60399f43b8f8983d789c46682487ae8f8f1db0e867d23705bc368199bf75a5bf

Analysis

max time kernel
97s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a48c8a56cebd46a90e5e916928bba670N.exe
Size

427KB
MD5

a48c8a56cebd46a90e5e916928bba670
SHA1

c3efd369e0b06dc9f0119ef9848ebf31ac339ace
SHA256

60399f43b8f8983d789c46682487ae8f8f1db0e867d23705bc368199bf75a5bf
SHA512

45a058a0fe18c23342ce453b7fa8123dd397a39c795e6f3731bb77aa28004a0a14cd7705c2c16d709083bea2d207a28a4a38e376fe87b0cca448a8296cd640f7
SSDEEP

6144:wKAU0STYaT15f7o+STYaT15fAK8yfMx/D4LJZPlVcxqy1:HzTYapJoTYapz8ye49vWq

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a48c8a56cebd46a90e5e916928bba670N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a48c8a56cebd46a90e5e916928bba670N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe

Executes dropped EXE 19 IoCs

pid	Process
2984	Chagok32.exe
2788	Cjpckf32.exe
3356	Cnkplejl.exe
3060	Cajlhqjp.exe
1708	Cdhhdlid.exe
3624	Cffdpghg.exe
2892	Cmqmma32.exe
1556	Dhfajjoj.exe
4844	Dmcibama.exe
4516	Dhhnpjmh.exe
4768	Dmefhako.exe
960	Delnin32.exe
1264	Ddonekbl.exe
2404	Dhmgki32.exe
4512	Dogogcpo.exe
4364	Deagdn32.exe
452	Dgbdlf32.exe
2704	Dknpmdfc.exe
2444	Dmllipeg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qlgene32.dll	a48c8a56cebd46a90e5e916928bba670N.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	a48c8a56cebd46a90e5e916928bba670N.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	a48c8a56cebd46a90e5e916928bba670N.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4524	2444	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a48c8a56cebd46a90e5e916928bba670N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	a48c8a56cebd46a90e5e916928bba670N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a48c8a56cebd46a90e5e916928bba670N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a48c8a56cebd46a90e5e916928bba670N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a48c8a56cebd46a90e5e916928bba670N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a48c8a56cebd46a90e5e916928bba670N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a48c8a56cebd46a90e5e916928bba670N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2984	2208	a48c8a56cebd46a90e5e916928bba670N.exe	84
PID 2208 wrote to memory of 2984	2208	a48c8a56cebd46a90e5e916928bba670N.exe	84
PID 2208 wrote to memory of 2984	2208	a48c8a56cebd46a90e5e916928bba670N.exe	84
PID 2984 wrote to memory of 2788	2984	Chagok32.exe	85
PID 2984 wrote to memory of 2788	2984	Chagok32.exe	85
PID 2984 wrote to memory of 2788	2984	Chagok32.exe	85
PID 2788 wrote to memory of 3356	2788	Cjpckf32.exe	86
PID 2788 wrote to memory of 3356	2788	Cjpckf32.exe	86
PID 2788 wrote to memory of 3356	2788	Cjpckf32.exe	86
PID 3356 wrote to memory of 3060	3356	Cnkplejl.exe	87
PID 3356 wrote to memory of 3060	3356	Cnkplejl.exe	87
PID 3356 wrote to memory of 3060	3356	Cnkplejl.exe	87
PID 3060 wrote to memory of 1708	3060	Cajlhqjp.exe	88
PID 3060 wrote to memory of 1708	3060	Cajlhqjp.exe	88
PID 3060 wrote to memory of 1708	3060	Cajlhqjp.exe	88
PID 1708 wrote to memory of 3624	1708	Cdhhdlid.exe	89
PID 1708 wrote to memory of 3624	1708	Cdhhdlid.exe	89
PID 1708 wrote to memory of 3624	1708	Cdhhdlid.exe	89
PID 3624 wrote to memory of 2892	3624	Cffdpghg.exe	90
PID 3624 wrote to memory of 2892	3624	Cffdpghg.exe	90
PID 3624 wrote to memory of 2892	3624	Cffdpghg.exe	90
PID 2892 wrote to memory of 1556	2892	Cmqmma32.exe	91
PID 2892 wrote to memory of 1556	2892	Cmqmma32.exe	91
PID 2892 wrote to memory of 1556	2892	Cmqmma32.exe	91
PID 1556 wrote to memory of 4844	1556	Dhfajjoj.exe	92
PID 1556 wrote to memory of 4844	1556	Dhfajjoj.exe	92
PID 1556 wrote to memory of 4844	1556	Dhfajjoj.exe	92
PID 4844 wrote to memory of 4516	4844	Dmcibama.exe	93
PID 4844 wrote to memory of 4516	4844	Dmcibama.exe	93
PID 4844 wrote to memory of 4516	4844	Dmcibama.exe	93
PID 4516 wrote to memory of 4768	4516	Dhhnpjmh.exe	95
PID 4516 wrote to memory of 4768	4516	Dhhnpjmh.exe	95
PID 4516 wrote to memory of 4768	4516	Dhhnpjmh.exe	95
PID 4768 wrote to memory of 960	4768	Dmefhako.exe	96
PID 4768 wrote to memory of 960	4768	Dmefhako.exe	96
PID 4768 wrote to memory of 960	4768	Dmefhako.exe	96
PID 960 wrote to memory of 1264	960	Delnin32.exe	98
PID 960 wrote to memory of 1264	960	Delnin32.exe	98
PID 960 wrote to memory of 1264	960	Delnin32.exe	98
PID 1264 wrote to memory of 2404	1264	Ddonekbl.exe	99
PID 1264 wrote to memory of 2404	1264	Ddonekbl.exe	99
PID 1264 wrote to memory of 2404	1264	Ddonekbl.exe	99
PID 2404 wrote to memory of 4512	2404	Dhmgki32.exe	100
PID 2404 wrote to memory of 4512	2404	Dhmgki32.exe	100
PID 2404 wrote to memory of 4512	2404	Dhmgki32.exe	100
PID 4512 wrote to memory of 4364	4512	Dogogcpo.exe	101
PID 4512 wrote to memory of 4364	4512	Dogogcpo.exe	101
PID 4512 wrote to memory of 4364	4512	Dogogcpo.exe	101
PID 4364 wrote to memory of 452	4364	Deagdn32.exe	103
PID 4364 wrote to memory of 452	4364	Deagdn32.exe	103
PID 4364 wrote to memory of 452	4364	Deagdn32.exe	103
PID 452 wrote to memory of 2704	452	Dgbdlf32.exe	104
PID 452 wrote to memory of 2704	452	Dgbdlf32.exe	104
PID 452 wrote to memory of 2704	452	Dgbdlf32.exe	104
PID 2704 wrote to memory of 2444	2704	Dknpmdfc.exe	105
PID 2704 wrote to memory of 2444	2704	Dknpmdfc.exe	105
PID 2704 wrote to memory of 2444	2704	Dknpmdfc.exe	105

C:\Users\Admin\AppData\Local\Temp\a48c8a56cebd46a90e5e916928bba670N.exe
"C:\Users\Admin\AppData\Local\Temp\a48c8a56cebd46a90e5e916928bba670N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\Chagok32.exe
  C:\Windows\system32\Chagok32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\Cjpckf32.exe
    C:\Windows\system32\Cjpckf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\Cnkplejl.exe
      C:\Windows\system32\Cnkplejl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3356
    - - C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 396
        21⤵
        Program crash
        
        PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2444 -ip 2444
1⤵
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
427KB

MD5
9f488f401f1568d6c747ed657a17a082

SHA1
dd0233f93cfba53df21fddc73014583fb4d3bf8a

SHA256
ac662b3ae3b60db4007376e7cc8ce69ae17a692fe2b02421d776f92e80f634a4

SHA512
86f58ed71969da4e6bf9d5298dd2d1fff9c60b73dad5c9e3cc49e391ec7c98340ff49a098fe90457553fb415c4da45824336de54a87fb0c1fd5a13a8e40fdf8a

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
427KB

MD5
195b29d2691e7bc941e7be9bc2a58e9c

SHA1
88a8fac61ff62c943042a269a8e92ccf1fa768ae

SHA256
0bb36b2298369d6923c6039a13de26c71cd2adb8335201f0dcd4404c0a657a12

SHA512
e82c9c5b739a372454416766e028778c14fa1a6931c2cdf01016a478375d6aa281537cc992d1fb7ab717a374f2d71682555ccde8d1fbb282a58d8aa20c09dc82

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
427KB

MD5
de7abd9e6153e94b8fe597fbd867ab7e

SHA1
9a21fc7a4de5880d5eb1dfc9f6e410c7b20251e8

SHA256
eae0b84ccb05a722bfa4882ae7f6359568cc8b69ad06ac58e75117f760d2baf2

SHA512
5bfba7bd70fdaf1ced166fbb354d893b642349dd9640211e212b3cda930d6010f2c91547c81fa813824b3094a281662fe40c76a0574f84a156b5a3c01c20a3a3

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
427KB

MD5
955cb9125b43ca3cfc46534d506ab970

SHA1
74bc2a8578bd4507a0dcfd13ced1bb157d961b11

SHA256
1cbec99309c25701a36d02a8c7355d0e10cffd20c042f496e37c3ce33a76f731

SHA512
bf8f15c44828f05628dc7bdefec9367b63425784acb24ce8b7bf19fdf6ac25d50b0aff8c60c5c46fe2779d85889e591c1d2d07b56b741f70be0d98d811c2724d

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
427KB

MD5
5d60b1366b8f9b5e79d322b7b4ffc9d3

SHA1
a052cff41e7170933edf15103aa3a5f1062a17a3

SHA256
a6734eabf7240eec6f9c3258b5e6b3ecf692dd96bb8e98ab26ea920d0d04a2fa

SHA512
e364d771d67693a683552af9116941f97a3cfb0eb3c54e38cef35fd7dd6f3a910f4e6666f2e6f50df42aff48d0894c3b0e8c27e80761215d44b9711a9e08165b

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
427KB

MD5
f58241bbb1606fe027836f2c1eee20d0

SHA1
b1e5a4f904b971c7556dd831971401658c911246

SHA256
f1e82a58e58d597a538ca8dbc66de61d3f8b2b793fb8f2cc6fcc2d271a4168e9

SHA512
7b7597a21ac964c951e0f61fd1ec6ab991e23eaf46159be84b0aa61fbb7ddce17d3a806e67ffdfce9b47cc767a46765e99d10bb0a6b553ab1e23096b4f25e60a

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
427KB

MD5
761e908ef505a463f96ef09699fab0d0

SHA1
9bdbd154ec89bba46b42293bee85262c37939ddb

SHA256
bf36bdca78848728d1798baec2d5fb95bd350ffd1dfeb72882cf138938bff4e5

SHA512
602f66f35e7a049c870ae4216520c7cfea9fe70f1bf87accf2f8f7bb8cc8606c1187f31080491109b6aca1ee8829bb4a527f5ca57ad4a6cbcfefce2e80e49f13

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
427KB

MD5
9422280012760fc6fce07de00931d98a

SHA1
28598a36bc162d2acf15c14c7236e1edb63a84b9

SHA256
ad0887e1ae736b84f97ce7f861c1a85e53d40b6ac5d56c2fb18048bdc90acdfc

SHA512
089b1811faf4a73f2a48fe4ecf456e89149e5cef7d8174033905d3bbd0aab2c89fb5456187be4c0474c79999d50bb7c490fe82ca2be1e40bf9b75d83fcd98c6f

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
427KB

MD5
cae5cb0a84d88bb1aa68781d2fa3f28c

SHA1
2e0862d20eab1e242fe7c40755ee7049c91f2585

SHA256
6fa8b826e5bb63de314bee45138b49c9fcc4082d8ca61028aa958113cc7dbbc8

SHA512
264fd926767f6fe4b039026d0a465d14f9b1a7cf7ab1af5c1a50c19bc855046c7985ded98ee317607dcdb4ace5d9e1c4333eae98887b79b789e8089e80367b46

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
427KB

MD5
be5a8851433f4499c3423e0f4e9623de

SHA1
134233ba142322068f9ce92e1bfdd1937fcc7c3a

SHA256
e6663a0927d7b23b1fae5277111dde01d99df2ed834793dbff004a408b32cb50

SHA512
04041ada7c13bfdd3b82e0e5830da0b1b62a468a0b4ae84273247f8118a27d857558e2b9afb4672017cba7f777e1adc2e6bf238cfe733de9f2fe97d7c1a5816c

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
427KB

MD5
ee980dfe5100c708f1aa247de85baaaf

SHA1
6f17bfd6df2bf8a0acc7bb572c41b8c6ef7effa0

SHA256
7b6710aaa269b6d7c1555bd474376a76e7390178e9c29b4ef0e545d06cf3a3d2

SHA512
9356c8a401743bc1adafd4dc6efd57ec24046672f3c331bb315c13f0c90e18e1d1813c9bd84dc97286f4f1e532a2e8035750733850ba0a1139471d9ef8c00d1a

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
427KB

MD5
1f201d719656358fbf1724a066ec02f2

SHA1
fcb2262901fdc0515c9e520d5354290c0deb155d

SHA256
dda7f08ce1a0b979a04e4aff61f374f9b97dafdc9a9e8d875c71dde765aef00c

SHA512
efb28836f8817b3762ccbe768620ed20a1f01407b024f7c96e5cbdcee42bdbb0a5ee7fcf784399381377d3c9e6bf6b68de299c76885ad2b99156a1b97bbf2b0c

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
427KB

MD5
56c5c369d89fbb0a4eb56abc65fe3982

SHA1
9f376838cffd2aa9b0275e2e0961a74135a98c95

SHA256
edcdf56569270127e589c8da07cf3f4e811301e61b6dfcd5ca62642605625e4e

SHA512
2364971fd4b77d209dd807601b9a8ffbcfc5034b861f62ff2be0b4072a4375671456d12d9f8f7542ba6debd2d42587369797d640c0571b72a9017abbb17c079f

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
427KB

MD5
42b3c0bafc71cba905f45f704da678d2

SHA1
04291b70ae40e1b36b2abb2ab1041ec5aa11e686

SHA256
761a687bcb923fa0533019d9a7b4911699960aa286b0128535b282caa3ec25d9

SHA512
b93bdf6e9257e4073c29c3ed2dedd351f16fc96ac8163dec38c05789ded0b44c2b1bba994118dcd016b38e039cabf433cceb228672e799f83d68a8a99ea4902d

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
427KB

MD5
93cb65d6ce1e20fd4e573acc21b240e6

SHA1
3cf788f7b8482008a4a1006f1ddff24d04382673

SHA256
f8ec23b8e933f5223fe195dbd8fc574f4170fa46745593e2f8f4f7350d877c7f

SHA512
fa804c0607409e45979b23a1e8f211182b2a1bb3e9b9d73288c922a29604d8ced57fdb5adcf128134d5e2e33458a8fa9048f7a22d11a57cb7825401d72884e77

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
427KB

MD5
48a87b1afd0363d10c9e7cad73a26da9

SHA1
bf3f35ee90c7750f2a54e9270d1a8c5f12bc2475

SHA256
eeea517fc967cdbcb4be24754cf527af27777bd3ff6f2a244c44b90a115d93b9

SHA512
27e0bdda70589fa87eba5794045aeb11f4b568810d99d6a5e8951b7fc66c558378ac6a4ff87fdf8b582114dd372982b0f91c4f600a1f42e433d6ac5714754a80

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
427KB

MD5
8872ced816f20068660e6e84265dd0de

SHA1
19a7f10ee078c078111744a5ae6e26c4649b444f

SHA256
e6a43ba1373fbf3491046edb59efe863caf36fd64fa97fc45818a0389100260f

SHA512
b95d42f1444d84fb529e6f50e7ae50b67e23b5d59f0962a024a371e761da9c1af726e072476a45dd8e3c18ea1d763c5ff107b844dad74d51428953f655aab860

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
427KB

MD5
e97d69c2250dd8c618546a5aa48f1f10

SHA1
360cd3a34ab499ffffa2dfdd6ecbb0c983990c19

SHA256
e581d3f9dc9dc90ba849c8e83b4a1bdfc9193f5d3ff7dbaa3e69ddffe4f65cd4

SHA512
695e10d82e5138329574d40b171f3d5b5084b28398dd01093f18b17969d4f76fd3889e96f8d7968993ac911cdfcde0a38c9b300512d0ed175f10e2cae191e97f

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
427KB

MD5
13e8bc1a1ecd4739028781d691411a51

SHA1
a36769546ef2938a7c69d890b24ff9101d276a50

SHA256
7b0e00338b276152d69d4b38f8ca5cb90cf566246560af8526f744f444424653

SHA512
8b4c260f76a089addd65157c748602f5cac9736086c630ad45e766a49948af2bc881e00d5167ec0dec1ed70380f52ad1467679f20137da02c145697c0dc83489

Download Submit
memory/452-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2404-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads