9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb

Analysis

max time kernel
97s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe
Size

320KB
MD5

c5cda9ffed280bb8c7d8c59350beb772
SHA1

cf2d8f860ad486c4d5a5a4bbf6f28dfde2e2085e
SHA256

9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb
SHA512

9de116d511f6842404c9ea12810db473a01cbffc10e70bdea64804044b92d75f882341bf29e3cc627305a896b3ec229bb5325c1231653f352304b81dd1ec1979
SSDEEP

6144:gH4oWqEcdTCndOGeKTame6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42GTQMJSg:c4UedOGeKTaPkY660fIaDZkY66+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe

Executes dropped EXE 18 IoCs

pid	Process
652	Ddonekbl.exe
4568	Dfnjafap.exe
2072	Dkifae32.exe
244	Dodbbdbb.exe
4792	Daconoae.exe
1192	Deokon32.exe
4356	Ddakjkqi.exe
5096	Dhmgki32.exe
336	Dfpgffpm.exe
3676	Dkkcge32.exe
3416	Dmjocp32.exe
3284	Daekdooc.exe
3056	Deagdn32.exe
1204	Dddhpjof.exe
4912	Dgbdlf32.exe
636	Dknpmdfc.exe
3380	Doilmc32.exe
2680	Dmllipeg.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
692	2680	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 652	4596	9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe	82
PID 4596 wrote to memory of 652	4596	9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe	82
PID 4596 wrote to memory of 652	4596	9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe	82
PID 652 wrote to memory of 4568	652	Ddonekbl.exe	83
PID 652 wrote to memory of 4568	652	Ddonekbl.exe	83
PID 652 wrote to memory of 4568	652	Ddonekbl.exe	83
PID 4568 wrote to memory of 2072	4568	Dfnjafap.exe	84
PID 4568 wrote to memory of 2072	4568	Dfnjafap.exe	84
PID 4568 wrote to memory of 2072	4568	Dfnjafap.exe	84
PID 2072 wrote to memory of 244	2072	Dkifae32.exe	85
PID 2072 wrote to memory of 244	2072	Dkifae32.exe	85
PID 2072 wrote to memory of 244	2072	Dkifae32.exe	85
PID 244 wrote to memory of 4792	244	Dodbbdbb.exe	86
PID 244 wrote to memory of 4792	244	Dodbbdbb.exe	86
PID 244 wrote to memory of 4792	244	Dodbbdbb.exe	86
PID 4792 wrote to memory of 1192	4792	Daconoae.exe	87
PID 4792 wrote to memory of 1192	4792	Daconoae.exe	87
PID 4792 wrote to memory of 1192	4792	Daconoae.exe	87
PID 1192 wrote to memory of 4356	1192	Deokon32.exe	88
PID 1192 wrote to memory of 4356	1192	Deokon32.exe	88
PID 1192 wrote to memory of 4356	1192	Deokon32.exe	88
PID 4356 wrote to memory of 5096	4356	Ddakjkqi.exe	89
PID 4356 wrote to memory of 5096	4356	Ddakjkqi.exe	89
PID 4356 wrote to memory of 5096	4356	Ddakjkqi.exe	89
PID 5096 wrote to memory of 336	5096	Dhmgki32.exe	90
PID 5096 wrote to memory of 336	5096	Dhmgki32.exe	90
PID 5096 wrote to memory of 336	5096	Dhmgki32.exe	90
PID 336 wrote to memory of 3676	336	Dfpgffpm.exe	91
PID 336 wrote to memory of 3676	336	Dfpgffpm.exe	91
PID 336 wrote to memory of 3676	336	Dfpgffpm.exe	91
PID 3676 wrote to memory of 3416	3676	Dkkcge32.exe	92
PID 3676 wrote to memory of 3416	3676	Dkkcge32.exe	92
PID 3676 wrote to memory of 3416	3676	Dkkcge32.exe	92
PID 3416 wrote to memory of 3284	3416	Dmjocp32.exe	93
PID 3416 wrote to memory of 3284	3416	Dmjocp32.exe	93
PID 3416 wrote to memory of 3284	3416	Dmjocp32.exe	93
PID 3284 wrote to memory of 3056	3284	Daekdooc.exe	94
PID 3284 wrote to memory of 3056	3284	Daekdooc.exe	94
PID 3284 wrote to memory of 3056	3284	Daekdooc.exe	94
PID 3056 wrote to memory of 1204	3056	Deagdn32.exe	95
PID 3056 wrote to memory of 1204	3056	Deagdn32.exe	95
PID 3056 wrote to memory of 1204	3056	Deagdn32.exe	95
PID 1204 wrote to memory of 4912	1204	Dddhpjof.exe	96
PID 1204 wrote to memory of 4912	1204	Dddhpjof.exe	96
PID 1204 wrote to memory of 4912	1204	Dddhpjof.exe	96
PID 4912 wrote to memory of 636	4912	Dgbdlf32.exe	97
PID 4912 wrote to memory of 636	4912	Dgbdlf32.exe	97
PID 4912 wrote to memory of 636	4912	Dgbdlf32.exe	97
PID 636 wrote to memory of 3380	636	Dknpmdfc.exe	98
PID 636 wrote to memory of 3380	636	Dknpmdfc.exe	98
PID 636 wrote to memory of 3380	636	Dknpmdfc.exe	98
PID 3380 wrote to memory of 2680	3380	Doilmc32.exe	99
PID 3380 wrote to memory of 2680	3380	Doilmc32.exe	99
PID 3380 wrote to memory of 2680	3380	Doilmc32.exe	99

C:\Users\Admin\AppData\Local\Temp\9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe
"C:\Users\Admin\AppData\Local\Temp\9913e0f36a9262551ab6940ffab7d824deca59a0b6977441075058bda7e5bcdb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SysWOW64\Ddonekbl.exe
  C:\Windows\system32\Ddonekbl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\SysWOW64\Dfnjafap.exe
    C:\Windows\system32\Dfnjafap.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\SysWOW64\Dkifae32.exe
      C:\Windows\system32\Dkifae32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:244
      - C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 408
        20⤵
        Program crash
        
        PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2680 -ip 2680
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
320KB

MD5
27514db1e05d79073b450cf84fc3d3b6

SHA1
53e325c38a7d19deb2587070c7c1039282b1c3e8

SHA256
aac43f8f79230a61fb906b80ff2e7752d9efe5d94bfbf7281d788bc1a8ae4284

SHA512
d25ef151d842bdb2fbd5d03adf46060bdf25ff64b93bb8f620f0fc4e0daecf1822f413f8892a0e29adc9f8b308c2381856bd3a95d58dc172b0784b72d68c1533

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
320KB

MD5
f1c4d53bc4f95c6418405cc05e7f2829

SHA1
0c73bd15b5d5d9fc495d70966e7c829285701132

SHA256
7028cfc4845dfa03df1ceb6e9dccbf7a3f6f03442bd674f205633703e4b3b7e2

SHA512
a917be4f55280f6a898b8cd9231236900fda37b9650e88b0e57955b665d67377b813ff86c73e86d3f6cb9cea5720def034bcdfbcb5eebdd006cf8dd94829da76

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
320KB

MD5
e15e2880073b5109d214cb140eb96087

SHA1
93264d60a8dd4da46c82b7e6ffc93e7bf985f5b7

SHA256
78fb962df0dba897a053a9b22566f82499d24da211766201cbdff9356ea61d2e

SHA512
4bbc8cf2b60f5531277924dd29189bc6984e4a243ad2395882f41869dc03d6b02871ca1e7c7689c5975f76b2f5feb65c2d1f542dd30ba0a48345ea34c6c9fd1d

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
320KB

MD5
57312e426890ec8f43581dac603cd186

SHA1
d3ff03118678d039cebb9ef0e7f92ff8c250fcfc

SHA256
aff83340c8a35ab23fe528719d27c2b9ab28ed68a157ae624b1f63cea056a19e

SHA512
13c0cf462254a9e761825facc3cb297417b18560fcaf3c56fa802c2a7bdf59c2cc2d8779c125c2cfd6e8ae309e835b31fb6ab1f7502d03343f8cb98fba044b68

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
320KB

MD5
ed8cafab81bdcc830ee4f3c27b8fc9e7

SHA1
f2ab67f18c07359964fc1d82c74dd99f4b76c157

SHA256
0e95cb4a29df8dcfeb3fb5678a0cbd2b6db476759b14ede66a455915022d83fd

SHA512
a8129f3189b10c44bbc4fbc253625fbc2b28f2bdff1952b3f8c79742f5591a57ec2a7cb074eb1af397715116f578f1174b91eacc686b20c02a1b70f44c25462e

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
320KB

MD5
43caeaaab0fa2f939ca744e8764e92df

SHA1
e4af8afab8c373ca21618b858cee4e2e72a7c078

SHA256
c9aaada3695195545021d6976342c87422c67dde20735c30fdccc9659e2d6bc5

SHA512
4dc21fc0c94cd2fca679bbb7f3a8c5ff5acf9bb3f1528a51bb9b16d3e0b29d184dd6ac19dc96fd698f23938a299ce0a9cbd728ca616d5cd72daa60d55b76cb69

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
320KB

MD5
a1e06b31883d7d158e7f3dd66f37a74b

SHA1
4048153ff95728be10c7690c13e18c648143886e

SHA256
0bd44f33b9234db2f84c24c5fcc105543a55b7b44d6b641463dc4cfa629fb99b

SHA512
4bb386908336bb4dfd6b1da67df4b0206ef2f105121774533a81c21960ea8e1df0469691ca1a72f47b397a7fb8147d023a31cc7c3e5093f73ecd24230fe798e7

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
320KB

MD5
420cf66182b609fc784d61a0b1cf3aa1

SHA1
c1adb3dcc3d12bc2212aeb893b6a93c3faf88818

SHA256
abd458bdb8af05adee4eb0ef641fecff77d5c0e8714e64450fe978dc5256e160

SHA512
b1970115f831b79d4e6b8d0b9d977cf3ac750844fb7d4aa15a04a504c5f06e5edf329080678c07b7eef7a516bd10cb8352140cf7b3b7cca9d68e2641c9fe1500

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
320KB

MD5
1924772a30412f582742800be33327e1

SHA1
8bd9443498aa911996cd57844c3e6ebf2c6e06f7

SHA256
15932933b0065dc99fec83b731446d0460d019618e291d27bf45696290d83478

SHA512
1cc48e88de7af3b4d9493e915370177b20ed28c3fc4092ef41c5dcd406e7900b3d884942fb60bb66e9bdc8e04744024ce56a1e3fa7047450ab23228173066459

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
320KB

MD5
dda52ec21d6611aea4517e01b3184c3a

SHA1
504a8f2d6601170a000a2176643bb0a55f7d8121

SHA256
6332078b927cb8d56a2e53170e2833167ef4082b537f4cc8961c3599ba1d8d99

SHA512
6b0a79c7a5a84ca79582b3e13c44b358d91a0cc87bee6886b40d4d7cfc9dd06491f88058b5cd60b13eea6c8f960ecba3b1d5bbfc3d20264feffdb416015a0ce4

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
320KB

MD5
73915a970520dabca5f8e8e126e3770c

SHA1
56f97eb02854e8901483db4681cffbe16971b370

SHA256
fcd7547bca8172e3e0db1db9b41ee1d7797b08b4a0aaabf35090f5deefc0030c

SHA512
46664269afbd858f29d8f2d2d1e3dc60fa41126e133976abb7ff2b00b38909b34f72fba9141e010b5bec835ffeebdb20e81e509fac876798148470a0d0ca01c7

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
320KB

MD5
d7ee938acd4f91c18d834857d307603e

SHA1
01006b019a600f70d527cca6ee8fb471c127d063

SHA256
d238f8d37e910729765a9643adf630b02c736d635c16b2c481e7a5fb3409341e

SHA512
7a90d4f86d7d5d07e4a3eeae481f66ec2c23b6e425b56405fe44302b7a6b6a01adfb72291f0dcf0571a64dc672cdf51718efaffeb3c9322e96e16af6f12341f9

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
320KB

MD5
62734c7639470a065917bb9b8916d00b

SHA1
4c5f812b8f36f2b8832722ad0c1f90d2aef73373

SHA256
7f3ae4237c6c906508f54cd6b7ac40e7b67ed2a30201ddb82dd41b90c98dc3f7

SHA512
4c13c1b74ef32af2757cf7163400a933692ca93b4b5684d912cd09ced9ab5513e589702bc97a66cb6efd0287eede0501b260047354874d6be0fa5d030465bba9

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
320KB

MD5
80ce0a0f9ea74240750bb621837afea8

SHA1
93c8790782b713832ca81cfd12d6b49494554461

SHA256
1e4c3d032e9108c8a5ef6842801772ab78751c7c2c85ae08fda701eab8bac663

SHA512
cc34e4b82f1315bcccc5b5b5fd940232d596877bf5655e84408892ae62dd16b8d09fc2db9f72cd6fb3c7c0cf64d4e9d3acb59452c40e571fc87fc8ab0d0dfb08

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
320KB

MD5
c47cc16769572022be3ffdf2c99df0f1

SHA1
00067291595d4e5e1ffec8f41e8b265ef4771edd

SHA256
5a821d90fb96783b910e059d3c429257794fab9c80bb0c237ccd2f26b2f9e6c9

SHA512
116e397ef535848974743e7350160e53233230080c2b94f963dd9f61ca90092eb5bd70075094f172402115676f4ed89f9443ccf0a6f10513c2cdc2118577aae6

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
320KB

MD5
ac7b49fbce4863bc6134571ec01b1aca

SHA1
d7ebfdd5daefd06655a579aba901c156b2796d7c

SHA256
2861bcb060c00556595dbeb5fed046184c14eaaf3818308632bf9614d7447353

SHA512
2c084f28719c06d627a9776ad8cf50fef610df80ad2a9555ed4329732b3343eac7cdcbc34efaf784997599f07fa928226d8d0e1fa71acbea5f7554a043a8e472

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
320KB

MD5
423d99cbb9aa1c43a00c97156383e883

SHA1
deb7aff83fbe6649f8918b37094fbf839fcf1267

SHA256
afd0ef9e30daf954b68d7ea4e1dd1a3a231e6ec6498bdf9b286d9d6e1f886d08

SHA512
568cce580c37d39b33dacb365193e85b35c235c26cca8db4a3459967482eca7caa0d3dcbba92df374f7a0bf583c851910178f4b85c39b15c22176ad82d3f4382

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
320KB

MD5
62e0f3b9df65ffc460255dbb908990ec

SHA1
fd158d6ae552f84029322a1c81e5032e1bed66a3

SHA256
66eb3c12c575f21475933c8487c98f708b0845d6ca4599090109a0305a8e9be8

SHA512
37e6da2209fa2cbc587676f05591503c1a13f2d77384a18f8add54b2b3b61cfc2fafb6b5a4c4ec08c259763f2c7568de16341b810692e89fdd995a7a7ca2fcc2

Download Submit
C:\Windows\SysWOW64\Oammoc32.dll

Filesize
7KB

MD5
591cfc51e959bb6b004cc0ef2bfa0bc6

SHA1
5d2acfa88803905736dd3d1375a8732bf7def631

SHA256
b8f74ecf1b51ba6c0fb5533c0ab70e57805964f047f2e40cc6ea33226537e8b8

SHA512
0ab5832f70963ff095c0e0401b3e9ee0bdd6dd2fb661b262a63c8b3c5619866dfa2e64ebcabe345fddccbb2c4b364907ffb8b1ee7961bbb43f6edf9d6a8d5ef1

Download Submit
memory/244-36-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/336-76-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/636-132-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/652-8-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/652-146-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1192-52-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1204-116-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2072-28-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2680-144-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3056-108-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3284-100-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3380-140-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3416-92-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3676-84-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4356-60-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4568-21-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4596-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4596-145-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4792-44-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4912-124-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5096-68-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads