350e8778c26fd02ff345645c14782dd534e0751b400c54a297b938e271d7739d

Analysis

max time kernel
161s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b59bd892fe12963edd6e2ce0dc75e864.exe
Size

1.3MB
MD5

b59bd892fe12963edd6e2ce0dc75e864
SHA1

98b0c4c733fd37303544b00300ad3654f19f7bd3
SHA256

350e8778c26fd02ff345645c14782dd534e0751b400c54a297b938e271d7739d
SHA512

54b2b044c6823f31655eb707dc2808d3216a4deade5d93c2c9ea2b533e1e680e64b6721670f1e781afc9d7c5f60d9b835548e2631e5895d12d40bd6e39cb0043
SSDEEP

24576:/BR6Ph2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3oW:5WbazR0vKLXZ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mddkbbfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oheienli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jldkeeig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kongmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b59bd892fe12963edd6e2ce0dc75e864.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqghqpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jldkeeig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b59bd892fe12963edd6e2ce0dc75e864.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oheienli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqghqpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfppoa32.exe

Executes dropped EXE 11 IoCs

pid	Process
3000	Cgfbbb32.exe
3444	Dpmcmf32.exe
1584	Gdiakp32.exe
3964	Hqghqpnl.exe
4888	Ibgmaqfl.exe
4772	Jldkeeig.exe
968	Kongmo32.exe
1372	Mddkbbfg.exe
2788	Oheienli.exe
4212	Pfppoa32.exe
3240	Amhdmi32.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmehgibj.dll	Hqghqpnl.exe
File opened for modification	C:\Windows\SysWOW64\Cgfbbb32.exe	b59bd892fe12963edd6e2ce0dc75e864.exe
File created	C:\Windows\SysWOW64\Dpmcmf32.exe	Cgfbbb32.exe
File opened for modification	C:\Windows\SysWOW64\Dpmcmf32.exe	Cgfbbb32.exe
File opened for modification	C:\Windows\SysWOW64\Gdiakp32.exe	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Backedki.dll	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Hqghqpnl.exe	Gdiakp32.exe
File opened for modification	C:\Windows\SysWOW64\Ibgmaqfl.exe	Hqghqpnl.exe
File created	C:\Windows\SysWOW64\Ojglddfj.dll	Ibgmaqfl.exe
File opened for modification	C:\Windows\SysWOW64\Mddkbbfg.exe	Kongmo32.exe
File created	C:\Windows\SysWOW64\Bailkjga.dll	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Lapmnano.dll	Gdiakp32.exe
File opened for modification	C:\Windows\SysWOW64\Jldkeeig.exe	Ibgmaqfl.exe
File created	C:\Windows\SysWOW64\Cifiamoa.dll	Kongmo32.exe
File opened for modification	C:\Windows\SysWOW64\Oheienli.exe	Mddkbbfg.exe
File created	C:\Windows\SysWOW64\Gfomcn32.dll	Oheienli.exe
File created	C:\Windows\SysWOW64\Cgfbbb32.exe	b59bd892fe12963edd6e2ce0dc75e864.exe
File created	C:\Windows\SysWOW64\Oheienli.exe	Mddkbbfg.exe
File created	C:\Windows\SysWOW64\Pfppoa32.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Pfppoa32.exe
File opened for modification	C:\Windows\SysWOW64\Hqghqpnl.exe	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Mddkbbfg.exe	Kongmo32.exe
File created	C:\Windows\SysWOW64\Bcidlo32.dll	b59bd892fe12963edd6e2ce0dc75e864.exe
File created	C:\Windows\SysWOW64\Ibgmaqfl.exe	Hqghqpnl.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Kongmo32.exe	Jldkeeig.exe
File opened for modification	C:\Windows\SysWOW64\Kongmo32.exe	Jldkeeig.exe
File opened for modification	C:\Windows\SysWOW64\Pfppoa32.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Gdiakp32.exe	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Jldkeeig.exe	Ibgmaqfl.exe
File created	C:\Windows\SysWOW64\Mhfdfbqe.dll	Jldkeeig.exe
File created	C:\Windows\SysWOW64\Kncgmcgd.dll	Mddkbbfg.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll"	b59bd892fe12963edd6e2ce0dc75e864.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifiamoa.dll"	Kongmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mddkbbfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b59bd892fe12963edd6e2ce0dc75e864.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bailkjga.dll"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backedki.dll"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibgmaqfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oheienli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b59bd892fe12963edd6e2ce0dc75e864.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojglddfj.dll"	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hqghqpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmehgibj.dll"	Hqghqpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfdfbqe.dll"	Jldkeeig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Pfppoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b59bd892fe12963edd6e2ce0dc75e864.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b59bd892fe12963edd6e2ce0dc75e864.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapmnano.dll"	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncgmcgd.dll"	Mddkbbfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b59bd892fe12963edd6e2ce0dc75e864.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hqghqpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfomcn32.dll"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfppoa32.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3000	4596	b59bd892fe12963edd6e2ce0dc75e864.exe	90
PID 4596 wrote to memory of 3000	4596	b59bd892fe12963edd6e2ce0dc75e864.exe	90
PID 4596 wrote to memory of 3000	4596	b59bd892fe12963edd6e2ce0dc75e864.exe	90
PID 3000 wrote to memory of 3444	3000	Cgfbbb32.exe	91
PID 3000 wrote to memory of 3444	3000	Cgfbbb32.exe	91
PID 3000 wrote to memory of 3444	3000	Cgfbbb32.exe	91
PID 3444 wrote to memory of 1584	3444	Dpmcmf32.exe	92
PID 3444 wrote to memory of 1584	3444	Dpmcmf32.exe	92
PID 3444 wrote to memory of 1584	3444	Dpmcmf32.exe	92
PID 1584 wrote to memory of 3964	1584	Gdiakp32.exe	93
PID 1584 wrote to memory of 3964	1584	Gdiakp32.exe	93
PID 1584 wrote to memory of 3964	1584	Gdiakp32.exe	93
PID 3964 wrote to memory of 4888	3964	Hqghqpnl.exe	94
PID 3964 wrote to memory of 4888	3964	Hqghqpnl.exe	94
PID 3964 wrote to memory of 4888	3964	Hqghqpnl.exe	94
PID 4888 wrote to memory of 4772	4888	Ibgmaqfl.exe	95
PID 4888 wrote to memory of 4772	4888	Ibgmaqfl.exe	95
PID 4888 wrote to memory of 4772	4888	Ibgmaqfl.exe	95
PID 4772 wrote to memory of 968	4772	Jldkeeig.exe	96
PID 4772 wrote to memory of 968	4772	Jldkeeig.exe	96
PID 4772 wrote to memory of 968	4772	Jldkeeig.exe	96
PID 968 wrote to memory of 1372	968	Kongmo32.exe	97
PID 968 wrote to memory of 1372	968	Kongmo32.exe	97
PID 968 wrote to memory of 1372	968	Kongmo32.exe	97
PID 1372 wrote to memory of 2788	1372	Mddkbbfg.exe	98
PID 1372 wrote to memory of 2788	1372	Mddkbbfg.exe	98
PID 1372 wrote to memory of 2788	1372	Mddkbbfg.exe	98
PID 2788 wrote to memory of 4212	2788	Oheienli.exe	99
PID 2788 wrote to memory of 4212	2788	Oheienli.exe	99
PID 2788 wrote to memory of 4212	2788	Oheienli.exe	99
PID 4212 wrote to memory of 3240	4212	Pfppoa32.exe	100
PID 4212 wrote to memory of 3240	4212	Pfppoa32.exe	100
PID 4212 wrote to memory of 3240	4212	Pfppoa32.exe	100

C:\Users\Admin\AppData\Local\Temp\b59bd892fe12963edd6e2ce0dc75e864.exe
"C:\Users\Admin\AppData\Local\Temp\b59bd892fe12963edd6e2ce0dc75e864.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SysWOW64\Cgfbbb32.exe
  C:\Windows\system32\Cgfbbb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\Dpmcmf32.exe
    C:\Windows\system32\Dpmcmf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\SysWOW64\Gdiakp32.exe
      C:\Windows\system32\Gdiakp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
      - C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        12⤵
        Executes dropped EXE
        
        PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amhdmi32.exe

Filesize
1.3MB

MD5
4dc34bfd90218ad8e338288296724fc8

SHA1
1b10209cdd6e2f9923fad97897cf83ea4a020eaf

SHA256
6a3e7d2ca10a0941e36c1580e32cf5a68fea49de2d08930a7f322a7d2dd2232f

SHA512
b704059b6bedbe365a3f3de7585d4f9777b04e359a70f0db42941240adb38432079e3e821d9dd53d971c66d7c6b96ba766686b6cfdaddaa2bed3b99f116dd6ae

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
1.3MB

MD5
bcee9ca89e1052faa9199f7c01db3ff8

SHA1
7c8bf27f899671ede338cf8debf8e4bf77ebfc54

SHA256
d2e373e669c6184793f472f692560d87ede18bbce348d5c368a98f98ac12c49a

SHA512
2ddd7244d17728f46ba7788dcd6b6e476927553fec0204d679a4d5bdd630922385a85b968cacec6786b55f44abdf24877beffec51af23b2b4e6ba682857f9a8c

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
256KB

MD5
41a0bbaff4ed1b15e5c985259d2302c7

SHA1
775e9462de5753c86e71d81275740990c0b32631

SHA256
cb48ffd900c6f06594a73ce7df0120b471de8ec0db9a70ec3a05b2f78d2f4497

SHA512
38270666778a2602dbece7e3eee7574ab988df1cd12ded4d47a7f86da5f995757f4f33c97a3ca9e5126594310bce62bbf9f7b7c3f4bf469541f40e995bb9eea0

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
1.3MB

MD5
fe9edf59c6d0826a688143f3b914b95a

SHA1
70a3aebfe0f0de68be23ec174e3da2efa38d3cc8

SHA256
ff6a4c4cfdf4fc029a21794dc2172343f071e9821c1462d27b317df143336c7c

SHA512
d27e14bb00dd72238432fff9ddabe286578f2b55bb1f5048aadb5478417edb550e474855b765a2d7fb8a0de2b8473dea2a95cc7f1c67ef1432bb4383e291e1b4

Download Submit
C:\Windows\SysWOW64\Gdiakp32.exe

Filesize
1.3MB

MD5
0981be4768db0d573ddfed1e21f700ab

SHA1
c65d36409ea1285eeb1acf81076701cd7b2ae631

SHA256
9e36b8ad9f000e5a2b8cec1a8e0fa0b09c77ffb9bbe352739280e52c13c8676f

SHA512
3c1ae81883b4ae2066d6fa634d277953745217cd44b4661448be42e974c409e9b1724a54f8313ff12f81bcfce67fcd8804b529682e254722b40d81cb305dabfe

Download Submit
C:\Windows\SysWOW64\Hqghqpnl.exe

Filesize
1.3MB

MD5
459f8469bf3ec2a6254b8620f216d2ce

SHA1
f50f59e282f4f159453e6e060e04ea4fac352245

SHA256
f62e8dfbe9f467757dca9756bf9bac0a8127a52ce039661e31373ba71e0500fa

SHA512
f405ea4ef2af252771ebc819d364d30475087f3679d77bda31a1cd69c69ec49d0df4bee87d84af6e4bf42e34ac719e65cef1c4633341fd1bc9d122a02d50c664

Download Submit
C:\Windows\SysWOW64\Ibgmaqfl.exe

Filesize
1.3MB

MD5
57988d7ae1d3434c9c9ae92998fb1d92

SHA1
eb0876ff96c51930ff545a411d54ba181bd3aa82

SHA256
d63b8bc2ae5c3803ac56b53e1e8aabda6a5e5d5407ad6161ffc69b591fd17401

SHA512
f49eccbe4e1718b30f11915e0b319b98e6c558b05f1fca521900973517daef3fb1b3542f76dfb3efe548cd6698c1e086e578f07e0a9e130b4e8420ea5dadbfbf

Download Submit
C:\Windows\SysWOW64\Jldkeeig.exe

Filesize
1.3MB

MD5
a1d8726ecc29fd73c6451c3ab7a1d481

SHA1
d40510f81528c25a6541de2dd3b8e425d5de43c5

SHA256
26404e442dae4f683db78d973cc0ad07d78218d0c046dd869d3657e1d5c442ec

SHA512
e1bc663d39cbbec219a0041214d129d961942d8661c6bd492a1c605a3d4de0c24b59e2d47d71816613b48cec22d07863d218c463f2f4e00bfaea619d4433c812

Download Submit
C:\Windows\SysWOW64\Kongmo32.exe

Filesize
960KB

MD5
9b971fb300454dc47876347479576ba2

SHA1
907de93f92acd684c99eb8fd1a2b9d0e373c7c9e

SHA256
ba791ce24536fbbb277f0f7e5e82ff256afc4460fbff6a2947ddc2d18874f894

SHA512
fe53b0d4b5a08ebe1b315aac5297f69e1e57e17e42f4036e0b92a96f720f3bc5785d5165cfb17acd851b017eda4b99f6a53b997dddd883dee0d488d4ec46dd67

Download Submit
C:\Windows\SysWOW64\Kongmo32.exe

Filesize
1.3MB

MD5
361fcfff6880b1a1818c9a1a8c22eff3

SHA1
c51ade42d60f666f13487a8ddc837f7b3156eb87

SHA256
02a5b5dcb2d22606073f2b76b58fa1413e45ffde3facf631e995f49b50a7058b

SHA512
26c15aa65dbac6fc781aca3ea86e2d7d9ba1ec2c3a237fe92f57dfecee4b4e848381ba485764ca063c710e8fd440e26fb5657ce864619b0bed938ad27b044dd0

Download Submit
C:\Windows\SysWOW64\Mddkbbfg.exe

Filesize
73KB

MD5
ac8126fa63ddfc71346806eb42ef8cee

SHA1
dca82f0f1ae06fe15d61d621e4268db20f1ff494

SHA256
e60692c01b6fd608588e4a18bc98d64fe16f5fa5c1192348e3b3332d4bcc15d2

SHA512
940092fbc746f72043e2639527d7792ab841f6e30cb81bc4308d2fbced99762b68b88bc1245609eda0db27afe746644131dddc94d86d9ae5b9f6ad6318fc048f

Download Submit
C:\Windows\SysWOW64\Mddkbbfg.exe

Filesize
1.3MB

MD5
81dfd8b1505c44f66f6cd60eaf3d7511

SHA1
ced3e87f88ebae9e6c45c6c7a5d5f77595e8e117

SHA256
88bb6e2cda9d4518af2eba325d1afe1ec7141223788b472dc05302abf0f1cb32

SHA512
7989e34c2329087fb53451829afe48df742cf4c2c3ae3af0c2a93523aca51974edeac7eb3c6bb4e19b6373df4bf731b8822c212af76e7303c71cd9537400c42b

Download Submit
C:\Windows\SysWOW64\Oheienli.exe

Filesize
1.3MB

MD5
62fa1c70f377222b5cdf3cf4d2e1d576

SHA1
08a7e7bc1ed780cb683557b8509c0fc8ee492de2

SHA256
76920d069a60419e7584b9dbffe0fd588a2125d58c540f32c7080c21e3daabb0

SHA512
eb12c1dc4901af116c8d51e556794d34e489181be7a83d9c2bfa87e03fc25e70135037c1827da65ef861ce7c927fa4be5303253a602205b41f742cd438bca04b

Download Submit
C:\Windows\SysWOW64\Pfppoa32.exe

Filesize
1.3MB

MD5
14e15b521f64e588a939c3b7b765bbb9

SHA1
78e619d59bc7f8997fb87381b3908a22040a7064

SHA256
4ec0fa41884539372a66b7b65c520041969b4036bf2714848bc5e93a34703e20

SHA512
24cd8dba52b7e28a5a539b23e87f49d639b0fe516f17f29314d4ebc7e7344e7f145acfd707f198c42f1c9165524a9cb21e3d89cfc28e4eedd3c4a0946408b745

Download Submit
memory/968-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads