91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
Size

128KB
MD5

d8611c6026216292087ee51cd3d4b2be
SHA1

96b27ce6212901edc8e1ed1aeea30d82d5f92178
SHA256

91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f
SHA512

fbfe77a31f30df6a5e30986da8abdfd3dc3a036645ac964de86c706890e26dc5228d13d3021392df3d5e23ad8641e06f91f8d33f2df1bab936feff7d82c4147b
SSDEEP

3072:HcXUsWloIxFC1dyGrgagHq/Wp+YmKfxgQi:85GxF4rgaUmKyZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe

Executes dropped EXE 8 IoCs

pid	Process
3028	Ckhdggom.exe
2696	Cgoelh32.exe
2660	Cagienkb.exe
2556	Cnkjnb32.exe
2484	Clojhf32.exe
2588	Cegoqlof.exe
2672	Dnpciaef.exe
2768	Dpapaj32.exe

Loads dropped DLL 19 IoCs

pid	Process
2284	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
2284	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
3028	Ckhdggom.exe
3028	Ckhdggom.exe
2696	Cgoelh32.exe
2696	Cgoelh32.exe
2660	Cagienkb.exe
2660	Cagienkb.exe
2556	Cnkjnb32.exe
2556	Cnkjnb32.exe
2484	Clojhf32.exe
2484	Clojhf32.exe
2588	Cegoqlof.exe
2588	Cegoqlof.exe
2672	Dnpciaef.exe
2672	Dnpciaef.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cegoqlof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2936	2768	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Clojhf32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 3028	2284	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe	30
PID 2284 wrote to memory of 3028	2284	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe	30
PID 2284 wrote to memory of 3028	2284	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe	30
PID 2284 wrote to memory of 3028	2284	91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe	30
PID 3028 wrote to memory of 2696	3028	Ckhdggom.exe	31
PID 3028 wrote to memory of 2696	3028	Ckhdggom.exe	31
PID 3028 wrote to memory of 2696	3028	Ckhdggom.exe	31
PID 3028 wrote to memory of 2696	3028	Ckhdggom.exe	31
PID 2696 wrote to memory of 2660	2696	Cgoelh32.exe	32
PID 2696 wrote to memory of 2660	2696	Cgoelh32.exe	32
PID 2696 wrote to memory of 2660	2696	Cgoelh32.exe	32
PID 2696 wrote to memory of 2660	2696	Cgoelh32.exe	32
PID 2660 wrote to memory of 2556	2660	Cagienkb.exe	33
PID 2660 wrote to memory of 2556	2660	Cagienkb.exe	33
PID 2660 wrote to memory of 2556	2660	Cagienkb.exe	33
PID 2660 wrote to memory of 2556	2660	Cagienkb.exe	33
PID 2556 wrote to memory of 2484	2556	Cnkjnb32.exe	34
PID 2556 wrote to memory of 2484	2556	Cnkjnb32.exe	34
PID 2556 wrote to memory of 2484	2556	Cnkjnb32.exe	34
PID 2556 wrote to memory of 2484	2556	Cnkjnb32.exe	34
PID 2484 wrote to memory of 2588	2484	Clojhf32.exe	35
PID 2484 wrote to memory of 2588	2484	Clojhf32.exe	35
PID 2484 wrote to memory of 2588	2484	Clojhf32.exe	35
PID 2484 wrote to memory of 2588	2484	Clojhf32.exe	35
PID 2588 wrote to memory of 2672	2588	Cegoqlof.exe	36
PID 2588 wrote to memory of 2672	2588	Cegoqlof.exe	36
PID 2588 wrote to memory of 2672	2588	Cegoqlof.exe	36
PID 2588 wrote to memory of 2672	2588	Cegoqlof.exe	36
PID 2672 wrote to memory of 2768	2672	Dnpciaef.exe	37
PID 2672 wrote to memory of 2768	2672	Dnpciaef.exe	37
PID 2672 wrote to memory of 2768	2672	Dnpciaef.exe	37
PID 2672 wrote to memory of 2768	2672	Dnpciaef.exe	37
PID 2768 wrote to memory of 2936	2768	Dpapaj32.exe	38
PID 2768 wrote to memory of 2936	2768	Dpapaj32.exe	38
PID 2768 wrote to memory of 2936	2768	Dpapaj32.exe	38
PID 2768 wrote to memory of 2936	2768	Dpapaj32.exe	38

C:\Users\Admin\AppData\Local\Temp\91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe
"C:\Users\Admin\AppData\Local\Temp\91797caf80b238c24a33ad947b736f01ba2f6541f379dea7f65c55c5e1ce1a9f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\Ckhdggom.exe
  C:\Windows\system32\Ckhdggom.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\Cgoelh32.exe
    C:\Windows\system32\Cgoelh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\Cagienkb.exe
      C:\Windows\system32\Cagienkb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 144
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Efeckm32.dll

Filesize
7KB

MD5
c2ea1017d4ae188e75334d1ad0c50065

SHA1
4d56e8ff965e610b47b21eadcf3849bbf93e1c90

SHA256
b652f620b1acfdac46181f98152797c5622b33b44a91291ea2d00449205162ae

SHA512
6815451459fcdcf44677a5b6451400d309338651d325a4abff058f6fce38353bc400386b912f8aafd353ccbfd5578ed06cc606081c603747999a06b899c984af

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
128KB

MD5
de5e9c387b7b17f29d570489fbba7600

SHA1
9428102e8ed5c35dac14abca86f6ce26d4467ac9

SHA256
e5e78eefeaf3f36194cf4920452a862473f422e386630166d4edf830fa02ff0d

SHA512
26d5e7d20e2e585f2a314221f2b60603e5ad597b71f0d63ce9ae7e9ea889b90ff0d5522f4b9293dd07825af183dd1f72dd08f433f0864d4fcb21258ada20674e

Download Submit
\Windows\SysWOW64\Cegoqlof.exe

Filesize
128KB

MD5
82198ec8bbfc4c9b25fc3778d3f8b8f1

SHA1
59c8fa617bc650b50940082c34e11f30be26ceca

SHA256
49c29928d2cc1f73cea7707b9bbaea285dde287d20ead2872a0740400b843bfd

SHA512
80c0fcd4e67ea019d67dd5972087c21367c994c7846e1794b3a4ca0d2c32b95513125f5accca310ba556a94b66f997751c6f70350af362c2d63fd8f036f89e93

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
128KB

MD5
4cfb737d576d71ef8ce70a8e246ac642

SHA1
c989cfc41b56b11316471581be0bdb350d93951b

SHA256
7b7bc8c36cef15c314949608ef27e33a319edc3c9c9c3c63c7abbff8148cd95f

SHA512
b0e234d073a118a893cb3d133776141e1bdc7203d72bd301248200a4e5b26f99e50e954a9610dd09b61b3406537e606af66b4224e25a8858c511a2ac26bf79c3

Download Submit
\Windows\SysWOW64\Ckhdggom.exe

Filesize
128KB

MD5
8e22f26eb4bd1a3ceeeb12e6492c4eb0

SHA1
7c50fb6c3256152f59dff62c652cacbd824be6ec

SHA256
210d42471e1c7cf8c6fd28ec36e80bac0a20d8f3f65de3f3db23b3353beeae6d

SHA512
6cdca93560a65848a3e69288f0c85a6ffc37130680ce2f029a77f3a58f818cf06833200d7b997b1b7f0a17b1ee16b22ccbaa4d0a3db51e8652f19e214ba2bf9e

Download Submit
\Windows\SysWOW64\Clojhf32.exe

Filesize
128KB

MD5
f5e4e5fe658f201a039b6b57806eb3c5

SHA1
472ce24c7a3dcd19caecfd2787dfd5916cf70ac2

SHA256
f4c3c350d1b7245af4de945398b957566e08ec644387c364e4f4da829f3f6a02

SHA512
c4cf6c997faf4c18a55a4ad72594e0c6a2f6aef32bb3be5a0d86d33a9aa4717f908d5a2cc0acf085d39f3af47980ba5bebe8d803a9ba8d5159d62dea0a96799d

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
128KB

MD5
6b799435e47ecf51f2b353d4eb4637c5

SHA1
48d42107f40c3a9a7110ec37fff0d0664d63131f

SHA256
ff15029a9f7bab78d773cbed5a4d4d4e9b14f3e73cd623f44652721c7efa6e9d

SHA512
42bd793ed6e22eb2671c84d247edfc53148f3e5246e8b6ea90b53f77a45cf3f420f0be214fca5dca4e7c33e73553026020de28d5bcaec70c104c051a746f644f

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
128KB

MD5
22568fcc16a0c8b6890c3896de88213a

SHA1
903b1f91b9e6f1b9c5d8d18ef8b95d677cc084eb

SHA256
a36d411d69759684b1b290b0cac38d0052bb67b1552c85bd969ea00b19e7644c

SHA512
1c324cd6ef7b175a0ce8bda368c62dd19c114aa6bf4c6679cc057d2afb4faedd03572f8320b6d41af3eaecf8cd6351d2a19d1e8c04362065ca47f2f3e428fe54

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
128KB

MD5
f3ecb41b195963077d3ca0befa1e23b2

SHA1
3869e7e6c78b0d53bb210fa4357abd8476a80cc4

SHA256
61ae520bc49c0cf73a86acb50aa694b9ddb60211f879a83f5b885b026a32d33c

SHA512
aa1b4a17b2568292aea85c9042627633960148e875349e2198dccc780d567416788755f371bf132e549f35dfeb92073fe0faf2ffa3313213205183fdae80841a

Download Submit
memory/2284-7-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2284-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2484-78-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2484-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2556-60-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2556-66-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2556-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-87-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2588-121-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-46-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/2660-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2672-107-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2672-94-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2672-122-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-33-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2768-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2768-123-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3028-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3028-20-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads