e5f6212c0f97d401f66f0fae35be633f471fd80e7a336351dbde49121cdbd706

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e38c449a75187f902ea68d5d26f62170N.exe
Size

570KB
MD5

e38c449a75187f902ea68d5d26f62170
SHA1

b3541176874741016f3596033b39cf13281bd332
SHA256

e5f6212c0f97d401f66f0fae35be633f471fd80e7a336351dbde49121cdbd706
SHA512

15af41d3cbc78af636f5ed015e4f99842236e7394651dff74216c940811c168200b145f60e63b98a7254e09d9c0df294e4120221797b6c822963d6d5ef79e582
SSDEEP

12288:XyRwgBRHjPh2kkkkK4kXkkkkkkkkl888888888888888888nusMH0QiRLsRf:BgrHjPh2kkkkK4kXkkkkkkkkhLg

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e38c449a75187f902ea68d5d26f62170N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	e38c449a75187f902ea68d5d26f62170N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe

Executes dropped EXE 12 IoCs

pid	Process
4780	Dhkjej32.exe
4972	Dkifae32.exe
1456	Dmgbnq32.exe
3012	Deokon32.exe
3724	Dhmgki32.exe
4268	Dfpgffpm.exe
1596	Dogogcpo.exe
3768	Dmjocp32.exe
3044	Deagdn32.exe
4592	Dhocqigp.exe
4748	Dknpmdfc.exe
1432	Dmllipeg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	e38c449a75187f902ea68d5d26f62170N.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	e38c449a75187f902ea68d5d26f62170N.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	e38c449a75187f902ea68d5d26f62170N.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe

Program crash 1 IoCs

pid	pid_target	Process
3452	1432	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e38c449a75187f902ea68d5d26f62170N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e38c449a75187f902ea68d5d26f62170N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	e38c449a75187f902ea68d5d26f62170N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	e38c449a75187f902ea68d5d26f62170N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	e38c449a75187f902ea68d5d26f62170N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	e38c449a75187f902ea68d5d26f62170N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e38c449a75187f902ea68d5d26f62170N.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 4780	112	e38c449a75187f902ea68d5d26f62170N.exe	83
PID 112 wrote to memory of 4780	112	e38c449a75187f902ea68d5d26f62170N.exe	83
PID 112 wrote to memory of 4780	112	e38c449a75187f902ea68d5d26f62170N.exe	83
PID 4780 wrote to memory of 4972	4780	Dhkjej32.exe	84
PID 4780 wrote to memory of 4972	4780	Dhkjej32.exe	84
PID 4780 wrote to memory of 4972	4780	Dhkjej32.exe	84
PID 4972 wrote to memory of 1456	4972	Dkifae32.exe	85
PID 4972 wrote to memory of 1456	4972	Dkifae32.exe	85
PID 4972 wrote to memory of 1456	4972	Dkifae32.exe	85
PID 1456 wrote to memory of 3012	1456	Dmgbnq32.exe	86
PID 1456 wrote to memory of 3012	1456	Dmgbnq32.exe	86
PID 1456 wrote to memory of 3012	1456	Dmgbnq32.exe	86
PID 3012 wrote to memory of 3724	3012	Deokon32.exe	87
PID 3012 wrote to memory of 3724	3012	Deokon32.exe	87
PID 3012 wrote to memory of 3724	3012	Deokon32.exe	87
PID 3724 wrote to memory of 4268	3724	Dhmgki32.exe	88
PID 3724 wrote to memory of 4268	3724	Dhmgki32.exe	88
PID 3724 wrote to memory of 4268	3724	Dhmgki32.exe	88
PID 4268 wrote to memory of 1596	4268	Dfpgffpm.exe	89
PID 4268 wrote to memory of 1596	4268	Dfpgffpm.exe	89
PID 4268 wrote to memory of 1596	4268	Dfpgffpm.exe	89
PID 1596 wrote to memory of 3768	1596	Dogogcpo.exe	90
PID 1596 wrote to memory of 3768	1596	Dogogcpo.exe	90
PID 1596 wrote to memory of 3768	1596	Dogogcpo.exe	90
PID 3768 wrote to memory of 3044	3768	Dmjocp32.exe	91
PID 3768 wrote to memory of 3044	3768	Dmjocp32.exe	91
PID 3768 wrote to memory of 3044	3768	Dmjocp32.exe	91
PID 3044 wrote to memory of 4592	3044	Deagdn32.exe	92
PID 3044 wrote to memory of 4592	3044	Deagdn32.exe	92
PID 3044 wrote to memory of 4592	3044	Deagdn32.exe	92
PID 4592 wrote to memory of 4748	4592	Dhocqigp.exe	93
PID 4592 wrote to memory of 4748	4592	Dhocqigp.exe	93
PID 4592 wrote to memory of 4748	4592	Dhocqigp.exe	93
PID 4748 wrote to memory of 1432	4748	Dknpmdfc.exe	94
PID 4748 wrote to memory of 1432	4748	Dknpmdfc.exe	94
PID 4748 wrote to memory of 1432	4748	Dknpmdfc.exe	94

C:\Users\Admin\AppData\Local\Temp\e38c449a75187f902ea68d5d26f62170N.exe
"C:\Users\Admin\AppData\Local\Temp\e38c449a75187f902ea68d5d26f62170N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\SysWOW64\Dhkjej32.exe
  C:\Windows\system32\Dhkjej32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\Dkifae32.exe
    C:\Windows\system32\Dkifae32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\SysWOW64\Dmgbnq32.exe
      C:\Windows\system32\Dmgbnq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 408
        14⤵
        Program crash
        
        PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1432 -ip 1432
1⤵
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deagdn32.exe

Filesize
570KB

MD5
05ca2dec80d0193f85dd5ef6c9df0b57

SHA1
c6bca59168a8272100551d778d40049b6825fe24

SHA256
b25025bbbf2c8340e4745f522eb9d2f16b29490901ce1b1e045127c3368eeb8a

SHA512
080ea2e377006c30243997911a2ec5f84e2125174373d39582f89b3c2f77c052beda7d27b0fd72055f463d1d994a0598971a6b9e84ea58cb1512f61a811144a7

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
570KB

MD5
31e55ada94fdfcba6529fd53cbe8049f

SHA1
6970d48ddb8326065c47fdff6d6a5823ef3c7a20

SHA256
77657368be29e77a061dbedfe80937d01ab05af248fc92d3743f08c55c81c06f

SHA512
9ffbcbb884b0e27a67f48e8af802fb0b46165ad168b0eb2108192162d82465eea3134f520efa59121777b8812ab80353a7d10b633732b291e552114d9594476c

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
570KB

MD5
44b453527d52408042d5993cf6d19f94

SHA1
92db242b555c6cb6f25e97abdbf9cae2f8ddf4cd

SHA256
ad006f541bbf48bbb8218c0fb91ac9e8905658f7fa7ce879318d7f613ef757fe

SHA512
a29479d5ec24e5ca482ae0e36d476167a18a15e31c0bb0342f384ff9bc3f5d32fd94aa1dea635b9f9f314ca1d0ac1866a1e373412c4580a5d9300ecf9e650d8d

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
570KB

MD5
de897cc09d77743e9c27f7f36a2fd2ba

SHA1
17cbc2bf530a7fd7b3fdcd877bcd5696c9fde992

SHA256
56110d3c7e67c6bf8fdb8e9dcb72d0a4b4eeb95d7965ada771fa5090b13358f4

SHA512
0dde0d96687f56a9fac27b427e0b95ccf623a632af1a8da8b7d5509bd0fd0a426d945bf6109dae9c2fc77de4ea5dbc95490ea4cb7390b21d2fe80332c65c68d7

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
570KB

MD5
2c1b4054a9f7f7d8e41ad0c092d8502e

SHA1
2f1648eb641ee7fca16ef325da0a6655ca60d675

SHA256
a66aa0dd7a3f020a82fabbc28842bf9839b2bf4f2833a1fabdceac0e865c26e5

SHA512
5b9c38be0c9910f1646e8347ff62fd39107829d4284a85b6d364d067d174ecb8b5950f98477e052b6dbde176145c797bbb310df330f6a673c3fbfef22c07c958

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
570KB

MD5
02b42b5c9a0796f48d5d1fa11b126a25

SHA1
77e5558a02d0f5f44e400b8f1938983e896d9b50

SHA256
f2c713febf94c6a6fd165bfb26b06d35800565cd5f9390814530624dc7b2b59d

SHA512
3c58360573c7c83ffd42f58a0a86c50c90b6598549e7318f133eeca304957484ffecb73113f6977e1b66ea28b126815c1d514b920abe5dfe880c385d51522826

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
570KB

MD5
34b7236ba882ff95264ffd23aa9f7b69

SHA1
6ea68740bb7f88ff46502c0e1307fd0df42d6c39

SHA256
e6af92c9acfa92da7be91b6116fdc3b11b6104262ed94cb023261a4ef8a1fc42

SHA512
d9b555c4b63c3f3d07499f44cfd6845794afa3ea9bccb6f936c6aab9102cad7c2175593a41afaf7c01331dea79d5bcb4f9951be21ea236517eb8c23d6302309f

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
570KB

MD5
0eeb49e9f8ed1bf3e7eb1c4d11e0bae9

SHA1
8e88997ed975d42a8f7832c6aba1195b883a3732

SHA256
d86f8326d4823ee3bc7d99c76f3c278266aa97a07b29a0fa7fa4ba1aea6141f4

SHA512
9f01e1dc3e49bb354e3e047e6f396751ccd29e568833cc2e483f2f7f694c56f2a698e83d3fc83ebb54fc0fdc6cc3896fd02d21f85e13a57c199fa831e29cd162

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
570KB

MD5
a837ab6d1ed7ce957c38591c145032c2

SHA1
b5b04e205023b1f051b8c03a3232c4dc0afa8c7c

SHA256
c4f20e5a7729b2f5a784c407da33c9dc1d695825b15829ec58fb59900e0c68fd

SHA512
4dd24048a2b9ab99ac09c9e7339f45a0141e15fa4f5c27636089b8089d16d16b99679809b484b293a004738376605346c19970f139731cb99d2c502a871ea3f2

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
570KB

MD5
3e27a4eb1595314cbdb91285361f1b72

SHA1
29eb557e455d136d8c738673943cfb82d48f92e7

SHA256
76a82cae41b1db669bbba56d5f550328bcdbf21f0eafa2cd68ed8ac480f11575

SHA512
ea27154eab7d60939cf0ccc2b881790cf06ca53e56d6673720dac09428204621ae1246bdd53138aa3da06c9fdc760758e5b986dd297ca0ed24a7a7868cf4f23b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
570KB

MD5
cacc73b9d93dfea37d3d402a79ca0172

SHA1
937b6269d5d8b9bcb6d56cf422fd0684188fe5ac

SHA256
3f0d3f5ed3c6e6ab3712879eb65eaaff2996ef4c184eed3582b81bb870b185f6

SHA512
74d3857204154fee5ed66b03803284ed9c094fe4752f099125c978978ef8e0cc5aad61ce9e187ab36600c8a564a7933e5d407bfa64b0f164c07e06a478fbb0ba

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
570KB

MD5
6a377992bc48c662ecfd7b6625a91f7c

SHA1
ad696ec6210fd2307d84b681b9cb8637835ca151

SHA256
d574de5a5dfdb0a465f11033aa9dfaec1318d4c3723892a9fa91cdb60c53e4a3

SHA512
93f806e95b800ff78b4c99f50463687e37adf78b0c2a1f77fb9d7fde1a8a9688fe497d809bbd966915f50c7c9551e096fafe152abf479c0021efcf7b707b2281

Download Submit
C:\Windows\SysWOW64\Fpdaoioe.dll

Filesize
7KB

MD5
4bd57b2fc3bd565c73b49871d22efe3a

SHA1
75e91533610e1d0eafe03bd579cf2b882f6d3063

SHA256
a0250a181817dfb32593ffddef49c94559b400c76bdc34a4961b0f8e86b9d71e

SHA512
221d2e3044f8809d56d0b8a835cd6c82e7bf94415c0563a424df853fbde66902f194c21a2efb6234a6c0a71f845cbd1df6b46ca990c1eafd012c6c7caba73038

Download Submit
memory/112-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/112-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1432-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1456-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1596-60-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-36-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3044-76-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3724-43-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3724-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3768-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4268-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4592-84-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4748-92-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4780-12-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4972-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads