442fd1539f0cefb2ba79d047162f17aa4fdbcc12fcd43f1039abb826221aceca

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8a307d0661cd298ded1c6484efe6384_JC.exe
Size

192KB
MD5

a8a307d0661cd298ded1c6484efe6384
SHA1

7919593e1428d6fc20cf1f705f4de5143ea2d8e8
SHA256

442fd1539f0cefb2ba79d047162f17aa4fdbcc12fcd43f1039abb826221aceca
SHA512

93590cd1b91a4580fbaea1c031ccc51ec2d36ee01cf934f868b198bdd0e2edd8f17ad45137a804e418b76ccbe7eaaec53490185e85fd2d1635361cef07cd3ee9
SSDEEP

3072:1MaNmbOfbnTW0M/cbsiVygzL20WKFcp9jRV5C/8qy4p2Y7YWlt6o:SaNmsbnTW0M0bkgzL2V4cpC0L4AY7YWx

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a8a307d0661cd298ded1c6484efe6384_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a8a307d0661cd298ded1c6484efe6384_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe

Executes dropped EXE 12 IoCs

pid	Process
2452	Cmlcbbcj.exe
1020	Cjpckf32.exe
1428	Cajlhqjp.exe
4448	Cdhhdlid.exe
4876	Cmqmma32.exe
4816	Dejacond.exe
3256	Djgjlelk.exe
3860	Delnin32.exe
4760	Dodbbdbb.exe
4104	Dfpgffpm.exe
4564	Dhocqigp.exe
4820	Dmllipeg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	a8a307d0661cd298ded1c6484efe6384_JC.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	a8a307d0661cd298ded1c6484efe6384_JC.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	a8a307d0661cd298ded1c6484efe6384_JC.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dfpgffpm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2144	4820	WerFault.exe	96

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a8a307d0661cd298ded1c6484efe6384_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a8a307d0661cd298ded1c6484efe6384_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a8a307d0661cd298ded1c6484efe6384_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a8a307d0661cd298ded1c6484efe6384_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	a8a307d0661cd298ded1c6484efe6384_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a8a307d0661cd298ded1c6484efe6384_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 2452	644	a8a307d0661cd298ded1c6484efe6384_JC.exe	85
PID 644 wrote to memory of 2452	644	a8a307d0661cd298ded1c6484efe6384_JC.exe	85
PID 644 wrote to memory of 2452	644	a8a307d0661cd298ded1c6484efe6384_JC.exe	85
PID 2452 wrote to memory of 1020	2452	Cmlcbbcj.exe	86
PID 2452 wrote to memory of 1020	2452	Cmlcbbcj.exe	86
PID 2452 wrote to memory of 1020	2452	Cmlcbbcj.exe	86
PID 1020 wrote to memory of 1428	1020	Cjpckf32.exe	87
PID 1020 wrote to memory of 1428	1020	Cjpckf32.exe	87
PID 1020 wrote to memory of 1428	1020	Cjpckf32.exe	87
PID 1428 wrote to memory of 4448	1428	Cajlhqjp.exe	88
PID 1428 wrote to memory of 4448	1428	Cajlhqjp.exe	88
PID 1428 wrote to memory of 4448	1428	Cajlhqjp.exe	88
PID 4448 wrote to memory of 4876	4448	Cdhhdlid.exe	89
PID 4448 wrote to memory of 4876	4448	Cdhhdlid.exe	89
PID 4448 wrote to memory of 4876	4448	Cdhhdlid.exe	89
PID 4876 wrote to memory of 4816	4876	Cmqmma32.exe	90
PID 4876 wrote to memory of 4816	4876	Cmqmma32.exe	90
PID 4876 wrote to memory of 4816	4876	Cmqmma32.exe	90
PID 4816 wrote to memory of 3256	4816	Dejacond.exe	91
PID 4816 wrote to memory of 3256	4816	Dejacond.exe	91
PID 4816 wrote to memory of 3256	4816	Dejacond.exe	91
PID 3256 wrote to memory of 3860	3256	Djgjlelk.exe	92
PID 3256 wrote to memory of 3860	3256	Djgjlelk.exe	92
PID 3256 wrote to memory of 3860	3256	Djgjlelk.exe	92
PID 3860 wrote to memory of 4760	3860	Delnin32.exe	93
PID 3860 wrote to memory of 4760	3860	Delnin32.exe	93
PID 3860 wrote to memory of 4760	3860	Delnin32.exe	93
PID 4760 wrote to memory of 4104	4760	Dodbbdbb.exe	95
PID 4760 wrote to memory of 4104	4760	Dodbbdbb.exe	95
PID 4760 wrote to memory of 4104	4760	Dodbbdbb.exe	95
PID 4104 wrote to memory of 4564	4104	Dfpgffpm.exe	98
PID 4104 wrote to memory of 4564	4104	Dfpgffpm.exe	98
PID 4104 wrote to memory of 4564	4104	Dfpgffpm.exe	98
PID 4564 wrote to memory of 4820	4564	Dhocqigp.exe	96
PID 4564 wrote to memory of 4820	4564	Dhocqigp.exe	96
PID 4564 wrote to memory of 4820	4564	Dhocqigp.exe	96

C:\Users\Admin\AppData\Local\Temp\a8a307d0661cd298ded1c6484efe6384_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a8a307d0661cd298ded1c6484efe6384_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\SysWOW64\Cmlcbbcj.exe
  C:\Windows\system32\Cmlcbbcj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\Cjpckf32.exe
    C:\Windows\system32\Cjpckf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\SysWOW64\Cajlhqjp.exe
      C:\Windows\system32\Cajlhqjp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564

C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
1⤵
- Executes dropped EXE
PID:4820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 404
  2⤵
  - Program crash
  PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4820 -ip 4820
1⤵
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
192KB

MD5
539de6485d8a9897ade57295c8f453a3

SHA1
fab88129f86a660d67ea48d002225d220dd528bc

SHA256
f679badcbb98353f439050746c9d2f6fdbf1f7a7a653f5ac4a738e5a095885b0

SHA512
0b830581ca7c5653ae7d6bb022ef6d00c24b6e687ee7aa684705d1947422302c1fced96adf4379d1f38f30e1daa3916d9f565ebfc1188c93dc0521a9a5d8266f

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
192KB

MD5
539de6485d8a9897ade57295c8f453a3

SHA1
fab88129f86a660d67ea48d002225d220dd528bc

SHA256
f679badcbb98353f439050746c9d2f6fdbf1f7a7a653f5ac4a738e5a095885b0

SHA512
0b830581ca7c5653ae7d6bb022ef6d00c24b6e687ee7aa684705d1947422302c1fced96adf4379d1f38f30e1daa3916d9f565ebfc1188c93dc0521a9a5d8266f

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
192KB

MD5
f95734bfa1bfe14161900c8088e109d6

SHA1
6062105e000bfdeb5754696906cae330f869f29b

SHA256
5b325d9dc7e8e4649564c8cee85dd63dd052877430300b5b89ad891c2ba98a35

SHA512
afdfc5589174db105703062261a7b4276f52a519fe876989ebea83507de7b551e8607b4d451decbb9bcb578fbcc9fb3866a17c90b1b924306395e5096e474b72

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
192KB

MD5
f95734bfa1bfe14161900c8088e109d6

SHA1
6062105e000bfdeb5754696906cae330f869f29b

SHA256
5b325d9dc7e8e4649564c8cee85dd63dd052877430300b5b89ad891c2ba98a35

SHA512
afdfc5589174db105703062261a7b4276f52a519fe876989ebea83507de7b551e8607b4d451decbb9bcb578fbcc9fb3866a17c90b1b924306395e5096e474b72

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
192KB

MD5
b6da50d64df224f4bbd547e755a14475

SHA1
2a102eaa015f16135c20798505bcd3f0b7811c59

SHA256
bc33707bf9db96c6809baac720df4de9b535c33bc56f98d4c0913bf869cefaa0

SHA512
a1d66b51759535ad1a14e7b46244394ab568cb93586db23e98431ed076ffade7ea567f3b2b28b78734ad5dafcdaae3a40443c0e37f3c868f2d424a4f2347f311

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
192KB

MD5
b6da50d64df224f4bbd547e755a14475

SHA1
2a102eaa015f16135c20798505bcd3f0b7811c59

SHA256
bc33707bf9db96c6809baac720df4de9b535c33bc56f98d4c0913bf869cefaa0

SHA512
a1d66b51759535ad1a14e7b46244394ab568cb93586db23e98431ed076ffade7ea567f3b2b28b78734ad5dafcdaae3a40443c0e37f3c868f2d424a4f2347f311

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
192KB

MD5
2af2fbe8c63baafa421ac06d23c940a7

SHA1
d48a5c71c80fd2d37a6beb4b40712a788ab48922

SHA256
8f1e91a944f9956be762818b07819d6692387521be78bd0ef589a6db34c9d44f

SHA512
65e130aa17aacd6f4ed8fd7fd1f274f686e65eaed21f90ea4a95894f9da28ce070db2e258ffce414d5bd5a46d1529fac9642829b467a6a4e111e1fe9d2991e18

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
192KB

MD5
2af2fbe8c63baafa421ac06d23c940a7

SHA1
d48a5c71c80fd2d37a6beb4b40712a788ab48922

SHA256
8f1e91a944f9956be762818b07819d6692387521be78bd0ef589a6db34c9d44f

SHA512
65e130aa17aacd6f4ed8fd7fd1f274f686e65eaed21f90ea4a95894f9da28ce070db2e258ffce414d5bd5a46d1529fac9642829b467a6a4e111e1fe9d2991e18

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
192KB

MD5
eda87037c2802de3c148b22e01fbffcf

SHA1
30db11a6c7e2550ccd9ff4566efcc7072dd48fde

SHA256
aed89c9780d88bf90ba49efddec1374ca33fd785519786eee85638b6beeb6372

SHA512
9e9bd8858c95544f3b6ab6a7d4df795e5eba20079cfd4df0a102d20261c6a165e4c411e304632c53297534a795227787defc42efb6b9d393f9ec3a839752d62e

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
192KB

MD5
eda87037c2802de3c148b22e01fbffcf

SHA1
30db11a6c7e2550ccd9ff4566efcc7072dd48fde

SHA256
aed89c9780d88bf90ba49efddec1374ca33fd785519786eee85638b6beeb6372

SHA512
9e9bd8858c95544f3b6ab6a7d4df795e5eba20079cfd4df0a102d20261c6a165e4c411e304632c53297534a795227787defc42efb6b9d393f9ec3a839752d62e

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
192KB

MD5
6baf3fd3be718d89c7ea15a0ae8cacc0

SHA1
6fdf18ccfb4b215cc6470513b456c06b1316b227

SHA256
55bce05052fa41f1a96a209c9c21281685d3bae62cbf25487b347b4c07298318

SHA512
075bd79c8b1844035b63f90f4189d4a228312969307e02fe185643d43c5c69790e6ed883f1efca0584b3b0e3df95adbe075c0897aaefd07fc60701af848563b3

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
192KB

MD5
6baf3fd3be718d89c7ea15a0ae8cacc0

SHA1
6fdf18ccfb4b215cc6470513b456c06b1316b227

SHA256
55bce05052fa41f1a96a209c9c21281685d3bae62cbf25487b347b4c07298318

SHA512
075bd79c8b1844035b63f90f4189d4a228312969307e02fe185643d43c5c69790e6ed883f1efca0584b3b0e3df95adbe075c0897aaefd07fc60701af848563b3

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
192KB

MD5
c65a04a11bfdaa1aeaf700f265ed7433

SHA1
a9f661111c3e7c23cc9c1555db3365a047c89c0a

SHA256
01af9bf6c69d239eda3ca7326e4cf5206c83ce5cfe4f872631350e85080bafa8

SHA512
402241e9b7a1b32bd598480d9a3e07cddf3f1b92a70648e77678a2a51768c0704b7c3eb956a2103a2901e516cc1704be331ddd50c7e27ff7059bca9746891961

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
192KB

MD5
c65a04a11bfdaa1aeaf700f265ed7433

SHA1
a9f661111c3e7c23cc9c1555db3365a047c89c0a

SHA256
01af9bf6c69d239eda3ca7326e4cf5206c83ce5cfe4f872631350e85080bafa8

SHA512
402241e9b7a1b32bd598480d9a3e07cddf3f1b92a70648e77678a2a51768c0704b7c3eb956a2103a2901e516cc1704be331ddd50c7e27ff7059bca9746891961

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
192KB

MD5
735616304b0543b01942e335d36114b5

SHA1
5ef67d0b682c8512aa741eba529bfe41a3334c1b

SHA256
4aed750352a0a37c7f851521a0849bf42d5a2b95c09a4f331e75bf86c1365247

SHA512
c43491d4aed3e4a9bd6138591f6d65e1dd6c1792a53ad6c2d732cd4d47564bec699b7d3cdc038b01e22ed65b9fb6af1a28fcdef8db60a805e8147ff11448d6a0

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
192KB

MD5
735616304b0543b01942e335d36114b5

SHA1
5ef67d0b682c8512aa741eba529bfe41a3334c1b

SHA256
4aed750352a0a37c7f851521a0849bf42d5a2b95c09a4f331e75bf86c1365247

SHA512
c43491d4aed3e4a9bd6138591f6d65e1dd6c1792a53ad6c2d732cd4d47564bec699b7d3cdc038b01e22ed65b9fb6af1a28fcdef8db60a805e8147ff11448d6a0

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
192KB

MD5
25cdd85e4b82be9778f3aff00ce7f73a

SHA1
cf42d25524240e62a346b5ac6b11489bb9eda191

SHA256
c2edb6e953eb5cf6dc52eee89d08088742a6460399e7ca444091eec738fe8bcc

SHA512
5f2b02c56b85fefc748858ef989051fa1ba19766dfdec698dadc974083231964d477f1ab1ece5df2d2d9ac99aadcb90e2b686eb9ca881333b1a5daa0b178bbff

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
192KB

MD5
25cdd85e4b82be9778f3aff00ce7f73a

SHA1
cf42d25524240e62a346b5ac6b11489bb9eda191

SHA256
c2edb6e953eb5cf6dc52eee89d08088742a6460399e7ca444091eec738fe8bcc

SHA512
5f2b02c56b85fefc748858ef989051fa1ba19766dfdec698dadc974083231964d477f1ab1ece5df2d2d9ac99aadcb90e2b686eb9ca881333b1a5daa0b178bbff

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
192KB

MD5
c962c5238e5c4dda016e3135bbdf300e

SHA1
ac573d3d5707e365b8f9faac8232db4974ebd881

SHA256
f12b29a0306baddd19f86c92e154bcdbaa214c5a753b8de58fbf8bc8f8af789f

SHA512
09a70d6dd77a2c290b42c7e477519b5dc4810133dd685965e3a7ddd23bf22225cd01ebbfd5b05615905369fc4bafa237419e32ca4d42258f5c0e8f229aa5ecdd

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
192KB

MD5
c962c5238e5c4dda016e3135bbdf300e

SHA1
ac573d3d5707e365b8f9faac8232db4974ebd881

SHA256
f12b29a0306baddd19f86c92e154bcdbaa214c5a753b8de58fbf8bc8f8af789f

SHA512
09a70d6dd77a2c290b42c7e477519b5dc4810133dd685965e3a7ddd23bf22225cd01ebbfd5b05615905369fc4bafa237419e32ca4d42258f5c0e8f229aa5ecdd

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
192KB

MD5
f63513edc33ed4f07768dff1e67ae2a7

SHA1
b7bd8e81248d3fb4f30d6133ce20175f6bb9bb71

SHA256
2ceb057ccea8142c0af9200b6a21895f2a640f53b23d65a71258d7558e6a37b2

SHA512
3286795e470ae7e67ddc5971e8fa0d5e631579adcbebf22507b40d0d67d16b5460f95c1dd7b1c94fb56a379c2dbd90c4673e1588a30e03e81baac1e14abd2016

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
192KB

MD5
f63513edc33ed4f07768dff1e67ae2a7

SHA1
b7bd8e81248d3fb4f30d6133ce20175f6bb9bb71

SHA256
2ceb057ccea8142c0af9200b6a21895f2a640f53b23d65a71258d7558e6a37b2

SHA512
3286795e470ae7e67ddc5971e8fa0d5e631579adcbebf22507b40d0d67d16b5460f95c1dd7b1c94fb56a379c2dbd90c4673e1588a30e03e81baac1e14abd2016

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
192KB

MD5
7224044cd87c44fc306f837c7499bf16

SHA1
77e5ef4594002a5542086d04b19f71e37b280867

SHA256
ee8aab71c71b48393b356901fedc4239f1c1f50fe6704bd2b2d8ab94ec5e0545

SHA512
4ac4c9d9d8bee75e42f12372e48b4107ecd78229b36b1bfe72fe522e9caf729e07fdc4ee45f88019481d63684e3350567d92a398df3a892e616fe613a5c3836e

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
192KB

MD5
7224044cd87c44fc306f837c7499bf16

SHA1
77e5ef4594002a5542086d04b19f71e37b280867

SHA256
ee8aab71c71b48393b356901fedc4239f1c1f50fe6704bd2b2d8ab94ec5e0545

SHA512
4ac4c9d9d8bee75e42f12372e48b4107ecd78229b36b1bfe72fe522e9caf729e07fdc4ee45f88019481d63684e3350567d92a398df3a892e616fe613a5c3836e

Download Submit
memory/644-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/644-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/644-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1020-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1428-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1428-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3256-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3256-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3860-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3860-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4104-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4104-102-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4448-101-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4448-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4760-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4760-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4820-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4876-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4876-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads