cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76b

Analysis

max time kernel
95s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe
Size

428KB
MD5

e5d2939251c7e57d480c7d0078de4560
SHA1

410397a3fc0299d3ca11c19efd6c8888f2273afb
SHA256

cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76b
SHA512

c391dc607da1cfbb80bb2a2bbdfe896c8cf66b88f26c24a266dcbfc302f9d89cc0197b8f3fdb107c66cf4bcde36b10035ab5f25da814cf823f1e3c5d3eca5b5e
SSDEEP

6144:SULQtP85ZXZuKVp1fNrNF5ZXZ7SEJtKa4sFj5tPNki9HZd1sFj5tw:e05hjtFrNF5h0EJtws15tPWu5Ls15tw

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe

Executes dropped EXE 12 IoCs

pid	Process
2804	Cnkplejl.exe
408	Cajlhqjp.exe
380	Cegdnopg.exe
4568	Dopigd32.exe
2272	Dfknkg32.exe
912	Daqbip32.exe
4920	Daconoae.exe
2428	Dkkcge32.exe
4908	Dmjocp32.exe
1092	Dddhpjof.exe
1668	Dgbdlf32.exe
5008	Dmllipeg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2180	5008	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 2804	3960	cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe	82
PID 3960 wrote to memory of 2804	3960	cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe	82
PID 3960 wrote to memory of 2804	3960	cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe	82
PID 2804 wrote to memory of 408	2804	Cnkplejl.exe	83
PID 2804 wrote to memory of 408	2804	Cnkplejl.exe	83
PID 2804 wrote to memory of 408	2804	Cnkplejl.exe	83
PID 408 wrote to memory of 380	408	Cajlhqjp.exe	84
PID 408 wrote to memory of 380	408	Cajlhqjp.exe	84
PID 408 wrote to memory of 380	408	Cajlhqjp.exe	84
PID 380 wrote to memory of 4568	380	Cegdnopg.exe	85
PID 380 wrote to memory of 4568	380	Cegdnopg.exe	85
PID 380 wrote to memory of 4568	380	Cegdnopg.exe	85
PID 4568 wrote to memory of 2272	4568	Dopigd32.exe	86
PID 4568 wrote to memory of 2272	4568	Dopigd32.exe	86
PID 4568 wrote to memory of 2272	4568	Dopigd32.exe	86
PID 2272 wrote to memory of 912	2272	Dfknkg32.exe	87
PID 2272 wrote to memory of 912	2272	Dfknkg32.exe	87
PID 2272 wrote to memory of 912	2272	Dfknkg32.exe	87
PID 912 wrote to memory of 4920	912	Daqbip32.exe	88
PID 912 wrote to memory of 4920	912	Daqbip32.exe	88
PID 912 wrote to memory of 4920	912	Daqbip32.exe	88
PID 4920 wrote to memory of 2428	4920	Daconoae.exe	89
PID 4920 wrote to memory of 2428	4920	Daconoae.exe	89
PID 4920 wrote to memory of 2428	4920	Daconoae.exe	89
PID 2428 wrote to memory of 4908	2428	Dkkcge32.exe	90
PID 2428 wrote to memory of 4908	2428	Dkkcge32.exe	90
PID 2428 wrote to memory of 4908	2428	Dkkcge32.exe	90
PID 4908 wrote to memory of 1092	4908	Dmjocp32.exe	91
PID 4908 wrote to memory of 1092	4908	Dmjocp32.exe	91
PID 4908 wrote to memory of 1092	4908	Dmjocp32.exe	91
PID 1092 wrote to memory of 1668	1092	Dddhpjof.exe	92
PID 1092 wrote to memory of 1668	1092	Dddhpjof.exe	92
PID 1092 wrote to memory of 1668	1092	Dddhpjof.exe	92
PID 1668 wrote to memory of 5008	1668	Dgbdlf32.exe	93
PID 1668 wrote to memory of 5008	1668	Dgbdlf32.exe	93
PID 1668 wrote to memory of 5008	1668	Dgbdlf32.exe	93

C:\Users\Admin\AppData\Local\Temp\cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe
"C:\Users\Admin\AppData\Local\Temp\cfa9080c38d2a0bc433b7a0bdf1f956a14217a6155b41e3dcff0dc087061e76bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Windows\SysWOW64\Cnkplejl.exe
  C:\Windows\system32\Cnkplejl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\Cajlhqjp.exe
    C:\Windows\system32\Cajlhqjp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\SysWOW64\Cegdnopg.exe
      C:\Windows\system32\Cegdnopg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:380
    - - C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
      - C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 396
        14⤵
        Program crash
        
        PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5008 -ip 5008
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
428KB

MD5
98a78f221282e5843d7ee54aa553bcd8

SHA1
8120f3317479324265881116efa2e7fbe9a9642e

SHA256
b4b0480ad9a569837b353ce635a1cf4a08513f18103d6a4a19ae9446af25df3e

SHA512
9b08bb8cf7e6ca05265e7ca0d602eb4e9a278d146460843f6c2c5d9102d65e17fb9ef35f2ce495427319082fc92ae7e3ad36c2c9020b5cf4dcdd43539dcf1bce

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
428KB

MD5
35afb84bbbfb20c06a1ca483c71b3d35

SHA1
84a6996f0572c33eafb0bea33ca6bab130398a4f

SHA256
090508294a6881e62c8cb2cb1388a4d9a9f4aa8b4d610bd0c7efd8f807ec31e3

SHA512
fa03ef205fd1173a2fa96d379b32bcf6d203871e7dc0caccfdf41a5c8e791247e018738728e0d5e054f2c8ca4ad674923508dfb39d4bbaa4cb85bf4a4d54aef4

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
428KB

MD5
09c841c89f30193af8367295f4bfc5f9

SHA1
69cee9d5f7544ea4df5fee457d820dc06e9783f6

SHA256
29113827f5e4f9f6d21857a05903df2bbfefba8b14e0db426d6a3d8e1ba6ebfa

SHA512
dddec835c4d857b2b9095dc985a0ffb3407b9be2c35d62d3f77b27e6f6703c16d14852c43f5cf7f02699ae0b4facf20db9daa54e710c1fe3d0de9e968918eae9

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
428KB

MD5
81e26584670ed3977903667b53e0643e

SHA1
8fe21e4f46597b11596fe1c5aea4731bbd0f608e

SHA256
0c356e8f3cacefee4629f3316eb9b1fec693c497e84f31f0549a49ce26fdf69d

SHA512
b9fabbf19fb9d8e40192a059d04ea166968da52dbe5fb2b8cf7890f86c6f268b3e5c675bb05a07bbddac0cdd70fd6959a40eefda55cd931ad8e9e3cbb99ee38f

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
428KB

MD5
34e4a9daf5430145ad37f9c1b58d699b

SHA1
6e7263cd6aca23cc2fcebd77f50137e0884f14b8

SHA256
e6823badcb8353b3fb4d982cd859bd849efb7d98d5f7769d8275e9e06cc4d628

SHA512
43b29c07161d3f456a0047ff5d7cb7273c1c4b1c075b3d9cd7fee59075e7dc319cda3b805b8f6bfa46d70790601d7d196f807936b22aeb8280f702b35bf79a42

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
428KB

MD5
086d5c5e29034ecc92de9f3014af34c1

SHA1
a414aaa585806c07327eb5bcaa5d0b80ef59b57e

SHA256
9037e6acfa1f4d68f980de5535add35e195be26843653c1e168b23a00f2127e0

SHA512
1abc025e86a95e347259ac469ce52c3830840fc86e8e0ab0b753f5e8b529896bcbeeec660879e16dd38a2a625f0ec3f2045b86a4380e050d319b7092fb24e5d4

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
428KB

MD5
36b8739e37ff56c1dbee17541efebc94

SHA1
e724030b8961e4aa5042bf5bc9252a5dfa6364f4

SHA256
ef0fd61edf39df18f23f79056cbba463ab0288936eb1af07299ad321194b4cc6

SHA512
6ceef5e844b1a30deabe5e5885218797aefa8fd6998ef7e439bb3a4867b50e09c92a248db312864e6fae14b45603322f5dd5013a8152a2eba6ab519989df6718

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
428KB

MD5
af48a4889414f741e313700b072a953d

SHA1
03828bbeb6edf8ca45df53d2cd66745adecde335

SHA256
8f79a9a1125cbeefce778698b09fc95fc4ae68316299b51f1c90d8784156cd2e

SHA512
83efe39dc2911d72effcd35a5f4d285d8be0fa453b42aab0e1c8d215f71da8be4c26c824915ed1ebf590fd9ee9f673dcb370338136b411c7ce41451af2912282

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
428KB

MD5
92719d3fa0daa3316848187cf2f4964d

SHA1
2799a9cc13e0a84786fc186ebae8d1f3d67e843d

SHA256
d22b247d533bebcd2ae2a25d8bdaa759664da50cff32b9efc4d303d364430a02

SHA512
7e7c4d2d580f09ebd687c68ee76e9c40eab019bd8093f3f250194fd361ffb73f54c0460ccd6a3f2592ca1bcc475318bb38587aafd0f922d7107d54780ccfe997

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
428KB

MD5
5d4ad7df77592458973edbe0dcd4e783

SHA1
11c9e87d9a125065db76b5ebe6ef8fe95bf94172

SHA256
c6574dd2a09962e2e2b5838da6ff54de1132aeb3334bce3a09a42fb0cdf62e3b

SHA512
274fcae35255668025f50fdb5750e5a1c1bc2793836c46c57e48475b1fed98fd7d2b293be4372a755d023618864c49a02d29e74189a8f15816c0cf695d539f49

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
428KB

MD5
0a6884bee80d9cc965435c5f483d42e6

SHA1
49dbccefd8654e8fe5b1c51f7d72bcb5e600735f

SHA256
d24577063d15fb2d679681e39240981478ec88e4f16919dbf90a95659b34bddb

SHA512
db899e0759ec32b526a76e65d3a8a349a005039312a2a835cde8ec2123dc60c7ebf0ee221a70a821b34d86904134756fd5ebe0b8c587a87624d9c8682b62f5ca

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
428KB

MD5
428ce342939ec375ff593071fce8661d

SHA1
bcbbf956f554295a0065db2e9c8da0c6418d3731

SHA256
80f5978c9eaa7758f6975013939d64ec895acfbd547c29d78e090d05e0ede03c

SHA512
1b43f9ca1cf14b0c8b88a082d73a65bd60d96e37e738831e8cba5e704d0dd3b8b883f6d70180166703e392ef5e4f06b1152c5db0cce1df1a2b2f1e6a5e5c8b73

Download Submit
memory/380-116-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/380-24-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/408-118-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/408-16-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/912-113-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/912-48-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1092-80-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1092-102-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1668-88-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1668-100-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2272-39-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2272-111-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2428-106-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2428-64-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2804-120-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2804-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3960-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3960-122-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4568-31-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4568-114-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4908-72-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4908-104-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4920-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4920-110-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5008-99-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5008-96-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads