b53185986f960a16355fd0dddc701cf23dde62e714f69ec6e5faaf6ac0064b4c

Analysis

max time kernel
151s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 16:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d78991754c7598a61a8ecb18441b2a20.exe
Size

534KB
MD5

d78991754c7598a61a8ecb18441b2a20
SHA1

22f0fb641316cf195a4e8a7ef6e206f9687fcbb1
SHA256

b53185986f960a16355fd0dddc701cf23dde62e714f69ec6e5faaf6ac0064b4c
SHA512

5400cfa6681362fe50bca3563f2061912ba5ef65760680d22cc4c552aeb2a338347fd9b0ee96b42ee1f4002fbec7c43958fb3fc03d3b5822a29f0554baa4da55
SSDEEP

12288:m6Hgz5vE6IveDVqvQ6IvYvc6IveDVqvQ6IvJKcvLYvC64:mlOq5h3q5hQm7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.d78991754c7598a61a8ecb18441b2a20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.d78991754c7598a61a8ecb18441b2a20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe

Executes dropped EXE 12 IoCs

pid	Process
2836	Cenahpha.exe
1128	Cmiflbel.exe
628	Cdcoim32.exe
3516	Cmlcbbcj.exe
4084	Cajlhqjp.exe
4760	Cffdpghg.exe
1788	Ddjejl32.exe
3252	Dopigd32.exe
3088	Dhhnpjmh.exe
816	Delnin32.exe
4980	Ddakjkqi.exe
4680	Dmllipeg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	NEAS.d78991754c7598a61a8ecb18441b2a20.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	NEAS.d78991754c7598a61a8ecb18441b2a20.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	NEAS.d78991754c7598a61a8ecb18441b2a20.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
864	4680	WerFault.exe	98

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.d78991754c7598a61a8ecb18441b2a20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.d78991754c7598a61a8ecb18441b2a20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.d78991754c7598a61a8ecb18441b2a20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.d78991754c7598a61a8ecb18441b2a20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	NEAS.d78991754c7598a61a8ecb18441b2a20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.d78991754c7598a61a8ecb18441b2a20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 2836	3468	NEAS.d78991754c7598a61a8ecb18441b2a20.exe	86
PID 3468 wrote to memory of 2836	3468	NEAS.d78991754c7598a61a8ecb18441b2a20.exe	86
PID 3468 wrote to memory of 2836	3468	NEAS.d78991754c7598a61a8ecb18441b2a20.exe	86
PID 2836 wrote to memory of 1128	2836	Cenahpha.exe	87
PID 2836 wrote to memory of 1128	2836	Cenahpha.exe	87
PID 2836 wrote to memory of 1128	2836	Cenahpha.exe	87
PID 1128 wrote to memory of 628	1128	Cmiflbel.exe	88
PID 1128 wrote to memory of 628	1128	Cmiflbel.exe	88
PID 1128 wrote to memory of 628	1128	Cmiflbel.exe	88
PID 628 wrote to memory of 3516	628	Cdcoim32.exe	89
PID 628 wrote to memory of 3516	628	Cdcoim32.exe	89
PID 628 wrote to memory of 3516	628	Cdcoim32.exe	89
PID 3516 wrote to memory of 4084	3516	Cmlcbbcj.exe	90
PID 3516 wrote to memory of 4084	3516	Cmlcbbcj.exe	90
PID 3516 wrote to memory of 4084	3516	Cmlcbbcj.exe	90
PID 4084 wrote to memory of 4760	4084	Cajlhqjp.exe	93
PID 4084 wrote to memory of 4760	4084	Cajlhqjp.exe	93
PID 4084 wrote to memory of 4760	4084	Cajlhqjp.exe	93
PID 4760 wrote to memory of 1788	4760	Cffdpghg.exe	91
PID 4760 wrote to memory of 1788	4760	Cffdpghg.exe	91
PID 4760 wrote to memory of 1788	4760	Cffdpghg.exe	91
PID 1788 wrote to memory of 3252	1788	Ddjejl32.exe	92
PID 1788 wrote to memory of 3252	1788	Ddjejl32.exe	92
PID 1788 wrote to memory of 3252	1788	Ddjejl32.exe	92
PID 3252 wrote to memory of 3088	3252	Dopigd32.exe	94
PID 3252 wrote to memory of 3088	3252	Dopigd32.exe	94
PID 3252 wrote to memory of 3088	3252	Dopigd32.exe	94
PID 3088 wrote to memory of 816	3088	Dhhnpjmh.exe	95
PID 3088 wrote to memory of 816	3088	Dhhnpjmh.exe	95
PID 3088 wrote to memory of 816	3088	Dhhnpjmh.exe	95
PID 816 wrote to memory of 4980	816	Delnin32.exe	96
PID 816 wrote to memory of 4980	816	Delnin32.exe	96
PID 816 wrote to memory of 4980	816	Delnin32.exe	96
PID 4980 wrote to memory of 4680	4980	Ddakjkqi.exe	98
PID 4980 wrote to memory of 4680	4980	Ddakjkqi.exe	98
PID 4980 wrote to memory of 4680	4980	Ddakjkqi.exe	98

C:\Users\Admin\AppData\Local\Temp\NEAS.d78991754c7598a61a8ecb18441b2a20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d78991754c7598a61a8ecb18441b2a20.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\SysWOW64\Cenahpha.exe
  C:\Windows\system32\Cenahpha.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\Cmiflbel.exe
    C:\Windows\system32\Cmiflbel.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\SysWOW64\Cdcoim32.exe
      C:\Windows\system32\Cdcoim32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
      - C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760

C:\Windows\SysWOW64\Ddjejl32.exe
C:\Windows\system32\Ddjejl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\Dopigd32.exe
  C:\Windows\system32\Dopigd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\Dhhnpjmh.exe
    C:\Windows\system32\Dhhnpjmh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\SysWOW64\Delnin32.exe
      C:\Windows\system32\Delnin32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:816
    - - C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        6⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 396
        7⤵
        Program crash
        
        PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4680 -ip 4680
1⤵
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
534KB

MD5
961f3af7483ec94294688e32e8688933

SHA1
a424fa3a305c15665f0b01fc477128191f06ffea

SHA256
16551ff7a244d679eb29898aa3f9c6b92ad9e8cfaf7d6721dbc9993ef5f284b1

SHA512
9aa61de93f8f9f4dc28f794543d169f206a47a23ff8bad672f5997f749793b9bead4a1ecf665cd96d6cfd5aefed201b852bd4d1bf499de8c459112f15188e034

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
534KB

MD5
961f3af7483ec94294688e32e8688933

SHA1
a424fa3a305c15665f0b01fc477128191f06ffea

SHA256
16551ff7a244d679eb29898aa3f9c6b92ad9e8cfaf7d6721dbc9993ef5f284b1

SHA512
9aa61de93f8f9f4dc28f794543d169f206a47a23ff8bad672f5997f749793b9bead4a1ecf665cd96d6cfd5aefed201b852bd4d1bf499de8c459112f15188e034

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
534KB

MD5
ea90ed66a768354c8ec8b437b9636002

SHA1
eec18534daf453d43d643bd8ee725645948a9fe6

SHA256
d1f12f7797a8711671c7c56e8371c27477a81456bace03dd191cc7883af2ad20

SHA512
c813f73e78f2fafffeb689ba921f7575a535a7c381716760d88fe1df7afcf5003fbf211b5eab64b2ed9eace7fefb8d4be0e98d4c796d8bf1277aeb6bbd2425ec

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
534KB

MD5
ea90ed66a768354c8ec8b437b9636002

SHA1
eec18534daf453d43d643bd8ee725645948a9fe6

SHA256
d1f12f7797a8711671c7c56e8371c27477a81456bace03dd191cc7883af2ad20

SHA512
c813f73e78f2fafffeb689ba921f7575a535a7c381716760d88fe1df7afcf5003fbf211b5eab64b2ed9eace7fefb8d4be0e98d4c796d8bf1277aeb6bbd2425ec

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
534KB

MD5
22e1c55a512d44c69b5f129adbee07ea

SHA1
39db7cd205bcfd0054af4324163783fe9ed8e85f

SHA256
286677f3045a153fd6babed03dcb0562e064d32bc977b40f114d968df9a95274

SHA512
bd404be28787e884c91b03b99011680c2d4211c5a439e03dbc24cf0d5252d6e40f60fad3280cee17f1846cb9dbcb13fd7da3cac14a2a1c3a04574e3fe2985a97

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
534KB

MD5
22e1c55a512d44c69b5f129adbee07ea

SHA1
39db7cd205bcfd0054af4324163783fe9ed8e85f

SHA256
286677f3045a153fd6babed03dcb0562e064d32bc977b40f114d968df9a95274

SHA512
bd404be28787e884c91b03b99011680c2d4211c5a439e03dbc24cf0d5252d6e40f60fad3280cee17f1846cb9dbcb13fd7da3cac14a2a1c3a04574e3fe2985a97

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
534KB

MD5
aeac6c572cb288d43aa9b1c4a1b0f400

SHA1
e0c9e69c89b8a513b561dc02fd4027f88c205350

SHA256
25441d131f537666b080b9cf16315f9f5343213843e522e88141e3f40fa1b769

SHA512
f950cb3b16f2a8eacb44c9cfdaee4ad80a36d55d8531f5f314e4f79572889dd5a7d4c28f4acc3422d5fb22609e4419607d523ea6aeb14a449327816d64e111e6

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
534KB

MD5
aeac6c572cb288d43aa9b1c4a1b0f400

SHA1
e0c9e69c89b8a513b561dc02fd4027f88c205350

SHA256
25441d131f537666b080b9cf16315f9f5343213843e522e88141e3f40fa1b769

SHA512
f950cb3b16f2a8eacb44c9cfdaee4ad80a36d55d8531f5f314e4f79572889dd5a7d4c28f4acc3422d5fb22609e4419607d523ea6aeb14a449327816d64e111e6

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
534KB

MD5
a181bec808363be1e7756e136cba010b

SHA1
06e5d30c3aa53b26a5be351b03cf1c0c48ba9040

SHA256
8796f8d43042761780b30791c780d851f924685cc876fbe1b83f512df0600747

SHA512
92700732b68af596a82702efb5224673340302058bf332c6ea56882d5f86bb45531f6e2195e0aa5b77017be4a8db6e52458300c9487296248924fffda7c71c0d

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
534KB

MD5
a181bec808363be1e7756e136cba010b

SHA1
06e5d30c3aa53b26a5be351b03cf1c0c48ba9040

SHA256
8796f8d43042761780b30791c780d851f924685cc876fbe1b83f512df0600747

SHA512
92700732b68af596a82702efb5224673340302058bf332c6ea56882d5f86bb45531f6e2195e0aa5b77017be4a8db6e52458300c9487296248924fffda7c71c0d

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
534KB

MD5
23a953af4a94e1acfdce1fd57147e867

SHA1
7bac51c720a9fe21e02c93881c21d7d7574bd951

SHA256
297d01c53dc841ac5d2e481e7447548d4a1228e9e267e564c92d9db504b38d0c

SHA512
25146d45ddf1c6eae2fbf9e4c7234fe5f72202139e11c655d5fad639695a58adff89c16db33a77db28e50cd9f83046160cdc0cbf2bf7daec0c195a403fc6064f

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
534KB

MD5
23a953af4a94e1acfdce1fd57147e867

SHA1
7bac51c720a9fe21e02c93881c21d7d7574bd951

SHA256
297d01c53dc841ac5d2e481e7447548d4a1228e9e267e564c92d9db504b38d0c

SHA512
25146d45ddf1c6eae2fbf9e4c7234fe5f72202139e11c655d5fad639695a58adff89c16db33a77db28e50cd9f83046160cdc0cbf2bf7daec0c195a403fc6064f

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
534KB

MD5
23a953af4a94e1acfdce1fd57147e867

SHA1
7bac51c720a9fe21e02c93881c21d7d7574bd951

SHA256
297d01c53dc841ac5d2e481e7447548d4a1228e9e267e564c92d9db504b38d0c

SHA512
25146d45ddf1c6eae2fbf9e4c7234fe5f72202139e11c655d5fad639695a58adff89c16db33a77db28e50cd9f83046160cdc0cbf2bf7daec0c195a403fc6064f

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
534KB

MD5
41efd95f4d65bbeb0e308d11d5eb2b51

SHA1
50845716b55b18aa1f1459e4a8929816f7f0c5d1

SHA256
e2cf52e7c3ee9e5b8242dcd504831470a4e198af4f18333f1af0022c3154d4b0

SHA512
39c53cf944a85e54ab4677a16168649ce7c5dfcd6eec6c4146dcdcd43b92e0d5dead367ce5b26f6e8d738f3972e0450169aba0b87e0b63323caed63ac5fae9e7

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
534KB

MD5
41efd95f4d65bbeb0e308d11d5eb2b51

SHA1
50845716b55b18aa1f1459e4a8929816f7f0c5d1

SHA256
e2cf52e7c3ee9e5b8242dcd504831470a4e198af4f18333f1af0022c3154d4b0

SHA512
39c53cf944a85e54ab4677a16168649ce7c5dfcd6eec6c4146dcdcd43b92e0d5dead367ce5b26f6e8d738f3972e0450169aba0b87e0b63323caed63ac5fae9e7

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
534KB

MD5
66f61729949ee57cd2ae6b5d264e17e6

SHA1
e36b6ecca13ab86d68a6661f5389372c630b1aa6

SHA256
98905f6a45b75d1ea1055f94c210330b97fb2456514b8f2517fdc7453d2da43d

SHA512
3d3a8f9ba6558f145c51298e85a63ce71dda577313652812777d2aa4674ea52659bccc6fb36819cdf1722eaf566d16ef48df93a5cae854d53aeae7a14d10cbe5

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
534KB

MD5
66f61729949ee57cd2ae6b5d264e17e6

SHA1
e36b6ecca13ab86d68a6661f5389372c630b1aa6

SHA256
98905f6a45b75d1ea1055f94c210330b97fb2456514b8f2517fdc7453d2da43d

SHA512
3d3a8f9ba6558f145c51298e85a63ce71dda577313652812777d2aa4674ea52659bccc6fb36819cdf1722eaf566d16ef48df93a5cae854d53aeae7a14d10cbe5

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
534KB

MD5
9d74b8f9da84556da84fca9f856bd3c3

SHA1
d1ec8fcacfeead208fd6335347118fed5d31efa9

SHA256
7f20d700a53f091a3e53922c0d144e980659942d948149e0975629029aab2581

SHA512
c01c88aca3543e220803802ee2ccb47381eb8b95ec0c3b4ef3c7d0861bedcc90725c3b45e28bd2bee058cc37eebc5235592e04580a421a6035872c3e563e6743

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
534KB

MD5
9d74b8f9da84556da84fca9f856bd3c3

SHA1
d1ec8fcacfeead208fd6335347118fed5d31efa9

SHA256
7f20d700a53f091a3e53922c0d144e980659942d948149e0975629029aab2581

SHA512
c01c88aca3543e220803802ee2ccb47381eb8b95ec0c3b4ef3c7d0861bedcc90725c3b45e28bd2bee058cc37eebc5235592e04580a421a6035872c3e563e6743

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
534KB

MD5
67ab2a0d48345875434613ce14f3621c

SHA1
532f7a817730f34845629f2a6236e2bf85c9d1d7

SHA256
9fd2f5ed708d49397e26322d3c6cc7232a7ded3480ee272f21c673d4de17c33e

SHA512
23a496122b7c2248bd291e291b66e3dde3041227157d845886be5d29e20531d8849b2e07cea2aa3e977dc5e200abe5c3d2a2b7e707784b3738f2d8bd77e11e42

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
534KB

MD5
67ab2a0d48345875434613ce14f3621c

SHA1
532f7a817730f34845629f2a6236e2bf85c9d1d7

SHA256
9fd2f5ed708d49397e26322d3c6cc7232a7ded3480ee272f21c673d4de17c33e

SHA512
23a496122b7c2248bd291e291b66e3dde3041227157d845886be5d29e20531d8849b2e07cea2aa3e977dc5e200abe5c3d2a2b7e707784b3738f2d8bd77e11e42

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
534KB

MD5
476e9e5f295744519fa36a97f14a3bc7

SHA1
c0ed7f3444769873907f2ad8b6e9ffffe2ecd3f8

SHA256
e304a61bfc6647321b358d57ed1615927a85772b035d36fc373fd8e652cfbb75

SHA512
11e0dd38a02670298c311cacf539cdec4feed19399ce727ee5719165352fdf29195ca286f1dcd2030f8109ef0f6e94fdb26638ae2c952a9f5768e2303d31916a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
534KB

MD5
476e9e5f295744519fa36a97f14a3bc7

SHA1
c0ed7f3444769873907f2ad8b6e9ffffe2ecd3f8

SHA256
e304a61bfc6647321b358d57ed1615927a85772b035d36fc373fd8e652cfbb75

SHA512
11e0dd38a02670298c311cacf539cdec4feed19399ce727ee5719165352fdf29195ca286f1dcd2030f8109ef0f6e94fdb26638ae2c952a9f5768e2303d31916a

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
534KB

MD5
493f44c13b29bdd231695b40d57a80c0

SHA1
6d575edeed67ecc294645961ab4c8e2d330dd408

SHA256
d9e891c5b486b89b6c4fcd4124cd088a65d854b8bc057f4c788528ed1ed62aed

SHA512
db26a64bf673b4d4709cf4c52a5f770d01e0de4628d48f8b0769d809327a44c29027f865f728f87a45ad7c0f519319b3f290b930712d6a912b17fee22689f7e6

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
534KB

MD5
493f44c13b29bdd231695b40d57a80c0

SHA1
6d575edeed67ecc294645961ab4c8e2d330dd408

SHA256
d9e891c5b486b89b6c4fcd4124cd088a65d854b8bc057f4c788528ed1ed62aed

SHA512
db26a64bf673b4d4709cf4c52a5f770d01e0de4628d48f8b0769d809327a44c29027f865f728f87a45ad7c0f519319b3f290b930712d6a912b17fee22689f7e6

Download Submit
memory/628-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-2-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads