391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4

Analysis

max time kernel
135s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe
Size

1.7MB
MD5

7d48f606db1fbc78efd38d7643de27b0
SHA1

30aaf022013fabaf02047455ffdb34f3973cbe03
SHA256

391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4
SHA512

b967045c620e381197fb97dabf68ff0ef2b4cf345f6e0e06862ab133d43983ad58e92382b8b6259b30bbf864b24040a01163652a7cedf8eb98ff123e82b2b8a9
SSDEEP

49152:Dix7/ix7yix7/ix7Xcix7/ix7yix7/ix7:DU/UyU/UXcU/UyU/U

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe

Executes dropped EXE 17 IoCs

pid	Process
3768	Cmnpgb32.exe
4844	Cdhhdlid.exe
1000	Cffdpghg.exe
4628	Dobfld32.exe
216	Delnin32.exe
4172	Dhkjej32.exe
980	Dkifae32.exe
2688	Dmgbnq32.exe
3620	Deokon32.exe
3652	Dhmgki32.exe
1072	Dkkcge32.exe
2632	Dogogcpo.exe
736	Daekdooc.exe
912	Dddhpjof.exe
396	Dgbdlf32.exe
804	Dknpmdfc.exe
4028	Dmllipeg.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe

Program crash 1 IoCs

pid	pid_target	Process
1884	4028	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 3768	1284	391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe	86
PID 1284 wrote to memory of 3768	1284	391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe	86
PID 1284 wrote to memory of 3768	1284	391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe	86
PID 3768 wrote to memory of 4844	3768	Cmnpgb32.exe	87
PID 3768 wrote to memory of 4844	3768	Cmnpgb32.exe	87
PID 3768 wrote to memory of 4844	3768	Cmnpgb32.exe	87
PID 4844 wrote to memory of 1000	4844	Cdhhdlid.exe	88
PID 4844 wrote to memory of 1000	4844	Cdhhdlid.exe	88
PID 4844 wrote to memory of 1000	4844	Cdhhdlid.exe	88
PID 1000 wrote to memory of 4628	1000	Cffdpghg.exe	89
PID 1000 wrote to memory of 4628	1000	Cffdpghg.exe	89
PID 1000 wrote to memory of 4628	1000	Cffdpghg.exe	89
PID 4628 wrote to memory of 216	4628	Dobfld32.exe	90
PID 4628 wrote to memory of 216	4628	Dobfld32.exe	90
PID 4628 wrote to memory of 216	4628	Dobfld32.exe	90
PID 216 wrote to memory of 4172	216	Delnin32.exe	91
PID 216 wrote to memory of 4172	216	Delnin32.exe	91
PID 216 wrote to memory of 4172	216	Delnin32.exe	91
PID 4172 wrote to memory of 980	4172	Dhkjej32.exe	92
PID 4172 wrote to memory of 980	4172	Dhkjej32.exe	92
PID 4172 wrote to memory of 980	4172	Dhkjej32.exe	92
PID 980 wrote to memory of 2688	980	Dkifae32.exe	93
PID 980 wrote to memory of 2688	980	Dkifae32.exe	93
PID 980 wrote to memory of 2688	980	Dkifae32.exe	93
PID 2688 wrote to memory of 3620	2688	Dmgbnq32.exe	94
PID 2688 wrote to memory of 3620	2688	Dmgbnq32.exe	94
PID 2688 wrote to memory of 3620	2688	Dmgbnq32.exe	94
PID 3620 wrote to memory of 3652	3620	Deokon32.exe	95
PID 3620 wrote to memory of 3652	3620	Deokon32.exe	95
PID 3620 wrote to memory of 3652	3620	Deokon32.exe	95
PID 3652 wrote to memory of 1072	3652	Dhmgki32.exe	96
PID 3652 wrote to memory of 1072	3652	Dhmgki32.exe	96
PID 3652 wrote to memory of 1072	3652	Dhmgki32.exe	96
PID 1072 wrote to memory of 2632	1072	Dkkcge32.exe	97
PID 1072 wrote to memory of 2632	1072	Dkkcge32.exe	97
PID 1072 wrote to memory of 2632	1072	Dkkcge32.exe	97
PID 2632 wrote to memory of 736	2632	Dogogcpo.exe	98
PID 2632 wrote to memory of 736	2632	Dogogcpo.exe	98
PID 2632 wrote to memory of 736	2632	Dogogcpo.exe	98
PID 736 wrote to memory of 912	736	Daekdooc.exe	99
PID 736 wrote to memory of 912	736	Daekdooc.exe	99
PID 736 wrote to memory of 912	736	Daekdooc.exe	99
PID 912 wrote to memory of 396	912	Dddhpjof.exe	100
PID 912 wrote to memory of 396	912	Dddhpjof.exe	100
PID 912 wrote to memory of 396	912	Dddhpjof.exe	100
PID 396 wrote to memory of 804	396	Dgbdlf32.exe	101
PID 396 wrote to memory of 804	396	Dgbdlf32.exe	101
PID 396 wrote to memory of 804	396	Dgbdlf32.exe	101
PID 804 wrote to memory of 4028	804	Dknpmdfc.exe	102
PID 804 wrote to memory of 4028	804	Dknpmdfc.exe	102
PID 804 wrote to memory of 4028	804	Dknpmdfc.exe	102

C:\Users\Admin\AppData\Local\Temp\391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe
"C:\Users\Admin\AppData\Local\Temp\391f33382ce0cef11146d3228dd3438ae42671e7dd3860f3c436fd99dad901b4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\Cmnpgb32.exe
  C:\Windows\system32\Cmnpgb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\SysWOW64\Cdhhdlid.exe
    C:\Windows\system32\Cdhhdlid.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\Cffdpghg.exe
      C:\Windows\system32\Cffdpghg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1000
    - - C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 396
        19⤵
        Program crash
        
        PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4028 -ip 4028
1⤵
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
1.7MB

MD5
b68e4fb9a12abf0f62f3ce488df4d869

SHA1
d58d33b998960cd53da9065aff01871900d85a44

SHA256
d7e1fd1586043f54c07109da1b8da06fb0d09e958adee1197e146b6c816f107d

SHA512
dba4c1575df6f0598355e9ceb8a73a1b54836a04cafacf8c378c618340320e371db35644d39b056815eeabb0975b8a4145822512b5ce971f118654b5c96e11b4

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
1.7MB

MD5
6155f83107bc99f6823962155cacaa6a

SHA1
23a4ed29422fd322b078692694917a8bd55aacec

SHA256
158d90a90c55a72d9effcf7bdc83117dae021ba3513894b8380385ab41dfe287

SHA512
5eaf508f421f588b5086d82f740190118c4ca8e0f71f606f50afa250548c99e20a184fb212cd87992090676add3f8c63e89d8c723242a3116f21fa478ab07d51

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
1.7MB

MD5
81959ba22a69d3bcdc38cdaa9eb84724

SHA1
be2e39762479b9450c67cfcc852dab9b6f13521c

SHA256
f67ffb0f8222fdbb1a9583d3654689fb1f58d3ad5cfc78ccbb710b703c02c7c0

SHA512
06e3858d2b5548673a3ce796ac2346acfe3955cf4896ea290fae78e806c1d189505077774ca056c4c2a5c129d2d18a9da9cb01481fdc888fe81e7881fb4f57a7

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
1.7MB

MD5
ce6f4ec1927b13fab9676ab6ba71116d

SHA1
78eaa8ed1acbaefcff72026865d44316c8d00067

SHA256
a103f0e65a2c18f743971c97352c6e8c60dfba020f5968c17ee4c9ef3b19ec41

SHA512
5a54949ed6d017079407be9268ce9f0feab79ae3fa04ee59f63630ea738df36e487011d729c656df41be9b9c5d4eb2316ed43a3b66ce8fcb0339c7e2ecd3dc92

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
1.7MB

MD5
8ce739f1c7a27f8894a072f1cc6ec87e

SHA1
a24dd52a62711ca3a1fa341b9a508eeba2bb77c2

SHA256
67883bbfb6c92a8a58673b4e64c1f6b9e4b6952cb4e4c24d3e55a8e64d8de7e3

SHA512
7d1bb7d4541f94971900f8de78808a3fd0c861914b7cff5d2baf191155f46fedd965e254c7c399bce80fff2ffc472f8667e8cab35aa54799a711cbadc15a0e08

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
1.7MB

MD5
793d97ce75a9b9bdaf00fc1afbe210da

SHA1
fe34f0ff80024c238dffe692fa8290429ce15871

SHA256
399ac41b046699c415d08257e03e1eca07440b5237e1f98b920bc17c54cdb2e9

SHA512
9854714a81eacaf627036111c14b9d88041ca2492df5d8a06e007204889fac9bb122080033f8a2003767c6b424f83854ee3da0dd4a295c1f4b5fc834d774d93c

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
1.7MB

MD5
76202ad8c7b4db66f1c7c9dff269f11d

SHA1
6babb80579df1e93d9065e1cf0a3d8506139ae67

SHA256
08fdb44a4ba277322ea27b395ae888012a6331e2a232ad174b443bcdcc66ed1f

SHA512
bb1e5c9f36d024a3f5332ab47b8c1aaab8778b864e1dca46fceb9585acb03260713588a325b7f325942c41a19031135386bb67a58f61f5d2931bfb9b11d902a1

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
1.7MB

MD5
2ac3559d2a59208e261ff0b670be13dd

SHA1
97ce1da9159c195e57a29a3cb79d8bd39a31dc18

SHA256
080a497baf76d7480c982bd32a7ee0b3b9701f27657c2f6bd2e5143167fc9b82

SHA512
31748380ae5ad6e5c2a536d144e72089bc9dcfcf8d70910112255ce64980f6764c432e40ae7138e9ce65a54c7ae6f8bf30b6e5ecf97a24a31b1f0b08b321176b

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
1.7MB

MD5
dcefb040606ccd6dee24cba8cd365924

SHA1
15ba237200a6959c37bfa6016ac47607a5754d53

SHA256
12ad75bb8149f582966ff30cbf8326ffff04eb69b0e76b3fb5f9b698ac9d2b97

SHA512
8842e104481c3309560bbf171d2aeea058d5d836122e9c5ff89a2a3ce8829951bac458d0ee86dd8c585695775e7bc7b79e5e181d6373fb5f42467051816ec6fa

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
1.7MB

MD5
8065589dead75955dd9998b35770673f

SHA1
a2b190326481ff012065a644b4e21cccfc90eb38

SHA256
e4af55b0a418a8eeffa582c9e822133b7ddfea5d4f9ed3f7b3853cf1028ab066

SHA512
427d0820c293a5ddffda17884384f077a78ab2ca92ae649fbc5049be6826463a3090a7e648a03fcfa90af3f19675f70dbebaeb84f5902bbd1539eaf12583e46c

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
1.7MB

MD5
00c4fe5ab2150e697ca825cfbf3e304d

SHA1
d9c498d6bbf3aa60b3843f9ac2a5abd2e6d296b4

SHA256
da549878f8640b6116bf3296da585c22e42ae942965138d3816f84b25dc518ca

SHA512
6b4853182391d566e81a0092fea19329e19a1d960738cb4512261313dd31493c6c5657d6f33d9396e36cdf3fcd72ee37dee73b658f8d30f8bc47804621ab6ef8

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
1.7MB

MD5
72ddf817293d0b6d267cca631e4c6d6e

SHA1
caec05c067e758acbce434ebc35379d59ec85aca

SHA256
83cc659bd8c15b0894ef46a6a79f828844516489ffcd4af758b891548444ccb5

SHA512
f40819227985758833ea72862002aeb59b47b1c8c6d53838598c24c085bbf7cb6efcb726af5cea3266a259ae9f76bc4f645586a715120e71f1405b1de0ea7c10

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
1.7MB

MD5
e84f5c8a39e0be3583becd8487a831e7

SHA1
d6dfdec3dc0f23ed5f5c4a909a5675cb2771ac32

SHA256
15a62b6f9d7c673b043000679bf996217b4be9d7554709038d673126f88e1dbe

SHA512
1df3ca4056cb424cbb48ceb67c001eec1325b3fe71faeb1756f6c7594a6c16ba7dd7dfbd780d8783f081eab08177e6c9ff6914adb55dec82890b22271437aa23

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
1.7MB

MD5
1d19c249cb270fb63907704c9cadd33f

SHA1
6301ccc35614170b103e9a78faada64650f9d962

SHA256
47a8038d308a56128e790877f3935107149a356fcff5f6875bcd75e40ad35130

SHA512
983517ecbe87a96cfaa7ac9bc8506394de1df1247d0d87b7579090c01050c1404e09ba16c48727d40b5b55736762c5889991b461c122c87e727730d828886ada

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
1.7MB

MD5
716947f9d45273212cc017dd52489330

SHA1
5ebda475c89dc82f54cf31c9fcac47f179b7b1cb

SHA256
85a0a1ba91595903708edb8884d8fcf59a0f3b5da19272e4741d2a34e3691d81

SHA512
a90e0900d27f4a47c951355ef74fbee8d473326a1c0a4c174b7c440658c6abb0592541b0ca104277028b2aa9370374a64d25a85272f3366267f729b35a6ca2cd

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
1.7MB

MD5
9e0e14831970065df6aaf92693a6bd36

SHA1
b53410204fa03bcc7c5f12b9aa1732765ebc27f5

SHA256
d6a8760e242ff302e8792c4b82f3722e6ea3a8adc7bff3721742e1ec1c4b9838

SHA512
63fbc806b79aa5c245245c229447f2fe835097884fca8a0487f08a04df46f4217ab6c1fc5f07ddb0f0ac199fd5dc2f9f5f68b8fe5236fffc316d5fefe26981a6

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
1.7MB

MD5
66016243891ede98ac116417e6cd3d13

SHA1
ad4703f5344f3f60c3bd9dbf0b4e5c85afbe12a8

SHA256
a492efec99656e17d93c5f1277457192cc285fba607c1c9ccedb7c34ce1a6546

SHA512
619521553ce6cccef4a74733e8e948259a182193f27d843c0cb83373a935a9a62170a8d8e750441f0dea9756eac14199d0bc967e95c2a5fd2651f798571fe1f3

Download Submit
memory/216-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/980-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1284-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads