426293cc3809b88cfbb

SHA256
a78568d9e1a0aba30a9e7d39b283891fd17daa1a0355fe26d87f647bd2d2769a

SHA512
d3cc47dd09e4b59e1caaf788e8db7087ab0ba66853beea9953e4868338f11adf9d87b23c94f1abb2cec2529ed2e242a749803cbf74fa4454ecafc618d5090727

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
407KB

MD5
087fd7f8030726a20dedd3479637ee61

SHA1
f038decf5a13480c99b93c32e9573147349c089f

SHA256
ea73d2a502fa33502019ad1b5be84842edad9a4f5c30d40c3b4095ced480f382

SHA512
dff3185a26baddbb9473826fe62ce7c5689ac500566a670eaa117eb04fbde3ddaa1a0b4a94caac0ea840f31c5953ab57fb7d77c35ec93830db6be4305acdfbe0

Download Submit
C:\Windows\SysWOW64\Fljloomi.dll

Filesize
7KB

MD5
f7006ca76df75b49f51c4e14e4dca12a

SHA1
f707ca4e62648e4c9a0ef45b27004ca36294b9f9

SHA256
869363701874984667ee290f6eca424f4ed90ecec48a114a132597cf85b38b90

SHA512
e9433020d4c66e5554a64ab9c52f7a4c76d3630798be53f40ee4909ac93f9ecd8056c93d74e1f1f5d3572354417da178b4c280910dba4a618abe3d892ac67d48

Download Submit
C:\Windows\SysWOW64\Gdgdeppb.exe

Filesize
407KB

MD5
f7e5da3c17824e38ada715945d28cb79

SHA1
e4ff287fdd9d33ded5a14671a00acd4129e6f7a8

SHA256
15a5a592f1125e86b8ae4cd557cea9ea49fc6aa565173ec33d6916b79e55541c

SHA512
20ab81ed40472bac1a6c7791375348623f82cf9ea59195220191ae520b1e8c9efbddc34d6861dab62aa07abb6d2c3be94196d9c614f544ddf48677d5e7a2f8ff

Download Submit
C:\Windows\SysWOW64\Ggjjlk32.exe

Filesize
407KB

MD5
1397625e1d1373cb8775b611d3d4dfea

SHA1
12090989b89468179daf3a554f873341066502a9

SHA256
9e3df71f07c7449e06e63fea317bce5139ca21e90224b48345275bde2accc6b8

SHA512
21935d8ee2b94fbfa1245598a937ea0caaccd6edff0a5ed43f5bc969546c922cf7cecb068ae807f0523c00a08c66f3d28e7e1074ea6693d63d9010e3096adc6f

Download Submit
C:\Windows\SysWOW64\Hjolie32.exe

Filesize
407KB

MD5
158154f757aa449b4d2557bb120e2875

SHA1
f823d5bd561c5b686e5300c0a64aac03be76e91c

SHA256
b64c7d2aab459e0e30d5733925b811ce9fff10e2114fb8cdb02db5f17dcc7824

SHA512
7692c70cc559ffab1c37b88cdda61cc1f0049e99f81e3b47ed14c3b37ca0963f8552e5a40e575a7421e4edbeed52f66274351e3eea1b4c5607b6662f37f83c85

Download Submit
C:\Windows\SysWOW64\Hkaeih32.exe

Filesize
407KB

MD5
0baf96e791f04eac5b6a46614bd2d389

SHA1
265e32eceb21c94c474161839839d8fe486c9901

SHA256
c5af4abfe5f50fc59a0ec6bc238e17f6ef9d90c1855ff299210099f515a39859

SHA512
0069ef252cfce57e869a44706a65621a5048aceccb6fd493cb4615bf87c529c374e4c3272e13a7d59f608175a350c9ac4b0bbdbd56a619b4706861dfc394eda6

Download Submit
C:\Windows\SysWOW64\Icachjbb.exe

Filesize
407KB

MD5
721c850c3ea61558d22bb58be5afd6b5

SHA1
2a582c5d867394a6dba2ab7ca4b81503e2c12d8e

SHA256
a7b52f45ccd39655a928a0b2ed62b055ad0c0b78660d552c8781d59ebdaa0ac7

SHA512
2ed718da98d6a4ed81c2bfaa0b369c416ec74d85ee3b35459f036126b065f8310f44b21308bd8e3207c5e2eaaabb890e424df27f0d3d10108e5368f1cfe19b99

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
407KB

MD5
a7821fa757f0aa21921bb7c05e129a2f

SHA1
138ff5201f663838453f19bf44e8066b66e30c62

SHA256
beb692625dec29444e42b5f221ddaa44dbc702a4cf98bfc1e9b9adf11edd09b0

SHA512
f476681d4267fb3f39d0fa07a1ab4f056e406fb3cb5bfb837d707db72c2a95a9c6409c9fb023cc0a84aa5434901b8199325038b3e134b2e65fbe458fe6db8d63

Download Submit
C:\Windows\SysWOW64\Inidkb32.exe

Filesize
407KB

MD5
186cc5562a28bd368bc1dc942585ea8f

SHA1
8802e4348b4a3f9b108060e27c17ef9319aa5148

SHA256
7d2b71f8a7a0c344f7bb055691c61e2b1ed46992b72b2696e02e86c5c633d3f3

SHA512
5046268265687137544904dce28c7dc2b266a1fe100bb0cb2011ace4862cc71b7b3913a3ce84708cb43fdef6bc3a05944437470b188489c92555f6eb74e1eee3

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
407KB

MD5
b3dd8b3055f4b42177d6c340b0d50765

SHA1
d6493643ecde39c17cce9eb8168df75e8589ac3d

SHA256
fd427e5346296779275e28e21806db7266a3830a2f338a28ca54344c87a231e9

SHA512
4d5a97651030eee472ab4af70ef0f30f7e8d305edc16f2919423395615be0ebdeab7213234fef1c729cd87b47d35f0d1a0cb4523454719855451a280f1cd3134

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
407KB

MD5
513cb01ae49b5426c5a1bc2f1a24a5f1

SHA1
8d83e7d32eeb8ccf9fa292c04d96c3b309c663b9

SHA256
a5f16191bfdab44c693df860694abd945849730b6cc1e45e7101630239087d62

SHA512
d0071028dfefb29d77b74eeca6899e0b0e9bb11e4970c1bdbbd03a92db7e6fbc3cd568a9841584e78ca1dc5f53e0eddfface5b124b9dba0960b65264e8832e58

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
407KB

MD5
360a858cfe8bd13dcfb2715cfc24706d

SHA1
65c45210c307ced830ce178136e4a2ded9fe6ca9

SHA256
7d9c1058a3737fb925d326dfbd54fff02aca88c9fcc7f2757170a421228e1f19

SHA512
366f47a6c598fd05970aa3ca91aa1008ded264ba16a3086ac5ee3998a68312c4c3e70ebb6e4c630cca0f80ee4130f6f1a3135255c61c4e75ac682bd891fd1862

Download Submit
C:\Windows\SysWOW64\Lklnconj.exe

Filesize
407KB

MD5
42f5daf04c0ae8ad91c73ee1106915d2

SHA1
9f858c0fe83274a50ce2d4103ea4d851d6634404

SHA256
6760fa9acd2fcb1a33a388c4f132b0468fe5f387f92cd76d834f91bdabd69469

SHA512
cc7f5dd52a8f7f1f29eff1b8463c7d350ef16bb25a584ae8ce473ca5078b5d759583c2a63276da068178122b5759c962288f57daae720991cb48277f0b02d867

Download Submit
memory/232-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads