d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61

Analysis

max time kernel
94s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe
Size

89KB
MD5

b87a607932850b9cdae1faea91f2068c
SHA1

afce92773544742aae92b55adb9e9ef30a3737ec
SHA256

d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61
SHA512

3a6a695f5e66ddf04ca6021f3d7d033364ad93c235228b8b969fd48372a4b1f708c94d3cdc95a641c668e7af1a21eb6f9e1983e5db142a1616990ca9a9210f75
SSDEEP

1536:GI5vtM4iXj/1MZ+/hKNGAqTcgGf1tFcClExkg8Fk:GI5vtpiz/qEh2TqTcgSbFcClakgwk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe

Executes dropped EXE 19 IoCs

pid	Process
2756	Cdfkolkf.exe
1496	Cjpckf32.exe
4928	Cajlhqjp.exe
2628	Cdhhdlid.exe
2292	Cnnlaehj.exe
1672	Calhnpgn.exe
2568	Dfiafg32.exe
2544	Dopigd32.exe
3300	Danecp32.exe
1564	Dejacond.exe
4040	Dfknkg32.exe
2620	Dobfld32.exe
5104	Dkifae32.exe
4584	Deokon32.exe
1796	Dhmgki32.exe
2900	Dmjocp32.exe
2228	Deagdn32.exe
2392	Dknpmdfc.exe
2460	Dmllipeg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jffggf32.dll	d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1260	2460	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dobfld32.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2756	1916	d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe	82
PID 1916 wrote to memory of 2756	1916	d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe	82
PID 1916 wrote to memory of 2756	1916	d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe	82
PID 2756 wrote to memory of 1496	2756	Cdfkolkf.exe	83
PID 2756 wrote to memory of 1496	2756	Cdfkolkf.exe	83
PID 2756 wrote to memory of 1496	2756	Cdfkolkf.exe	83
PID 1496 wrote to memory of 4928	1496	Cjpckf32.exe	84
PID 1496 wrote to memory of 4928	1496	Cjpckf32.exe	84
PID 1496 wrote to memory of 4928	1496	Cjpckf32.exe	84
PID 4928 wrote to memory of 2628	4928	Cajlhqjp.exe	85
PID 4928 wrote to memory of 2628	4928	Cajlhqjp.exe	85
PID 4928 wrote to memory of 2628	4928	Cajlhqjp.exe	85
PID 2628 wrote to memory of 2292	2628	Cdhhdlid.exe	86
PID 2628 wrote to memory of 2292	2628	Cdhhdlid.exe	86
PID 2628 wrote to memory of 2292	2628	Cdhhdlid.exe	86
PID 2292 wrote to memory of 1672	2292	Cnnlaehj.exe	87
PID 2292 wrote to memory of 1672	2292	Cnnlaehj.exe	87
PID 2292 wrote to memory of 1672	2292	Cnnlaehj.exe	87
PID 1672 wrote to memory of 2568	1672	Calhnpgn.exe	88
PID 1672 wrote to memory of 2568	1672	Calhnpgn.exe	88
PID 1672 wrote to memory of 2568	1672	Calhnpgn.exe	88
PID 2568 wrote to memory of 2544	2568	Dfiafg32.exe	89
PID 2568 wrote to memory of 2544	2568	Dfiafg32.exe	89
PID 2568 wrote to memory of 2544	2568	Dfiafg32.exe	89
PID 2544 wrote to memory of 3300	2544	Dopigd32.exe	90
PID 2544 wrote to memory of 3300	2544	Dopigd32.exe	90
PID 2544 wrote to memory of 3300	2544	Dopigd32.exe	90
PID 3300 wrote to memory of 1564	3300	Danecp32.exe	91
PID 3300 wrote to memory of 1564	3300	Danecp32.exe	91
PID 3300 wrote to memory of 1564	3300	Danecp32.exe	91
PID 1564 wrote to memory of 4040	1564	Dejacond.exe	92
PID 1564 wrote to memory of 4040	1564	Dejacond.exe	92
PID 1564 wrote to memory of 4040	1564	Dejacond.exe	92
PID 4040 wrote to memory of 2620	4040	Dfknkg32.exe	93
PID 4040 wrote to memory of 2620	4040	Dfknkg32.exe	93
PID 4040 wrote to memory of 2620	4040	Dfknkg32.exe	93
PID 2620 wrote to memory of 5104	2620	Dobfld32.exe	94
PID 2620 wrote to memory of 5104	2620	Dobfld32.exe	94
PID 2620 wrote to memory of 5104	2620	Dobfld32.exe	94
PID 5104 wrote to memory of 4584	5104	Dkifae32.exe	95
PID 5104 wrote to memory of 4584	5104	Dkifae32.exe	95
PID 5104 wrote to memory of 4584	5104	Dkifae32.exe	95
PID 4584 wrote to memory of 1796	4584	Deokon32.exe	96
PID 4584 wrote to memory of 1796	4584	Deokon32.exe	96
PID 4584 wrote to memory of 1796	4584	Deokon32.exe	96
PID 1796 wrote to memory of 2900	1796	Dhmgki32.exe	97
PID 1796 wrote to memory of 2900	1796	Dhmgki32.exe	97
PID 1796 wrote to memory of 2900	1796	Dhmgki32.exe	97
PID 2900 wrote to memory of 2228	2900	Dmjocp32.exe	98
PID 2900 wrote to memory of 2228	2900	Dmjocp32.exe	98
PID 2900 wrote to memory of 2228	2900	Dmjocp32.exe	98
PID 2228 wrote to memory of 2392	2228	Deagdn32.exe	99
PID 2228 wrote to memory of 2392	2228	Deagdn32.exe	99
PID 2228 wrote to memory of 2392	2228	Deagdn32.exe	99
PID 2392 wrote to memory of 2460	2392	Dknpmdfc.exe	100
PID 2392 wrote to memory of 2460	2392	Dknpmdfc.exe	100
PID 2392 wrote to memory of 2460	2392	Dknpmdfc.exe	100

C:\Users\Admin\AppData\Local\Temp\d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe
"C:\Users\Admin\AppData\Local\Temp\d60a1dcfceafea3b4cc5f08bd0c5c22e3bd93215209bdf7648f5bda3ba172c61.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\Cdfkolkf.exe
  C:\Windows\system32\Cdfkolkf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\Cjpckf32.exe
    C:\Windows\system32\Cjpckf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\Cajlhqjp.exe
      C:\Windows\system32\Cajlhqjp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 216
        21⤵
        Program crash
        
        PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2460 -ip 2460
1⤵
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
89KB

MD5
6420f02941dd78c145f4ab83d1a11dab

SHA1
3d282879e3da7e994b076d555f416adcc13f48c7

SHA256
92006287e9423339921f74b2c543060b0266687757fb8c6423e64a9b326558ef

SHA512
3f2eb1e86303133494f4bb68ca9d81d2ca05eca4213e10bf609a70efbe9b8a981f9a12623064965fa733735338857d8f7bb1c60ee8c00105ce09905861b2a7dc

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
89KB

MD5
89082330a920852be1bcc645246c0b17

SHA1
f767ac0e0fd2fbca9dce3767c4408a3a65a7f16b

SHA256
a8385dd83574ebd1da8c5abb9572784e33733a0892053b48ed0e21b8f6f7f9a4

SHA512
ce34d8ec02f1f89e545a17cab7e39fd03315d119ac7cdcdfc795164aff501a66da565e1d45be2226b555012f3e0a598a27be9ac44f441e8edb4aa0abfabd79c0

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
89KB

MD5
9f8a0b6ad6349fb4f984f4fa945f8e15

SHA1
1cdcbd0d3df487174c79d94a18ace8cd0202239f

SHA256
072b17623aaf1fd8a4ca247946a65ad0b755cbb6fcd744af2b432d44acdbf7fc

SHA512
7df286cc7b9003964d07602b6a6fa87eebbaebc483887d9d53dddcd8e0d88ba6b320cfad78d22f9740367425b96e1808321f9648aa38f6ecf0efa5c7b7c8de8f

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
89KB

MD5
e903643db1a7d96b7b531b38bd299724

SHA1
d2cd948b964d198445f87ef7d7971a2f62e4b00f

SHA256
16a3276cedab913fb3ade4e156fe71bcb2ac3ee37ab28038e40a8f07cbfdf944

SHA512
c0904b272b8321c56477e98cbeaa94a25abfc85ede768dc879a2c7d6a6e6c06bbae21ac827fd1d90ce419165d21c94ce8959b6b7bf523b586957613d6a07a09f

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
89KB

MD5
9a5887cbc0fd28a9e0af4d9c7e62d7a6

SHA1
d7e4a135cb3ea9480b91ce6221f42991583ea6f5

SHA256
45fc2bcc796bc9e8badc0dad0f866965e0818f833beda0bdf44ffba7355ae799

SHA512
b1ce8ea0c5568fd43eaa12931fd21496d1d1aac9d15626fe573de970e369e552ee1ad637c9ee58969ec9084cb834f8c86be9c1b1eb4af8764556a20b175d81be

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
89KB

MD5
78a278e3075f4d6dd92b64e3742c6383

SHA1
ced2f7aae6b5aeb4c7369ed559f537fbf8d0ee32

SHA256
be5bf19a3753a738969d9b3ccd5cca6c9d80cfae2831b0dd210cf8a4aac7d95a

SHA512
a67765c72817d2f7d3716383a99e9614539cd203f9891174706df9c76a53f59f05ca4bb727913174bda3a62d2a73cdb534e5294d77e6d1e7c8595872bee79058

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
89KB

MD5
8633c872f1ef1c5e7153823635ec68b8

SHA1
44563392fa30ed908aae3acbf7ecf21ec7d1ea9d

SHA256
37b0de58bc484434fda89b85f7fba62c82a701adf5198088ed981080a313a153

SHA512
384d839d1b6622b4183a82f5640fadbe290ef304a4de1a2f83d41d1dbe537fe9dd8cc61f89aa4cd306931f7aa7e74d84b25737819b88b784e89a9443638e1ca3

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
89KB

MD5
087bd8198e1709293b9157ea15dd39ee

SHA1
7029ced7ad9d2dd12631507278f494157b209e4b

SHA256
ddbe042e1985307cdbb2e009c3bffa26c78c4582f5fdc33d99afd5b903d53e04

SHA512
50cd41cfb4d747c4c8bd8f15f23a2c8f5b9f06dcda39333a927bf3c87d6597afb1952d25b875d4ea0203700e57a7a105d924cd77bf1906e7ea92a3e50cdc88aa

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
89KB

MD5
62cba754ccb837fbfd1d06bb2121f461

SHA1
f45a34b2a77900cb4c36b52decfab34239225f6e

SHA256
bf3b3cc30d32be005a72cd76eb5fab4acc6b705ac0ad19bda15be0cbba271c5f

SHA512
930ba7edf6b94e5327c80839f10ef3c2d1e822bf34505d8a75f177ebd5c2a62f3b475770500a73ade04acc344f357b4a2e33c03f5b25b576d64f136c054dd926

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
89KB

MD5
161f9187640e0dd026a0c615c17bff08

SHA1
bb6c7003c90a3cc84fef740d3c324d0aeea8f4e7

SHA256
da238db50fcd0ff432dd863f82f0e56ce707da613b3f00a9772897ca24eeed61

SHA512
3ad68086f2f1d1f5718c53a71dfe08278971ac922f57a2ae315e8653aa63b2cc0b907a795fb11fd080a1022a4eec2eec5d38d74352de4bf09b2f4f14627d5547

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
64KB

MD5
1ea3317fabd5b0b935a6d8b54f5fb256

SHA1
3763d6d2db8a8e04a001f210065bc3223e3d9624

SHA256
871181739b62b44b40ac11957edb156a26faf221578380478853a5d3ad681a1c

SHA512
4c9b6d18970d893cdf0a8a835b348c2a0e5becac008cc1b79a4f491061935c0aa7d005ccda3517bd7bd6f3e9c174e7efc8b79870e369047696ddd74d5dc9779f

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
89KB

MD5
a4bed3cb8821aa43a22b53aa0708b426

SHA1
9b98345b48eb1c3e6025deaa4d168f1c81a3293d

SHA256
0dd9d94ef1506dc304622295e61282f35fe75a6840b4210b2bdc589a0c325af0

SHA512
c21cd62930c95773eda59a29d4f0469c000dc64472ed15b8b019c0bced240664d2823a93900c7d8e56d579181dbbbf314890588418578385790ea2c1b8e63b6b

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
89KB

MD5
5d2904c28be9ab28ff567401c5219937

SHA1
55c7d18c1e23a68bf70f1ac55a2b9917ea65b271

SHA256
6b3be160ba0d816b421d9aa6153604a747c8052b76b489955e61dde76b0ca57f

SHA512
84c7f2eeac3b1f370e82322f49a2c08c8b3733ddc74c673b8ea664fca31744115751ac47003b97a3c11a9668007d8d8f06c201a6f1c9e4847ad594cda3e1ed18

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
89KB

MD5
6200a35a221b355260075baeeb522589

SHA1
42451739ba136c729dba620d4c316d51307b9eb0

SHA256
16677ba408d35d9997e1475982601f383fcae59505af97251e906f6e2b6d27a0

SHA512
0d2901ceb174f4998a65815dec8799fe3d9efa14c52efc0c93921e54e21ec8c06a402ad8e1acdef6a7469637e04ee704954294c343b9aaac0350c6e02993ee5a

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
89KB

MD5
d1de3be2123e424ed7b2aff42a6fd776

SHA1
5fe391f9f072be0f60b71f14a05dded9efe1853e

SHA256
64ac4253b54a83d1f197f682a85383cd61012d1aaac7c690fb6f03acbfeabbc2

SHA512
f8c45611b485ac3e35b1d427a561434520565fd46b2dd638f36d393a3120cd1859a03e24b877d91fabce4939a9526f5e29aae25edf9e667d43436ad939171ecd

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
89KB

MD5
521209bf41dbfa3d5a0891baf0081ada

SHA1
8cd26936e38c9ae9bd785b92f2c5fd2c2e7f96d4

SHA256
a6c1b76353ef8bd44e246c9371789b1a85262a3e091ed4c5e2d57052e04c0dbc

SHA512
a407f6eedbad5a2c14bf1f1b19fd465cb58a455b1220b2383add999f259f3ac4c091cf26bb81f626d5d2247810533578d9af02e6667b04655deb526d3924f223

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
89KB

MD5
d3e5f6b9d74035165a9555fd083388de

SHA1
db934e581a55401627574210dea8f9ec60a0ae81

SHA256
d26469742f95ade2f3e727121ad0f06b5183980698bcd9d3fa8e9897964923b5

SHA512
348e872740c547b8a4e59e5332deb43ec224c3f0a0eaa79c1fae7981fbc42613a2ab633713bb89a38561af291493f83141e975082543067f039e9c5952be71b4

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
89KB

MD5
d82cd94c8c6ca0407d485e79dfa5a3c5

SHA1
5285ef446e7a601348fca491c5958d3bb87674a7

SHA256
46b09c692b5e1408fbf60bd262d4f2787f2d079287945035a5dd1a27a081ad89

SHA512
13cb967f544f7c6dfe5114324938cb3e4bb9019b492efc8b6d56394e7ea3d527a39f5995794fc1a89a6b34c1913f84023aecb663caa3c417d00e445bdd62e043

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
89KB

MD5
3626ddd882dc0f034a12b7f78fe981c0

SHA1
5dfedf7ab8274ae6d12fe8fc4bdfdc40b9ec997c

SHA256
214e23ebf9844f70f3b04765461298f08377f97aa66586b81e01b0c7cd6b2e68

SHA512
b27f24836897b800f8db628af8d10c1abfd080edf19e0b6b18c2d4ecc7e5ae7cf5bb8a318772d9039fd40dc3ca14acec6daf31f9aebffa9b76601c3679237d4e

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
89KB

MD5
de24c14673730b1f5093478bdbf073ee

SHA1
9ce9a30907f3671809ec80517f77357239ade0d9

SHA256
5e9efe00d0d13529ffa3e233550ad37b5614b714d8ad5c6da624fc2340553d00

SHA512
914424a9f6c36d17e577e220866550b7e1f8b7cb5fc0809d776afe5b32519620f8182f1aa9a3a443657b43aeab51f8712ba0bd96cce09906c9f59c15ceb69879

Download Submit
C:\Windows\SysWOW64\Ingfla32.dll

Filesize
7KB

MD5
412f684df206cda650a2fff4c63797b6

SHA1
90c5168f22e01ee34c5147ab86b83dcec17ce442

SHA256
27da81543ce0ca2e470bfd4b9639d6d747cddd8561f539304ed2d3433160e664

SHA512
35acbfd5698a6be60fd36161d01efe396e2ed44440fb5968f2a8b41a805d0a77c1319d4301bb9524d47b2affe3221584c493fcb0728b30bae554ba84c94e02fe

Download Submit
memory/1496-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1496-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1564-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1564-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1916-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1916-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2292-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2292-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3300-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3300-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4040-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4040-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads