c8e1540d26cc884bc019b839e0379769cc6ffb2faffc3c838c5f014b663191fc

Analysis

max time kernel
101s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83240383c671d7c5388e765f82d74700N.exe
Size

320KB
MD5

83240383c671d7c5388e765f82d74700
SHA1

6997c81b14cff55e95adc4c5302826ba4406c0d9
SHA256

c8e1540d26cc884bc019b839e0379769cc6ffb2faffc3c838c5f014b663191fc
SHA512

da6ccde923b8a90d4fdd86d1bac3a9917e4e646ab7adad85b6097271d37a890a6fc15771a4d600fdc5555057f732b24a02b00330de73564f81ee2594c911b469
SSDEEP

6144:pvVlWNCuZlOLAYCtE07kli0KoCYtw2B0Ddu9szWfx09UBIUbPLwH/lLOUaR/N1Id:ptgMulYJ07kE0KoFtw2gu9RxrBIUbPLK

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	83240383c671d7c5388e765f82d74700N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	83240383c671d7c5388e765f82d74700N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe

Executes dropped EXE 13 IoCs

pid	Process
896	Dfiafg32.exe
3620	Dmcibama.exe
1668	Danecp32.exe
2600	Dejacond.exe
4280	Dhhnpjmh.exe
4316	Dodbbdbb.exe
1580	Deokon32.exe
1840	Dhmgki32.exe
2704	Dfpgffpm.exe
4952	Deagdn32.exe
3356	Dhocqigp.exe
2540	Dknpmdfc.exe
3632	Dmllipeg.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	83240383c671d7c5388e765f82d74700N.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	83240383c671d7c5388e765f82d74700N.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	83240383c671d7c5388e765f82d74700N.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2416	3632	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83240383c671d7c5388e765f82d74700N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	83240383c671d7c5388e765f82d74700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	83240383c671d7c5388e765f82d74700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	83240383c671d7c5388e765f82d74700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	83240383c671d7c5388e765f82d74700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	83240383c671d7c5388e765f82d74700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	83240383c671d7c5388e765f82d74700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 896	2280	83240383c671d7c5388e765f82d74700N.exe	84
PID 2280 wrote to memory of 896	2280	83240383c671d7c5388e765f82d74700N.exe	84
PID 2280 wrote to memory of 896	2280	83240383c671d7c5388e765f82d74700N.exe	84
PID 896 wrote to memory of 3620	896	Dfiafg32.exe	85
PID 896 wrote to memory of 3620	896	Dfiafg32.exe	85
PID 896 wrote to memory of 3620	896	Dfiafg32.exe	85
PID 3620 wrote to memory of 1668	3620	Dmcibama.exe	86
PID 3620 wrote to memory of 1668	3620	Dmcibama.exe	86
PID 3620 wrote to memory of 1668	3620	Dmcibama.exe	86
PID 1668 wrote to memory of 2600	1668	Danecp32.exe	87
PID 1668 wrote to memory of 2600	1668	Danecp32.exe	87
PID 1668 wrote to memory of 2600	1668	Danecp32.exe	87
PID 2600 wrote to memory of 4280	2600	Dejacond.exe	88
PID 2600 wrote to memory of 4280	2600	Dejacond.exe	88
PID 2600 wrote to memory of 4280	2600	Dejacond.exe	88
PID 4280 wrote to memory of 4316	4280	Dhhnpjmh.exe	89
PID 4280 wrote to memory of 4316	4280	Dhhnpjmh.exe	89
PID 4280 wrote to memory of 4316	4280	Dhhnpjmh.exe	89
PID 4316 wrote to memory of 1580	4316	Dodbbdbb.exe	90
PID 4316 wrote to memory of 1580	4316	Dodbbdbb.exe	90
PID 4316 wrote to memory of 1580	4316	Dodbbdbb.exe	90
PID 1580 wrote to memory of 1840	1580	Deokon32.exe	91
PID 1580 wrote to memory of 1840	1580	Deokon32.exe	91
PID 1580 wrote to memory of 1840	1580	Deokon32.exe	91
PID 1840 wrote to memory of 2704	1840	Dhmgki32.exe	92
PID 1840 wrote to memory of 2704	1840	Dhmgki32.exe	92
PID 1840 wrote to memory of 2704	1840	Dhmgki32.exe	92
PID 2704 wrote to memory of 4952	2704	Dfpgffpm.exe	93
PID 2704 wrote to memory of 4952	2704	Dfpgffpm.exe	93
PID 2704 wrote to memory of 4952	2704	Dfpgffpm.exe	93
PID 4952 wrote to memory of 3356	4952	Deagdn32.exe	94
PID 4952 wrote to memory of 3356	4952	Deagdn32.exe	94
PID 4952 wrote to memory of 3356	4952	Deagdn32.exe	94
PID 3356 wrote to memory of 2540	3356	Dhocqigp.exe	95
PID 3356 wrote to memory of 2540	3356	Dhocqigp.exe	95
PID 3356 wrote to memory of 2540	3356	Dhocqigp.exe	95
PID 2540 wrote to memory of 3632	2540	Dknpmdfc.exe	96
PID 2540 wrote to memory of 3632	2540	Dknpmdfc.exe	96
PID 2540 wrote to memory of 3632	2540	Dknpmdfc.exe	96

C:\Users\Admin\AppData\Local\Temp\83240383c671d7c5388e765f82d74700N.exe
"C:\Users\Admin\AppData\Local\Temp\83240383c671d7c5388e765f82d74700N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\Dfiafg32.exe
  C:\Windows\system32\Dfiafg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\Dmcibama.exe
    C:\Windows\system32\Dmcibama.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\SysWOW64\Danecp32.exe
      C:\Windows\system32\Danecp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 408
        15⤵
        Program crash
        
        PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3632 -ip 3632
1⤵
PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Danecp32.exe

Filesize
320KB

MD5
08bde342abfcc54b9877f02d8a651af6

SHA1
fa403ea2c6b7cda8f7cf1c5b5a252f8578f8fce7

SHA256
3628fe7b33d4b9d343176822340ec8c47e57c0e7b89e448b75f110079aa4b98c

SHA512
2c997d6a9a4ec92e68d86ba1829475b29cb8ec2fe229ae73318e949dd5292141b4691a11c985a5b0776e8c289d91d898769e2c96abf34712b8e4c5bcfc295317

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
320KB

MD5
3b24f246d6a626bb0dc328422a379dd6

SHA1
deaa95a6b083e9bf4f09a8129a54ea33652b7661

SHA256
92780cad52bc62964e23dc597597fede40e11fd8a2b7cefb0eb8ebf265f5a12c

SHA512
54ca3fc05f50093183593fbe090301153a6f3cf2f6e503a9004eec184cbc80c2b01124159f12c09dcaa22b23890582840784827e8f5089c939338f40766dfb7d

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
320KB

MD5
a7862ef842cf931801e6ba7a322301f7

SHA1
0c3647763880fcbba7b41909fc0369690aec9c31

SHA256
a7943cc764f3df0835b866e4de38e98c612fbb8f19bbe60b2621ee95c67fc66e

SHA512
781ea68a96e38580d0758c2cc7d5966fb96e7fd232872626c41d981cfe49ce4c1d040aa20aca16de5ce89350ea2ea79efd7787a9f841637d172730e89b282a57

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
320KB

MD5
93282e87ff462c53e664378c54ad31fa

SHA1
3dd0391f6bbf11438bd0104af4db59e33299544d

SHA256
53b23fa55416dde29ee79d27c01826020ae7ffbd6a2fe84c404b77137b0c42fb

SHA512
ca82bd8a6bac5cace00ed28009670fb854a8d88cab981a7521e04c40881786be6ce921e73653cc5269249b722f03174759a49fca1708f288bb7a1a0f66252f7f

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
320KB

MD5
d0af13e805b9f0d487dc6710ea6e68df

SHA1
ae735cbe4f601c4a804328ea06bc41bf86c7a6c8

SHA256
b6f65e5b752ff0ed0607f6757e00407a0486757c00349784b6b369991d152933

SHA512
2452df547d75619d371429088eab6389e379a4f4c996b516fac2dc8fdef9c2c6b40eb2ccf1942c3b2ec8b67495588a052248643dbb7fed2dcbcba844f3b37ddf

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
320KB

MD5
028395550d54ca3e7eca7aff3f21ad55

SHA1
5c7dd26937a80dc2ea32344c9bf79dd3fd433464

SHA256
d0ce96a78c140a1dfc4e482dd5b833d2b58fe081dfcc4cdddf2abc036029ff39

SHA512
c094b5b3cf1393ed5ce7fd4b05efdb7388aecffbc17e656d2ea894559e6564893ac932474d8c34fedadd730a00b104934ea2b3253c1ae0a853bafffa7224252e

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
320KB

MD5
1be5411fdfaab9fd458a03cf5ea71188

SHA1
c06cdb27af212a1a36e951474f8cea26ecbe6589

SHA256
f1562e03dc869546b2dbbc48c32dfaba4f7c6145e18bf5173a52cce1ed55fb1f

SHA512
83da90a08c7b92bcf980b5cf361e8a615a6559f0082387f9d1c964c3573923b50e7e561a377e713670c48acaf5d9ff9fd73c37abdad69f86230556cd22728f2f

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
320KB

MD5
26184395841237692200c254a64619ac

SHA1
88321c5a4a37bcde9f279ed5c9f728fcbb58df1b

SHA256
968bb52582cb6e59cf22dd4cba9893874e74a75cab15e3f6cc0c8d37c2975603

SHA512
ab1a9c9faa5fae22610eba47eae352a441a6179a9df24cb2b42d5beaab4beeefc619fb9ecd99dd5ca3b945ff84e15f5deabdbc17d660cdae44230cf45e636a89

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
320KB

MD5
5320a1d170e592920cfc606f222f7828

SHA1
83e3d3cc5180b03f2466c72250c1fb59788c6120

SHA256
f43495398ca6506c14bd86a17b5a793ba6290e0048f91b3617f9dba464214baa

SHA512
7068d12419b49ba52b787b2fee7e8e935707002c3703fc0a21b05fd07dab4cfb6d324a28eb666ce7396331efb6838a624fd4503934e5bd086be0212b6e8b0983

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
320KB

MD5
d4885da7147b737361f40939f56de651

SHA1
15784981916e8cb144516daba9bdda458c722aed

SHA256
a139ab9a7199c4dbd7d31a463e82e7341045b77d12b8acf5386b755ec40d7f71

SHA512
6fedc68d6f37f9f4d0ddced372528b2fd9f8113f8c58c4e91a5091c573f83b78d88d2ef8e5581ed84680f6af852b941947a22c0e49fea3ba6bcbb57be540014b

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
320KB

MD5
aa0e8c22a584eff2f87c25177df76eee

SHA1
e8154377472572a838a4b24905f26ac6da6a3c67

SHA256
1603b27fb3d5585f3a88ec5b5b1ffb69ba782d173b2c63c6f6454fc0ad61b364

SHA512
6a43c935c601c1e12ae0bdf86b8a31729f09c65d679f8241c2ed33470c9d62bffac5a0c610864a8bdd44aa11e6d00d28f7110e552ac2625148149cf00255b486

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
320KB

MD5
484ba8ffc809376d817072c38da5cbb7

SHA1
681f4dea7e3129a524586ed427305b00a952ebd3

SHA256
b93d92c0850d19ffb707b8d9c031442dd7a1f19bd399a8ef520d0d30fe055dcd

SHA512
9a0b0ad2a0a065bf51f19dda2a805f6ccafc08d6a1bdf13161f426b2f27ba064aea31b370ac7ba47e1abe33488f7c33c87d839b1dcc13d3681e1bf2102646b10

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
320KB

MD5
19dba7f6790ea8161095ac77848e350c

SHA1
12b2817d2808c057c25218560d81911094143225

SHA256
39037f2ee76ea0f456ee3cd5a98505d1c4beed493410aac9bd0ea6d7c9cd308b

SHA512
2b2243efdd833fc640842fc08f50a6e2c75841933d403707352674639f563201f7b1309a3f346cdcd001eb63f75555bed815bc3cf91b88984f34d9ad6e2f5224

Download Submit
C:\Windows\SysWOW64\Nbgngp32.dll

Filesize
7KB

MD5
fe5a42fb43ce3e3baa18f78b1e64faf7

SHA1
2b76867291eaca6563aa8952e9c5f25c196a05d9

SHA256
1fe98c65e035e85a1e753bb275457314cd14e1d321caca68f033f5ad03e617ae

SHA512
ccc6cb68826671dedba65d9eb0dcfa2baa8dcf09e3fdd49e3eb8decbc3cc48c5c24d5bdfb39d7c55162164561c6b4740a5587128fba2bc2f80b311c369654f40

Download Submit
memory/896-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/896-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1580-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1580-109-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1668-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1840-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1840-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2280-114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2280-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2540-101-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3356-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3356-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3620-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3620-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3632-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4280-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4280-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4316-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4316-110-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads