a6207e6dd8862763e37e3011673b0346895ce8ee60d9be7fe697b04acf809123

Analysis

max time kernel
105s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

484faebc45f33d374b3e10631bf909b0N.exe
Size

1024KB
MD5

484faebc45f33d374b3e10631bf909b0
SHA1

e296ceeea18b68cc039ac5070fe2f98c3fa1ec87
SHA256

a6207e6dd8862763e37e3011673b0346895ce8ee60d9be7fe697b04acf809123
SHA512

a6859eaecbf266f2eb5c04aaf0e2562d2853a7e218a4662c824a83689dee76801c56f30ca4ea9d06af317e334057c3d2164e65661e8b1d2392d9090612f4f3ac
SSDEEP

24576:ptaSHFaZRBEYyqmaf2qwiHPKgRC4gvGZl6snARe:vaSHFaZRBEYyqmS2DiHPKQgmN

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	484faebc45f33d374b3e10631bf909b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	484faebc45f33d374b3e10631bf909b0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe

Executes dropped EXE 9 IoCs

pid	Process
1980	Dfiafg32.exe
3792	Dhhnpjmh.exe
4652	Daqbip32.exe
3560	Ddakjkqi.exe
1864	Dmjocp32.exe
1288	Dddhpjof.exe
4756	Dgbdlf32.exe
3000	Doilmc32.exe
3276	Dmllipeg.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dfiafg32.exe	484faebc45f33d374b3e10631bf909b0N.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	484faebc45f33d374b3e10631bf909b0N.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	484faebc45f33d374b3e10631bf909b0N.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Ddakjkqi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3648	3276	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	484faebc45f33d374b3e10631bf909b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	484faebc45f33d374b3e10631bf909b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	484faebc45f33d374b3e10631bf909b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	484faebc45f33d374b3e10631bf909b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	484faebc45f33d374b3e10631bf909b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	484faebc45f33d374b3e10631bf909b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	484faebc45f33d374b3e10631bf909b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1980	1388	484faebc45f33d374b3e10631bf909b0N.exe	84
PID 1388 wrote to memory of 1980	1388	484faebc45f33d374b3e10631bf909b0N.exe	84
PID 1388 wrote to memory of 1980	1388	484faebc45f33d374b3e10631bf909b0N.exe	84
PID 1980 wrote to memory of 3792	1980	Dfiafg32.exe	85
PID 1980 wrote to memory of 3792	1980	Dfiafg32.exe	85
PID 1980 wrote to memory of 3792	1980	Dfiafg32.exe	85
PID 3792 wrote to memory of 4652	3792	Dhhnpjmh.exe	86
PID 3792 wrote to memory of 4652	3792	Dhhnpjmh.exe	86
PID 3792 wrote to memory of 4652	3792	Dhhnpjmh.exe	86
PID 4652 wrote to memory of 3560	4652	Daqbip32.exe	87
PID 4652 wrote to memory of 3560	4652	Daqbip32.exe	87
PID 4652 wrote to memory of 3560	4652	Daqbip32.exe	87
PID 3560 wrote to memory of 1864	3560	Ddakjkqi.exe	88
PID 3560 wrote to memory of 1864	3560	Ddakjkqi.exe	88
PID 3560 wrote to memory of 1864	3560	Ddakjkqi.exe	88
PID 1864 wrote to memory of 1288	1864	Dmjocp32.exe	89
PID 1864 wrote to memory of 1288	1864	Dmjocp32.exe	89
PID 1864 wrote to memory of 1288	1864	Dmjocp32.exe	89
PID 1288 wrote to memory of 4756	1288	Dddhpjof.exe	90
PID 1288 wrote to memory of 4756	1288	Dddhpjof.exe	90
PID 1288 wrote to memory of 4756	1288	Dddhpjof.exe	90
PID 4756 wrote to memory of 3000	4756	Dgbdlf32.exe	91
PID 4756 wrote to memory of 3000	4756	Dgbdlf32.exe	91
PID 4756 wrote to memory of 3000	4756	Dgbdlf32.exe	91
PID 3000 wrote to memory of 3276	3000	Doilmc32.exe	92
PID 3000 wrote to memory of 3276	3000	Doilmc32.exe	92
PID 3000 wrote to memory of 3276	3000	Doilmc32.exe	92

C:\Users\Admin\AppData\Local\Temp\484faebc45f33d374b3e10631bf909b0N.exe
"C:\Users\Admin\AppData\Local\Temp\484faebc45f33d374b3e10631bf909b0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\Dfiafg32.exe
  C:\Windows\system32\Dfiafg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\Dhhnpjmh.exe
    C:\Windows\system32\Dhhnpjmh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\SysWOW64\Daqbip32.exe
      C:\Windows\system32\Daqbip32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4652
    - - C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
      - C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 396
        11⤵
        Program crash
        
        PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3276 -ip 3276
1⤵
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daqbip32.exe

Filesize
1024KB

MD5
7c5295b37e9989a93996cff166e9fa74

SHA1
f229499f00e73c509e6cc929826d62da85923bac

SHA256
c56403e3f5bd268be8590aec1c7fb010dc83410171d146f17830e46727f44a69

SHA512
a5ca8a35d9685f349ae478edaecf93fd225c07cf7b6cab8fd51993154162b247fe70a1d0d1a9d6acef0aaa6494764e79e5280abd4cc1ac20f6f84fe64b0d5b6d

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
1024KB

MD5
33843cea3c0a1e55dfbc883b1d77acf3

SHA1
d628a9e2547636db271481281c7793a8e9b312de

SHA256
bfa784f5705ea013115eef40c765ee6659dff11a5833bd6e736a4be3daf82b88

SHA512
211f8924d69e228cf5d281ab19ff70ae83910c910cb9b3170eb3e13cb4389b18987c8b800dbdc29a10625878fa71024bfd3ad2b1b29a6be25aadb6fd6cccdfa4

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
1024KB

MD5
e8c91895bd46d22b344d8bd832791e83

SHA1
3ba4ad748b0b76d941496ba93154ede74b624a96

SHA256
f8a0641f0c29e0654c41b53cb42bae0814996c47c839a3540ec2d6b7f4ff7539

SHA512
9036d28e24e1c22e0d77ff243d641d11503e43f3b95f5a873bc2f704f20f7672073da9114b5b1fec0a664ec9b2f42230822e30898a3a374c84a8ff72a53ac552

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
1024KB

MD5
b13d8d7342e43e23ef44b450ad7aa5e1

SHA1
ba7bd5eab96f934043b8dd34c40d02fa9fb8c291

SHA256
86915b98d24486234893b4235dec25efa0badcae27f36da5c64f2423de5c8270

SHA512
243860bc76fae30d0331e61115cb99d2962e704bcccf5bad4bd5412b33130ac0ed59d194df51728ef28c5bfe3ccccf32fdea29038ffc394abb2ccbb60fdaf6df

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
1024KB

MD5
d4a6a2087c21db8794dff194a569df97

SHA1
0b2f889368a9789f807851416ee8c01e0dada92b

SHA256
854c572869efff6b70307edfa585086bed694a39388172dbd05e77c0b7abadc3

SHA512
36224a1471679df13be26d9f514cb519b841beb95e79068fdf5f1144630a338a772b7b664d299fbf4262d6060b5631cdbc94de8e187020219fbb33802e6a3d19

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
1024KB

MD5
aed4c44fbf9f6894a1273e18a4be0ab9

SHA1
4d5261596aff319babb9b62c18ba359d0cd17f28

SHA256
a1413fb89a122ba5c307fa109fa69fcb4dddcf84467fd4b75106c4eacdad7dac

SHA512
85d606263d5ad70f94c8e996874636e6fc70f09897da5a98bf92c196b50fbbdb1ba17617f1898b6b658cf0023830645c3f802fdaf7874868b656eaebaf7d1cb5

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
1024KB

MD5
efa9549b2629fb2ee6ef9ac04418e5ea

SHA1
73e1eb3451ec7062179b82dc32ce6dc2866eec6c

SHA256
599b68b9ebab8ad177151a37b1faa78bdc43d90c47653c1789f807b8f004d470

SHA512
1745cc28f3b0431684104a2abf815eb9598e65970c17dc5a6ec2f5e0ef20c1db5d1ded5b5007af051175584bea86ec17a758d138372a41ae02a1c5c7e434844f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
1024KB

MD5
d77c9d3733ec5ebfdaa6d42e60062800

SHA1
afa4c4f854aa1d258013c3c3450687507b6aec5a

SHA256
b4356010ebb4625dc58c50385479af4567ad4fd1c0553020a537809c42248d04

SHA512
9b5d3d7bd1a43691a80a1db0a6357f49d7257776ab54348d3b2bebb5f8ef8aadf269e4fe67da368e0744e2816dd077ab5950b1a81662d4a484296b75014c4b0d

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
1024KB

MD5
78046da6fdb1cd7263923675c7d4e07f

SHA1
18fa5ee383e65583adfb20ada3fbfc98fbc213fe

SHA256
3173f9d209f99d0fcea41fecf4717632967c295f28041c18f911c0cc05c2a277

SHA512
a3fb3d8f27ae71b0340aa46a497e07f209ae06fcbaec876982309f848fa9322f5f87f4de9215dbf53525da5ecaea6f2501361b09dde639c1f8e5cb8c2fb44d8d

Download Submit
memory/1288-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1864-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads