e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421

General

Target

e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe
Size

84KB
MD5

f12a504b97b107e7fe1144b51d982220
SHA1

fcbca44266ff88dfd2aaa6b29acb230b8a80d80e
SHA256

e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421
SHA512

f132687e58ccaf154bb1b9c72c4048d1e6babf4b1f0700c8b00c28c7121f44aa046ed9c0b96384e206afc07a159fa9019b74851f7ce30b89d14840659dc47eba
SSDEEP

1536:TV1z2J2u4oyEObuYdkSgLDg8dXDdsfXSREXHfVPfMVwNKT1iqWUPGc4T7VLd:ox4HdUWfCREXdXNKT1ntPG9pB

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe

Executes dropped EXE 8 IoCs

pid	Process
1832	Dfnjafap.exe
1012	Dmgbnq32.exe
2236	Ddakjkqi.exe
2752	Dkkcge32.exe
1624	Daekdooc.exe
3268	Dddhpjof.exe
4800	Dgbdlf32.exe
428	Dmllipeg.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4444	428	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 1832	3628	e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe	82
PID 3628 wrote to memory of 1832	3628	e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe	82
PID 3628 wrote to memory of 1832	3628	e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe	82
PID 1832 wrote to memory of 1012	1832	Dfnjafap.exe	83
PID 1832 wrote to memory of 1012	1832	Dfnjafap.exe	83
PID 1832 wrote to memory of 1012	1832	Dfnjafap.exe	83
PID 1012 wrote to memory of 2236	1012	Dmgbnq32.exe	84
PID 1012 wrote to memory of 2236	1012	Dmgbnq32.exe	84
PID 1012 wrote to memory of 2236	1012	Dmgbnq32.exe	84
PID 2236 wrote to memory of 2752	2236	Ddakjkqi.exe	85
PID 2236 wrote to memory of 2752	2236	Ddakjkqi.exe	85
PID 2236 wrote to memory of 2752	2236	Ddakjkqi.exe	85
PID 2752 wrote to memory of 1624	2752	Dkkcge32.exe	86
PID 2752 wrote to memory of 1624	2752	Dkkcge32.exe	86
PID 2752 wrote to memory of 1624	2752	Dkkcge32.exe	86
PID 1624 wrote to memory of 3268	1624	Daekdooc.exe	87
PID 1624 wrote to memory of 3268	1624	Daekdooc.exe	87
PID 1624 wrote to memory of 3268	1624	Daekdooc.exe	87
PID 3268 wrote to memory of 4800	3268	Dddhpjof.exe	88
PID 3268 wrote to memory of 4800	3268	Dddhpjof.exe	88
PID 3268 wrote to memory of 4800	3268	Dddhpjof.exe	88
PID 4800 wrote to memory of 428	4800	Dgbdlf32.exe	89
PID 4800 wrote to memory of 428	4800	Dgbdlf32.exe	89
PID 4800 wrote to memory of 428	4800	Dgbdlf32.exe	89

C:\Users\Admin\AppData\Local\Temp\e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe
"C:\Users\Admin\AppData\Local\Temp\e995293382c404fbec006dff78c85de98736a634aee9c68cb2e69dd8e8ce3421N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\SysWOW64\Dfnjafap.exe
  C:\Windows\system32\Dfnjafap.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\Dmgbnq32.exe
    C:\Windows\system32\Dmgbnq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\SysWOW64\Ddakjkqi.exe
      C:\Windows\system32\Ddakjkqi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 396
        10⤵
        Program crash
        
        PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 428 -ip 428
1⤵
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
84KB

MD5
8224b58d615022b0b7ee69c8b4e14201

SHA1
ee6f867aacff33314465b36f198e63975264c754

SHA256
d4af26315a1cdb95bfb7cc9de0a00d0d38abcf268897adfe04b2827de8a49a88

SHA512
fb785b40e9918ea8dfed04a865068bc162e6e5e703b062fbcc885470690300c0c0d740d018a575b3432559e974c166d4f68f04e494101863b73525f2b7902777

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
84KB

MD5
a04e989c5def1cf83ba09323346e641e

SHA1
d2e05ff3bcd47c4bc5843e24786fdd3146c79254

SHA256
709896a24660f1c13544fe12a9d5d0711c64c755394636341ffdfc6005c08ed4

SHA512
da348739f3c94d964325b2010872c1c248c7db52f1438744b19087b727b426ba89eff99fd7b1bdf1dc9fbca8d6fcfda42d944de6e3c516f1136ba94922d98c51

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
84KB

MD5
d485348ba3d5319430cae0d83e61da34

SHA1
8cc9f4c8f7935d0c5e96efc52825210243e8461b

SHA256
10e8f861ef368eb5e32528adc1a21edaf37ffc68bb5b14e4bd94ec197034945e

SHA512
36a93708614494cefb14770c35aba77ec52d1ec8b59473a589f45b72ad2999e1b81e585faa7cc396f10d5cd78eced61c7ff9c1648f209eb72f7b432635378fc9

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
84KB

MD5
30d07a0af9f313ec61b7a85fd46cc4e6

SHA1
98e911a05e63ffd795b4be61dd2ff1445b78c59a

SHA256
e0c887022da9cb4758ef858b609b00078ce712f1297822a1abc38d4f31a7cd40

SHA512
b3a5b6d1b54236795933bffd7938a24bbfaf12f9ec129dee5c8db7ae4111aaadeebe5796181f0ca5334c44d56315f40d86932b89a907dd433d710ef8904dc215

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
84KB

MD5
f5e555f9bc951f7cc7b9d5b99ae62914

SHA1
9e4a84c749e6f69daa533e54fe7dbb2d8153a537

SHA256
49dcdb271a596ee904a77662e7b5b2e588c8085d92ebdab7fc6c922ce8ff56e6

SHA512
d28ce4c7f559b2b4db096a471d55e1818dbdc568907cf9d0d3c598df3a2e353d82aa5842de5711ea60bbe5c95a6e660acded65fb7a46327b2c006f0e63f9d04e

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
84KB

MD5
0cb831119577cf1135e38e979f8325f2

SHA1
a64ec95cec578057cd3da9e1964c04aab8a12b9c

SHA256
9f9a5a5f6da70684527cdc2a125dd3d274409733a1ade7d994da1efe91d80abe

SHA512
b72a45c4627a62ee3ce9fda2176dfb68f87f71315ac9c4179fe1b1a8b38be965d24f0aad6c3b1abdcd71e8d1273ae221df667fe80452df6084b8a33934789291

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
84KB

MD5
9a53cea98fb4383eafeb82adefc42d22

SHA1
3329518c2d70b17661667c01b02aeec9ab5cefda

SHA256
419c042f39cb5c90e12f99b92cd23cc8b5d14d3ffe110ee52775985febd20175

SHA512
09bc4dad863b4cb0663c36697fc0789c11ea793449f32452bec1c9ea82b18968bbaff32dd4da22f252e0e7641f1731e90472c89762168db6348d6cace5d19eb6

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
84KB

MD5
3292bed98ba8eb3dc0c0d3e3c1452c80

SHA1
d43d49e32e3950f89a9958e1c476001efbc2cb1d

SHA256
2e2b41a398037f0cec621f3924740088d75dae2ab6e08bce226057bd602e4b15

SHA512
bb128105878eb6a611e17b3bc6e5c606b6562fddc10b3e435d7948e14b60635e57515a9ae5bcb6e9fd110549a3a36be356265786ccb2146478fd6681227db92f

Download Submit
memory/428-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/428-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1012-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1012-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1832-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1832-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2752-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2752-69-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3268-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3268-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3628-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3628-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4800-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4800-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads