9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46

General

Target

9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe
Size

64KB
MD5

aa4d24f7e4d91b976015587f12e5a12a
SHA1

0f2dd78b7ca06f2f0353e2a9285aa2c8babb3d7e
SHA256

9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46
SHA512

7149f878b47981c8e112a0f1ab0ce501a15ce8ad8b353fa80ea806d4880fd0da8f6abd57c4e09d22cbd787c2c4399c1851fa56f77d76aa6c171ed186dad8d127
SSDEEP

1536:lZKPJ/oqJZ5aHyQboyEs41HUXruCHcpzt/Idn:lZgwqJZ8S3yEs6pFwn

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe

Executes dropped EXE 8 IoCs

pid	Process
220	Delnin32.exe
3656	Dfnjafap.exe
5112	Dmgbnq32.exe
1624	Ddakjkqi.exe
3680	Dkkcge32.exe
540	Deagdn32.exe
2624	Dgbdlf32.exe
3144	Dmllipeg.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3224	3144	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 220	4032	9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe	82
PID 4032 wrote to memory of 220	4032	9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe	82
PID 4032 wrote to memory of 220	4032	9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe	82
PID 220 wrote to memory of 3656	220	Delnin32.exe	83
PID 220 wrote to memory of 3656	220	Delnin32.exe	83
PID 220 wrote to memory of 3656	220	Delnin32.exe	83
PID 3656 wrote to memory of 5112	3656	Dfnjafap.exe	84
PID 3656 wrote to memory of 5112	3656	Dfnjafap.exe	84
PID 3656 wrote to memory of 5112	3656	Dfnjafap.exe	84
PID 5112 wrote to memory of 1624	5112	Dmgbnq32.exe	85
PID 5112 wrote to memory of 1624	5112	Dmgbnq32.exe	85
PID 5112 wrote to memory of 1624	5112	Dmgbnq32.exe	85
PID 1624 wrote to memory of 3680	1624	Ddakjkqi.exe	86
PID 1624 wrote to memory of 3680	1624	Ddakjkqi.exe	86
PID 1624 wrote to memory of 3680	1624	Ddakjkqi.exe	86
PID 3680 wrote to memory of 540	3680	Dkkcge32.exe	87
PID 3680 wrote to memory of 540	3680	Dkkcge32.exe	87
PID 3680 wrote to memory of 540	3680	Dkkcge32.exe	87
PID 540 wrote to memory of 2624	540	Deagdn32.exe	88
PID 540 wrote to memory of 2624	540	Deagdn32.exe	88
PID 540 wrote to memory of 2624	540	Deagdn32.exe	88
PID 2624 wrote to memory of 3144	2624	Dgbdlf32.exe	89
PID 2624 wrote to memory of 3144	2624	Dgbdlf32.exe	89
PID 2624 wrote to memory of 3144	2624	Dgbdlf32.exe	89

C:\Users\Admin\AppData\Local\Temp\9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe
"C:\Users\Admin\AppData\Local\Temp\9c6f60add4dff4cd13fafc5717b4af4e6082bb4cc3421e598e91ddf5a8e39d46.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Windows\SysWOW64\Delnin32.exe
  C:\Windows\system32\Delnin32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\Dfnjafap.exe
    C:\Windows\system32\Dfnjafap.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\SysWOW64\Dmgbnq32.exe
      C:\Windows\system32\Dmgbnq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5112
    - - C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 396
        10⤵
        Program crash
        
        PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3144 -ip 3144
1⤵
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
64KB

MD5
0ef2bf540727334291533b898a741a21

SHA1
f98dea249d9d392a1294e9bf13a2f765e426fe52

SHA256
da4c66c01a95acb85c53e5e6dd81dc8da643f49fce2e3a570e474308e180dfe8

SHA512
b98e11b03af606bc593546621f1e74681e9b267e3f121f489229fe88ca2d055e553392dcbd0138e18dda0aa996e15f246e85d634aca55a9eb18c9f028caff49f

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
64KB

MD5
fbf22c83a439f2d663add1842aad099e

SHA1
8338646ef90098c73ae59fc00dc06d8f6dc27ca9

SHA256
7e0e394408cb9c5b5b292e67306b797eccd87602daee7d73b7a43af7b787a5c8

SHA512
afc040c07991061b55ae3f51dac01995ba07d5e64e86f979d0782a74a767b05b0b7d813eb236f83297d9824a49b0f84ca9b841922c3a7ec4dc9179adce0520ca

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
64KB

MD5
1c991ee79e0f805e22f762130f6870c7

SHA1
e8fda55aaeba0ccee61f2da0ba2fc0244ae68849

SHA256
5f0928d9a94af533541828457449ec0c93eff3980603cfe4d9be9ad0a1a6f090

SHA512
3f178263f0c8d5a22766c770f98824d53a0c9d3ddf8685cbccf833ebbc8baea019b5829558b0ab4c864be7bc778183b7a804a41a5d0608a6d792b83398d38ca0

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
64KB

MD5
9ab862b548c707f952d9f83b77b46497

SHA1
669800b0ed256f18e2f384e025db304b2b6eeb17

SHA256
3dd41f955978d14c2b15a46416f73ad6c2f31f1f27c890dbbf28ca705ce9dcdb

SHA512
3cbf75bb35f0c6571bc3b6efba59fbd4a968238cba9646d37191681fb6b153743b7e3fd21b9617d3d2a2f4f1b7ad6b2969c201f1301b60e8d551b092e5b7359f

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
64KB

MD5
e520da584915a89712073d18c0c967c6

SHA1
56e0d1914d829690c52435658e23c43636f2ab57

SHA256
8befd027d181d3814f2a04b8f85184caa7f973f6303476d6be37a0e73e387c94

SHA512
51fef1eeb7f84bd84ab010dc6741bc7ffab714ed727d47e241649625cd09da1913b5e86cda9ee0f68222e7349ac8cc62907e79c273e6d8c9e00477701958922f

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
64KB

MD5
5f4973a92495e36e32a5bd65e1d0efc8

SHA1
20eef21af84695ec1f8164936585e9a93327764f

SHA256
7916939ef9f291aeab16a0c6e97879048655fc6579d23cb9a2cb5e7cf7d52e83

SHA512
46c836b5e353394495ab252a526f65473bc320e5d185698025aebfc36cf0e921c3826330168ced3b70d1f254b679038f76bcc67c7f07db34d3b4dc2a5678de01

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
7cd57f6e7e00c0f435956047c2938044

SHA1
29389910a9baabd458110773622a5d0001de1e0c

SHA256
0201b72b5b2811c73320f875da29dd883156563c1af2d31da95bd4a776f3cf7e

SHA512
ad8a99a20dd049f0989a98027971ffd3b929208d75aa71a647bdec490f322fcf6edfdee0e46ee357b2818ed3b60654edcdcd7415108ab27cb9fe967c15543e16

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
323e4d857c7693a8356acb5e82e45804

SHA1
991307c75ec848b01d2d7228d524d6e66692ea53

SHA256
f8bc0a2decdf6fa79e03098cf11948e862fd03cbec08e6f8ce0863ba9d42d4e3

SHA512
5f9f67a4ea9668d92319120db5fee5de9280774f8cebada79af84bc41a34fb3ffbf316d967c3a772f7332d882a8e3200ffe4380b49fea4d7564486a405bc251e

Download Submit
memory/220-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/220-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/540-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/540-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads