ae0215cc5b1e4561196c3cc8deaff34f5a6bc64ab0f58102fe6e0406bc8c6a45

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
17/09/2023, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb21059b492e3dab0b37cecf5a7cb14c_JC.exe
Size

93KB
MD5

cb21059b492e3dab0b37cecf5a7cb14c
SHA1

3b89b9bd2a69930b17b99427c8d75d4ab73b85f9
SHA256

ae0215cc5b1e4561196c3cc8deaff34f5a6bc64ab0f58102fe6e0406bc8c6a45
SHA512

57d3113922b60a14409d0cea70102937c5e8b23f620a79728cd9471391093d9cf85efd4a77e1c29e1e2c23c75ef1690c53ac7b7292eca41fd4cd7070e250c539
SSDEEP

1536:Eh6SKmtBxp6C68Hxj3L64UO6TVeq29RW8nqsRQRRkRLJzeLD9N0iQGRNQR8RyV+a:yvb36C6Shb64gTVeZW8nReRSJdEN0s4X

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cb21059b492e3dab0b37cecf5a7cb14c_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	cb21059b492e3dab0b37cecf5a7cb14c_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe

Executes dropped EXE 12 IoCs

pid	Process
2752	Ceehho32.exe
2708	Cffdpghg.exe
832	Cegdnopg.exe
4496	Dopigd32.exe
4856	Ddmaok32.exe
4296	Dfknkg32.exe
780	Dfnjafap.exe
4040	Deokon32.exe
3712	Dkkcge32.exe
1644	Dmjocp32.exe
1352	Dhocqigp.exe
1764	Dmllipeg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	cb21059b492e3dab0b37cecf5a7cb14c_JC.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	cb21059b492e3dab0b37cecf5a7cb14c_JC.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	cb21059b492e3dab0b37cecf5a7cb14c_JC.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1804	1764	WerFault.exe	96

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	cb21059b492e3dab0b37cecf5a7cb14c_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	cb21059b492e3dab0b37cecf5a7cb14c_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cb21059b492e3dab0b37cecf5a7cb14c_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cb21059b492e3dab0b37cecf5a7cb14c_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	cb21059b492e3dab0b37cecf5a7cb14c_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	cb21059b492e3dab0b37cecf5a7cb14c_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2752	2060	cb21059b492e3dab0b37cecf5a7cb14c_JC.exe	84
PID 2060 wrote to memory of 2752	2060	cb21059b492e3dab0b37cecf5a7cb14c_JC.exe	84
PID 2060 wrote to memory of 2752	2060	cb21059b492e3dab0b37cecf5a7cb14c_JC.exe	84
PID 2752 wrote to memory of 2708	2752	Ceehho32.exe	85
PID 2752 wrote to memory of 2708	2752	Ceehho32.exe	85
PID 2752 wrote to memory of 2708	2752	Ceehho32.exe	85
PID 2708 wrote to memory of 832	2708	Cffdpghg.exe	86
PID 2708 wrote to memory of 832	2708	Cffdpghg.exe	86
PID 2708 wrote to memory of 832	2708	Cffdpghg.exe	86
PID 832 wrote to memory of 4496	832	Cegdnopg.exe	88
PID 832 wrote to memory of 4496	832	Cegdnopg.exe	88
PID 832 wrote to memory of 4496	832	Cegdnopg.exe	88
PID 4496 wrote to memory of 4856	4496	Dopigd32.exe	89
PID 4496 wrote to memory of 4856	4496	Dopigd32.exe	89
PID 4496 wrote to memory of 4856	4496	Dopigd32.exe	89
PID 4856 wrote to memory of 4296	4856	Ddmaok32.exe	90
PID 4856 wrote to memory of 4296	4856	Ddmaok32.exe	90
PID 4856 wrote to memory of 4296	4856	Ddmaok32.exe	90
PID 4296 wrote to memory of 780	4296	Dfknkg32.exe	91
PID 4296 wrote to memory of 780	4296	Dfknkg32.exe	91
PID 4296 wrote to memory of 780	4296	Dfknkg32.exe	91
PID 780 wrote to memory of 4040	780	Dfnjafap.exe	92
PID 780 wrote to memory of 4040	780	Dfnjafap.exe	92
PID 780 wrote to memory of 4040	780	Dfnjafap.exe	92
PID 4040 wrote to memory of 3712	4040	Deokon32.exe	93
PID 4040 wrote to memory of 3712	4040	Deokon32.exe	93
PID 4040 wrote to memory of 3712	4040	Deokon32.exe	93
PID 3712 wrote to memory of 1644	3712	Dkkcge32.exe	94
PID 3712 wrote to memory of 1644	3712	Dkkcge32.exe	94
PID 3712 wrote to memory of 1644	3712	Dkkcge32.exe	94
PID 1644 wrote to memory of 1352	1644	Dmjocp32.exe	95
PID 1644 wrote to memory of 1352	1644	Dmjocp32.exe	95
PID 1644 wrote to memory of 1352	1644	Dmjocp32.exe	95
PID 1352 wrote to memory of 1764	1352	Dhocqigp.exe	96
PID 1352 wrote to memory of 1764	1352	Dhocqigp.exe	96
PID 1352 wrote to memory of 1764	1352	Dhocqigp.exe	96

C:\Users\Admin\AppData\Local\Temp\cb21059b492e3dab0b37cecf5a7cb14c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\cb21059b492e3dab0b37cecf5a7cb14c_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\Ceehho32.exe
  C:\Windows\system32\Ceehho32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\Cffdpghg.exe
    C:\Windows\system32\Cffdpghg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\Cegdnopg.exe
      C:\Windows\system32\Cegdnopg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        13⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 416
        14⤵
        Program crash
        
        PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1764 -ip 1764
1⤵
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceehho32.exe

Filesize
93KB

MD5
4caa3be10dadaa462424a9fa07fe32f1

SHA1
244738d0b04b18823f2ef24beffd6c3470400238

SHA256
12d1277672f9697d3a4ee0be80c76bec43fba9268d868bdff35821a09b71b2b6

SHA512
759fb567170ab69ec54da965a19dfb380d9a86252e6ceb9d8e14fa213d0c188c2049d7247367fc70b537bc6ff0403794526e07bf669520ac373580f506bcf79b

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
93KB

MD5
4caa3be10dadaa462424a9fa07fe32f1

SHA1
244738d0b04b18823f2ef24beffd6c3470400238

SHA256
12d1277672f9697d3a4ee0be80c76bec43fba9268d868bdff35821a09b71b2b6

SHA512
759fb567170ab69ec54da965a19dfb380d9a86252e6ceb9d8e14fa213d0c188c2049d7247367fc70b537bc6ff0403794526e07bf669520ac373580f506bcf79b

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
93KB

MD5
6a4390681482baf6c8eef699a16ced58

SHA1
cb14ae553b52c79c8dbd4d9de6283469354f0235

SHA256
f417fcec21cc4fe5504957c2e802e8fab6e3d149eda2a0a68c45f9cf9a7a8d60

SHA512
520d8bc35f1c56521d877a110a1149500e2681846f530388af15a15a85c17eacb907cfc31058cde45936f27478e30f4216aefa4c17980ec56ad5fe11033769e1

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
93KB

MD5
6a4390681482baf6c8eef699a16ced58

SHA1
cb14ae553b52c79c8dbd4d9de6283469354f0235

SHA256
f417fcec21cc4fe5504957c2e802e8fab6e3d149eda2a0a68c45f9cf9a7a8d60

SHA512
520d8bc35f1c56521d877a110a1149500e2681846f530388af15a15a85c17eacb907cfc31058cde45936f27478e30f4216aefa4c17980ec56ad5fe11033769e1

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
93KB

MD5
80f72181bb2e027f08d4ce4450e206ef

SHA1
159aa6845162b7aeadfa07d2c698936684773a91

SHA256
14ee7fa9eceb736263ea5b6e716ae0495a6c69b39bc03a2780b66d571f0a1067

SHA512
1bd4ce8966ced16c1a02da7674b57a4a1cfdc20e03adcf76f3a3bb76685b7f6ddd98a1a0462473cc779c733d78f4603a88bb2174b39a95c58fc24b4e0d9f610c

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
93KB

MD5
80f72181bb2e027f08d4ce4450e206ef

SHA1
159aa6845162b7aeadfa07d2c698936684773a91

SHA256
14ee7fa9eceb736263ea5b6e716ae0495a6c69b39bc03a2780b66d571f0a1067

SHA512
1bd4ce8966ced16c1a02da7674b57a4a1cfdc20e03adcf76f3a3bb76685b7f6ddd98a1a0462473cc779c733d78f4603a88bb2174b39a95c58fc24b4e0d9f610c

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
93KB

MD5
012298c49f172860ec1c13e27819607f

SHA1
b480b3f968335e192cf0475ee2b16a38cc1c4f21

SHA256
11c6169737874192fb3fe7f921e2e6640eca78c80ce7e55c610ee3378313d635

SHA512
058cb369025b3c04d3a6907214a62d1aad598a2944efe63a1873cd114420e240274d53d082db71772b37510c89303dbc11178c103a181b9cf5be38a99a95a93f

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
93KB

MD5
012298c49f172860ec1c13e27819607f

SHA1
b480b3f968335e192cf0475ee2b16a38cc1c4f21

SHA256
11c6169737874192fb3fe7f921e2e6640eca78c80ce7e55c610ee3378313d635

SHA512
058cb369025b3c04d3a6907214a62d1aad598a2944efe63a1873cd114420e240274d53d082db71772b37510c89303dbc11178c103a181b9cf5be38a99a95a93f

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
93KB

MD5
07ffbae74e9c8add67f19e8143c5cb50

SHA1
cdec6f9d461d71d7fd5608f139d5cdb70bbbc95e

SHA256
b1b2a52b5d05a1dc676a5bef841b6a992c1d503b005533e9e591b721c63a488b

SHA512
d11f9df51de1c60548d15528f71d1fd01c7c4dd1be1b596064d5ffdde4e35860e79e279239ff0599d86b11374e2694d188eadb8f7d795e8951d8fd982eb3c931

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
93KB

MD5
07ffbae74e9c8add67f19e8143c5cb50

SHA1
cdec6f9d461d71d7fd5608f139d5cdb70bbbc95e

SHA256
b1b2a52b5d05a1dc676a5bef841b6a992c1d503b005533e9e591b721c63a488b

SHA512
d11f9df51de1c60548d15528f71d1fd01c7c4dd1be1b596064d5ffdde4e35860e79e279239ff0599d86b11374e2694d188eadb8f7d795e8951d8fd982eb3c931

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
93KB

MD5
8b21026c331237b519e89fe966f89c7d

SHA1
0291b5040ad601775f47f5a9b551136b3c97a5b0

SHA256
92e66db8474088276fb6795593f6e55da9c5404ad0b19c6449250c129e2f6978

SHA512
a23897bc780372edc1c3dd472d3963d98df3f206e771858124a3e7b7ae0d551ad30f108d7f4140ff5115b4b1250a67455ac460b8edea11da23b4a4bb79dc0d83

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
93KB

MD5
8b21026c331237b519e89fe966f89c7d

SHA1
0291b5040ad601775f47f5a9b551136b3c97a5b0

SHA256
92e66db8474088276fb6795593f6e55da9c5404ad0b19c6449250c129e2f6978

SHA512
a23897bc780372edc1c3dd472d3963d98df3f206e771858124a3e7b7ae0d551ad30f108d7f4140ff5115b4b1250a67455ac460b8edea11da23b4a4bb79dc0d83

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
93KB

MD5
293e7396be3f610bb69fafe0ca8a0ee5

SHA1
540d9f3a2c7265895bc97052f87c055f77f60a17

SHA256
22d1d592048ea32e37e182efcc648a6cec38756002c935dd8833309972d5b8ef

SHA512
220e0a755e0e926be5164e60bab33464dc7212133942b8abc52cf9806e177af09cb7afe6643e1405bf276a370bf682289eee15194b1b19a766928585bcdfd336

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
93KB

MD5
293e7396be3f610bb69fafe0ca8a0ee5

SHA1
540d9f3a2c7265895bc97052f87c055f77f60a17

SHA256
22d1d592048ea32e37e182efcc648a6cec38756002c935dd8833309972d5b8ef

SHA512
220e0a755e0e926be5164e60bab33464dc7212133942b8abc52cf9806e177af09cb7afe6643e1405bf276a370bf682289eee15194b1b19a766928585bcdfd336

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
93KB

MD5
98e4faa3eefa917e3ac8ed50ec1fc092

SHA1
15ab0e23d1a750f853416b510f5a7f9df11483cf

SHA256
73cb8a8a756e8e4a9611615cfc0529c6e541c6ed9b794b87a089dd10337d3208

SHA512
5d2f32196548f801eec448d140c2c896f6f272eb304a57ec42b5a74c12f5ddc5cfe003adb1be76c532013e6efff6794daa79c6c47cd986f365bf064203da14d3

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
93KB

MD5
98e4faa3eefa917e3ac8ed50ec1fc092

SHA1
15ab0e23d1a750f853416b510f5a7f9df11483cf

SHA256
73cb8a8a756e8e4a9611615cfc0529c6e541c6ed9b794b87a089dd10337d3208

SHA512
5d2f32196548f801eec448d140c2c896f6f272eb304a57ec42b5a74c12f5ddc5cfe003adb1be76c532013e6efff6794daa79c6c47cd986f365bf064203da14d3

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
93KB

MD5
53543cca0b191bbcd260c4c952b2708f

SHA1
a31c5f548bdb4e1cc7428136aa2ffeb7f5c677f8

SHA256
219677301d1875bf47ea3ad576b84622c6283e064e2aaef82f103fe50b276d1f

SHA512
d86be2ee60c801dac247bc0e829632c7951eb8e713cc2278e76705dea12de0cf046d89f3fbbc1188977e300f486e3ffa8794298e116c238e45006b6f85d8cbf6

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
93KB

MD5
53543cca0b191bbcd260c4c952b2708f

SHA1
a31c5f548bdb4e1cc7428136aa2ffeb7f5c677f8

SHA256
219677301d1875bf47ea3ad576b84622c6283e064e2aaef82f103fe50b276d1f

SHA512
d86be2ee60c801dac247bc0e829632c7951eb8e713cc2278e76705dea12de0cf046d89f3fbbc1188977e300f486e3ffa8794298e116c238e45006b6f85d8cbf6

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
93KB

MD5
991716ba35d53b9ba9310a95358911a1

SHA1
5e411efa1a477eea06d0614d7390977255905516

SHA256
49448aa398db1bef3cf601f910e3c555c554d2b4864b83f31590bb84bf3232f5

SHA512
ed4bfac144c14f0fcf1b11f3a1f6fed45e05c97515b6f070d48b6fadb7e4898fe7d12ee11d836dc91a7b8dcb3ef5900af11feeca707ee6a2b376ab2b8b853613

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
93KB

MD5
991716ba35d53b9ba9310a95358911a1

SHA1
5e411efa1a477eea06d0614d7390977255905516

SHA256
49448aa398db1bef3cf601f910e3c555c554d2b4864b83f31590bb84bf3232f5

SHA512
ed4bfac144c14f0fcf1b11f3a1f6fed45e05c97515b6f070d48b6fadb7e4898fe7d12ee11d836dc91a7b8dcb3ef5900af11feeca707ee6a2b376ab2b8b853613

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
e17ed8e7df77e3225e9692d48a2d9378

SHA1
19ac9c6bbee02db21abedf37cfe7d7becdc017c2

SHA256
d91a728a6cb1f43a842e589138b38ce53a02f8338e661cbd0b3bbce91492d38f

SHA512
0d0e3dd04230ab0afa41613f725d07d10af0aa8e40955df5ef1e6281ecda7381bd64debe7c8668dd771996e7ca16c37ff9b06488aa6c41b5a464e08e325b3cfd

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
e17ed8e7df77e3225e9692d48a2d9378

SHA1
19ac9c6bbee02db21abedf37cfe7d7becdc017c2

SHA256
d91a728a6cb1f43a842e589138b38ce53a02f8338e661cbd0b3bbce91492d38f

SHA512
0d0e3dd04230ab0afa41613f725d07d10af0aa8e40955df5ef1e6281ecda7381bd64debe7c8668dd771996e7ca16c37ff9b06488aa6c41b5a464e08e325b3cfd

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
93KB

MD5
583dcd0e4986c56e6c816127da47641b

SHA1
816f656ea8eb9f457624946e2e4049de76d40a99

SHA256
faf34e1190d15a0698ad607ca479627e30f21ef2090b499b1b4a00949674eb32

SHA512
335bfc1134721ad2fff081e2a9b64ab8c357fa09bb244aa1d49fbb9bebfca4e42663e941823b067d1dca1cb45fc0e1c5a9d892e3d7f949d938b4d38f5e824f05

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
93KB

MD5
583dcd0e4986c56e6c816127da47641b

SHA1
816f656ea8eb9f457624946e2e4049de76d40a99

SHA256
faf34e1190d15a0698ad607ca479627e30f21ef2090b499b1b4a00949674eb32

SHA512
335bfc1134721ad2fff081e2a9b64ab8c357fa09bb244aa1d49fbb9bebfca4e42663e941823b067d1dca1cb45fc0e1c5a9d892e3d7f949d938b4d38f5e824f05

Download Submit
C:\Windows\SysWOW64\Jjjald32.dll

Filesize
7KB

MD5
e6d1bde39e9d934624e24571d67d5424

SHA1
7983ca25c2d4b7e1a3362a5e90bd5b66667eb55a

SHA256
4fa7c7ea3209659460147190e19e9a112ea4003a1911f70af3621964118380cf

SHA512
e8923331b7b13571cf74389217d39ee5a6fd44d8546931548f963302ffdde95ed11877b2fd340aeec4729c8873b99dd9d6b46c0bd031d449ab1cf9119bb0f237

Download Submit
memory/780-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/780-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/832-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/832-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1764-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4040-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4040-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads