e1879599961779c16d67a17a5de201da49635a8932d3f2d3b6fe10583b76c138

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3782d18f6b076b9758cabc7a2c98b30N.exe
Size

188KB
MD5

a3782d18f6b076b9758cabc7a2c98b30
SHA1

3838ce2875809534eccda4c71eab5b889d2d5d45
SHA256

e1879599961779c16d67a17a5de201da49635a8932d3f2d3b6fe10583b76c138
SHA512

013cb4f9cddcf3dcc5612f600ae3ca8efdbf96f70a3d65d9c7f052cac6ed91897304d48af1d2cf1cee1fc434a433899c9a0e7c4ef8a698c3a127e663f97df05f
SSDEEP

3072:4v5Wicr/WH9uPsts6HTlWTUOS1AerDtsr3vhqhEN4MAH+mbPepZBC8qzNJSKrDco:40icr/Se6HJaBS1AelhEN4MujGJoSoDj

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a3782d18f6b076b9758cabc7a2c98b30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a3782d18f6b076b9758cabc7a2c98b30N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe

Executes dropped EXE 8 IoCs

pid	Process
2148	Dfknkg32.exe
4372	Delnin32.exe
3124	Dhkjej32.exe
2036	Dmgbnq32.exe
4348	Dkkcge32.exe
436	Daekdooc.exe
3608	Dgbdlf32.exe
1472	Dmllipeg.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	a3782d18f6b076b9758cabc7a2c98b30N.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	a3782d18f6b076b9758cabc7a2c98b30N.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	a3782d18f6b076b9758cabc7a2c98b30N.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4952	1472	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3782d18f6b076b9758cabc7a2c98b30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a3782d18f6b076b9758cabc7a2c98b30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	a3782d18f6b076b9758cabc7a2c98b30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a3782d18f6b076b9758cabc7a2c98b30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a3782d18f6b076b9758cabc7a2c98b30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a3782d18f6b076b9758cabc7a2c98b30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	a3782d18f6b076b9758cabc7a2c98b30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2148	2008	a3782d18f6b076b9758cabc7a2c98b30N.exe	83
PID 2008 wrote to memory of 2148	2008	a3782d18f6b076b9758cabc7a2c98b30N.exe	83
PID 2008 wrote to memory of 2148	2008	a3782d18f6b076b9758cabc7a2c98b30N.exe	83
PID 2148 wrote to memory of 4372	2148	Dfknkg32.exe	84
PID 2148 wrote to memory of 4372	2148	Dfknkg32.exe	84
PID 2148 wrote to memory of 4372	2148	Dfknkg32.exe	84
PID 4372 wrote to memory of 3124	4372	Delnin32.exe	85
PID 4372 wrote to memory of 3124	4372	Delnin32.exe	85
PID 4372 wrote to memory of 3124	4372	Delnin32.exe	85
PID 3124 wrote to memory of 2036	3124	Dhkjej32.exe	87
PID 3124 wrote to memory of 2036	3124	Dhkjej32.exe	87
PID 3124 wrote to memory of 2036	3124	Dhkjej32.exe	87
PID 2036 wrote to memory of 4348	2036	Dmgbnq32.exe	88
PID 2036 wrote to memory of 4348	2036	Dmgbnq32.exe	88
PID 2036 wrote to memory of 4348	2036	Dmgbnq32.exe	88
PID 4348 wrote to memory of 436	4348	Dkkcge32.exe	89
PID 4348 wrote to memory of 436	4348	Dkkcge32.exe	89
PID 4348 wrote to memory of 436	4348	Dkkcge32.exe	89
PID 436 wrote to memory of 3608	436	Daekdooc.exe	91
PID 436 wrote to memory of 3608	436	Daekdooc.exe	91
PID 436 wrote to memory of 3608	436	Daekdooc.exe	91
PID 3608 wrote to memory of 1472	3608	Dgbdlf32.exe	92
PID 3608 wrote to memory of 1472	3608	Dgbdlf32.exe	92
PID 3608 wrote to memory of 1472	3608	Dgbdlf32.exe	92

C:\Users\Admin\AppData\Local\Temp\a3782d18f6b076b9758cabc7a2c98b30N.exe
"C:\Users\Admin\AppData\Local\Temp\a3782d18f6b076b9758cabc7a2c98b30N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\Dfknkg32.exe
  C:\Windows\system32\Dfknkg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\Delnin32.exe
    C:\Windows\system32\Delnin32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\SysWOW64\Dhkjej32.exe
      C:\Windows\system32\Dhkjej32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 408
        10⤵
        Program crash
        
        PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1472 -ip 1472
1⤵
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
188KB

MD5
9955eb68cd5890ce8df4eedf5fd0f462

SHA1
e32a4666fbc9d45a2cc2d57d3595c0670151bf08

SHA256
62de32ea5de2ab5d0db5570717dde49c4f5a3c747fa7e4ba3161055da9422c08

SHA512
6f8610ef6de21167dfa7b980724c726840280b8709e471e10060adfb822a2d5df3f24458116280a887d8267dd447deecf65498c3c699f51254690208b3dfb4af

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
188KB

MD5
e13a22d6445a726ae3c8d97e14451632

SHA1
aff96ffc0ae6df9810a08caaf17a31f788ae5a80

SHA256
b6168be49ff635761d51057e234f8b41a25569bd2846991ae708a811089038e9

SHA512
b2103c9217c6ee594469bc7a28155312cc7a550aa04aa3c377890b6afad22111d39e6d5c38d1a57d1a26dd7995059028d247a7aebde35b106f6060283aeae51b

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
188KB

MD5
fb928e038a2e35dcfc33af22db4ec227

SHA1
6ef056bdc5fda13284eba590a8bc1f0dda3e2676

SHA256
82fa1b5f7f672b6c90b50cbd8ace77dacc89a380d0af0630285ae21c38ba9f9e

SHA512
8124681bc34fe04356dc2dc9d138076255d2ea05f403297a453e8af3a366c5f014e264ab13fb069591e113867f55c2876f3bca020668a00051baec4ab71862e1

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
188KB

MD5
15e76c96a2276934966a7d4984944f7b

SHA1
f0aaf2e292b10d97215709e1eb55138c81702a82

SHA256
1c1039cf8524f76ab685cf55578498f69596b1ad10f28798d0d595e206c4a394

SHA512
70597f8fd242ff59d4bddf60a9df30a90e2b1cbdaf4c480ceaa27fd5c9583d28dd856af807d7ce441ccf62ef408a08a978970ba66e9e6585dd990218c0c03a90

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
188KB

MD5
e1cea50506ac992204e8bb3eefac51ca

SHA1
cb0ac215a2703d8937b1e48d8f3bba59f1c63acb

SHA256
3278a083fd1b9b02d892570497104ba814b50aa95238b8c48d644b109f6fbb20

SHA512
46fd35bc4c5ee1628b1697f0af6153a2b183b0bdf8c0daf6ea1699b8b5fbcf5c8302a25160a59c40391ecac0c2a1858762f04a607d8c9761925553aeeee17b5a

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
188KB

MD5
a4f360066254b0695de50f72a813bd6a

SHA1
795fd7d9ef0f45ab2c235f0b650b615b4f05a7c2

SHA256
7d440c19a57b314c85474f7013ea4ae65ea5c0b270cfefe063a5cccedb421515

SHA512
cf92c4f095dbc89a1d1ace209cd11b0bd1ab9983438edc9a29e8d7cef2a5ae160a88b58fa395adbbde8c1a3bd9552e4842e95f9f904fa9ff93c39ceb07727ecd

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
188KB

MD5
265d8aa7990553de2ff808540d3a37bc

SHA1
0d4d11c172cdc92f97124c2f6d237c1ead69b53f

SHA256
fe3c570535d983eedca12400cec88c63d2956e5af08c8b1a24014a1cf039fe3e

SHA512
0ec9a5b61a57a15f9f3066b674781cfc9e55594e750dfd6740dd51928dbfafb40e09e6cab055b52943b3bad88f40ed77bef77229e15364414332453c1ae7f7c1

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
188KB

MD5
6b4becf54525a5eeb9b3ea586182a49e

SHA1
f887e577754961ba2eab5ccbd66dd7841464c462

SHA256
78f3319ab953514220d07a7517dd33c066a82e9ca66b933c4b05cd6aa9db680d

SHA512
4a6c50d0a50631dff407428291d63a9b201559a3a2ee56344893e0aa3ed39e488f87da926454f58d3465cb38c63ce766353c1d6b99e06860d4a1e0c0970d25bf

Download Submit
C:\Windows\SysWOW64\Jcbdhp32.dll

Filesize
7KB

MD5
13806f00a6e71c83d750e249207dca5b

SHA1
b85e30f5f07fdba0036cd1d3a79418045b2e6335

SHA256
c0390cd96936192209ee5b66160ae26d70c40d9eba803d66a23d088f67840575

SHA512
97a8f89b6882490041ce19ce50b1b6cdb4945104086170781d0fc3cac03f55574e559e617d85b7e069c66677adfa72aa24cb866ec45f097f7c091933a44520af

Download Submit
memory/436-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-78-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads