12708d50478310ea1b268d5cb0c626a192f6443d0ec77a9b1c63007a35fdc624

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe
Size

80KB
MD5

e12493cb93bf31cdf607c4bed87f76a0
SHA1

e4ee2f6fe5a6399b27d7bb6ee40f202bbb153e8d
SHA256

12708d50478310ea1b268d5cb0c626a192f6443d0ec77a9b1c63007a35fdc624
SHA512

41a23f00f2fcc189317df01fb8c66b0dc1f7882cdf4d5dec37f974c04eee9449fa0dfc78e5e7acfd6f1957b10e72ddd7e922f78ef3e83e76ae9df8fe6bebf3fe
SSDEEP

1536:Matq0RuOKTzeLJJBaIbCctDiw2q2LtYJ9VqDlzVxyh+CbxMa:dRtLLPbCctD4CJ9IDlRxyhTb7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe

Executes dropped EXE 11 IoCs

pid	Process
5008	Bjfaeh32.exe
1532	Bcoenmao.exe
1440	Chmndlge.exe
3624	Cmiflbel.exe
4432	Dejacond.exe
3400	Djgjlelk.exe
1316	Dhkjej32.exe
4292	Daconoae.exe
2808	Dogogcpo.exe
2164	Deagdn32.exe
4564	Dmllipeg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4380	4564	WerFault.exe	96

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Daconoae.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 5008	3784	NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe	86
PID 3784 wrote to memory of 5008	3784	NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe	86
PID 3784 wrote to memory of 5008	3784	NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe	86
PID 5008 wrote to memory of 1532	5008	Bjfaeh32.exe	87
PID 5008 wrote to memory of 1532	5008	Bjfaeh32.exe	87
PID 5008 wrote to memory of 1532	5008	Bjfaeh32.exe	87
PID 1532 wrote to memory of 1440	1532	Bcoenmao.exe	88
PID 1532 wrote to memory of 1440	1532	Bcoenmao.exe	88
PID 1532 wrote to memory of 1440	1532	Bcoenmao.exe	88
PID 1440 wrote to memory of 3624	1440	Chmndlge.exe	89
PID 1440 wrote to memory of 3624	1440	Chmndlge.exe	89
PID 1440 wrote to memory of 3624	1440	Chmndlge.exe	89
PID 3624 wrote to memory of 4432	3624	Cmiflbel.exe	90
PID 3624 wrote to memory of 4432	3624	Cmiflbel.exe	90
PID 3624 wrote to memory of 4432	3624	Cmiflbel.exe	90
PID 4432 wrote to memory of 3400	4432	Dejacond.exe	91
PID 4432 wrote to memory of 3400	4432	Dejacond.exe	91
PID 4432 wrote to memory of 3400	4432	Dejacond.exe	91
PID 3400 wrote to memory of 1316	3400	Djgjlelk.exe	92
PID 3400 wrote to memory of 1316	3400	Djgjlelk.exe	92
PID 3400 wrote to memory of 1316	3400	Djgjlelk.exe	92
PID 1316 wrote to memory of 4292	1316	Dhkjej32.exe	93
PID 1316 wrote to memory of 4292	1316	Dhkjej32.exe	93
PID 1316 wrote to memory of 4292	1316	Dhkjej32.exe	93
PID 4292 wrote to memory of 2808	4292	Daconoae.exe	94
PID 4292 wrote to memory of 2808	4292	Daconoae.exe	94
PID 4292 wrote to memory of 2808	4292	Daconoae.exe	94
PID 2808 wrote to memory of 2164	2808	Dogogcpo.exe	95
PID 2808 wrote to memory of 2164	2808	Dogogcpo.exe	95
PID 2808 wrote to memory of 2164	2808	Dogogcpo.exe	95
PID 2164 wrote to memory of 4564	2164	Deagdn32.exe	96
PID 2164 wrote to memory of 4564	2164	Deagdn32.exe	96
PID 2164 wrote to memory of 4564	2164	Deagdn32.exe	96

C:\Users\Admin\AppData\Local\Temp\NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e12493cb93bf31cdf607c4bed87f76a0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\SysWOW64\Bjfaeh32.exe
  C:\Windows\system32\Bjfaeh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\Bcoenmao.exe
    C:\Windows\system32\Bcoenmao.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\Chmndlge.exe
      C:\Windows\system32\Chmndlge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1440
    - - C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
      - C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        12⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 376
        13⤵
        Program crash
        
        PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4564 -ip 4564
1⤵
PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
80KB

MD5
999ec9a791d86b9d2489d2b967b608a4

SHA1
207f1417332b72c45879bb13dfb5759707adab7a

SHA256
670c0c1801c9d11c6f0c18bfa00512a440467b7085da94db10ee8d41ad80f3bd

SHA512
1d3ee429fc07992ee03c06ca0558b0b74f4ec21cbfb41e80f83b4dce035bd429cc01312338cab5346fbf63f25d45cde1c46c4e0132d4c05649804f8936b9533d

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
80KB

MD5
999ec9a791d86b9d2489d2b967b608a4

SHA1
207f1417332b72c45879bb13dfb5759707adab7a

SHA256
670c0c1801c9d11c6f0c18bfa00512a440467b7085da94db10ee8d41ad80f3bd

SHA512
1d3ee429fc07992ee03c06ca0558b0b74f4ec21cbfb41e80f83b4dce035bd429cc01312338cab5346fbf63f25d45cde1c46c4e0132d4c05649804f8936b9533d

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
80KB

MD5
b2cce0078d70450462be94739ee9fed7

SHA1
950e28e892d47fb9e0e9a11fc6efd54f67ea87ec

SHA256
e239c41c4663e09c4516581f8956ff97a917b37f8a4ca23de6d7d83a132f53fa

SHA512
8ccf56ccee104128a4ad79a18d389bfda572a2df769071ea9956d9c825051790284197624a2e747651056e127d19ec2716ecadb6a982350b7989ae152e6853cc

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
80KB

MD5
b2cce0078d70450462be94739ee9fed7

SHA1
950e28e892d47fb9e0e9a11fc6efd54f67ea87ec

SHA256
e239c41c4663e09c4516581f8956ff97a917b37f8a4ca23de6d7d83a132f53fa

SHA512
8ccf56ccee104128a4ad79a18d389bfda572a2df769071ea9956d9c825051790284197624a2e747651056e127d19ec2716ecadb6a982350b7989ae152e6853cc

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
80KB

MD5
65d9bcce0a0b7a5b556c854791e67bc9

SHA1
52fd688617fb661e97e8ef7eca65a258873f93e8

SHA256
b09cb659507cecb919310b7285339a059480c4b18065a6e6d9a13518b1eacc27

SHA512
2d4d9c51ba4ab0478903a0b37abb65a1781f374f9a24ea6cd0fd6c8507e20509409c5757c57fb5467d6678af3fb10ef43962d54067d8888d7ac44f0bba0c7162

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
80KB

MD5
65d9bcce0a0b7a5b556c854791e67bc9

SHA1
52fd688617fb661e97e8ef7eca65a258873f93e8

SHA256
b09cb659507cecb919310b7285339a059480c4b18065a6e6d9a13518b1eacc27

SHA512
2d4d9c51ba4ab0478903a0b37abb65a1781f374f9a24ea6cd0fd6c8507e20509409c5757c57fb5467d6678af3fb10ef43962d54067d8888d7ac44f0bba0c7162

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
80KB

MD5
7292be5b6d05ea2529d116190975b486

SHA1
12c3b4fcf9abe94678678b1ea947521b5d603d1e

SHA256
a1a4459a3a1efde112ab14ea13f93d5ea2e57abf010418146105238e919b572e

SHA512
7213618065a2ea735a5041d22488ae34436f5112c813463ee15504719da7f0dfe0f0b684d4b24a90aea9572dfc7ead17e9162fc5f42914bbc281fd307eaf6fbd

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
80KB

MD5
7292be5b6d05ea2529d116190975b486

SHA1
12c3b4fcf9abe94678678b1ea947521b5d603d1e

SHA256
a1a4459a3a1efde112ab14ea13f93d5ea2e57abf010418146105238e919b572e

SHA512
7213618065a2ea735a5041d22488ae34436f5112c813463ee15504719da7f0dfe0f0b684d4b24a90aea9572dfc7ead17e9162fc5f42914bbc281fd307eaf6fbd

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
80KB

MD5
f1ade6a01a4711e7b07db64ad93ecb59

SHA1
33032ed4d0fa0a0642bd736827b87aa96d95dc11

SHA256
ce2450682bef8435959fe85f7095fafa587953aa8f403250307ae793ce0d3c8c

SHA512
ae5374c027f587feac65c5c01a63c6e948313343cc56bada6895cadd499ea626ae62bea9e62f5b2466c33538a0c44727837ba4afb3ed65217f8a965f72530337

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
80KB

MD5
f1ade6a01a4711e7b07db64ad93ecb59

SHA1
33032ed4d0fa0a0642bd736827b87aa96d95dc11

SHA256
ce2450682bef8435959fe85f7095fafa587953aa8f403250307ae793ce0d3c8c

SHA512
ae5374c027f587feac65c5c01a63c6e948313343cc56bada6895cadd499ea626ae62bea9e62f5b2466c33538a0c44727837ba4afb3ed65217f8a965f72530337

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
80KB

MD5
3de75f9dea804d46de86f705d6bea64c

SHA1
7c68dcb0f10e35afda9c9fba3d639033df630361

SHA256
cf2427f924330a9d3303bab7448850be277ab3da49237420ecff5e8183c7be8e

SHA512
e61013ac82332e392d2443a209a1c4d85d7b24d13a7d439f88b5a65dd961515e844e7a643d8d75de2ede03cb555c13e78e182c6336d9b770b4fe511185fc9953

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
80KB

MD5
3de75f9dea804d46de86f705d6bea64c

SHA1
7c68dcb0f10e35afda9c9fba3d639033df630361

SHA256
cf2427f924330a9d3303bab7448850be277ab3da49237420ecff5e8183c7be8e

SHA512
e61013ac82332e392d2443a209a1c4d85d7b24d13a7d439f88b5a65dd961515e844e7a643d8d75de2ede03cb555c13e78e182c6336d9b770b4fe511185fc9953

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
80KB

MD5
8dc68039b1d1e5bed5f7764fb9faa56e

SHA1
6f7d145eb5891d3e3f1094161a9e80b9fb8b4af0

SHA256
d1d69a60e5b42489a0386c629db00bf0b3a7fcf8999c4d8db9d3bf69dca66ced

SHA512
bf8af7a412bf2e13c178e956f95f8d08813bd1dd0e78105236641b4c0187fd7becff4a68b2aa83913ee69a9707b359afa200febc84d14a9d6f5effd5acd4b614

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
80KB

MD5
8dc68039b1d1e5bed5f7764fb9faa56e

SHA1
6f7d145eb5891d3e3f1094161a9e80b9fb8b4af0

SHA256
d1d69a60e5b42489a0386c629db00bf0b3a7fcf8999c4d8db9d3bf69dca66ced

SHA512
bf8af7a412bf2e13c178e956f95f8d08813bd1dd0e78105236641b4c0187fd7becff4a68b2aa83913ee69a9707b359afa200febc84d14a9d6f5effd5acd4b614

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
80KB

MD5
9ab3dee0f687ada75fc6f796acb26693

SHA1
df807cad463196c51e5bf6bbf2d38654e3df542b

SHA256
e70450826382b81750dd3c0bf3c4c823aab86b1838b50f768fdb3128b5a57a65

SHA512
0976db395c49772f5b3ea76fded47df166f7d7c51a584264d87cfadd280c1300dc7b23ba3404c4bcd9fd10468e7eed3e8b05aaf5cfeb18c05c7a10228679c446

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
80KB

MD5
9ab3dee0f687ada75fc6f796acb26693

SHA1
df807cad463196c51e5bf6bbf2d38654e3df542b

SHA256
e70450826382b81750dd3c0bf3c4c823aab86b1838b50f768fdb3128b5a57a65

SHA512
0976db395c49772f5b3ea76fded47df166f7d7c51a584264d87cfadd280c1300dc7b23ba3404c4bcd9fd10468e7eed3e8b05aaf5cfeb18c05c7a10228679c446

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
80KB

MD5
a01184bff99e366211aa21ffb784850c

SHA1
3b739397b4cc0af03781cab16554f8a3200c3542

SHA256
ce011d3764847df059c5097ab3efdeb325536acf395624bad1c733fb0d4b35af

SHA512
a53eedb65ecd694f48fe7e71e98292164fa4edd3772ff4a388a21da1a9eb120b251e0199979c719abd58cd9239239ac27961eb838f39dae92a0720899b2a1f08

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
80KB

MD5
a01184bff99e366211aa21ffb784850c

SHA1
3b739397b4cc0af03781cab16554f8a3200c3542

SHA256
ce011d3764847df059c5097ab3efdeb325536acf395624bad1c733fb0d4b35af

SHA512
a53eedb65ecd694f48fe7e71e98292164fa4edd3772ff4a388a21da1a9eb120b251e0199979c719abd58cd9239239ac27961eb838f39dae92a0720899b2a1f08

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
95a4222afa92a14a8cfec7878cbf3409

SHA1
69d49d7fe2d7e0e87641ec22b38acfc4b3b65d2e

SHA256
5b17f57b5caa7177e2de53f5c52ecc1cdfa7f312fa16271f59fe69a7b663a32b

SHA512
a5f9d6f70a146b1fa34e05242ddf86318c80a5ef41f7b747b1623c0f1a5c127558650a1f7bb00743abfdd247188173fe83c097105767f8cbb9b0ddaad242f404

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
95a4222afa92a14a8cfec7878cbf3409

SHA1
69d49d7fe2d7e0e87641ec22b38acfc4b3b65d2e

SHA256
5b17f57b5caa7177e2de53f5c52ecc1cdfa7f312fa16271f59fe69a7b663a32b

SHA512
a5f9d6f70a146b1fa34e05242ddf86318c80a5ef41f7b747b1623c0f1a5c127558650a1f7bb00743abfdd247188173fe83c097105767f8cbb9b0ddaad242f404

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
80KB

MD5
6210d582faf2cb9b41ef3bc7f535cce2

SHA1
27cbdfac883d7a0827cf71941b77c0c646181a52

SHA256
1411c411ffb1b0cca098f83a148ccd86ce6788fc1e0d2b50151c3aa1865f7b78

SHA512
fc0a53b51a2399e8c6947cb5c728d806d6aa7a26aabdf683bb289e3ac384b0af6b546bb61446d7d3d9f12cd322516b45a38bb6a9ec7bfba91b418e02a61f2cfd

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
80KB

MD5
6210d582faf2cb9b41ef3bc7f535cce2

SHA1
27cbdfac883d7a0827cf71941b77c0c646181a52

SHA256
1411c411ffb1b0cca098f83a148ccd86ce6788fc1e0d2b50151c3aa1865f7b78

SHA512
fc0a53b51a2399e8c6947cb5c728d806d6aa7a26aabdf683bb289e3ac384b0af6b546bb61446d7d3d9f12cd322516b45a38bb6a9ec7bfba91b418e02a61f2cfd

Download Submit
memory/1316-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-93-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-92-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2164-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2164-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3400-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3400-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3784-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3784-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3784-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-91-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads