cb62d1c952edfe3007689a9f87e4394c9c2edd23d9e56538794dd43dea3d48cc

Analysis

max time kernel
35s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0d24b8971c2499fdc7843eb9b3e39e0N.exe
Size

96KB
MD5

c0d24b8971c2499fdc7843eb9b3e39e0
SHA1

e178cf4044bdd0bfbce88d013447d3e803190c9c
SHA256

cb62d1c952edfe3007689a9f87e4394c9c2edd23d9e56538794dd43dea3d48cc
SHA512

1cd5df5421c16d069fe1e613152e8458608f0cdc61d0d4dda07deb1689158c546384fd3884401d6092e0288fc8ec85b0e896f9d2a62e739a12a75f217ca011de
SSDEEP

1536:YkXuYph+Z3x+2iHto/QQXL675wvAU43uM22tq74S7V+5pUMv84WMRw8Dkqq:YyugM1x+2iN6jXu754AU4Yii4Sp+7H7c

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknekeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eojnkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dccagcgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmpkjkma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlgldibq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caknol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emieil32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caknol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dccagcgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmicm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhbfdjdp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c0d24b8971c2499fdc7843eb9b3e39e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdlgpgef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkcofe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c0d24b8971c2499fdc7843eb9b3e39e0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlgpgef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dlgldibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekelld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqbddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqbddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djklnnaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djmicm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknekeef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emieil32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcadac32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eplkpgnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmpkjkma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dliijipn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkcofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eplkpgnh.exe

Executes dropped EXE 29 IoCs

pid	Process
2796	Caknol32.exe
2728	Cghggc32.exe
2960	Cdlgpgef.exe
2584	Dgjclbdi.exe
2124	Dlgldibq.exe
320	Dcadac32.exe
1484	Djklnnaj.exe
3052	Dliijipn.exe
2840	Dccagcgk.exe
2860	Djmicm32.exe
1512	Dknekeef.exe
2928	Dcenlceh.exe
1912	Dhbfdjdp.exe
1700	Dkqbaecc.exe
1872	Ddigjkid.exe
2188	Dkcofe32.exe
1240	Ehgppi32.exe
1616	Ekelld32.exe
2484	Eqbddk32.exe
1556	Ecqqpgli.exe
3040	Emieil32.exe
2536	Eqdajkkb.exe
1504	Edpmjj32.exe
2064	Eojnkg32.exe
2732	Ejobhppq.exe
2800	Eplkpgnh.exe
2748	Echfaf32.exe
2700	Fmpkjkma.exe
2660	Fkckeh32.exe

Loads dropped DLL 62 IoCs

pid	Process
2472	c0d24b8971c2499fdc7843eb9b3e39e0N.exe
2472	c0d24b8971c2499fdc7843eb9b3e39e0N.exe
2796	Caknol32.exe
2796	Caknol32.exe
2728	Cghggc32.exe
2728	Cghggc32.exe
2960	Cdlgpgef.exe
2960	Cdlgpgef.exe
2584	Dgjclbdi.exe
2584	Dgjclbdi.exe
2124	Dlgldibq.exe
2124	Dlgldibq.exe
320	Dcadac32.exe
320	Dcadac32.exe
1484	Djklnnaj.exe
1484	Djklnnaj.exe
3052	Dliijipn.exe
3052	Dliijipn.exe
2840	Dccagcgk.exe
2840	Dccagcgk.exe
2860	Djmicm32.exe
2860	Djmicm32.exe
1512	Dknekeef.exe
1512	Dknekeef.exe
2928	Dcenlceh.exe
2928	Dcenlceh.exe
1912	Dhbfdjdp.exe
1912	Dhbfdjdp.exe
1700	Dkqbaecc.exe
1700	Dkqbaecc.exe
1872	Ddigjkid.exe
1872	Ddigjkid.exe
2188	Dkcofe32.exe
2188	Dkcofe32.exe
1240	Ehgppi32.exe
1240	Ehgppi32.exe
1616	Ekelld32.exe
1616	Ekelld32.exe
2484	Eqbddk32.exe
2484	Eqbddk32.exe
1556	Ecqqpgli.exe
1556	Ecqqpgli.exe
3040	Emieil32.exe
3040	Emieil32.exe
2536	Eqdajkkb.exe
2536	Eqdajkkb.exe
1504	Edpmjj32.exe
1504	Edpmjj32.exe
2064	Eojnkg32.exe
2064	Eojnkg32.exe
2732	Ejobhppq.exe
2732	Ejobhppq.exe
2800	Eplkpgnh.exe
2800	Eplkpgnh.exe
2748	Echfaf32.exe
2748	Echfaf32.exe
2700	Fmpkjkma.exe
2700	Fmpkjkma.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Epjomppp.dll	Djklnnaj.exe
File created	C:\Windows\SysWOW64\Lfnjef32.dll	Ekelld32.exe
File created	C:\Windows\SysWOW64\Loinmo32.dll	Cghggc32.exe
File created	C:\Windows\SysWOW64\Dknekeef.exe	Djmicm32.exe
File created	C:\Windows\SysWOW64\Ekgednng.dll	Eojnkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dgjclbdi.exe	Cdlgpgef.exe
File created	C:\Windows\SysWOW64\Bjidgghp.dll	Dknekeef.exe
File created	C:\Windows\SysWOW64\Dkqbaecc.exe	Dhbfdjdp.exe
File created	C:\Windows\SysWOW64\Ckgkkllh.dll	Dhbfdjdp.exe
File created	C:\Windows\SysWOW64\Geemiobo.dll	Dkcofe32.exe
File created	C:\Windows\SysWOW64\Eqdajkkb.exe	Emieil32.exe
File created	C:\Windows\SysWOW64\Cdlgpgef.exe	Cghggc32.exe
File opened for modification	C:\Windows\SysWOW64\Dcenlceh.exe	Dknekeef.exe
File opened for modification	C:\Windows\SysWOW64\Dkqbaecc.exe	Dhbfdjdp.exe
File opened for modification	C:\Windows\SysWOW64\Dccagcgk.exe	Dliijipn.exe
File opened for modification	C:\Windows\SysWOW64\Ehgppi32.exe	Dkcofe32.exe
File created	C:\Windows\SysWOW64\Dinhacjp.dll	Eqbddk32.exe
File created	C:\Windows\SysWOW64\Emieil32.exe	Ecqqpgli.exe
File opened for modification	C:\Windows\SysWOW64\Eqdajkkb.exe	Emieil32.exe
File created	C:\Windows\SysWOW64\Ejobhppq.exe	Eojnkg32.exe
File created	C:\Windows\SysWOW64\Qbgpffch.dll	Cdlgpgef.exe
File opened for modification	C:\Windows\SysWOW64\Dcadac32.exe	Dlgldibq.exe
File created	C:\Windows\SysWOW64\Dccagcgk.exe	Dliijipn.exe
File opened for modification	C:\Windows\SysWOW64\Dhbfdjdp.exe	Dcenlceh.exe
File created	C:\Windows\SysWOW64\Dkcofe32.exe	Ddigjkid.exe
File opened for modification	C:\Windows\SysWOW64\Echfaf32.exe	Eplkpgnh.exe
File created	C:\Windows\SysWOW64\Abofbl32.dll	Echfaf32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Fmpkjkma.exe
File opened for modification	C:\Windows\SysWOW64\Dlgldibq.exe	Dgjclbdi.exe
File opened for modification	C:\Windows\SysWOW64\Ddigjkid.exe	Dkqbaecc.exe
File opened for modification	C:\Windows\SysWOW64\Dkcofe32.exe	Ddigjkid.exe
File opened for modification	C:\Windows\SysWOW64\Ekelld32.exe	Ehgppi32.exe
File created	C:\Windows\SysWOW64\Eojnkg32.exe	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Lkmkpl32.dll	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Dcadac32.exe	Dlgldibq.exe
File created	C:\Windows\SysWOW64\Dcenlceh.exe	Dknekeef.exe
File created	C:\Windows\SysWOW64\Ddigjkid.exe	Dkqbaecc.exe
File created	C:\Windows\SysWOW64\Dliijipn.exe	Djklnnaj.exe
File created	C:\Windows\SysWOW64\Opfdll32.dll	c0d24b8971c2499fdc7843eb9b3e39e0N.exe
File opened for modification	C:\Windows\SysWOW64\Cdlgpgef.exe	Cghggc32.exe
File created	C:\Windows\SysWOW64\Dgjclbdi.exe	Cdlgpgef.exe
File created	C:\Windows\SysWOW64\Dlgldibq.exe	Dgjclbdi.exe
File created	C:\Windows\SysWOW64\Djmicm32.exe	Dccagcgk.exe
File created	C:\Windows\SysWOW64\Egqdeaqb.dll	Djmicm32.exe
File created	C:\Windows\SysWOW64\Cbcodmih.dll	Ddigjkid.exe
File created	C:\Windows\SysWOW64\Caknol32.exe	c0d24b8971c2499fdc7843eb9b3e39e0N.exe
File created	C:\Windows\SysWOW64\Najgne32.dll	Eplkpgnh.exe
File created	C:\Windows\SysWOW64\Iifjjk32.dll	Dliijipn.exe
File opened for modification	C:\Windows\SysWOW64\Dknekeef.exe	Djmicm32.exe
File created	C:\Windows\SysWOW64\Ekelld32.exe	Ehgppi32.exe
File created	C:\Windows\SysWOW64\Pmdgmd32.dll	Eqdajkkb.exe
File opened for modification	C:\Windows\SysWOW64\Dliijipn.exe	Djklnnaj.exe
File opened for modification	C:\Windows\SysWOW64\Djmicm32.exe	Dccagcgk.exe
File created	C:\Windows\SysWOW64\Odifab32.dll	Dccagcgk.exe
File created	C:\Windows\SysWOW64\Ehgppi32.exe	Dkcofe32.exe
File created	C:\Windows\SysWOW64\Olfeho32.dll	Ehgppi32.exe
File opened for modification	C:\Windows\SysWOW64\Emieil32.exe	Ecqqpgli.exe
File created	C:\Windows\SysWOW64\Edpmjj32.exe	Eqdajkkb.exe
File created	C:\Windows\SysWOW64\Eplkpgnh.exe	Ejobhppq.exe
File created	C:\Windows\SysWOW64\Eofjhkoj.dll	Dlgldibq.exe
File opened for modification	C:\Windows\SysWOW64\Fmpkjkma.exe	Echfaf32.exe
File created	C:\Windows\SysWOW64\Djklnnaj.exe	Dcadac32.exe
File created	C:\Windows\SysWOW64\Dhbfdjdp.exe	Dcenlceh.exe
File created	C:\Windows\SysWOW64\Mledlaqd.dll	Dkqbaecc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2304	2660	WerFault.exe	58

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0d24b8971c2499fdc7843eb9b3e39e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlgldibq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmicm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknekeef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqbaecc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddigjkid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehgppi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqdajkkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dccagcgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecqqpgli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejobhppq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echfaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmpkjkma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cghggc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbfdjdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqbddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emieil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caknol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlgpgef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djklnnaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekelld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dliijipn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcenlceh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edpmjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgjclbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkcofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eojnkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcadac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eplkpgnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcadac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll"	Dknekeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll"	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loinmo32.dll"	Cghggc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecqqpgli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifjjk32.dll"	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffmipmp.dll"	Emieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgkkllh.dll"	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnghjbjl.dll"	Caknol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mledlaqd.dll"	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekelld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlgldibq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdlgpgef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eofjhkoj.dll"	Dlgldibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnjef32.dll"	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dinhacjp.dll"	Eqbddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfdll32.dll"	c0d24b8971c2499fdc7843eb9b3e39e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjomppp.dll"	Djklnnaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkcofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abofbl32.dll"	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkaflan.dll"	Dcadac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c0d24b8971c2499fdc7843eb9b3e39e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c0d24b8971c2499fdc7843eb9b3e39e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghiae32.dll"	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Echfaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c0d24b8971c2499fdc7843eb9b3e39e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	c0d24b8971c2499fdc7843eb9b3e39e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkqbaecc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqbddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	c0d24b8971c2499fdc7843eb9b3e39e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dccagcgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifab32.dll"	Dccagcgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknekeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknekeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geemiobo.dll"	Dkcofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmkpl32.dll"	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caknol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfacfkje.dll"	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqdeaqb.dll"	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkcofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfeho32.dll"	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll"	Eojnkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cghggc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmpkjkma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgjclbdi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2796	2472	c0d24b8971c2499fdc7843eb9b3e39e0N.exe	30
PID 2472 wrote to memory of 2796	2472	c0d24b8971c2499fdc7843eb9b3e39e0N.exe	30
PID 2472 wrote to memory of 2796	2472	c0d24b8971c2499fdc7843eb9b3e39e0N.exe	30
PID 2472 wrote to memory of 2796	2472	c0d24b8971c2499fdc7843eb9b3e39e0N.exe	30
PID 2796 wrote to memory of 2728	2796	Caknol32.exe	31
PID 2796 wrote to memory of 2728	2796	Caknol32.exe	31
PID 2796 wrote to memory of 2728	2796	Caknol32.exe	31
PID 2796 wrote to memory of 2728	2796	Caknol32.exe	31
PID 2728 wrote to memory of 2960	2728	Cghggc32.exe	32
PID 2728 wrote to memory of 2960	2728	Cghggc32.exe	32
PID 2728 wrote to memory of 2960	2728	Cghggc32.exe	32
PID 2728 wrote to memory of 2960	2728	Cghggc32.exe	32
PID 2960 wrote to memory of 2584	2960	Cdlgpgef.exe	33
PID 2960 wrote to memory of 2584	2960	Cdlgpgef.exe	33
PID 2960 wrote to memory of 2584	2960	Cdlgpgef.exe	33
PID 2960 wrote to memory of 2584	2960	Cdlgpgef.exe	33
PID 2584 wrote to memory of 2124	2584	Dgjclbdi.exe	34
PID 2584 wrote to memory of 2124	2584	Dgjclbdi.exe	34
PID 2584 wrote to memory of 2124	2584	Dgjclbdi.exe	34
PID 2584 wrote to memory of 2124	2584	Dgjclbdi.exe	34
PID 2124 wrote to memory of 320	2124	Dlgldibq.exe	35
PID 2124 wrote to memory of 320	2124	Dlgldibq.exe	35
PID 2124 wrote to memory of 320	2124	Dlgldibq.exe	35
PID 2124 wrote to memory of 320	2124	Dlgldibq.exe	35
PID 320 wrote to memory of 1484	320	Dcadac32.exe	36
PID 320 wrote to memory of 1484	320	Dcadac32.exe	36
PID 320 wrote to memory of 1484	320	Dcadac32.exe	36
PID 320 wrote to memory of 1484	320	Dcadac32.exe	36
PID 1484 wrote to memory of 3052	1484	Djklnnaj.exe	37
PID 1484 wrote to memory of 3052	1484	Djklnnaj.exe	37
PID 1484 wrote to memory of 3052	1484	Djklnnaj.exe	37
PID 1484 wrote to memory of 3052	1484	Djklnnaj.exe	37
PID 3052 wrote to memory of 2840	3052	Dliijipn.exe	38
PID 3052 wrote to memory of 2840	3052	Dliijipn.exe	38
PID 3052 wrote to memory of 2840	3052	Dliijipn.exe	38
PID 3052 wrote to memory of 2840	3052	Dliijipn.exe	38
PID 2840 wrote to memory of 2860	2840	Dccagcgk.exe	39
PID 2840 wrote to memory of 2860	2840	Dccagcgk.exe	39
PID 2840 wrote to memory of 2860	2840	Dccagcgk.exe	39
PID 2840 wrote to memory of 2860	2840	Dccagcgk.exe	39
PID 2860 wrote to memory of 1512	2860	Djmicm32.exe	40
PID 2860 wrote to memory of 1512	2860	Djmicm32.exe	40
PID 2860 wrote to memory of 1512	2860	Djmicm32.exe	40
PID 2860 wrote to memory of 1512	2860	Djmicm32.exe	40
PID 1512 wrote to memory of 2928	1512	Dknekeef.exe	41
PID 1512 wrote to memory of 2928	1512	Dknekeef.exe	41
PID 1512 wrote to memory of 2928	1512	Dknekeef.exe	41
PID 1512 wrote to memory of 2928	1512	Dknekeef.exe	41
PID 2928 wrote to memory of 1912	2928	Dcenlceh.exe	42
PID 2928 wrote to memory of 1912	2928	Dcenlceh.exe	42
PID 2928 wrote to memory of 1912	2928	Dcenlceh.exe	42
PID 2928 wrote to memory of 1912	2928	Dcenlceh.exe	42
PID 1912 wrote to memory of 1700	1912	Dhbfdjdp.exe	43
PID 1912 wrote to memory of 1700	1912	Dhbfdjdp.exe	43
PID 1912 wrote to memory of 1700	1912	Dhbfdjdp.exe	43
PID 1912 wrote to memory of 1700	1912	Dhbfdjdp.exe	43
PID 1700 wrote to memory of 1872	1700	Dkqbaecc.exe	44
PID 1700 wrote to memory of 1872	1700	Dkqbaecc.exe	44
PID 1700 wrote to memory of 1872	1700	Dkqbaecc.exe	44
PID 1700 wrote to memory of 1872	1700	Dkqbaecc.exe	44
PID 1872 wrote to memory of 2188	1872	Ddigjkid.exe	45
PID 1872 wrote to memory of 2188	1872	Ddigjkid.exe	45
PID 1872 wrote to memory of 2188	1872	Ddigjkid.exe	45
PID 1872 wrote to memory of 2188	1872	Ddigjkid.exe	45

C:\Users\Admin\AppData\Local\Temp\c0d24b8971c2499fdc7843eb9b3e39e0N.exe
"C:\Users\Admin\AppData\Local\Temp\c0d24b8971c2499fdc7843eb9b3e39e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\Caknol32.exe
  C:\Windows\system32\Caknol32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\Cghggc32.exe
    C:\Windows\system32\Cghggc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\Cdlgpgef.exe
      C:\Windows\system32\Cdlgpgef.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\SysWOW64\Dgjclbdi.exe
        
        C:\Windows\system32\Dgjclbdi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\SysWOW64\Dlgldibq.exe
        
        C:\Windows\system32\Dlgldibq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Dcadac32.exe
        
        C:\Windows\system32\Dcadac32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Djklnnaj.exe
        
        C:\Windows\system32\Djklnnaj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Dliijipn.exe
        
        C:\Windows\system32\Dliijipn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Dccagcgk.exe
        
        C:\Windows\system32\Dccagcgk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Djmicm32.exe
        
        C:\Windows\system32\Djmicm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Dknekeef.exe
        
        C:\Windows\system32\Dknekeef.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Dcenlceh.exe
        
        C:\Windows\system32\Dcenlceh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Dhbfdjdp.exe
        
        C:\Windows\system32\Dhbfdjdp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Dkqbaecc.exe
        
        C:\Windows\system32\Dkqbaecc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Ddigjkid.exe
        
        C:\Windows\system32\Ddigjkid.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Dkcofe32.exe
        
        C:\Windows\system32\Dkcofe32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Ehgppi32.exe
        
        C:\Windows\system32\Ehgppi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Ekelld32.exe
        
        C:\Windows\system32\Ekelld32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Eqbddk32.exe
        
        C:\Windows\system32\Eqbddk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Ecqqpgli.exe
        
        C:\Windows\system32\Ecqqpgli.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Emieil32.exe
        
        C:\Windows\system32\Emieil32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Eqdajkkb.exe
        
        C:\Windows\system32\Eqdajkkb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Edpmjj32.exe
        
        C:\Windows\system32\Edpmjj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Eojnkg32.exe
        
        C:\Windows\system32\Eojnkg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Ejobhppq.exe
        
        C:\Windows\system32\Ejobhppq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Eplkpgnh.exe
        
        C:\Windows\system32\Eplkpgnh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Echfaf32.exe
        
        C:\Windows\system32\Echfaf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Fmpkjkma.exe
        
        C:\Windows\system32\Fmpkjkma.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 140
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caknol32.exe

Filesize
96KB

MD5
145d08579382d870366b0eb068fb26a7

SHA1
07b719d4bfbcb8fb71efa25143962ce4cb539e00

SHA256
7448c24dda59723559e1342ce968da1cb581d0ea4ddd43c9dfa1606d841be6ad

SHA512
59322a0ec6023efff20973a3dd2473c920488f09cf4efefe394376b6719015228137b66c953b2d5ec925decdae7a71902837b2212e917f2f9565942755c1368e

Download Submit
C:\Windows\SysWOW64\Dcadac32.exe

Filesize
96KB

MD5
607e78b9e7ac2df79567dd07e0c45891

SHA1
865a3938e3bb855bc6c54decb32b3697ca3a6357

SHA256
4358754fe58540d0af59aa66577c49a60631e17d79aafa344e2dac1e7c51ff70

SHA512
6a0d0641edf24593311bb74076ef311ae5b3e2590f78d340d5fac549913c870fe3558f68aedfa951d9cd79481507c83f671baa68e64c640473c8356622beedc9

Download Submit
C:\Windows\SysWOW64\Dgjclbdi.exe

Filesize
96KB

MD5
5026d93f783781bf739a4bf57e5fc8f8

SHA1
4f39379833052162d3c244ed980e00c6dd4653cd

SHA256
a2dac137dd2cb0d4957c15699b1d320e1ee488b1b9320f5fd523a1ebe00780b6

SHA512
6a4335a16aba8d28df9f83bc6f1830297b733af4a3c8338ead56c25d978b2612ad9853de3f4b6b620906b9330ca57bf0a62a3a21cc26787fc00836a014229edd

Download Submit
C:\Windows\SysWOW64\Djmicm32.exe

Filesize
96KB

MD5
95cfc549ec39a2432bf6518e171cb55f

SHA1
3cd80751d642a0d118e377ac31942f5042839e74

SHA256
fc0aa9d4010e41cf8dab51f35a1afc20dbf1e37a5914748ebd52d34cf49a0ae5

SHA512
182e39f8156d926e8e37562d7f0452cc282003e5fbed551a2a08054b2595cb0f1b3ac4feb9abe8a56e1e04699a6d0d16aea0f1f5f52b6a9e6ea758a548fa7f48

Download Submit
C:\Windows\SysWOW64\Dkqbaecc.exe

Filesize
96KB

MD5
0b7a96237742d47553bb79fd23c8692a

SHA1
a25eaeff09a87e5d802ff76248bc72da22c03c59

SHA256
513485d62fd802d266b4900478b5c01bbbde79d46d38557359ea15e222cf9df7

SHA512
51c5b9417f732a10dfdb7265785c5a7809769b35773879643593b9cce192121919ddf665e81140e13b1d4e9d65b6a31ca4669b88d4490ee8613fb334c1c70037

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
96KB

MD5
8c71d7fe6a1077be8226343b760d5838

SHA1
ce95cc6370938bd0a94290778fa6c28c9908a5e9

SHA256
39f912b3b9da648f21ebf6de6bfe3da4e9ac356b4d31e3172ced7dfffbb8c160

SHA512
ca224397fd619b6e0f8f11871a9e8180dd17efbc93af391e5b81ffcea27c0075c2878148ee84137ffaa85962a980268eda718c84da496bd6a0002c8c19ea32be

Download Submit
C:\Windows\SysWOW64\Ecqqpgli.exe

Filesize
96KB

MD5
a4d7365be9c74d6fcff5c72b7cdff219

SHA1
c4fece92b4c39f4bad74808f0dca422d877bb6db

SHA256
fcc3691cc570cf22f66b9e9c267555747e8c24a74dd406de9a15a04c05d28370

SHA512
38cfb1602d1b3ca0e3a4d6e5364807e4c80f4efeeb89c0c69707db18e9c6f9a240ddf1aa61f3baf555f116be1b15e682e75ddb790d0678301c251f4c5753ce75

Download Submit
C:\Windows\SysWOW64\Edpmjj32.exe

Filesize
96KB

MD5
f99c18964707066895a6e19da23294f5

SHA1
aa16109f8d8f43ad42f3d52d2f18d67b6cab3215

SHA256
9e30ea3c9f44df828986c495a3762370c3a6841a1532a9d6791378c847913e44

SHA512
905527ac81cdbc7edffcaf375d986d5ca6ec69a6a250d7df556a611ce7c6f1bf3aeca7b7a461dd81378e2c105e216db14c4d7e669f2c9ca8856a6aeb94d57040

Download Submit
C:\Windows\SysWOW64\Ehgppi32.exe

Filesize
96KB

MD5
962f7cf89561fa2c786e43eed59c0fb3

SHA1
bc31221743bb5678818853fc70788d6b89cf7584

SHA256
4c7dfdb3ca490d19f62aefef0e1871c80eb0b583dcb38616475ee3b92a7585db

SHA512
eb091f910f2c3ebb282c65b7b989d586cde53576325249ac4a9a6a08c3d3ce9033154ea96edc6b47e39580d26ef1a4a86156c5cdeb4c896957c32b4acf083b8a

Download Submit
C:\Windows\SysWOW64\Ejobhppq.exe

Filesize
96KB

MD5
c752f433022d6105cc014ec7a5c7dc54

SHA1
91a6365f49550672094a204b83d7185ca251db90

SHA256
ccac60cdf02e04a1a5063e3f3ad6703f02c9fabccaeed9a2985e2c2d6787bcae

SHA512
fc38d671ff6dd81fbba9294d8a335c2f970f775e180134a035a7917609ba16abfff00dedbef8400be29dbf8bad203fdc22ed87dc53072302f94c7f12da79d389

Download Submit
C:\Windows\SysWOW64\Ekelld32.exe

Filesize
96KB

MD5
e9ae81dacf468f6edfd274137098c76b

SHA1
cc1ba1bdf4a8ebd63a3e8644bdbfa8971b54d12b

SHA256
de81439821da3c384e1c5178cd0b960ab2ca8d6c22d9e5792403333f1a03c0b5

SHA512
776f9e803d605d92c023f4d2ffe83fc8f4771c8c95d5c416d70d1a15ce15b682b8f4e61b47fd0e02c5e8cae1c0b0a00c7198d36e5edcfbbfb355185fb2dd3b99

Download Submit
C:\Windows\SysWOW64\Emieil32.exe

Filesize
96KB

MD5
bb9fea0dea7009b6f54fff8aba0bbbcb

SHA1
ae499bd1751be6ebbe1f4a38f79df8cdef4e5f60

SHA256
c1929a9196c425cd56d2752a48eef806a3ff4f626950f2c72670654db85a9826

SHA512
f01b46a107de40fbf67a0e38ea86ff4125c59b9f742e4b6a05a67ff93f5e10970a6e0e41d815db56b8b0e5074c8846142bca7656c59e5554d8c7eb672b969a20

Download Submit
C:\Windows\SysWOW64\Eojnkg32.exe

Filesize
96KB

MD5
cb4ffd1d4ffc7ae8ddb0df80f9f37566

SHA1
99d5500b44547421e2769d576f6f3b00a48a0a87

SHA256
3e2684b6a46829a47bd2c0138ef7ad9c86de1b23287dc4fee0313d2220dfc9c7

SHA512
fc337f5ecf7b3e027235fd8d04a54320537465d16f9ae4ee6d6ddc6bf745fd6be4f7f05f881b04f5b586123d4aec2561d4ce7a7a776ae4810172d5adf6c5bbaf

Download Submit
C:\Windows\SysWOW64\Eplkpgnh.exe

Filesize
96KB

MD5
fb4bd0e468d15ae78cb6a74f4460d12f

SHA1
41e0f30dd187e1cfb2faccc19f2992e1962dd468

SHA256
f84eeb38f4bb0bc8c5ada4d7e0f97a6d9689c2ac587ebf4525883304b3c27fe3

SHA512
46ccb9dba3ef9f9b66902afa28cfb1fe8491facb3de4eb028205bc9f62025f78c852a8cfaf53e81990b0d964b39da35b8686d3df28d8cebb41911b80c3ed7fe3

Download Submit
C:\Windows\SysWOW64\Eqbddk32.exe

Filesize
96KB

MD5
515cdb1468c5bb47170763077e57a457

SHA1
c18bca64f23c6ae3ce1874384d93090c67a6d2d4

SHA256
7d9ecc0bf16731b630c169ff52ffc4b9b228d9c2849d2ccc010edc594fc908b0

SHA512
dde12a1f698d0d551afbb15205a7ba2d91abb24460169294891f0995a07b0a796a001e5e867cc895ca6b6c76f48b183fae5fd3654855ffb1908ae2079857d566

Download Submit
C:\Windows\SysWOW64\Eqdajkkb.exe

Filesize
96KB

MD5
274e63b4e36a957576cfc7b18449236c

SHA1
f0a282c2bd5f6b32159b95a845b4aba80d6cd192

SHA256
1c8aa0dfe2060a69272307c9a4296b76d44d44ccae5e4ab751f75b80bc5833d8

SHA512
cf6b61c8caf71267938d0ee04673ee6a5ccf6baf941f258c649337d540e5b3d209e9dd00688f213fd88688c234b2ae53654b92662b35277d93ed4eae5900c723

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
96KB

MD5
16d3c03d9039132177f602e2570ee50e

SHA1
7799fa2d1a3f4c81678c83f2e57980ac632f5a22

SHA256
2e809629a3bde18847ae9a1b686a9c908d4c955f95d382a1b87e84ec484673e2

SHA512
23f3c5c43735293fade21837fe000abbd059ebd1e748588edc3d541d3907f56b84d8914e44adb3702fd6faefc967e3473ecbfbd865b6517ff4d87d9198a7e11f

Download Submit
C:\Windows\SysWOW64\Fmpkjkma.exe

Filesize
96KB

MD5
1256388e0177163d55aa097210f9a082

SHA1
7f7e3fbcb14636e18ff5388ee594822c7d49da9c

SHA256
0e087484c80a12e608049852fc8862e5f91b01f5946a08d4333f0309d956cb56

SHA512
d2b292e97717a5ba631f7dd31f1f24a30a31d3e07dfd6c8c575aa60a4a5aa174d11c5e84b926bdf66951f83ab3f0c6a1b7d712f1d86e171fe48f580257efa745

Download Submit
C:\Windows\SysWOW64\Mfacfkje.dll

Filesize
7KB

MD5
6d2e0a3f5c0e940ddc1a54890832e795

SHA1
c9d879c18a6c64fbc6a4624b7b08fc31debaba61

SHA256
12d016643aec7157631c488fc011dba88a60e4b3c0d7f0d7fcfbe0efa9cec43a

SHA512
3f1b028a00f45355d3db2a3c92bec64c0b5bd354f0df309b85552fec4a404fd3dce85101ed5bf14c19cb8547f66e6a1327d1325764a06ccaed8fa8ca7a075f7f

Download Submit
\Windows\SysWOW64\Cdlgpgef.exe

Filesize
96KB

MD5
faa4ae06efdb6a4cbc83a2ca9101f6f7

SHA1
d24772c98d6aefede2cc011f6c9fefc41d254ee9

SHA256
d50b696fc219f4925e96f9b74ee66c7340b3c071fe191dd62f98695329eaba0a

SHA512
5f264027a0ab0c849d894c7cc0fa68a9654d31d61b026116036cb7ddfa0759f67010ebaff5bafb5ccae6d493b62f5bc186092c2a323e9c1e1f2eca45a24402e1

Download Submit
\Windows\SysWOW64\Cghggc32.exe

Filesize
96KB

MD5
1ba937768a76a9c49b32a8e1dbf38c77

SHA1
36de7fd359aaafef0939dacd90883dda68f74755

SHA256
0376fd14dbbd43cbbbb60279d15df1d2c7abe8700b83d5723683503392b09614

SHA512
c1300a43fe4af024541eea705f8156df8818434b88d87f239d6383a28cb18d588ee5498c7f7daf0cfa4099f34fd0ac7009ac15126f4774aeab9cbe2c2a0d4bff

Download Submit
\Windows\SysWOW64\Dccagcgk.exe

Filesize
96KB

MD5
f5b5c40055907818917887da2380c618

SHA1
aa25006747dfe54f8ee2fbf661f02b5be97bfe21

SHA256
b96931e393acc1cc137f6af127e05c9f7905ecc75a7cacacda2a1f1107bf858b

SHA512
15c40eab2b5920625453dece008226ea5df8e1f19dd94c7d4a584dbeda072ddc3303f164033382573c7e9f914d528f017afbfb03b3b089d73ab26e5b28a3b2af

Download Submit
\Windows\SysWOW64\Dcenlceh.exe

Filesize
96KB

MD5
ba283b8272ea3b24c6776d0a8e3445d0

SHA1
bd09a85eee81a6da72c63ad135b84e015a4fd406

SHA256
fed56a5d3e335b68da542f45015a4554804b8ebc71b36de8fb04bdf5ffeb37a4

SHA512
9767c99441ef3d4239baaa65c1595b4fe274d22db18b6614014c1c87c2099de97fc2c5f44b25141f2e773227282b72e9906c757715958ec61e7975b1561f24d9

Download Submit
\Windows\SysWOW64\Ddigjkid.exe

Filesize
96KB

MD5
adf95ef9878d560c0b4d43e8fdbb5af1

SHA1
d28ef0139648469f0b9835e1124fba17ac21f1eb

SHA256
c52a33e2d7bd20e025237d121a93885f24551f9ea360787c4fa97918b0396ea6

SHA512
de67c75223840ff956a4fd152c1fd4ae43b459c43560ff1f37715e4df74ff6fe76f8aee887764882ff94ad168cecaa80ba8e9a6fc4bce3552333d9b87c410857

Download Submit
\Windows\SysWOW64\Dhbfdjdp.exe

Filesize
96KB

MD5
0dfaea54957e621c81e545e2aa06715c

SHA1
050c51416682a0986f97305ff527676aaa40b4fe

SHA256
793ff67b674ed565f704fcd5f840a4e20ddbd3bc77f386aae9aed4cba4c69ee4

SHA512
ba323cb67c8ed6d1ac050df7c0d4c4ecd92c2077226cf5adf74088b3f954a9be32c547ccc0a2d82ffeccb5e6162e231fc4d529cead370e024e07b929991ee756

Download Submit
\Windows\SysWOW64\Djklnnaj.exe

Filesize
96KB

MD5
1a7d49725bf582b41fb85571ff7177a7

SHA1
2938ae961c70f48767d06cfb43acb0589065b0dc

SHA256
ca681621049e4e63ac492eb8a5adf965e369a276d262f0976e1729868867e9e9

SHA512
f0560c4e3ea047c7ced79b4fd1eb974cda02818972247c33ddc245c6f26c996d46d7b55b052363a0c717435ced40c7883660136042b71ef617f43a0181b85e6f

Download Submit
\Windows\SysWOW64\Dkcofe32.exe

Filesize
96KB

MD5
b98f5169eb52062924193bfff3a9e328

SHA1
844c73a05d736f93238d6aa540d4247692cb2c2f

SHA256
4e07bddecb9f6ff2dbc7ec76a0e2bc8ee01531ae3a9c94e6b988a555f3f0fa25

SHA512
dacda508af74b7a1b1f9be17dcce30abba600094263deb6506bb8e3a3aa83d14d9f0dcddf26c858b6be9df464eedfd897bdc02a56a2d548ee858be4c1d97aa9b

Download Submit
\Windows\SysWOW64\Dknekeef.exe

Filesize
96KB

MD5
422ed78c8915f67b648cea45aa965c3c

SHA1
b77fb0b0b7a43a4f0a8aa162de317551f29cc45b

SHA256
0700c204beb2355a093c9c263644e8aa937373697bb6f2d42af6dc675d1a96d3

SHA512
833212113fc434d2767d35dac119a446e511d2d5a61092fe3ad8a395912b34ef37b149f9ab60fd56890747c54e188b1f0cb28c84616575d6579656f40fb7b009

Download Submit
\Windows\SysWOW64\Dlgldibq.exe

Filesize
96KB

MD5
5ace7c061103172a44662ba92ee12c5a

SHA1
bdc13eaedc0c483a16270182548745826e3270cc

SHA256
20362b310df72a9d248134e0fc0ecec360eefae18f9a6f53f10a43db44d729eb

SHA512
1f6a7fa538121fba12c4731e0d05ce8d35ef14f79d4d2ca3479a545bcb3232e1207cd73d452835c612f44ed2785dd824b505c2a3d71142f5f04d157481bdf1f7

Download Submit
\Windows\SysWOW64\Dliijipn.exe

Filesize
96KB

MD5
4ead1eff2c00306e87415c30a2b1822f

SHA1
5c4becbfb4f5f04e995ea16677d035f8a35cd259

SHA256
24378b8587e9ddd16831c194963291ebd24a4d46deec120ee7cc9dfe21731062

SHA512
f35ae85dfdbecf07e2137972a9a3ec3f3c5a637ba17d2beaecbcff69bf50646dc3fa307bb35f6494f3f858997ac4f046047b5e60f1205dc3c04f23f1faa993bf

Download Submit
memory/320-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/320-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1240-372-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1240-228-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1240-222-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1240-232-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1484-361-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1484-92-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1504-295-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1504-290-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1504-296-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1512-366-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1512-157-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1556-263-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/1556-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1556-254-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1556-264-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/1616-241-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/1616-242-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/1616-373-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-185-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-193-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1700-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1872-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1872-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1912-177-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1912-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2064-306-0x00000000004B0000-0x00000000004EF000-memory.dmp

Filesize
252KB

Download
memory/2064-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2064-307-0x00000000004B0000-0x00000000004EF000-memory.dmp

Filesize
252KB

Download
memory/2064-378-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2124-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-371-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-212-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2472-353-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2472-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2472-12-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2472-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2484-252-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2484-243-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2484-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2484-253-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2536-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2536-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2536-281-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2584-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2584-60-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2584-53-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-350-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2700-349-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2700-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-26-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-33-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2732-379-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2732-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2732-318-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2732-317-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2748-338-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/2748-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2748-339-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/2796-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2796-355-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2796-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2800-380-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2800-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2800-328-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/2800-329-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/2840-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2840-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2860-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2860-365-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-367-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-357-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3040-265-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3040-278-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/3040-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3040-277-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/3052-105-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3052-118-0x0000000001F90000-0x0000000001FCF000-memory.dmp

Filesize
252KB

Download
memory/3052-113-0x0000000001F90000-0x0000000001FCF000-memory.dmp

Filesize
252KB

Download
memory/3052-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3052-363-0x0000000001F90000-0x0000000001FCF000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads