f1908e4e307af8475c6ce30bdab778d681e0afbd2e43d428c3c33ef9a3d334bc

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eacb579a0aab1ea788bf806141c007f0N.exe
Size

276KB
MD5

eacb579a0aab1ea788bf806141c007f0
SHA1

17950e5fc4976e2bd267451c0473624b70b28bca
SHA256

f1908e4e307af8475c6ce30bdab778d681e0afbd2e43d428c3c33ef9a3d334bc
SHA512

50a49515291eed68dc1eb38696018654d96d9302d654d1b11e0373e9a736f74fcd972499e7972ce495263021abeee7392ade955946feea43252b305f8d4652fe
SSDEEP

3072:16QbVqeKGf9UeS5pAgYIqGvJ6887lbyMGjXF1kqaholmtbCQVDrM8d7wMtLAr:cQfKgUdZMGXF5ahdt3rM8d7TtLa

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	eacb579a0aab1ea788bf806141c007f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	eacb579a0aab1ea788bf806141c007f0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe

Executes dropped EXE 17 IoCs

pid	Process
380	Cmlcbbcj.exe
4844	Cdfkolkf.exe
3120	Chagok32.exe
3136	Cjpckf32.exe
1736	Cnnlaehj.exe
2212	Ddjejl32.exe
2512	Djdmffnn.exe
2504	Dejacond.exe
4008	Djgjlelk.exe
3292	Daqbip32.exe
1308	Dfnjafap.exe
3108	Daconoae.exe
4332	Dhmgki32.exe
392	Dfpgffpm.exe
4620	Dogogcpo.exe
1484	Deagdn32.exe
404	Dmllipeg.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	eacb579a0aab1ea788bf806141c007f0N.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	eacb579a0aab1ea788bf806141c007f0N.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	eacb579a0aab1ea788bf806141c007f0N.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3800	404	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eacb579a0aab1ea788bf806141c007f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	eacb579a0aab1ea788bf806141c007f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	eacb579a0aab1ea788bf806141c007f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	eacb579a0aab1ea788bf806141c007f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	eacb579a0aab1ea788bf806141c007f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	eacb579a0aab1ea788bf806141c007f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	eacb579a0aab1ea788bf806141c007f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 380	3180	eacb579a0aab1ea788bf806141c007f0N.exe	83
PID 3180 wrote to memory of 380	3180	eacb579a0aab1ea788bf806141c007f0N.exe	83
PID 3180 wrote to memory of 380	3180	eacb579a0aab1ea788bf806141c007f0N.exe	83
PID 380 wrote to memory of 4844	380	Cmlcbbcj.exe	84
PID 380 wrote to memory of 4844	380	Cmlcbbcj.exe	84
PID 380 wrote to memory of 4844	380	Cmlcbbcj.exe	84
PID 4844 wrote to memory of 3120	4844	Cdfkolkf.exe	85
PID 4844 wrote to memory of 3120	4844	Cdfkolkf.exe	85
PID 4844 wrote to memory of 3120	4844	Cdfkolkf.exe	85
PID 3120 wrote to memory of 3136	3120	Chagok32.exe	86
PID 3120 wrote to memory of 3136	3120	Chagok32.exe	86
PID 3120 wrote to memory of 3136	3120	Chagok32.exe	86
PID 3136 wrote to memory of 1736	3136	Cjpckf32.exe	87
PID 3136 wrote to memory of 1736	3136	Cjpckf32.exe	87
PID 3136 wrote to memory of 1736	3136	Cjpckf32.exe	87
PID 1736 wrote to memory of 2212	1736	Cnnlaehj.exe	89
PID 1736 wrote to memory of 2212	1736	Cnnlaehj.exe	89
PID 1736 wrote to memory of 2212	1736	Cnnlaehj.exe	89
PID 2212 wrote to memory of 2512	2212	Ddjejl32.exe	90
PID 2212 wrote to memory of 2512	2212	Ddjejl32.exe	90
PID 2212 wrote to memory of 2512	2212	Ddjejl32.exe	90
PID 2512 wrote to memory of 2504	2512	Djdmffnn.exe	91
PID 2512 wrote to memory of 2504	2512	Djdmffnn.exe	91
PID 2512 wrote to memory of 2504	2512	Djdmffnn.exe	91
PID 2504 wrote to memory of 4008	2504	Dejacond.exe	92
PID 2504 wrote to memory of 4008	2504	Dejacond.exe	92
PID 2504 wrote to memory of 4008	2504	Dejacond.exe	92
PID 4008 wrote to memory of 3292	4008	Djgjlelk.exe	94
PID 4008 wrote to memory of 3292	4008	Djgjlelk.exe	94
PID 4008 wrote to memory of 3292	4008	Djgjlelk.exe	94
PID 3292 wrote to memory of 1308	3292	Daqbip32.exe	95
PID 3292 wrote to memory of 1308	3292	Daqbip32.exe	95
PID 3292 wrote to memory of 1308	3292	Daqbip32.exe	95
PID 1308 wrote to memory of 3108	1308	Dfnjafap.exe	96
PID 1308 wrote to memory of 3108	1308	Dfnjafap.exe	96
PID 1308 wrote to memory of 3108	1308	Dfnjafap.exe	96
PID 3108 wrote to memory of 4332	3108	Daconoae.exe	97
PID 3108 wrote to memory of 4332	3108	Daconoae.exe	97
PID 3108 wrote to memory of 4332	3108	Daconoae.exe	97
PID 4332 wrote to memory of 392	4332	Dhmgki32.exe	98
PID 4332 wrote to memory of 392	4332	Dhmgki32.exe	98
PID 4332 wrote to memory of 392	4332	Dhmgki32.exe	98
PID 392 wrote to memory of 4620	392	Dfpgffpm.exe	99
PID 392 wrote to memory of 4620	392	Dfpgffpm.exe	99
PID 392 wrote to memory of 4620	392	Dfpgffpm.exe	99
PID 4620 wrote to memory of 1484	4620	Dogogcpo.exe	100
PID 4620 wrote to memory of 1484	4620	Dogogcpo.exe	100
PID 4620 wrote to memory of 1484	4620	Dogogcpo.exe	100
PID 1484 wrote to memory of 404	1484	Deagdn32.exe	101
PID 1484 wrote to memory of 404	1484	Deagdn32.exe	101
PID 1484 wrote to memory of 404	1484	Deagdn32.exe	101

C:\Users\Admin\AppData\Local\Temp\eacb579a0aab1ea788bf806141c007f0N.exe
"C:\Users\Admin\AppData\Local\Temp\eacb579a0aab1ea788bf806141c007f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\SysWOW64\Cmlcbbcj.exe
  C:\Windows\system32\Cmlcbbcj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\SysWOW64\Cdfkolkf.exe
    C:\Windows\system32\Cdfkolkf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\Chagok32.exe
      C:\Windows\system32\Chagok32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3120
    - - C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
      - C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 416
        19⤵
        Program crash
        
        PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 404 -ip 404
1⤵
PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
276KB

MD5
1f9f755c44a85039c5c618d66deb3de1

SHA1
790b8fb5e62aeda11a2b6f443c03807c5ab80764

SHA256
0a970e0bce0df2bdcda52fff925f78063d7da131044a3401a784432d0f79c8ab

SHA512
d3ab2dfae521fa653f1aa83f9392f388506aee1430639552ae209f6b9c5bfa64aa1fc68e2cc457c44e873509bc7cb2b5d4c65071d2c30b36e3d36463e0c3568a

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
276KB

MD5
dace6d014a789dc4d48c60dd447c2ba0

SHA1
815712a88bd1f1a5e76f11fd470fea1707e616f5

SHA256
b063de9a419ac5eb426181300856d2dd7951bb48bd57bd5bd5156f37c7c188bc

SHA512
3663a37ea4c85569ad48a8d526f9a029a809be2bcb0fc5f58fe20f72dc599c6a622f586d5a6c72933e539693b205065623aeed38629623ceb5e8ad43a8663717

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
276KB

MD5
a4c7e1a8f53b72eede2d481eded2802f

SHA1
68a5049ac300323b2565c8d4ce0eb566ab27d936

SHA256
c50108ff3a2f34b1b06346ee5cd437c315cd55ac585678836e6041212eb8a53a

SHA512
718c68c77da1d9587295e8413257fd042af680a1689ebebbd2a3f67e769bf35ccfb28bee425b1702cedf29a0d287d45c6d8e3ad6459af98e6cdb89533056f66e

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
276KB

MD5
5cd438f5cfa01de6d5769e03740972b9

SHA1
6d0eb01b282795c457ec5792437416c0f8a52584

SHA256
f125cd816eb86bf560535fb9fb97993feaf802718904fab892499b6aff89cf05

SHA512
eaf8565aefc28078bd86870e168a9a5c04395497a6f7d57851b11d93e35bdde511c366887c12922305bea340235730c3cbf7881bb11159eb89c989e377a934f9

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
276KB

MD5
f63c0d5e4a2034b4893d7dfee736668d

SHA1
eaa1224c7c5781ca5804696a405f19d7251bd5ec

SHA256
9d593946ff177db74eccebca99cfb19ec5fcf6b0df7dac435a09127b29619b32

SHA512
0a3868f5055c1480021f1dd5532d8e70ed63981af3c67b30bd2470300aecdbe42bfdda33f558aff820e64077347c34ed2e93405e380c65ba9f40fa8636b7a34a

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
276KB

MD5
605c90c7aa4b0bac54ed17a3aa6e6edf

SHA1
87d2fbf892f345e28ab0d43773688d0c126ba86b

SHA256
46f4c2cadfbda934d49881a2b7c90a2b4940b86d1d3d0d1474da47f9afde1868

SHA512
a8f161851bddee9b983bcac19e8e00979313a8e406a8440507d2e7e0112f0a5706da70a0d3f038d190eb6a08526a87dfdeca946f8ce58a49511d41a5b88f9600

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
276KB

MD5
3745e0ac3c3471acb9448dcf6a41bdf6

SHA1
746f7c73608aac3de4e4da432bb2adef52e79b8e

SHA256
86d1ea05b615d2189ded1d9286d908b0a42d4e393b88ee563c1ea6163bbe9ac4

SHA512
1607edd8e98b10ebe07a1919a98c93ebe85e6bdae4f8e0c98bbbd6cb361e5fb4edc440ac14060425453e40ab2c08259373bc78f51cbd3d605c1671710df25293

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
276KB

MD5
a1aaf4f43dcd115bc9c114a079301559

SHA1
16b0f4da329ee99cc1577f5496c03faf7e1aa598

SHA256
ffdb24c4c084bd7be3a802cdff4850c830f6f34bc75ba82080e156ccbb4e4970

SHA512
96e0d4dc68ad3990d3d45279e6a092d23e837c0ad5358cd6edd10ccfe1cb876974a4035aaa64345a1c5780959c28fe3c8b499ec50b378241a48c64018c62b6fa

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
276KB

MD5
182859d71cc06394e4509504856809b6

SHA1
e48055393188850eb1f13cdb212e169ebc59f3dc

SHA256
5f7ab6d601c8760339bbc4cedb02af7e078dce08f41083c3c208feae65f5f4b0

SHA512
2c00b593a6f610a140ce0615ef9840b7459bec5ff0480a1d4a9eeb68a3d5e8e260561d80a841bbe4f4ca0c9d7294788793854910061309cd2b5c683e9b8f9a5e

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
276KB

MD5
5f3c0c63bb3fabbe92375baa805676de

SHA1
745e4d3ca2543653b58bc3da783e94972041f7f7

SHA256
09523d6fde2d5dfba996e41cf2eb1e22c4372953f60497cf11b2f0714dc251e4

SHA512
811318a48fbeea1512f285b438a8d20282bc025304dc7ee04ab8f953dbc40cf56f3f487cb917f064c91d66f2e238a0f71567645ebb8661f4cb2979ed96335e83

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
276KB

MD5
7f954d922b95c8ea3951e1698c05b3f9

SHA1
45be364181c33136124bfc3e3c8c25604db016b6

SHA256
ff4049e3e333297866bb1ba7354f425c8d9925fe3ebe959a51a0a7f78bb6356a

SHA512
52dce054f8994ce07fe3c232e286be6e161f8ef198bf6c6bded7a2bce931ce115b658924004c701d82027025af1996781e7d2c45f6326195fe88f23efd2d3e15

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
276KB

MD5
243271d1059b3d6416499bc4420fbd31

SHA1
f4a8a804d33fc1015ef160bb8efe6b94dca26154

SHA256
8d5a1ce5291c8df019813521f0ee06cdd17368c4ef03752c0da487483d71acec

SHA512
6cd34e484cb46cd1249f36db70366bf27f110bc664eb63236be696a5478ee2cf4e7f27be574d872518b0596742d09cace393cab5eb0289f54170776f1dccf6b8

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
276KB

MD5
e79f08f689063f50a2c098a2bd2447f7

SHA1
ad6e0befc783050b048630848cf27c8060c8c506

SHA256
992d3c82ad6f02501c82369f18e7c0f8031a5b7f5b11f87cf1b1b6e7595dc080

SHA512
a56203c170ac0250b6e3feb4fe97c29bd1d61ea4ba8a2d646f626c923f26745f09aa3dd222aa14f0b0cd856f5b5d124506b6c8f1e558f1c96e4b7746acf20d50

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
276KB

MD5
a9f3851be92f28c301d635db4b78a54c

SHA1
bf2101bbfc13cb39d8d2f00095dd6e4baa00f0cc

SHA256
c0954bc4c52892d3d0537fe88b66ee106faafdd6bdf646b97404304f2fb1316d

SHA512
7291fc26e6c8c153a0b027020d73184cdf399a64f538c7b464b84487ee0ef0ee0583e863521ab5cf38fbfc6cf5bcba8cc22f6547b27d2513f1dd3cbbceb9cd2a

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
276KB

MD5
5637d71630a0b12a914c74246087b569

SHA1
3c111ad5b7dc428099ab0494a219c9adeb49dcba

SHA256
c5fae5492fc33dbf73616f39146f84fc00b8323c88cd0e9c7b86c9e3930e4ce0

SHA512
c4532d15d4c7335034fa60f1103d2e3aee6a855b06dba6abbbbace7681c6015a28a98d85c8d4e64e91d3f931b2fc7c3ff16ea06e7518d8518132bbf157dbcde5

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
276KB

MD5
5c945b1ed38d231a801231aba28f9c10

SHA1
6fe9d85b56f02112950dc213816eec1d43af0d6d

SHA256
4323f398ce23f45fcdf01a8e040b1f806a7dbb056b2b4bb33327cc35c932534d

SHA512
4cab618f31328031749ac30541947350d39c2b510601321597537aafe3797ad25fa1989a400c990bbfe0a3e6e5856206261c60be8bcde9bf6cfcc2944f99f0dd

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
276KB

MD5
e6cd81ce45f11f4b08958985fe20ed5f

SHA1
671394eb6501c5250b8c5c3acc55d39142595822

SHA256
cab94638c4d2cd79239cadbffee0b7041c409568d24a542e95ee2d373cf4c397

SHA512
cc2bc3de722b776025b9a523562446a35b9509107791531194b8edf3382711eddc31543e61b7e43da2f142c3a5c8cd428b13ee73091fee82e2a9ef58845ed842

Download Submit
C:\Windows\SysWOW64\Ingfla32.dll

Filesize
7KB

MD5
412f684df206cda650a2fff4c63797b6

SHA1
90c5168f22e01ee34c5147ab86b83dcec17ce442

SHA256
27da81543ce0ca2e470bfd4b9639d6d747cddd8561f539304ed2d3433160e664

SHA512
35acbfd5698a6be60fd36161d01efe396e2ed44440fb5968f2a8b41a805d0a77c1319d4301bb9524d47b2affe3221584c493fcb0728b30bae554ba84c94e02fe

Download Submit
memory/380-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/380-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3120-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads