78824f7b0c105ec34ee396626e51e178d8a4261865a97da18f595baec16b77fd

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2023, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26d50d406fde1bd160d5b51a3de6f85d_JC.exe
Size

96KB
MD5

26d50d406fde1bd160d5b51a3de6f85d
SHA1

85456d38e95f3ed61157295dd08cd9032f96889f
SHA256

78824f7b0c105ec34ee396626e51e178d8a4261865a97da18f595baec16b77fd
SHA512

1c2a113218f1ccf9a8d76bd2f81f6034099b49a6c8f4a208d90b047224e96f74addaa10e3c0e36b24c969cd3cac4e56ab6ed79193c34c2bf3f2650e275eefa75
SSDEEP

1536:JpO4sGTA/Hfl1GBUKTvbQGh54BRVcdZ2JVQBKoC/CKniTCvVAva61hLDnePhVsWi:J5sGTA/Hfl8Ukh547VqZ2fQkbn1vVAv7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	26d50d406fde1bd160d5b51a3de6f85d_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	26d50d406fde1bd160d5b51a3de6f85d_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe

Executes dropped EXE 8 IoCs

pid	Process
4612	Cegdnopg.exe
1592	Djdmffnn.exe
4100	Dfknkg32.exe
4960	Dmefhako.exe
1764	Ddonekbl.exe
1560	Dkifae32.exe
2040	Ddakjkqi.exe
3812	Dmllipeg.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	26d50d406fde1bd160d5b51a3de6f85d_JC.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	26d50d406fde1bd160d5b51a3de6f85d_JC.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	26d50d406fde1bd160d5b51a3de6f85d_JC.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Ddakjkqi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3204	3812	WerFault.exe	93

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	26d50d406fde1bd160d5b51a3de6f85d_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	26d50d406fde1bd160d5b51a3de6f85d_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	26d50d406fde1bd160d5b51a3de6f85d_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	26d50d406fde1bd160d5b51a3de6f85d_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	26d50d406fde1bd160d5b51a3de6f85d_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	26d50d406fde1bd160d5b51a3de6f85d_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 4612	936	26d50d406fde1bd160d5b51a3de6f85d_JC.exe	85
PID 936 wrote to memory of 4612	936	26d50d406fde1bd160d5b51a3de6f85d_JC.exe	85
PID 936 wrote to memory of 4612	936	26d50d406fde1bd160d5b51a3de6f85d_JC.exe	85
PID 4612 wrote to memory of 1592	4612	Cegdnopg.exe	86
PID 4612 wrote to memory of 1592	4612	Cegdnopg.exe	86
PID 4612 wrote to memory of 1592	4612	Cegdnopg.exe	86
PID 1592 wrote to memory of 4100	1592	Djdmffnn.exe	87
PID 1592 wrote to memory of 4100	1592	Djdmffnn.exe	87
PID 1592 wrote to memory of 4100	1592	Djdmffnn.exe	87
PID 4100 wrote to memory of 4960	4100	Dfknkg32.exe	89
PID 4100 wrote to memory of 4960	4100	Dfknkg32.exe	89
PID 4100 wrote to memory of 4960	4100	Dfknkg32.exe	89
PID 4960 wrote to memory of 1764	4960	Dmefhako.exe	90
PID 4960 wrote to memory of 1764	4960	Dmefhako.exe	90
PID 4960 wrote to memory of 1764	4960	Dmefhako.exe	90
PID 1764 wrote to memory of 1560	1764	Ddonekbl.exe	91
PID 1764 wrote to memory of 1560	1764	Ddonekbl.exe	91
PID 1764 wrote to memory of 1560	1764	Ddonekbl.exe	91
PID 1560 wrote to memory of 2040	1560	Dkifae32.exe	92
PID 1560 wrote to memory of 2040	1560	Dkifae32.exe	92
PID 1560 wrote to memory of 2040	1560	Dkifae32.exe	92
PID 2040 wrote to memory of 3812	2040	Ddakjkqi.exe	93
PID 2040 wrote to memory of 3812	2040	Ddakjkqi.exe	93
PID 2040 wrote to memory of 3812	2040	Ddakjkqi.exe	93

C:\Users\Admin\AppData\Local\Temp\26d50d406fde1bd160d5b51a3de6f85d_JC.exe
"C:\Users\Admin\AppData\Local\Temp\26d50d406fde1bd160d5b51a3de6f85d_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\SysWOW64\Cegdnopg.exe
  C:\Windows\system32\Cegdnopg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\SysWOW64\Djdmffnn.exe
    C:\Windows\system32\Djdmffnn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\SysWOW64\Dfknkg32.exe
      C:\Windows\system32\Dfknkg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4100
    - - C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
      - C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        9⤵
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 396
        10⤵
        Program crash
        
        PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3812 -ip 3812
1⤵
PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
96KB

MD5
ea246df27d17b0c358f2ebc6eacbc4f7

SHA1
da8ed8da6b983101550b331da08bf9f1182134a2

SHA256
3f089b6aed421e6e465cd01160a543422bd180ff9acfc4db1199b3fe26bd2310

SHA512
a5d16e4faf87b13e3deefb2df117bfc808ff4c899300f4a2b91be6002098bd336b2e46321df414c4901a216825d1f95b2d9e74fac08aa0c1c6b8e69081a51885

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
96KB

MD5
ea246df27d17b0c358f2ebc6eacbc4f7

SHA1
da8ed8da6b983101550b331da08bf9f1182134a2

SHA256
3f089b6aed421e6e465cd01160a543422bd180ff9acfc4db1199b3fe26bd2310

SHA512
a5d16e4faf87b13e3deefb2df117bfc808ff4c899300f4a2b91be6002098bd336b2e46321df414c4901a216825d1f95b2d9e74fac08aa0c1c6b8e69081a51885

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
fc2527a62f55910de18d3f5f2de6ccd9

SHA1
deaa24ad2d97fc79d89d70b2d203259c76790d19

SHA256
24b2d8c1893fe3cb0b26b11283a3b9509bf1c05733d3e2878cd2fd4369efdd15

SHA512
83e89ab7f38ab8bdeed17a102742f0c898fe24e40afed38f9f2eb6148d0f98cc013031a5a8f46b06968e8950240a0e7549b86d4b805b4a065620c29bbceb5e6f

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
fc2527a62f55910de18d3f5f2de6ccd9

SHA1
deaa24ad2d97fc79d89d70b2d203259c76790d19

SHA256
24b2d8c1893fe3cb0b26b11283a3b9509bf1c05733d3e2878cd2fd4369efdd15

SHA512
83e89ab7f38ab8bdeed17a102742f0c898fe24e40afed38f9f2eb6148d0f98cc013031a5a8f46b06968e8950240a0e7549b86d4b805b4a065620c29bbceb5e6f

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
499890891540de2cb314986d2ee7b9a6

SHA1
cc9b7d36bf4770260c01b24c3149a761101d208a

SHA256
8bd27f720bc5d4b6839debe0b5a06ba84e2c3a8e0afd589d02b350d4937edbd3

SHA512
6888b24702c5a44e1f48985331a522028e070f22ad6d54194546050e3ed60f2c0ea888b15ecc6c736a3f5e2d2c2b008d4e5b4dfe1a7885b598d94c9a29cb8de8

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
499890891540de2cb314986d2ee7b9a6

SHA1
cc9b7d36bf4770260c01b24c3149a761101d208a

SHA256
8bd27f720bc5d4b6839debe0b5a06ba84e2c3a8e0afd589d02b350d4937edbd3

SHA512
6888b24702c5a44e1f48985331a522028e070f22ad6d54194546050e3ed60f2c0ea888b15ecc6c736a3f5e2d2c2b008d4e5b4dfe1a7885b598d94c9a29cb8de8

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
96KB

MD5
799148a7f1f758f73d68932d4ef96ff2

SHA1
eb533939ebaf187b02651e5922581d866f797373

SHA256
e4d8628d6fc33e672474a34418f4182d75eecdb59c8b05d3476c22f4560e6431

SHA512
f02d9b088ec515707afad00995e9b29e99c4551e9292256b8565864aa1307715f0e874e335b00ea5ce465f59b56939ed97bf6f32995f2b05dc6dd0deca976860

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
96KB

MD5
799148a7f1f758f73d68932d4ef96ff2

SHA1
eb533939ebaf187b02651e5922581d866f797373

SHA256
e4d8628d6fc33e672474a34418f4182d75eecdb59c8b05d3476c22f4560e6431

SHA512
f02d9b088ec515707afad00995e9b29e99c4551e9292256b8565864aa1307715f0e874e335b00ea5ce465f59b56939ed97bf6f32995f2b05dc6dd0deca976860

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
96KB

MD5
b937bd898c8bd19c1beb618ad2ef0c3b

SHA1
59d7a464a918e857b21f69bda2b19796b783b0e5

SHA256
cfabc6c115250ba05c37b442f5f63e2906bf8aa6ce183457e8d86c15276a1bc5

SHA512
ccf09777aeb8447b49744f4bc9b6a064b01656235b01b0a06d34832a3cd4d04eb0c0f715a5902f7a414090685bac9e4b47cb29dd62fa214c5639dd65a81865e4

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
96KB

MD5
b937bd898c8bd19c1beb618ad2ef0c3b

SHA1
59d7a464a918e857b21f69bda2b19796b783b0e5

SHA256
cfabc6c115250ba05c37b442f5f63e2906bf8aa6ce183457e8d86c15276a1bc5

SHA512
ccf09777aeb8447b49744f4bc9b6a064b01656235b01b0a06d34832a3cd4d04eb0c0f715a5902f7a414090685bac9e4b47cb29dd62fa214c5639dd65a81865e4

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
96KB

MD5
64151822e82228be53a4d8f4856bd98d

SHA1
5f5198cfdc8da441724c43a180f65e21de0470df

SHA256
b472893b40323025920c10310b8f0ec0db1b6f63b2a54d086b6adcb1ca8674b7

SHA512
a1e8e2e07a00ef17adfdb008861ea3b5cc3bf98ea004d3a4a778b462c80586ee17e0916325d5d25788691e0e4a3cbae25eaa33b2720cc7b9f7e080bab23770b9

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
96KB

MD5
64151822e82228be53a4d8f4856bd98d

SHA1
5f5198cfdc8da441724c43a180f65e21de0470df

SHA256
b472893b40323025920c10310b8f0ec0db1b6f63b2a54d086b6adcb1ca8674b7

SHA512
a1e8e2e07a00ef17adfdb008861ea3b5cc3bf98ea004d3a4a778b462c80586ee17e0916325d5d25788691e0e4a3cbae25eaa33b2720cc7b9f7e080bab23770b9

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
3d749c43da47b5653bb4b8e248070926

SHA1
6fd802509ddd7aa5accde23efcaea72aaf196093

SHA256
e4bd08cc7ae76208acb9adbb18b1fd7b2b8b2b9db003b260c9fc199f77703b7d

SHA512
d2ccf1f0816cfec23787ab382d1180015536a6e350d12154e37d447cf1ca290e561739406869a6f3b1df7f03483f7a9d57218bf8cd4d2bacb53fbd71b13d829e

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
3d749c43da47b5653bb4b8e248070926

SHA1
6fd802509ddd7aa5accde23efcaea72aaf196093

SHA256
e4bd08cc7ae76208acb9adbb18b1fd7b2b8b2b9db003b260c9fc199f77703b7d

SHA512
d2ccf1f0816cfec23787ab382d1180015536a6e350d12154e37d447cf1ca290e561739406869a6f3b1df7f03483f7a9d57218bf8cd4d2bacb53fbd71b13d829e

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
a6fd12a9f700799f94ab2b362570c60e

SHA1
20f668861e869d8b37386897aa9194895b94db90

SHA256
89ff848ff044490da13432d0e900d34c05d91e6d2c2b53cb22d56e43f595a584

SHA512
ae58eb85997ce07b019989bfb4d2d0c702ed965e7d05a4095846940fd31fe6333d626f69302d47c414ad4e68f766495f003448d5d447290ca35bc7705efbb136

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
a6fd12a9f700799f94ab2b362570c60e

SHA1
20f668861e869d8b37386897aa9194895b94db90

SHA256
89ff848ff044490da13432d0e900d34c05d91e6d2c2b53cb22d56e43f595a584

SHA512
ae58eb85997ce07b019989bfb4d2d0c702ed965e7d05a4095846940fd31fe6333d626f69302d47c414ad4e68f766495f003448d5d447290ca35bc7705efbb136

Download Submit
memory/936-66-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/936-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/936-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1560-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1560-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1592-68-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1592-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1764-46-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2040-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2040-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3812-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3812-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4100-69-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4100-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4612-67-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4612-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4960-70-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4960-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads