265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe
Size

1.2MB
MD5

b3d778a4a0f7b8a6ecc884cd43cb1a96
SHA1

dfcadf4846aa97b157a98a27ce399b615f3b4aaa
SHA256

265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397
SHA512

20011d88a4343fa0dbf7f5c64e1fc2553164cb43a9d8f6e4c39be66f4f2a62c031d8ec1ab1c8db91f26b6202dbe1e9b8dce23507ca45818895869db0258d8fe9
SSDEEP

12288:3wlSYlFiWZCXwpnsKvNA+XTvZHWuEo3oWiQ4ca:3ZYlFiWZpsKv2EvZHp3oWiQ4ca

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe

Executes dropped EXE 11 IoCs

pid	Process
3112	Bmbplc32.exe
2200	Bclhhnca.exe
2396	Bjfaeh32.exe
3420	Cjinkg32.exe
4620	Cmgjgcgo.exe
2540	Chcddk32.exe
2716	Calhnpgn.exe
1212	Dhhnpjmh.exe
2660	Daconoae.exe
2364	Dknpmdfc.exe
3708	Dmllipeg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Daconoae.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4044	3708	WerFault.exe	96

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3112	4764	265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe	84
PID 4764 wrote to memory of 3112	4764	265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe	84
PID 4764 wrote to memory of 3112	4764	265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe	84
PID 3112 wrote to memory of 2200	3112	Bmbplc32.exe	85
PID 3112 wrote to memory of 2200	3112	Bmbplc32.exe	85
PID 3112 wrote to memory of 2200	3112	Bmbplc32.exe	85
PID 2200 wrote to memory of 2396	2200	Bclhhnca.exe	88
PID 2200 wrote to memory of 2396	2200	Bclhhnca.exe	88
PID 2200 wrote to memory of 2396	2200	Bclhhnca.exe	88
PID 2396 wrote to memory of 3420	2396	Bjfaeh32.exe	89
PID 2396 wrote to memory of 3420	2396	Bjfaeh32.exe	89
PID 2396 wrote to memory of 3420	2396	Bjfaeh32.exe	89
PID 3420 wrote to memory of 4620	3420	Cjinkg32.exe	90
PID 3420 wrote to memory of 4620	3420	Cjinkg32.exe	90
PID 3420 wrote to memory of 4620	3420	Cjinkg32.exe	90
PID 4620 wrote to memory of 2540	4620	Cmgjgcgo.exe	91
PID 4620 wrote to memory of 2540	4620	Cmgjgcgo.exe	91
PID 4620 wrote to memory of 2540	4620	Cmgjgcgo.exe	91
PID 2540 wrote to memory of 2716	2540	Chcddk32.exe	92
PID 2540 wrote to memory of 2716	2540	Chcddk32.exe	92
PID 2540 wrote to memory of 2716	2540	Chcddk32.exe	92
PID 2716 wrote to memory of 1212	2716	Calhnpgn.exe	93
PID 2716 wrote to memory of 1212	2716	Calhnpgn.exe	93
PID 2716 wrote to memory of 1212	2716	Calhnpgn.exe	93
PID 1212 wrote to memory of 2660	1212	Dhhnpjmh.exe	94
PID 1212 wrote to memory of 2660	1212	Dhhnpjmh.exe	94
PID 1212 wrote to memory of 2660	1212	Dhhnpjmh.exe	94
PID 2660 wrote to memory of 2364	2660	Daconoae.exe	95
PID 2660 wrote to memory of 2364	2660	Daconoae.exe	95
PID 2660 wrote to memory of 2364	2660	Daconoae.exe	95
PID 2364 wrote to memory of 3708	2364	Dknpmdfc.exe	96
PID 2364 wrote to memory of 3708	2364	Dknpmdfc.exe	96
PID 2364 wrote to memory of 3708	2364	Dknpmdfc.exe	96

C:\Users\Admin\AppData\Local\Temp\265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe
"C:\Users\Admin\AppData\Local\Temp\265ba112daf3e67da25b92dfedde3d7edb192d2604400148ff24135dcad04397.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\Bmbplc32.exe
  C:\Windows\system32\Bmbplc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\SysWOW64\Bclhhnca.exe
    C:\Windows\system32\Bclhhnca.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\SysWOW64\Bjfaeh32.exe
      C:\Windows\system32\Bjfaeh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
      - C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        12⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 404
        13⤵
        Program crash
        
        PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3708 -ip 3708
1⤵
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
1.2MB

MD5
0e4f0de063a6834266cbb5e2632a271b

SHA1
1ea96ab8d28f6d1b1a798b9aab5b8b653a7dac59

SHA256
2ee6a52b42f89af86090481652e78643d111857528b2be10cf321033ec4b65f4

SHA512
c909243ccd6f9929bd94377627e165cca10b5cd934e28142c52caaa472a88337024abff85ca6e262db806b6cabbf75d0ac24612bb43e93aef81bea6f4f2f2093

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
1.2MB

MD5
85983e8786249cd7aac742925a44e097

SHA1
751fa0b59d8643fe60b6aa94c8af3a1c398577b4

SHA256
f55a89c08252426912c540008be18a64925b2a48a79a78882312cee327996f74

SHA512
2fa10dd626b956286a819422cf11bdb67d90cf97d45e0ef610180336090336d063df4eaa9fff4d2021a3781d40033f05b75f2d8d158ff619aa48454214ce8b9d

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
1.2MB

MD5
f5cf50343c5870f54116873b2accac11

SHA1
6a453a5de817fcb88c3aba8baf26be85b2b125d4

SHA256
08bf4e3fe3911b027bc357b1980c757f0eb210121282573b3fb98fea265e1437

SHA512
5477fe8b98fb4baa98f4d28cde8869b233e595fc05848387abbd1c00008cd47e791c13dcd7e8979fafad56431e180b09b69ae1c8178ee2dac79d5acb1777bd02

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
1.2MB

MD5
37f569f42dd0a0d4b13f99b9eff705b7

SHA1
1ef7f072252c42c4aae3328c8061651fc2e9f281

SHA256
56473e34bda78abaf7e0e45494363b5c98110b701204c36cdf29629a29269bc8

SHA512
cf8214343f7e3d7a7debed37b1ad3cad595e67c9cb0c0a2b40ed8d9def4a0c2bec8984e5625ec95e42fded45c371195ccf2a927d28f975c800fee71d13d039b2

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
1.2MB

MD5
d7ad0f24bf6041bef7f1b988312fdf2e

SHA1
46ef46f7040e9c5bb0d058a7203743c43ac2682b

SHA256
7855026327c1f079e6a10ecf89a6e1f6fb984d63d5ad22053e080b9f23694dbb

SHA512
88ce9bcee5472683a9d9e3611f6ffcdd7e32b7a8f48bcb9bc442816d8eb2c632df8b7c929978244438a43c869ba22dafdfb06ce0bfac0376290c8ff96f5a7d60

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
1.2MB

MD5
33f7a21ab78aa10828c534a1b1e0bd4a

SHA1
e4eb5a7b421cbaec947945e5e325ffea0dea8250

SHA256
f2bacb0978eb81bfd1f80899ba38311ff63a6969db0040498f389c903dc1fcb1

SHA512
ef82b724f6318e67a9bad803dbc02bc75335b89bd9643200f2d944e5c6bc1ad27c56bd337f46868a5822cc124683e278e72ce52f94e85a40b16338d1065b50d3

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
1.2MB

MD5
290a8cb8917e6b4ee84dc51f83fc31f0

SHA1
c0ecfa58a775e83d4c77a91a2fed769a43a49d9f

SHA256
372df6604733220f067749fb337a673672abe931fa8c0af55fbae8af2bef64c2

SHA512
12549ef860ff5862759fc191ef9593fa7d61a3480ec4747fb68cdb3ae7c84d2c9c458f0a6713955436fc63323dac528238489f5a1b4a13295685fb2294f7ea47

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
1.2MB

MD5
1c9592a12fde9680cdb6f01f386b53be

SHA1
0a9e5927cd37c5073f901bcc1ce97a2775c7cf6e

SHA256
c365e079d4c39d72ac6b55767a901d2eb58ad95208d597ee075afc313e79d951

SHA512
5af1e04aa5f35041d4d04c27c07aa332e8ac0d401422d4a3fa449adf0b3785c9c615a4e27ad1ccb23cebd2083002fef5bdcad78ecf8ae13372f65620b8a49f66

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
1.2MB

MD5
4397df9e33de5e5307f19c6280531294

SHA1
9782dce67eec8c39383b27befba4e16632f45121

SHA256
620e9f7b87547389ddffaf6ea507db418361e501c5741c8065b295526891d4eb

SHA512
e6d739ec77b2ec56f6adcc5f69d4ed7624413b2c1041c9b5d765e53042e6e30391ac52693fb7461e0fc17f8785b809dac3c1414131068119783159b00b45da15

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
1.2MB

MD5
52d455b3c21f6a4d6fa91f7478e385d6

SHA1
257a1c50f77cf1a1d28291cd37e6b220988a226b

SHA256
1370561562b9adde24eec82c58f6ac775cefa0c4959c741c6337a1c74ff5392c

SHA512
c88e908940f270e8fa31d29ae81b249598a246921e211e7a85021569a9a4e45c3d3e09a45eb0e51e6b2bf0c2eaf7099952ed6e944c380a80e79cb52edabc9cad

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
1.2MB

MD5
68fcfbe02fd45d6756779300d20a536f

SHA1
579af1a58f77b766d1aa35f70e2d6b19979bbd52

SHA256
35f178684786d74a4637dc83a0fc75601ac8978cc2710610147074d4e1cdf1ca

SHA512
c5fe9ff8138f33af9fef2029df82caa663019961868fb2bd9ade9405b95eb1730eb7f98b9f568dbad55d61eab1ac76a8fe4368a97b8ac09f43930998a48c35e2

Download Submit
memory/1212-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1212-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2200-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2200-97-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2364-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2364-91-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2396-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2540-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2540-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-92-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3112-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3420-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3708-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3708-90-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4620-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4620-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4764-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4764-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4764-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads