7af5e2c0b5bd47977132015f63296a3511159b73b6f30fff234fefd15f9af00e

General

Target

003bc4a27334564f0ac1fd1cdaf7a9d0N.exe
Size

80KB
MD5

003bc4a27334564f0ac1fd1cdaf7a9d0
SHA1

2cdbc54f04de576b383043d61c0d21b410172271
SHA256

7af5e2c0b5bd47977132015f63296a3511159b73b6f30fff234fefd15f9af00e
SHA512

17f32a630b1c07b33d381e7baaf7995873a28eb40b781c12b77b51998f9cfd9386cd2142f4c0b5270dc9f91162f53ec12d5d048c74c96d14a09adac1c0dba4bd
SSDEEP

1536:r1c4z99rxd9WmNzLqSW5Z/74OFdiVRN+zL20gJi1i9:r1f59VXXZqSW5J4OLiVRgzL20WKS

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	003bc4a27334564f0ac1fd1cdaf7a9d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	003bc4a27334564f0ac1fd1cdaf7a9d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe

Executes dropped EXE 8 IoCs

pid	Process
2564	Dkifae32.exe
2764	Dmgbnq32.exe
3608	Deokon32.exe
4548	Dkkcge32.exe
3880	Daekdooc.exe
3228	Dddhpjof.exe
5096	Dknpmdfc.exe
3104	Dmllipeg.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dkifae32.exe	003bc4a27334564f0ac1fd1cdaf7a9d0N.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	003bc4a27334564f0ac1fd1cdaf7a9d0N.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	003bc4a27334564f0ac1fd1cdaf7a9d0N.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1416	3104	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	003bc4a27334564f0ac1fd1cdaf7a9d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	003bc4a27334564f0ac1fd1cdaf7a9d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	003bc4a27334564f0ac1fd1cdaf7a9d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	003bc4a27334564f0ac1fd1cdaf7a9d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	003bc4a27334564f0ac1fd1cdaf7a9d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	003bc4a27334564f0ac1fd1cdaf7a9d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	003bc4a27334564f0ac1fd1cdaf7a9d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Deokon32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2564	4936	003bc4a27334564f0ac1fd1cdaf7a9d0N.exe	83
PID 4936 wrote to memory of 2564	4936	003bc4a27334564f0ac1fd1cdaf7a9d0N.exe	83
PID 4936 wrote to memory of 2564	4936	003bc4a27334564f0ac1fd1cdaf7a9d0N.exe	83
PID 2564 wrote to memory of 2764	2564	Dkifae32.exe	84
PID 2564 wrote to memory of 2764	2564	Dkifae32.exe	84
PID 2564 wrote to memory of 2764	2564	Dkifae32.exe	84
PID 2764 wrote to memory of 3608	2764	Dmgbnq32.exe	86
PID 2764 wrote to memory of 3608	2764	Dmgbnq32.exe	86
PID 2764 wrote to memory of 3608	2764	Dmgbnq32.exe	86
PID 3608 wrote to memory of 4548	3608	Deokon32.exe	87
PID 3608 wrote to memory of 4548	3608	Deokon32.exe	87
PID 3608 wrote to memory of 4548	3608	Deokon32.exe	87
PID 4548 wrote to memory of 3880	4548	Dkkcge32.exe	89
PID 4548 wrote to memory of 3880	4548	Dkkcge32.exe	89
PID 4548 wrote to memory of 3880	4548	Dkkcge32.exe	89
PID 3880 wrote to memory of 3228	3880	Daekdooc.exe	90
PID 3880 wrote to memory of 3228	3880	Daekdooc.exe	90
PID 3880 wrote to memory of 3228	3880	Daekdooc.exe	90
PID 3228 wrote to memory of 5096	3228	Dddhpjof.exe	91
PID 3228 wrote to memory of 5096	3228	Dddhpjof.exe	91
PID 3228 wrote to memory of 5096	3228	Dddhpjof.exe	91
PID 5096 wrote to memory of 3104	5096	Dknpmdfc.exe	92
PID 5096 wrote to memory of 3104	5096	Dknpmdfc.exe	92
PID 5096 wrote to memory of 3104	5096	Dknpmdfc.exe	92

C:\Users\Admin\AppData\Local\Temp\003bc4a27334564f0ac1fd1cdaf7a9d0N.exe
"C:\Users\Admin\AppData\Local\Temp\003bc4a27334564f0ac1fd1cdaf7a9d0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\Dkifae32.exe
  C:\Windows\system32\Dkifae32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\Dmgbnq32.exe
    C:\Windows\system32\Dmgbnq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\Deokon32.exe
      C:\Windows\system32\Deokon32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3608
    - - C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
      - C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 212
        10⤵
        Program crash
        
        PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3104 -ip 3104
1⤵
PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
80KB

MD5
6b2a75fac66dd48f4e749d9758149c5c

SHA1
ba6e32996e56c5010a1ca4e0661176ad47450489

SHA256
53910cbbb6d1a8f37e2d43aed9243f9ee05b24b48d50f8e33d21838ab00dc14a

SHA512
1924ff931560671a7ed8652156cd4835bb3be63dc7aff31ed1e2a9b07b5bf262dd2d9a3b395e1e8555fb754d560365ccf34bef50ef5faed4f489d8f3adb64b3b

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
80KB

MD5
929c58a5bde217b779cfc56c40631946

SHA1
0b4500561115e867393d15a2fdaed70baa4c5f16

SHA256
c6351b6a7f2284d619f24aa78a486e66c2bf277c7eaab3e7e90c2e6473fa5d69

SHA512
4741975a1e26c9f713b812f0fb1d0f036c047cd1146ac66e309d78cd27e62d9edc6cd19d710196be673ffa7a7d7fa257b90ad7eac72622727cf4d65d3601c121

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
80KB

MD5
f8ed6e89ec33fbdd7f6a646516f532e2

SHA1
1e9195bc93977c6c3b5318b6687c6d7a264dbb7d

SHA256
2ee3728243aec7617ae5aa3746df9e100467edf19eb7b078473ea56dde5d103e

SHA512
cf41b09a4df72c286847059af7b25ac4e13dea89d893e36254cfdbc28a7b769bbea279ee7d4276f9b1d8e440d12d1c02f51948d67d9a9374270697fdc85ae52a

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
80KB

MD5
339c8f75570f0c076a0a8a3d92fbf518

SHA1
86e491ae55628d823486d3a59e7ed8338578b787

SHA256
e30ec94c95237c5823f6e3a221e46d751d1895df873317d4af7a914fe45a5059

SHA512
6efa031a68b452179716a616868aa8ceb31ada749a5edc662ae34d38fed769ba8816f9471358c549b8e73e9882c8b8c502c3cd48cefa027d44f56f67243b64c6

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
80KB

MD5
25c5aaf2e5ad9d1628b1e11d32e91300

SHA1
eecd001ba9708863f6201904a837455e375da4e1

SHA256
73c79a9107000554e3ae6e99e2c981af6400747e890cb08620474a2e4937f14f

SHA512
ff588ff86e39936e180c6b8aff305605f9eb5b36620249ce373ad23624c00b8d731cf02c0e7e0935fd4e6f58ae4c8866bacbc7f7020a54d602f277eaab2b18ef

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
80KB

MD5
d4ca5633d5412769d157df28e8385deb

SHA1
315ecddf442722273d10dbc695ea9313eb7dfe96

SHA256
ac105e14d5dd5d46a7fab1f35ff8ed4fad8da82320cc4f17f4a5bfb005e0cfd3

SHA512
4df9819175d6e0b32ff274c29eba71fff8dee8db5092e1582a9c6d4f88e6f59468fcbf951a4728a6c7b4a935c608efca2742721ce049bae019a8bcd439fe9e69

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
80KB

MD5
3703501d48169ee3c2db1ab922bd8dac

SHA1
df41de2de2ab32e7d411b0e09a0545c7638c6214

SHA256
a878bd64a63f77bfb29cbe14498f0f88f775d68327cdf12b6ca9aed20c168fb2

SHA512
37a55e0d0b8ee76d91993af08436a9843508e075cef862e04cdb3a495e1140bec65f1f0a29b289a02a6804c4ee34300520ee95a6cb2df65fdb0a8e792521763f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
d32e0fb1dcf96f588dcccf9f4085be0f

SHA1
b645cf8bd61aeb21112de061fcc499731dd46a56

SHA256
f65130da685b649cac2e72f9a1228abf9a496f6136ca2d46c6c949b73ea9212e

SHA512
1471eebe0bc86eb231628f25d3054afa96b28584b832b4a5a8d551f38532deb33fd39eabd077b09c5e76675228580a7456d3694e25b2a69a9117131180564b4c

Download Submit
memory/2564-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2764-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2764-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3104-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3104-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-69-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3880-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3880-70-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4548-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4548-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4936-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4936-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4936-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5096-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5096-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads