bdeca3f19d5c11f983bbdb10c2dc8196aa4fc85a93277d6c016d6a95e720ef36

Analysis

max time kernel
93s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe
Size

896KB
MD5

e2c86fbd6398b8e366a220f13b48d9f1
SHA1

b6d2a9d0ee716b4a6c553724faccbaf630521ff7
SHA256

bdeca3f19d5c11f983bbdb10c2dc8196aa4fc85a93277d6c016d6a95e720ef36
SHA512

41295ddb707e03820dc9d85c2991a33e52de22f60b21bf0f14b2dc8053ddcf89de86f177c6a5521e3bb82485f3dcee4b7c529b2d52103c3745b404d21a3cd747
SSDEEP

12288:BtS5HlpdkByvNv54B9f01ZmHByvNv5VwLonfBHLqF1Nw5ILonfByvNv5HV:Bwpdbvr4B9f01ZmQvrUENOVvr1

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe

Executes dropped EXE 18 IoCs

pid	Process
2160	Chmndlge.exe
936	Cnffqf32.exe
4084	Ceqnmpfo.exe
1528	Cfbkeh32.exe
4108	Cmlcbbcj.exe
2728	Cfdhkhjj.exe
4048	Calhnpgn.exe
3076	Dhfajjoj.exe
2024	Dopigd32.exe
3660	Dejacond.exe
3184	Dmefhako.exe
4224	Dhkjej32.exe
4984	Dmgbnq32.exe
216	Ddakjkqi.exe
2424	Dkkcge32.exe
1488	Dddhpjof.exe
1048	Dgbdlf32.exe
2204	Dmllipeg.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe

Program crash 1 IoCs

pid	pid_target	Process
3252	2204	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 2160	3544	Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe	83
PID 3544 wrote to memory of 2160	3544	Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe	83
PID 3544 wrote to memory of 2160	3544	Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe	83
PID 2160 wrote to memory of 936	2160	Chmndlge.exe	85
PID 2160 wrote to memory of 936	2160	Chmndlge.exe	85
PID 2160 wrote to memory of 936	2160	Chmndlge.exe	85
PID 936 wrote to memory of 4084	936	Cnffqf32.exe	86
PID 936 wrote to memory of 4084	936	Cnffqf32.exe	86
PID 936 wrote to memory of 4084	936	Cnffqf32.exe	86
PID 4084 wrote to memory of 1528	4084	Ceqnmpfo.exe	88
PID 4084 wrote to memory of 1528	4084	Ceqnmpfo.exe	88
PID 4084 wrote to memory of 1528	4084	Ceqnmpfo.exe	88
PID 1528 wrote to memory of 4108	1528	Cfbkeh32.exe	89
PID 1528 wrote to memory of 4108	1528	Cfbkeh32.exe	89
PID 1528 wrote to memory of 4108	1528	Cfbkeh32.exe	89
PID 4108 wrote to memory of 2728	4108	Cmlcbbcj.exe	90
PID 4108 wrote to memory of 2728	4108	Cmlcbbcj.exe	90
PID 4108 wrote to memory of 2728	4108	Cmlcbbcj.exe	90
PID 2728 wrote to memory of 4048	2728	Cfdhkhjj.exe	92
PID 2728 wrote to memory of 4048	2728	Cfdhkhjj.exe	92
PID 2728 wrote to memory of 4048	2728	Cfdhkhjj.exe	92
PID 4048 wrote to memory of 3076	4048	Calhnpgn.exe	93
PID 4048 wrote to memory of 3076	4048	Calhnpgn.exe	93
PID 4048 wrote to memory of 3076	4048	Calhnpgn.exe	93
PID 3076 wrote to memory of 2024	3076	Dhfajjoj.exe	94
PID 3076 wrote to memory of 2024	3076	Dhfajjoj.exe	94
PID 3076 wrote to memory of 2024	3076	Dhfajjoj.exe	94
PID 2024 wrote to memory of 3660	2024	Dopigd32.exe	95
PID 2024 wrote to memory of 3660	2024	Dopigd32.exe	95
PID 2024 wrote to memory of 3660	2024	Dopigd32.exe	95
PID 3660 wrote to memory of 3184	3660	Dejacond.exe	96
PID 3660 wrote to memory of 3184	3660	Dejacond.exe	96
PID 3660 wrote to memory of 3184	3660	Dejacond.exe	96
PID 3184 wrote to memory of 4224	3184	Dmefhako.exe	97
PID 3184 wrote to memory of 4224	3184	Dmefhako.exe	97
PID 3184 wrote to memory of 4224	3184	Dmefhako.exe	97
PID 4224 wrote to memory of 4984	4224	Dhkjej32.exe	98
PID 4224 wrote to memory of 4984	4224	Dhkjej32.exe	98
PID 4224 wrote to memory of 4984	4224	Dhkjej32.exe	98
PID 4984 wrote to memory of 216	4984	Dmgbnq32.exe	99
PID 4984 wrote to memory of 216	4984	Dmgbnq32.exe	99
PID 4984 wrote to memory of 216	4984	Dmgbnq32.exe	99
PID 216 wrote to memory of 2424	216	Ddakjkqi.exe	100
PID 216 wrote to memory of 2424	216	Ddakjkqi.exe	100
PID 216 wrote to memory of 2424	216	Ddakjkqi.exe	100
PID 2424 wrote to memory of 1488	2424	Dkkcge32.exe	101
PID 2424 wrote to memory of 1488	2424	Dkkcge32.exe	101
PID 2424 wrote to memory of 1488	2424	Dkkcge32.exe	101
PID 1488 wrote to memory of 1048	1488	Dddhpjof.exe	102
PID 1488 wrote to memory of 1048	1488	Dddhpjof.exe	102
PID 1488 wrote to memory of 1048	1488	Dddhpjof.exe	102
PID 1048 wrote to memory of 2204	1048	Dgbdlf32.exe	103
PID 1048 wrote to memory of 2204	1048	Dgbdlf32.exe	103
PID 1048 wrote to memory of 2204	1048	Dgbdlf32.exe	103

C:\Users\Admin\AppData\Local\Temp\Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe
"C:\Users\Admin\AppData\Local\Temp\Virus.Danger.ATA_virussign.com_e2c86fbd6398b8e366a220f13b48d9f1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\SysWOW64\Chmndlge.exe
  C:\Windows\system32\Chmndlge.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\Cnffqf32.exe
    C:\Windows\system32\Cnffqf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\SysWOW64\Ceqnmpfo.exe
      C:\Windows\system32\Ceqnmpfo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
      - C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 408
        20⤵
        Program crash
        
        PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2204 -ip 2204
1⤵
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
896KB

MD5
0017b16e13c278312a530d695a0893b8

SHA1
529da06aae80c38d76dc82642f5c8ac6f463f288

SHA256
34de8da872e0621bd0de874c216e7f104efb8f33b08ae150fe06ba3537ffa6ee

SHA512
5f56d85a3d6141178aeb97481bf391bc19ae7954630f2752d270ed89fd6852be96ea6c0d9fed0635891b7f95282867c8ab705773376330bf23bceebf61fa4379

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
896KB

MD5
1534f41fbcbd966390e095a4afffd8f1

SHA1
0831d30a43ebed608ab4449f00892b5db5b78821

SHA256
b5fddec07ef687decda2fe7b9acf0eb60a5a04304d81efc71f7e1ea185724934

SHA512
92d62151a4bbac4da5df9377b92ea323432e3e0b1ef7c677f139c3107ccb6e67232f3817dafacc6d0cd89d1512fc5105a2ba9e1caa06c9f7dbc38aa1d0b242e7

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
896KB

MD5
16348a8fe960748562d3993a1ef1cc8b

SHA1
8dc7178cfb8deffda027fd93c3bd9c2ba1936196

SHA256
334a997a48e530aec3840d6ac353f0a5effa7ad3acf43b7f043b57505cc009d8

SHA512
1b11a522582b1879ebbe23dc4cf3d3e478952f8325d7f044e16a8ccd1c0d40e127a0b89a7a1f3cedd1d29c4a742e95a00cd60c48466c697bddbc43d8eff9a9c2

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
896KB

MD5
834ace09755ecf24ac83c947d0dfa946

SHA1
4e2a1cdacd2759d27380b3d2b9ffc0ed4e307b9d

SHA256
f09d040dfad12d47855d6638d06eb5f261cf59647bd2f7d2894e151f1dbb855c

SHA512
403946dd0f81bd1a8933b103731340876ee98b622c2602a27ec5cbe75c95aefede09b5a967a0983459a93c8109334f767259f994aacb58c8f0adc7a1d62a85ec

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
896KB

MD5
43814c512c986d33f4330b417335fdfa

SHA1
dd7c28503e8f7cd12e69d12229dd9abbe4b60d00

SHA256
2b7b4d3effd67cfd11beb189427b04ca5c3952b5fd69883a096008126f80740b

SHA512
05ca22813b3f8f2dbb92c9e858728349576f29674bf82cc19de3a04b7426e26e729233e4fa4039077448cbc1186f240aed28389bd8d1ef47d3e5d3b4b3d66734

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
896KB

MD5
f828c0a51f95817154b53b123210f129

SHA1
8df138984a3e6acee23e9ca1b706b1937d29124e

SHA256
888617fe4af7a0ec23150521187560a2285fa4a7512cf1ae5300ef8c24bbd778

SHA512
fcebd9df4d4873afdbebf1691a0c839649a6bb113363079553db622f64d4adca104b27a9459b61e9582addbffecbf2f95cbbb4f27122d9a688a76b5c0f9889e8

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
896KB

MD5
837b67b3ffaab5bb055d1d0814bfae6c

SHA1
ec720364d558427c06fc5d973007109350431de4

SHA256
67ce8d645bc10d0a12c4d7ceab7537e961821d4759220d2eca2ac88c8091f4cf

SHA512
a503090d6f927d052b81a968159937a8a74036a53e3cc8e6b6ed7b3be7bacd48f07c832297697dba9b4b671840f181c720d72fad19cfe0952a928394693a44bd

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
896KB

MD5
b51824d6ede2470bf3f1d4498febb9b6

SHA1
925c5343aa9e269dc2be86882a1f906d11a98d8f

SHA256
5f31887892c0933a5e5d0582d38a9b2df743db3baa001d261a9b2e40734b6d96

SHA512
7efdcf2b81cb283c57fe9d2ba6c1316d72715c1395ddf327efdb3a4576a0c0a77e9b9f9c4c1d0af22396e178315d494ee9e0007bbd346a70761a87a3bbdf80bf

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
896KB

MD5
4ce5e4ad2fe63edaeb4e5e9178036a0c

SHA1
0d02f65bc48dc966a9e152d26e000880d906c770

SHA256
9b13d1cb70a79a9940a28e09c16cb33a335d4ac4a6955ec9fbdb8646a27b71ac

SHA512
dc9a0700aad6437b5e550a6a64428903743cc66e5a70e10f5b8ba4d16d7e7598fff96804f84a587f96effe95def95c5db4d5bd5a5c3990d040c4a3a93768efc0

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
896KB

MD5
42c4519d47b71b28e278eb74af6154cb

SHA1
23a1971292d8fffa93b22dd17695497c34b8f7df

SHA256
ae7699717247f1391ae85920b1999350bc1fefb94a460881aa219dfc79bf0565

SHA512
52b6dac89f48307a3dce2c334ec0f75ca25e8b68d1eab24bb02d92b15ca2a990f9d23175d4869d8f333769f3a6ce14e06d0654fbb3f1de56c8dda1f9f905b035

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
896KB

MD5
fde48ab76152aea765074b96c7489c57

SHA1
7b67d05c331f39896d81268f1c5bd2e51d81e983

SHA256
b124cd5ff807174e7d070befc1b2317796a9cab73ed70be804a578a9401db615

SHA512
6c03444d3590105a2d4553c7cddc95898ead57610b12beaaf91accbd80f594d29190675603ee7cfa2ff7aabfd5878768fb9f33555a0d7fe5cc74f73610ab25fc

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
896KB

MD5
1413abfe8af86cf119078bf5b7b28d63

SHA1
db25d3947a9097f3b032c7475d78d6ad7650f38f

SHA256
d538e61d65787168b7dcdc17598e45dc25bf61e30ffcd5825789c2d391d297b4

SHA512
630e8fe297d78f060ff7e94eb2991ea1f4321e69c2e8c7ec8c4940da92ac9e3794a24801a4daa7016d9ecf162a2505868a7b57187c92bbc212b86fb2ecc8efbb

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
896KB

MD5
cb7ef3dc12f2b2c2133ba8b5ac8ae593

SHA1
899d5193a43382911258fa11e22d5335b9b1fe50

SHA256
c31a16991d9e0e426e93ca5c1daffa188e4071e8f7bbe0a66a2634baeda246f0

SHA512
23336f1463772765be41bf74d6a4af0871a7594ee55dbb410bee86101dbcdf9f7e6ab81eca4049f63374aada8c57429ea623a1b2ed03a0bd91c731c6d5358703

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
896KB

MD5
f8f6075f148fbecc81497db973ba06a0

SHA1
aae08695580f262ca828f0c56f9e0ea605b8c996

SHA256
38400a21ae85999c33b008419d16eb161f84925888a0beaf602060e72f3738be

SHA512
92fc6901d6d284c1b55acae33d330ee2183de4c33f2e626528650373ae34c64583b973977291abdd221549fc4e1e70ea453414fa701a0e7041e8f8e3a64f671a

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
896KB

MD5
1eba5fcc64f82073d893cfe2dc0ed10e

SHA1
be2ffdd3d930198747b7601f6e73490908d25842

SHA256
5589965808663c6509baf0ba25dc2c59e5d7e9005106ca0bcd2641380a09c8f4

SHA512
8ccdd5829caccbeb6d58b1c457c23ac3348f53095f9a78d4eced2f1274d503193b114d12376ce72d74c1e3a2e8d21d2fece1d0197e3e1c2266c5fc9d4c51542d

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
896KB

MD5
02be2b625cbc85076281da7fdb874f15

SHA1
225eb038caf8e212fbd3f71700a4e1b83d12fc45

SHA256
0a841669933f40bb90d8a14943453c7a6df904658ff8109893e7da8147d76871

SHA512
93c0ae2a362cf77d722e04ab3032687509bccb27615b24988533bdc177aec85df6d3553f1ee36af02070744ce137ddd9a510f942a2ca63f2d88aeda93c8683d3

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
896KB

MD5
95b6d1c9f8164edf750248df795bd604

SHA1
821bd1684f31faaa6502f52a64386410ed387479

SHA256
acb21a8161f106b57b7222b8a800052983a6ba65b3ce45e80724c83f6459f69e

SHA512
2e91d65fa13ca913a953969a9ce34f9f344a5e4da67f682687ec7943e976dbb1acc8d765e3193ea27f145da25ada36f2419a9109a1aad467abd4f570aac7e6e2

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
896KB

MD5
79364fdb710e0705793548eab493d48a

SHA1
5b39ed9697457a6cd85f6a204c9e1377d98c8599

SHA256
e81bbe07a2723d2e87fcff984e0a76ee8ccca222d672a4a9001186c71dca298e

SHA512
bd4b1d16809e685e05b0ee943fbdd23d896ab6739231d9952641948cdf3ed806581eea92fba933ddc580b4802bf6e02f4ce76139858b86371e84d842112afad3

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
896KB

MD5
371e34c020bc96ba04f7052d2fcea6b2

SHA1
f70e14af62c5d30146e1411fac9ba6f0108061e5

SHA256
238802af9485db8a245e23b358947dad6af45da09260f0328e34d8b4bf126d6b

SHA512
a17041db03926621b1b85744075962dc3242fe46c29e15cb9679f5ae5899b8f515383c187c2091be0911a08286cc7b816e88e327aa7b35b3e84c6deb4cea3a73

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
896KB

MD5
661a9b35eeb9b1f24a198f88675e21b8

SHA1
5da0c71c6295437aef40c3bf04a94c84bdf0bdc0

SHA256
ff7fc55d66ca5fd2d4d64f6ef021e04dca526065e24c4534750be4e265810e6e

SHA512
94456de6923f7027a683c8de4fb92d161de393a6ac47604b2e5c1bcdd66a38af0bf5321584f43b7986ac97bf8073c297ac1ee07d719c0192945817e2e31d4e39

Download Submit
C:\Windows\SysWOW64\Fmjkjk32.dll

Filesize
7KB

MD5
6276cf9b461f6b19e4f82f44353b1b77

SHA1
3482f7675362d0866c522788b2bf82529e470d58

SHA256
9369db1688820ee364fb14d5f15f3ee87e000bf1ec1212a53f7d5707d194a40c

SHA512
653c8e870015bb14c2013e903e09f83ccb0f7e10fe8c8997b444605b4e4b2685146fff309430b699ffd634c403817ed1421d628b2a0880b8310cfb3eab597583

Download Submit
memory/216-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads