c2c01ffcba12802f0f88c360330b8e6777c14d532adc7ad5bf9fd97e4e5b750f

Analysis

max time kernel
106s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7f73cd85c248746ce404a8704ee0730N.exe
Size

62KB
MD5

e7f73cd85c248746ce404a8704ee0730
SHA1

34ca52c579509b0c58d7364f7c769992ecab7e13
SHA256

c2c01ffcba12802f0f88c360330b8e6777c14d532adc7ad5bf9fd97e4e5b750f
SHA512

d753533d69a82356f28cb691e2efb23e0654da03733c3f913b56bdd3abc50ee76234086f18652b5ff9ab81b912b712fcdcf02f5ddba2993e272aa2839cf09260
SSDEEP

1536:sUjzZPICovzaM2WHpzaqXw01R1Q2BZ5b+hPPA2ivy9ve8Cy:r3ZPIC6z0Eaqg0P1QaZ5b+Nagve8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e7f73cd85c248746ce404a8704ee0730N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e7f73cd85c248746ce404a8704ee0730N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe

Executes dropped EXE 18 IoCs

pid	Process
1840	Ddjejl32.exe
1912	Dfiafg32.exe
4380	Dopigd32.exe
704	Dmcibama.exe
960	Ddmaok32.exe
3288	Dhhnpjmh.exe
4756	Dobfld32.exe
3000	Daqbip32.exe
3276	Ddonekbl.exe
2380	Dhkjej32.exe
2868	Dkifae32.exe
4032	Dmgbnq32.exe
5024	Deokon32.exe
1880	Dfpgffpm.exe
5044	Dogogcpo.exe
1688	Dddhpjof.exe
3748	Dgbdlf32.exe
1900	Dmllipeg.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	e7f73cd85c248746ce404a8704ee0730N.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	e7f73cd85c248746ce404a8704ee0730N.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	e7f73cd85c248746ce404a8704ee0730N.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4212	1900	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7f73cd85c248746ce404a8704ee0730N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e7f73cd85c248746ce404a8704ee0730N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e7f73cd85c248746ce404a8704ee0730N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e7f73cd85c248746ce404a8704ee0730N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e7f73cd85c248746ce404a8704ee0730N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e7f73cd85c248746ce404a8704ee0730N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	e7f73cd85c248746ce404a8704ee0730N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 1840	4732	e7f73cd85c248746ce404a8704ee0730N.exe	84
PID 4732 wrote to memory of 1840	4732	e7f73cd85c248746ce404a8704ee0730N.exe	84
PID 4732 wrote to memory of 1840	4732	e7f73cd85c248746ce404a8704ee0730N.exe	84
PID 1840 wrote to memory of 1912	1840	Ddjejl32.exe	85
PID 1840 wrote to memory of 1912	1840	Ddjejl32.exe	85
PID 1840 wrote to memory of 1912	1840	Ddjejl32.exe	85
PID 1912 wrote to memory of 4380	1912	Dfiafg32.exe	86
PID 1912 wrote to memory of 4380	1912	Dfiafg32.exe	86
PID 1912 wrote to memory of 4380	1912	Dfiafg32.exe	86
PID 4380 wrote to memory of 704	4380	Dopigd32.exe	87
PID 4380 wrote to memory of 704	4380	Dopigd32.exe	87
PID 4380 wrote to memory of 704	4380	Dopigd32.exe	87
PID 704 wrote to memory of 960	704	Dmcibama.exe	88
PID 704 wrote to memory of 960	704	Dmcibama.exe	88
PID 704 wrote to memory of 960	704	Dmcibama.exe	88
PID 960 wrote to memory of 3288	960	Ddmaok32.exe	89
PID 960 wrote to memory of 3288	960	Ddmaok32.exe	89
PID 960 wrote to memory of 3288	960	Ddmaok32.exe	89
PID 3288 wrote to memory of 4756	3288	Dhhnpjmh.exe	90
PID 3288 wrote to memory of 4756	3288	Dhhnpjmh.exe	90
PID 3288 wrote to memory of 4756	3288	Dhhnpjmh.exe	90
PID 4756 wrote to memory of 3000	4756	Dobfld32.exe	91
PID 4756 wrote to memory of 3000	4756	Dobfld32.exe	91
PID 4756 wrote to memory of 3000	4756	Dobfld32.exe	91
PID 3000 wrote to memory of 3276	3000	Daqbip32.exe	92
PID 3000 wrote to memory of 3276	3000	Daqbip32.exe	92
PID 3000 wrote to memory of 3276	3000	Daqbip32.exe	92
PID 3276 wrote to memory of 2380	3276	Ddonekbl.exe	93
PID 3276 wrote to memory of 2380	3276	Ddonekbl.exe	93
PID 3276 wrote to memory of 2380	3276	Ddonekbl.exe	93
PID 2380 wrote to memory of 2868	2380	Dhkjej32.exe	94
PID 2380 wrote to memory of 2868	2380	Dhkjej32.exe	94
PID 2380 wrote to memory of 2868	2380	Dhkjej32.exe	94
PID 2868 wrote to memory of 4032	2868	Dkifae32.exe	96
PID 2868 wrote to memory of 4032	2868	Dkifae32.exe	96
PID 2868 wrote to memory of 4032	2868	Dkifae32.exe	96
PID 4032 wrote to memory of 5024	4032	Dmgbnq32.exe	97
PID 4032 wrote to memory of 5024	4032	Dmgbnq32.exe	97
PID 4032 wrote to memory of 5024	4032	Dmgbnq32.exe	97
PID 5024 wrote to memory of 1880	5024	Deokon32.exe	98
PID 5024 wrote to memory of 1880	5024	Deokon32.exe	98
PID 5024 wrote to memory of 1880	5024	Deokon32.exe	98
PID 1880 wrote to memory of 5044	1880	Dfpgffpm.exe	99
PID 1880 wrote to memory of 5044	1880	Dfpgffpm.exe	99
PID 1880 wrote to memory of 5044	1880	Dfpgffpm.exe	99
PID 5044 wrote to memory of 1688	5044	Dogogcpo.exe	100
PID 5044 wrote to memory of 1688	5044	Dogogcpo.exe	100
PID 5044 wrote to memory of 1688	5044	Dogogcpo.exe	100
PID 1688 wrote to memory of 3748	1688	Dddhpjof.exe	101
PID 1688 wrote to memory of 3748	1688	Dddhpjof.exe	101
PID 1688 wrote to memory of 3748	1688	Dddhpjof.exe	101
PID 3748 wrote to memory of 1900	3748	Dgbdlf32.exe	102
PID 3748 wrote to memory of 1900	3748	Dgbdlf32.exe	102
PID 3748 wrote to memory of 1900	3748	Dgbdlf32.exe	102

C:\Users\Admin\AppData\Local\Temp\e7f73cd85c248746ce404a8704ee0730N.exe
"C:\Users\Admin\AppData\Local\Temp\e7f73cd85c248746ce404a8704ee0730N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\SysWOW64\Ddjejl32.exe
  C:\Windows\system32\Ddjejl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\SysWOW64\Dfiafg32.exe
    C:\Windows\system32\Dfiafg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\Dopigd32.exe
      C:\Windows\system32\Dopigd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4380
    - - C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:704
      - C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 396
        20⤵
        Program crash
        
        PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1900 -ip 1900
1⤵
PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daqbip32.exe

Filesize
62KB

MD5
912b7f9f2885fb5f3dd5e54e66880698

SHA1
1973e490fe194296e0078f8c34cc444c5e1f79c8

SHA256
bec220bbf22074a30964e82ff4cf70aa63e3d123cd744d486007a4bf85b2127f

SHA512
9508fbb8cdd4cf4e556955e959dfd8245caaa32995fdc0fb6a7c3610c72a13e87ec365c0f78eee2d6cd133f93526a79c981b61d054eaa94c64412f4c7cf5b343

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
62KB

MD5
5406890bf0701a05e01b20264ab83cb8

SHA1
c2d75c0c7d3db04339e531bb1d2c56be5382ede6

SHA256
a8e03c7e6cc67c515108a333d625011cc01e6bb68f4870e4ee0c02b1e3215b80

SHA512
2ed3b0bbf4d1f9bdd69280b9c8ed9e3516e7a5862748aa15d0727310b3551b7ac130bd0305ab0bcb0e54e559b4961be8406d3c1bd7e044bbe8851fd94d5edc8c

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
62KB

MD5
4dd724070e12d2310301770b57764104

SHA1
94f51304236188349fa1808731e38017bc99434a

SHA256
d3e163b294cca7ff34d624be9d9df6dcefd1bf9732edc9d589be100b87c3278c

SHA512
d4d1c6cfd4bfcf52618b2656788bc1d810a34dc78b39c4e38eb4952305126d0a746b435d9d653673a811a16238d0aa6a271c7ef361b8078be08914087a7f7967

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
62KB

MD5
5bcaf7d6adc78dc8650449789b228c6b

SHA1
ca61fc2a5679b8af3f94fcc5165d03c999a27dd1

SHA256
6f09b0354b0bde91c7fe23ea7fa1eab08c215cb980fe482f9a65915551319b66

SHA512
01f6a7e491cd4b461148c953c3116beeecf22ab7c5e5375590bbd1bbfaad0a6246aeb0ddb38ef7a6a51b310a72af3a4188c6a9410f2aa9660b7adc6fac1a3ba1

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
62KB

MD5
de90d844e3f67feabd2327a9fa74d483

SHA1
03c0329663a9fccb49304a68419813e6992f9fb3

SHA256
c8d8d6afed80d20557bcf1e439d3f9ae2d5514a16cff60762a5767fdfc29b921

SHA512
886ea2aee65ee3af2a7dccc311861fbf50f701cbb530b5dc78e1ed0d2b2cd825d358444c2ab9ed1be713f5d8b83a8a70e5c8fe20a48071d17ab603205efbf41b

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
62KB

MD5
ad5a692a5c8fa6c05f1397ebeefc7de5

SHA1
9a98ffa90a9eb474506bae6b54fb6ab1d3ce2666

SHA256
99ea17979cd31803d330f3e31a0579fa080e4f9eecc23a750e3af206f66ed29c

SHA512
1dbbd3f83861cbee6ab5eeb2fc7a0e97d7709e140383ef4db64dc2e1362e3cefa0bb2a7aa3e0c6cfb60f112367019993ff911ccb23043e7f615a523b3fe2059a

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
62KB

MD5
0b9c6b03f30090556d7959a19a59a07e

SHA1
33f6a92eaaaa75e44da9f06ed3e5ddbc4c427847

SHA256
ea39fa0878339bb9acad254ad33f1fee99c0125d7114d5a040e84a109e409066

SHA512
20cbd7f45ab71fe9481113474ede220835dc9c19a25820c10af372ca4536fc979bd1d4cf8733e32179ce837ed74a891060f461e29c7dc3ab20dad81931a8994f

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
62KB

MD5
9bba8aa042b33ab1d1aed2b0ac463d7b

SHA1
58ae429ada2e248766d87581fd1672ff351a74a7

SHA256
27624efc72f364a6554a2209b0d3c6e243f7667ef92b37f0e4c2d8f4d2af4145

SHA512
8bc0391e41332425da5071cd87f4e01c381450639dc4a1f9b84c7ca99ce30fbfb47cf9e31ed2833be0b11fab3deac782741213ea517fe3a526fec04e085c28b2

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
62KB

MD5
ba17ffa47539a8a92729268de9ca97e4

SHA1
088594f625e544d2b7d7389718355ccadd30b069

SHA256
91203dfa41a86e5d7a7711340ebfd59f1c5f237c5cdbd12b22dcd9e8d92f41f3

SHA512
720273d9065b018424384b1c8133a1f8709fd41df5ddcfa2943f2d2103904f64e1a8451eb37cdc6a39e9ddf9dd553c48dda9a5b5c393ad05faad0ab98bc81d66

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
62KB

MD5
4be6eb01785ddcd928e11383e00daeee

SHA1
79646a87c5b607474c0b627cc836273ee2b1fed4

SHA256
6ef2d43ff5421c8067b144587f1a707c1ad29f1c16641790ddddec49fd05515e

SHA512
a561330920525d738a8586562fe1852ff26037513c53ac4fc5b1399f5a25a61d8d4bd5737205cdd5b78c15ea6e12447c18f0b7ed69bfce906b6bfb82544c6a9f

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
62KB

MD5
ddfedf2156dd8ccddb5087e3fa8704be

SHA1
6606268325c64778256a2304b8f216185001f3ec

SHA256
22a75d3c309c71071717d52d237212edb1d8a8ed8030d4279aa140c011d11d39

SHA512
90e7ffe4e20cff796f1cd2bca63e7b3f010578454e32bc36d572049e0deed7c60397c7484b1173ee2fd3a395a3b189e4f3f08b4d4dceeedd172f50c60fd85840

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
62KB

MD5
570880e1ec7ac1c96406de21f0af1a84

SHA1
9d811b5d478f05c1e14aaeb1a5e23c7e45e1d621

SHA256
5f3db909e5a300afb2e14ce86ae633c6185f5030b6d7dece0af2b89bd8826379

SHA512
90a465e5fc477d0cca81c0d411c1ac4ea4c78a963be65769f6a4dfdf9b15293031dc564a4920a8bfaaf676e6cd2624f6695f12cfd10c2c033782cff95da74be7

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
62KB

MD5
9564b74e84fb157598d7709d4a59c7d2

SHA1
c5e0182cb2bfce53ad0e659ff49e83d5b9e1409d

SHA256
e0508d56726bfbe9a6b40c953a29cb7268bd2076c3d0f45e6784e5786b637ab1

SHA512
b5ad5584867a371abe9fec47f0eaaebb5a84e75ddfe9938f2e3deca90b2619a6a53824899569a37e83a3cb40b6137d02a384053924ca655b5fed03a67659d82d

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
62KB

MD5
ffec4620ec958da7ba7ef6251a92b7b5

SHA1
eae1402b5e152a754207810de1ce5fc4fed74fa8

SHA256
14111ad0fb45e3078a03a4e6275a69daf0dfa8a28fd4dac6db6dcea49963ebb1

SHA512
4762a012ad4dd519fff33f27a93e32b092c4e1266bc212b79cd57a2e9b85e5e68d51ff9ae60c5b21d58152b57a199a4a14e5d1d3a5ebdb36803476b54bd6e6b7

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
62KB

MD5
5a96e6e8e4ba173a196fa36a299a4385

SHA1
c2d1b8b884ca7bf589c1e46e21d2c8218c1a9ad3

SHA256
188f584049ce8d542b8eda3bdeefe57813eeabd799e2cfc037f4c59e69d76841

SHA512
18fff2a37db15da5dc30996b76f700bd59928bb5e68c971b9b507d35f10a0d78f06a0bd624a7f04c0d1682d997267fe82758c567a277225cca7ec292220cf824

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
62KB

MD5
c499dd479c5a9fec088cf4fc2ba5b1f3

SHA1
15809dab1f22ea74170b314989d0871fc7ebaa1e

SHA256
7a4281e8d20baf4fade14ae9d65e7dadef361dd59848460349668408b60f5f0c

SHA512
887d979e8fda714f0d15ff4c16e495183ac3ad099489bb272d0ec30833906030ec8603d23070451b3ab5d90e441e476b5937201c389cbb0b6a66758eb15bf0d9

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
62KB

MD5
fbaa170b1bebf1bce7c0f6e85826c739

SHA1
955c9ceea35b46c92902b59ecd3cb258cae45249

SHA256
56282e0be111b15734838a2ca19c049f01c6a326085ed7c08177672608807269

SHA512
cae8acc3381cf7ef61017585d13a24548b72653c46d8070a71565b4865d8299eb8e69ca808342748745301af1b46169c85245adf274bd1dd728652768ef0159f

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
62KB

MD5
532e748ab5b403997cfe4052dc20c15a

SHA1
da25cb815f3fd4147b135e1fcaad4ea7f9d6463c

SHA256
44ac7b4826339f0901f40f4c23510287e7fb5c69e0cee7dbff8b504d9b6e2698

SHA512
272789311fe22018cacd20688af3e186aa737356a6f0b8d1b2edb5008d3835f9c382657c6d3d7ea230f6bb270cf13c3b060624e0d8ea9347948deb2a2970ae15

Download Submit
memory/704-117-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/704-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/960-126-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/960-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1688-140-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1688-157-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1840-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1840-89-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1880-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1880-118-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1900-153-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1900-155-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1912-98-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1912-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2380-164-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2380-82-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2868-90-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2868-163-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3000-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3000-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3276-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3276-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3288-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3288-134-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3748-156-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3748-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4032-162-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4032-99-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4380-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4380-108-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4732-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4732-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4732-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4756-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4756-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5024-109-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5024-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5044-158-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5044-127-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads