9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e

Analysis

max time kernel
166s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe
Size

448KB
MD5

0176abeb76c17bbb5886212888beae3d
SHA1

2df9bc5c18d927552d00fd78de7e9ac81199b390
SHA256

9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e
SHA512

188d9168aa520844481b64f445eb726c73c4550dc63a305b3482d44b0dce4d1a08c57cbbc0c6f5225650599d056ac229cd2d8235826a038e6eedef6893c06feb
SSDEEP

6144:EuGf/QNYw7aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOEjXP3HBsR4/0ePGSzxC:EuGf/67aOlxzr3cOK3TajRfXFMKNxC

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooibkpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gokbgpeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jppnpjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ooibkpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jppnpjel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofdhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gokbgpeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kofdhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klndfj32.exe

Executes dropped EXE 8 IoCs

pid	Process
2108	Gokbgpeg.exe
1700	Jppnpjel.exe
4884	Klndfj32.exe
4592	Kofdhd32.exe
2404	Nhegig32.exe
4924	Ooibkpmi.exe
4444	Pqbala32.exe
4780	Pififb32.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jppnpjel.exe	Gokbgpeg.exe
File opened for modification	C:\Windows\SysWOW64\Ooibkpmi.exe	Nhegig32.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Pqbala32.exe
File created	C:\Windows\SysWOW64\Kofdhd32.exe	Klndfj32.exe
File created	C:\Windows\SysWOW64\Ooibkpmi.exe	Nhegig32.exe
File created	C:\Windows\SysWOW64\Gggikgqe.dll	Nhegig32.exe
File created	C:\Windows\SysWOW64\Pqbala32.exe	Ooibkpmi.exe
File opened for modification	C:\Windows\SysWOW64\Pqbala32.exe	Ooibkpmi.exe
File created	C:\Windows\SysWOW64\Jppnpjel.exe	Gokbgpeg.exe
File created	C:\Windows\SysWOW64\Klndfj32.exe	Jppnpjel.exe
File opened for modification	C:\Windows\SysWOW64\Klndfj32.exe	Jppnpjel.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pqbala32.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pqbala32.exe
File created	C:\Windows\SysWOW64\Qdhlclpe.dll	Jppnpjel.exe
File created	C:\Windows\SysWOW64\Gokbgpeg.exe	9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe
File opened for modification	C:\Windows\SysWOW64\Gokbgpeg.exe	9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe
File created	C:\Windows\SysWOW64\Ecipcemb.dll	9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe
File created	C:\Windows\SysWOW64\Nhegig32.exe	Kofdhd32.exe
File opened for modification	C:\Windows\SysWOW64\Nhegig32.exe	Kofdhd32.exe
File created	C:\Windows\SysWOW64\Ghcfpl32.dll	Kofdhd32.exe
File created	C:\Windows\SysWOW64\Hpkdfd32.dll	Ooibkpmi.exe
File created	C:\Windows\SysWOW64\Eiacog32.dll	Gokbgpeg.exe
File opened for modification	C:\Windows\SysWOW64\Kofdhd32.exe	Klndfj32.exe
File created	C:\Windows\SysWOW64\Ncjakdno.dll	Klndfj32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4476	4780	WerFault.exe	104
5100	4780	WerFault.exe	104

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiacog32.dll"	Gokbgpeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jppnpjel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klndfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kofdhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhlclpe.dll"	Jppnpjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ooibkpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjakdno.dll"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggikgqe.dll"	Nhegig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcfpl32.dll"	Kofdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kofdhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhegig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jppnpjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gokbgpeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqbala32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ooibkpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkdfd32.dll"	Ooibkpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecipcemb.dll"	9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gokbgpeg.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2108	2004	9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe	97
PID 2004 wrote to memory of 2108	2004	9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe	97
PID 2004 wrote to memory of 2108	2004	9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe	97
PID 2108 wrote to memory of 1700	2108	Gokbgpeg.exe	98
PID 2108 wrote to memory of 1700	2108	Gokbgpeg.exe	98
PID 2108 wrote to memory of 1700	2108	Gokbgpeg.exe	98
PID 1700 wrote to memory of 4884	1700	Jppnpjel.exe	99
PID 1700 wrote to memory of 4884	1700	Jppnpjel.exe	99
PID 1700 wrote to memory of 4884	1700	Jppnpjel.exe	99
PID 4884 wrote to memory of 4592	4884	Klndfj32.exe	100
PID 4884 wrote to memory of 4592	4884	Klndfj32.exe	100
PID 4884 wrote to memory of 4592	4884	Klndfj32.exe	100
PID 4592 wrote to memory of 2404	4592	Kofdhd32.exe	101
PID 4592 wrote to memory of 2404	4592	Kofdhd32.exe	101
PID 4592 wrote to memory of 2404	4592	Kofdhd32.exe	101
PID 2404 wrote to memory of 4924	2404	Nhegig32.exe	102
PID 2404 wrote to memory of 4924	2404	Nhegig32.exe	102
PID 2404 wrote to memory of 4924	2404	Nhegig32.exe	102
PID 4924 wrote to memory of 4444	4924	Ooibkpmi.exe	103
PID 4924 wrote to memory of 4444	4924	Ooibkpmi.exe	103
PID 4924 wrote to memory of 4444	4924	Ooibkpmi.exe	103
PID 4444 wrote to memory of 4780	4444	Pqbala32.exe	104
PID 4444 wrote to memory of 4780	4444	Pqbala32.exe	104
PID 4444 wrote to memory of 4780	4444	Pqbala32.exe	104
PID 4780 wrote to memory of 4476	4780	Pififb32.exe	108
PID 4780 wrote to memory of 4476	4780	Pififb32.exe	108
PID 4780 wrote to memory of 4476	4780	Pififb32.exe	108

C:\Users\Admin\AppData\Local\Temp\9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe
"C:\Users\Admin\AppData\Local\Temp\9f36d4a8f93c676ba896f401fecf1ad85f8ea5d11afd0683b9e5db175733967e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\Gokbgpeg.exe
  C:\Windows\system32\Gokbgpeg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\Jppnpjel.exe
    C:\Windows\system32\Jppnpjel.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\Klndfj32.exe
      C:\Windows\system32\Klndfj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
      - C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 412
        10⤵
        Program crash
        
        PID:4476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 412
        10⤵
        Program crash
        
        PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4780 -ip 4780
1⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ghcfpl32.dll

Filesize
7KB

MD5
6640567b19e47640e2a457478fb047c7

SHA1
9db620c9933f2923543f399bbaf251f986b1b6d0

SHA256
6939c73bc3bab5cfe9d08a0e12cd60fed48be526337ef6601676688424b18c16

SHA512
d1f700e451d9b393080b8bc0f0f51936f65b26e8ce50241bbe918f8d1093ba999bd1b963b506f51498b0a36d77ac46054dc4381ca408256bcef0a47b69c28ade

Download Submit
C:\Windows\SysWOW64\Gokbgpeg.exe

Filesize
448KB

MD5
4796b39f3497efe26476eb2f4f5fb887

SHA1
754ed35f66ff70c7a912dc6b814d1f7bee404a21

SHA256
f298e1243247532de94fe289ab4aaa151fdc4d3d781876c51114137cc8e9707d

SHA512
5b23ea02d3ef89bd333f518d615efbe264ea77c0827d7e2f679bd54c897655c0d5312d033ad91de724189713ed3dfa759f7007fd723eebd4d5c8efc4bb757b50

Download Submit
C:\Windows\SysWOW64\Jppnpjel.exe

Filesize
448KB

MD5
ab11cc0983dcd5cee1bede8fd340f563

SHA1
d39935e7438ab3e4e6cea30aa80ec25fb0f39fb3

SHA256
7cb1fac1d1a702f2a6fada418920f45d53e43e1fcf7c4ce0172e4c14a04c76f4

SHA512
fd374d84027679bc278613a42c37a0317033ae46349f6e891c9089aad5629ec7ff5d9ba80fdf37b656fbf8ea74a2bb489c43759bba8e698d407e1985c07dfc3a

Download Submit
C:\Windows\SysWOW64\Klndfj32.exe

Filesize
448KB

MD5
fc614c646285de889e46b19393173de4

SHA1
8b87d07a91db7cb36ea2ebac903344cd6b0eec56

SHA256
db6d96b3953328ca1367a0a4dfa73f4619e06f62886e4f0737681a93d927d402

SHA512
a07320d02360b1f067a3442f3f2d517f90f80c8123dde135fd159e23df450510608dd8f09feff7d64092752d1efdd201ee6b79422dc5f7d54feafcb75aa1e6c8

Download Submit
C:\Windows\SysWOW64\Kofdhd32.exe

Filesize
448KB

MD5
302ddfb832ff43c976e7806a3921ffeb

SHA1
a6f53df20dc229a93c3ec6bbc32ab88ca0dde772

SHA256
18e32942719871f0d99f2393e56139b12e24a695f8de3c4c78b1b40dbbf0ac69

SHA512
36ae7572a1aaaf5cea24625e383a7c259b6d1085dbfcc5f13dac932b1fed8729a4923a46759514ad09a55e279ec66401cd383e85d5e847cc3872cd99bcd1a4a5

Download Submit
C:\Windows\SysWOW64\Nhegig32.exe

Filesize
448KB

MD5
6f9bfd9ab97f9477744df7d9b0910ca5

SHA1
a68798956be38f06a700425dae907c932a07eddd

SHA256
a1015164a9ef3a6eddbe00bd88c9958b380b4cfe221e6f72a2078d1bb15409fd

SHA512
4156166ae01525cfd9ed5d8b763755b51aca91dc116ba287945a5cff99d105c4c6b2d56e40d1ac7d5ee94e99430c479fbbccc50895ef89a054971c4a21f75125

Download Submit
C:\Windows\SysWOW64\Ooibkpmi.exe

Filesize
448KB

MD5
086e71adb77f30de8a977a0251260871

SHA1
11d36504bacad89d3d3102896fe46739dee20ad0

SHA256
2fc59661f163192111e336fe855d936c09b3e25668bc49dac51a61608b536b1d

SHA512
b16c351f594fd57dfe67c673c0dbe7e08481363d2f2037cc9e4d1bcadf2b67ea5da65477b2f4dfcd793a819b75b394de33b76c390ba6963085b481509a895cb2

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
448KB

MD5
c313550c3b3637b8159b9597d65f05f3

SHA1
fbe146965cfc3480f21f65dc9e107729fc70c9fe

SHA256
06eb23aaf431cbd5dab82fbd12c5699fa667cd0f47584e92513d2fbeb7dea8cd

SHA512
8bd7b3f53f24bd83f80588d68c72616df1eb8f90c0e2349565f267b910afaaa21e124a122861173afb47404a259738225f8ba3033050241ca38b29cbc7ace61a

Download Submit
C:\Windows\SysWOW64\Pqbala32.exe

Filesize
448KB

MD5
ef80e3ef07af7e09708b2cbc74ecaf54

SHA1
8a0033138079c2679e7dc551a4fa92039c3f2ecc

SHA256
3caf11a12db8d5dcc1cff1f37af6f949f8467545f42e3cd4256e3cdf9be462d5

SHA512
887fb39ece1377873f84fbb516eccf1286e491e7e13ca079537931128b814fe19403ecf1305e20ef2a53e48e86984429225a6735a0304a593c50c20eef76c685

Download Submit
memory/1700-67-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2004-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2004-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2108-66-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2108-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2404-70-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2404-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4592-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4592-69-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4780-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4780-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4884-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4884-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4924-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4924-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads