64522453c8479537bd303334124e303f7bcf1c732292e3375c37c63a3bed13c2

Analysis

max time kernel
31s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

921673d54ccce2195d8f720d0ef84300N.exe
Size

93KB
MD5

921673d54ccce2195d8f720d0ef84300
SHA1

3e931055bc5bb35a62d7b8cdf36ffd1bbe7f8d98
SHA256

64522453c8479537bd303334124e303f7bcf1c732292e3375c37c63a3bed13c2
SHA512

4c86e8b25d375deaf3c95f25b4b9698b8db7b80d6ffb0bb04ed09d7fe45d8fe951cf4a72634be0229c6fbe885c84a341341a95e00ec8dd1dda56194fddbf890e
SSDEEP

1536:IMII4SDbHq5I7uiDWQKCZcppUBpYTeW48M7eFlsgZsZubPJT0GsWiwTBjiwg58:c99bCWppKpYN4Gs9wVY58

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfbjdf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfjnkne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceickb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccpqjfnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcjgnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpfebmia.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpmog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphaglgo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggcofkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenmfbml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgbfcjag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bphaglgo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biccfalm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpmkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcjgnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjiljf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmgifa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfbjdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Biccfalm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cggcofkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfpmog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpmkbl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccnddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenmfbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckkenikc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	921673d54ccce2195d8f720d0ef84300N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	921673d54ccce2195d8f720d0ef84300N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdfjnkne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccpqjfnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckkenikc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgbfcjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmgifa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccnddg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciglaa32.exe

Executes dropped EXE 24 IoCs

pid	Process
1464	Bjiljf32.exe
2240	Bmgifa32.exe
2912	Bpfebmia.exe
2804	Bfpmog32.exe
2816	Bphaglgo.exe
2616	Bfbjdf32.exe
2676	Blobmm32.exe
1620	Bdfjnkne.exe
1872	Biccfalm.exe
448	Bpmkbl32.exe
1956	Cggcofkf.exe
740	Ceickb32.exe
1712	Chhpgn32.exe
572	Ccnddg32.exe
2428	Ciglaa32.exe
1888	Ckiiiine.exe
1144	Ccpqjfnh.exe
792	Cenmfbml.exe
1040	Chmibmlo.exe
1616	Ckkenikc.exe
1516	Cniajdkg.exe
1076	Cdcjgnbc.exe
3056	Cgbfcjag.exe
1112	Coindgbi.exe

Loads dropped DLL 48 IoCs

pid	Process
804	921673d54ccce2195d8f720d0ef84300N.exe
804	921673d54ccce2195d8f720d0ef84300N.exe
1464	Bjiljf32.exe
1464	Bjiljf32.exe
2240	Bmgifa32.exe
2240	Bmgifa32.exe
2912	Bpfebmia.exe
2912	Bpfebmia.exe
2804	Bfpmog32.exe
2804	Bfpmog32.exe
2816	Bphaglgo.exe
2816	Bphaglgo.exe
2616	Bfbjdf32.exe
2616	Bfbjdf32.exe
2676	Blobmm32.exe
2676	Blobmm32.exe
1620	Bdfjnkne.exe
1620	Bdfjnkne.exe
1872	Biccfalm.exe
1872	Biccfalm.exe
448	Bpmkbl32.exe
448	Bpmkbl32.exe
1956	Cggcofkf.exe
1956	Cggcofkf.exe
740	Ceickb32.exe
740	Ceickb32.exe
1712	Chhpgn32.exe
1712	Chhpgn32.exe
572	Ccnddg32.exe
572	Ccnddg32.exe
2428	Ciglaa32.exe
2428	Ciglaa32.exe
1888	Ckiiiine.exe
1888	Ckiiiine.exe
1144	Ccpqjfnh.exe
1144	Ccpqjfnh.exe
792	Cenmfbml.exe
792	Cenmfbml.exe
1040	Chmibmlo.exe
1040	Chmibmlo.exe
1616	Ckkenikc.exe
1616	Ckkenikc.exe
1516	Cniajdkg.exe
1516	Cniajdkg.exe
1076	Cdcjgnbc.exe
1076	Cdcjgnbc.exe
3056	Cgbfcjag.exe
3056	Cgbfcjag.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ljkaejba.dll	Bfbjdf32.exe
File created	C:\Windows\SysWOW64\Peapkpkj.dll	Bpmkbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ceickb32.exe	Cggcofkf.exe
File opened for modification	C:\Windows\SysWOW64\Ciglaa32.exe	Ccnddg32.exe
File opened for modification	C:\Windows\SysWOW64\Ccpqjfnh.exe	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Cniajdkg.exe	Ckkenikc.exe
File created	C:\Windows\SysWOW64\Cdcjgnbc.exe	Cniajdkg.exe
File created	C:\Windows\SysWOW64\Bpfebmia.exe	Bmgifa32.exe
File opened for modification	C:\Windows\SysWOW64\Bdfjnkne.exe	Blobmm32.exe
File created	C:\Windows\SysWOW64\Biccfalm.exe	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Hjnhlm32.dll	Biccfalm.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Cgbfcjag.exe
File created	C:\Windows\SysWOW64\Bjiljf32.exe	921673d54ccce2195d8f720d0ef84300N.exe
File opened for modification	C:\Windows\SysWOW64\Bmgifa32.exe	Bjiljf32.exe
File created	C:\Windows\SysWOW64\Hlggmcob.dll	Bdfjnkne.exe
File opened for modification	C:\Windows\SysWOW64\Chhpgn32.exe	Ceickb32.exe
File created	C:\Windows\SysWOW64\Eajkip32.dll	Ceickb32.exe
File created	C:\Windows\SysWOW64\Hlilhb32.dll	Ccpqjfnh.exe
File created	C:\Windows\SysWOW64\Bmgifa32.exe	Bjiljf32.exe
File created	C:\Windows\SysWOW64\Bfbjdf32.exe	Bphaglgo.exe
File opened for modification	C:\Windows\SysWOW64\Ccnddg32.exe	Chhpgn32.exe
File created	C:\Windows\SysWOW64\Madcho32.dll	Chhpgn32.exe
File created	C:\Windows\SysWOW64\Jchbfbij.dll	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Aceakpbh.dll	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Cmpbigma.dll	Bjiljf32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfebmia.exe	Bmgifa32.exe
File created	C:\Windows\SysWOW64\Blobmm32.exe	Bfbjdf32.exe
File opened for modification	C:\Windows\SysWOW64\Cenmfbml.exe	Ccpqjfnh.exe
File created	C:\Windows\SysWOW64\Iafehn32.dll	Cniajdkg.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Cgbfcjag.exe
File opened for modification	C:\Windows\SysWOW64\Bfpmog32.exe	Bpfebmia.exe
File created	C:\Windows\SysWOW64\Cgbfcjag.exe	Cdcjgnbc.exe
File created	C:\Windows\SysWOW64\Ckiiiine.exe	Ciglaa32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiiiine.exe	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Mpgoaiep.dll	Cenmfbml.exe
File created	C:\Windows\SysWOW64\Lpqafeln.dll	Bmgifa32.exe
File opened for modification	C:\Windows\SysWOW64\Biccfalm.exe	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Ccnddg32.exe	Chhpgn32.exe
File created	C:\Windows\SysWOW64\Kipdmjne.dll	921673d54ccce2195d8f720d0ef84300N.exe
File created	C:\Windows\SysWOW64\Bfpmog32.exe	Bpfebmia.exe
File opened for modification	C:\Windows\SysWOW64\Cdcjgnbc.exe	Cniajdkg.exe
File created	C:\Windows\SysWOW64\Chhpgn32.exe	Ceickb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgbfcjag.exe	Cdcjgnbc.exe
File created	C:\Windows\SysWOW64\Ciglaa32.exe	Ccnddg32.exe
File created	C:\Windows\SysWOW64\Cenmfbml.exe	Ccpqjfnh.exe
File opened for modification	C:\Windows\SysWOW64\Cniajdkg.exe	Ckkenikc.exe
File created	C:\Windows\SysWOW64\Bkofkccd.dll	Bphaglgo.exe
File opened for modification	C:\Windows\SysWOW64\Blobmm32.exe	Bfbjdf32.exe
File created	C:\Windows\SysWOW64\Bpmkbl32.exe	Biccfalm.exe
File opened for modification	C:\Windows\SysWOW64\Cggcofkf.exe	Bpmkbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ckkenikc.exe	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Ccpqjfnh.exe	Ckiiiine.exe
File opened for modification	C:\Windows\SysWOW64\Bjiljf32.exe	921673d54ccce2195d8f720d0ef84300N.exe
File created	C:\Windows\SysWOW64\Flhbop32.dll	Bpfebmia.exe
File opened for modification	C:\Windows\SysWOW64\Bfbjdf32.exe	Bphaglgo.exe
File created	C:\Windows\SysWOW64\Bdfjnkne.exe	Blobmm32.exe
File created	C:\Windows\SysWOW64\Jggdmb32.dll	Blobmm32.exe
File opened for modification	C:\Windows\SysWOW64\Bpmkbl32.exe	Biccfalm.exe
File created	C:\Windows\SysWOW64\Bongfjgo.dll	Cggcofkf.exe
File created	C:\Windows\SysWOW64\Chmibmlo.exe	Cenmfbml.exe
File opened for modification	C:\Windows\SysWOW64\Chmibmlo.exe	Cenmfbml.exe
File created	C:\Windows\SysWOW64\Cggcofkf.exe	Bpmkbl32.exe
File created	C:\Windows\SysWOW64\Ggqbii32.dll	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Ckkenikc.exe	Chmibmlo.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceickb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphaglgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenmfbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cniajdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcjgnbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	921673d54ccce2195d8f720d0ef84300N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjiljf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmgifa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmibmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckkenikc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfjnkne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biccfalm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpmkbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhpgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggcofkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfebmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciglaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccpqjfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpmog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfbjdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccnddg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiiiine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgbfcjag.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	921673d54ccce2195d8f720d0ef84300N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkaejba.dll"	Bfbjdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafehn32.dll"	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Cgbfcjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhbop32.dll"	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bphaglgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajkip32.dll"	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cniajdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	921673d54ccce2195d8f720d0ef84300N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccnddg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckkenikc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckkenikc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfpmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biccfalm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cggcofkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll"	Cenmfbml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	921673d54ccce2195d8f720d0ef84300N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bphaglgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfbjdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chhpgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipdmjne.dll"	921673d54ccce2195d8f720d0ef84300N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjjagic.dll"	Bfpmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlilhb32.dll"	Ccpqjfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpbigma.dll"	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blobmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccnddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlggmcob.dll"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cggcofkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbfbij.dll"	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	921673d54ccce2195d8f720d0ef84300N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmgifa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggdmb32.dll"	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpbbn32.dll"	Ckkenikc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpqafeln.dll"	Bmgifa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bongfjgo.dll"	Cggcofkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madcho32.dll"	Chhpgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	921673d54ccce2195d8f720d0ef84300N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccpqjfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceakpbh.dll"	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befddlni.dll"	Cdcjgnbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcjgnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgbfcjag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biccfalm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peapkpkj.dll"	Bpmkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpmkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggqbii32.dll"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfpmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkofkccd.dll"	Bphaglgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpmkbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceickb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfbjdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokegi32.dll"	Ccnddg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 1464	804	921673d54ccce2195d8f720d0ef84300N.exe	30
PID 804 wrote to memory of 1464	804	921673d54ccce2195d8f720d0ef84300N.exe	30
PID 804 wrote to memory of 1464	804	921673d54ccce2195d8f720d0ef84300N.exe	30
PID 804 wrote to memory of 1464	804	921673d54ccce2195d8f720d0ef84300N.exe	30
PID 1464 wrote to memory of 2240	1464	Bjiljf32.exe	31
PID 1464 wrote to memory of 2240	1464	Bjiljf32.exe	31
PID 1464 wrote to memory of 2240	1464	Bjiljf32.exe	31
PID 1464 wrote to memory of 2240	1464	Bjiljf32.exe	31
PID 2240 wrote to memory of 2912	2240	Bmgifa32.exe	32
PID 2240 wrote to memory of 2912	2240	Bmgifa32.exe	32
PID 2240 wrote to memory of 2912	2240	Bmgifa32.exe	32
PID 2240 wrote to memory of 2912	2240	Bmgifa32.exe	32
PID 2912 wrote to memory of 2804	2912	Bpfebmia.exe	33
PID 2912 wrote to memory of 2804	2912	Bpfebmia.exe	33
PID 2912 wrote to memory of 2804	2912	Bpfebmia.exe	33
PID 2912 wrote to memory of 2804	2912	Bpfebmia.exe	33
PID 2804 wrote to memory of 2816	2804	Bfpmog32.exe	34
PID 2804 wrote to memory of 2816	2804	Bfpmog32.exe	34
PID 2804 wrote to memory of 2816	2804	Bfpmog32.exe	34
PID 2804 wrote to memory of 2816	2804	Bfpmog32.exe	34
PID 2816 wrote to memory of 2616	2816	Bphaglgo.exe	35
PID 2816 wrote to memory of 2616	2816	Bphaglgo.exe	35
PID 2816 wrote to memory of 2616	2816	Bphaglgo.exe	35
PID 2816 wrote to memory of 2616	2816	Bphaglgo.exe	35
PID 2616 wrote to memory of 2676	2616	Bfbjdf32.exe	36
PID 2616 wrote to memory of 2676	2616	Bfbjdf32.exe	36
PID 2616 wrote to memory of 2676	2616	Bfbjdf32.exe	36
PID 2616 wrote to memory of 2676	2616	Bfbjdf32.exe	36
PID 2676 wrote to memory of 1620	2676	Blobmm32.exe	37
PID 2676 wrote to memory of 1620	2676	Blobmm32.exe	37
PID 2676 wrote to memory of 1620	2676	Blobmm32.exe	37
PID 2676 wrote to memory of 1620	2676	Blobmm32.exe	37
PID 1620 wrote to memory of 1872	1620	Bdfjnkne.exe	38
PID 1620 wrote to memory of 1872	1620	Bdfjnkne.exe	38
PID 1620 wrote to memory of 1872	1620	Bdfjnkne.exe	38
PID 1620 wrote to memory of 1872	1620	Bdfjnkne.exe	38
PID 1872 wrote to memory of 448	1872	Biccfalm.exe	39
PID 1872 wrote to memory of 448	1872	Biccfalm.exe	39
PID 1872 wrote to memory of 448	1872	Biccfalm.exe	39
PID 1872 wrote to memory of 448	1872	Biccfalm.exe	39
PID 448 wrote to memory of 1956	448	Bpmkbl32.exe	40
PID 448 wrote to memory of 1956	448	Bpmkbl32.exe	40
PID 448 wrote to memory of 1956	448	Bpmkbl32.exe	40
PID 448 wrote to memory of 1956	448	Bpmkbl32.exe	40
PID 1956 wrote to memory of 740	1956	Cggcofkf.exe	41
PID 1956 wrote to memory of 740	1956	Cggcofkf.exe	41
PID 1956 wrote to memory of 740	1956	Cggcofkf.exe	41
PID 1956 wrote to memory of 740	1956	Cggcofkf.exe	41
PID 740 wrote to memory of 1712	740	Ceickb32.exe	42
PID 740 wrote to memory of 1712	740	Ceickb32.exe	42
PID 740 wrote to memory of 1712	740	Ceickb32.exe	42
PID 740 wrote to memory of 1712	740	Ceickb32.exe	42
PID 1712 wrote to memory of 572	1712	Chhpgn32.exe	43
PID 1712 wrote to memory of 572	1712	Chhpgn32.exe	43
PID 1712 wrote to memory of 572	1712	Chhpgn32.exe	43
PID 1712 wrote to memory of 572	1712	Chhpgn32.exe	43
PID 572 wrote to memory of 2428	572	Ccnddg32.exe	44
PID 572 wrote to memory of 2428	572	Ccnddg32.exe	44
PID 572 wrote to memory of 2428	572	Ccnddg32.exe	44
PID 572 wrote to memory of 2428	572	Ccnddg32.exe	44
PID 2428 wrote to memory of 1888	2428	Ciglaa32.exe	45
PID 2428 wrote to memory of 1888	2428	Ciglaa32.exe	45
PID 2428 wrote to memory of 1888	2428	Ciglaa32.exe	45
PID 2428 wrote to memory of 1888	2428	Ciglaa32.exe	45

C:\Users\Admin\AppData\Local\Temp\921673d54ccce2195d8f720d0ef84300N.exe
"C:\Users\Admin\AppData\Local\Temp\921673d54ccce2195d8f720d0ef84300N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\SysWOW64\Bjiljf32.exe
  C:\Windows\system32\Bjiljf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\Bmgifa32.exe
    C:\Windows\system32\Bmgifa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\Bpfebmia.exe
      C:\Windows\system32\Bpfebmia.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\Bfpmog32.exe
        
        C:\Windows\system32\Bfpmog32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\SysWOW64\Bphaglgo.exe
        
        C:\Windows\system32\Bphaglgo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Bfbjdf32.exe
        
        C:\Windows\system32\Bfbjdf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Blobmm32.exe
        
        C:\Windows\system32\Blobmm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Bdfjnkne.exe
        
        C:\Windows\system32\Bdfjnkne.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Biccfalm.exe
        
        C:\Windows\system32\Biccfalm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Bpmkbl32.exe
        
        C:\Windows\system32\Bpmkbl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Cggcofkf.exe
        
        C:\Windows\system32\Cggcofkf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Ceickb32.exe
        
        C:\Windows\system32\Ceickb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Chhpgn32.exe
        
        C:\Windows\system32\Chhpgn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Ccnddg32.exe
        
        C:\Windows\system32\Ccnddg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Ciglaa32.exe
        
        C:\Windows\system32\Ciglaa32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Ckiiiine.exe
        
        C:\Windows\system32\Ckiiiine.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Ccpqjfnh.exe
        
        C:\Windows\system32\Ccpqjfnh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Cenmfbml.exe
        
        C:\Windows\system32\Cenmfbml.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Chmibmlo.exe
        
        C:\Windows\system32\Chmibmlo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Ckkenikc.exe
        
        C:\Windows\system32\Ckkenikc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Cniajdkg.exe
        
        C:\Windows\system32\Cniajdkg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Cdcjgnbc.exe
        
        C:\Windows\system32\Cdcjgnbc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Cgbfcjag.exe
        
        C:\Windows\system32\Cgbfcjag.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bmgifa32.exe

Filesize
93KB

MD5
34bf4d819421c14d5a69b420e286294b

SHA1
de85a86237139709edec0411e026cec7a577ff56

SHA256
99f29743f5ed1535a3fd17ac41ddeb1b20f6d02ccad88ac2c1d920084d6bf24d

SHA512
a75fcc55f9904019b3abefd3aa6186874d90d49670b643f65ad336d3e1537828132debc270dd14ca7fb7f3cb522923aecd9045aa697767e530b8967e758279d1

Download Submit
C:\Windows\SysWOW64\Bpfebmia.exe

Filesize
93KB

MD5
a3cc9db4da85c4854b91cb91bce39196

SHA1
d2786be1fe14b438adc8368abbb4872848eee801

SHA256
4a3ca6dd6940e650761afaf68d6a43c3f8f055c56a10497620f5d00115344a9d

SHA512
d0abd9ed10d9c051867b88fe31ee857847e0549ced8c4ba0d005bf1e3bf8d4ab592410bc9453dde6d4a9e0986820964d624caf604fe7605e2c42ecc1afebca16

Download Submit
C:\Windows\SysWOW64\Ccpqjfnh.exe

Filesize
93KB

MD5
0e6363d3c1c488e430f6043a55590543

SHA1
5c39123401de4bde6b4bf75c2f47dc760ab4557e

SHA256
9f78bafe1825e98a0a7fe7acbecfd178b14c4f25eeffca88cac5c3d845e445c1

SHA512
dcee464b8fedb44d693718a640ba3dfdcd38b9df575252c155569d15735f4e4e37ffbae4a79bbbb428823c15af54de7a5944236b05ccc3627a8d69ba05faf586

Download Submit
C:\Windows\SysWOW64\Cdcjgnbc.exe

Filesize
93KB

MD5
1f8075c7f6529861fc3ba5c6d51eeb9a

SHA1
6b9c791baeed9b2c27ffac5caac115f49d548d39

SHA256
eae0b9966e6e0065345f0419a0ef9bced493c739295b5644357c02ff31a688fc

SHA512
1461740ab81e7302822c5f776575753e7fe70ed90f847d194aee81ca9be029f0ea67eebd6d21c2c260d1e3395ca598af29bfdfd314d8955cf4a2881ce750d178

Download Submit
C:\Windows\SysWOW64\Ceickb32.exe

Filesize
93KB

MD5
c56f9f3f16171790370182950e282f36

SHA1
b09a50e1ccfe109834bd7275f7e428067276bc39

SHA256
7142e484a5df5b9715acf7b842e3a2ff11894878d2423ce08d15aa3bb076a159

SHA512
e7031fa82ff7c55ea4d6a6e2c0791630331a1facca0fda694e78bf6618aaee5706f0108b2392ee4645e361ed6784ecca80f6d2d2398ef8097cc008c70b3f0380

Download Submit
C:\Windows\SysWOW64\Cenmfbml.exe

Filesize
93KB

MD5
0c55569747e9a064af748e3ccfbd5485

SHA1
4bdc6eb122caebefe416d067c5ffd12244d64e21

SHA256
8621182ef91834bc2a3fca0ce78513ff7fca186b8145185b8f1bc5c4d51188b9

SHA512
3a68816d7f33a3c77eefd3f606409558f6116a350c808418dfe94a94f337bec224016bf2f1cc821e3895b58057f73b82645df8236d3a63e9c9c2e296e397838e

Download Submit
C:\Windows\SysWOW64\Cfjjagic.dll

Filesize
7KB

MD5
d3461dc094b1e72d6452ca92d32c737b

SHA1
197f0a87b9d4fc9a8912b99b33b31a79937fd1b3

SHA256
23c3ae6b45742ed417bdcc7dc97311a7f13e590e9da0f0b589af3ffdf6948949

SHA512
5768566c3144b8908519ab7ea24ff1e73239775f9061cb0d9a87197a67522ceb45c180451892ebb6c10110587d02c3b5c36e27c6bf6f8b29158f43412adbb35e

Download Submit
C:\Windows\SysWOW64\Cgbfcjag.exe

Filesize
93KB

MD5
b0480e902073fb78cd42a970f344bed5

SHA1
a62b205cc647cdf04560641148854526c3dcd27c

SHA256
c638d23b1128fbff8a375b4caa8b4ea04e971c16674e94d9c575b56b6f41e2ec

SHA512
0ec3658aa6b9df279321fce26c68b220a0c5138c0af17de7750ee8070651b15c30977efe96a5af488086ecb6887d0697cce01bb27d9bad137d6a6d7bda195856

Download Submit
C:\Windows\SysWOW64\Cggcofkf.exe

Filesize
93KB

MD5
61e8dd1262e052e1badace8971c4b689

SHA1
1ae9987f2c8d447fa0a7bca076007542de8a41f3

SHA256
2a387e6498afedd6c5c57ba1c5f3a5c18076139a50d97abe1ea389582dfb2710

SHA512
9f78422f5ef7edafe0a0a998354c673f5b2a54555ec1ff8cc4aa0bf266a9d1ac61ab9519b26bdd3627d5176acba7e12df0e525c95ad1b271de4cf8dc41014db3

Download Submit
C:\Windows\SysWOW64\Chmibmlo.exe

Filesize
93KB

MD5
a4492e1b76ff11dfbb44bc817741703f

SHA1
de1d471515df5e1d256f52b01a3aca8e471007bf

SHA256
646b146fb76b764e31fea50d8de5d1ce8ebd09e6b6e18810eb5b0707c8580d11

SHA512
d83ab8c167acc1c31e406f022b2a27f38cb6682d826e9d4313daace4f9dd60312bbcddfba671e023fad2076f77a660620fa968bf6580f85354290a7797467663

Download Submit
C:\Windows\SysWOW64\Ciglaa32.exe

Filesize
93KB

MD5
2bbc3036ac5a93f8070d88dd9a509913

SHA1
ffa5d049bef3aa5252adfe14439d8a9476100336

SHA256
f6edc05a81d2556946e7b04ea63cf312f8b4170984088a7f8c10c80a448122ce

SHA512
19953d2280de04ac44854eaefa615d9c8bb3ff67235aa04e03747d19f9c9b69fb5aa760e9987ffd10c75d522f97c92dd2765b54983e32c9cb70da92f7c251ae2

Download Submit
C:\Windows\SysWOW64\Ckkenikc.exe

Filesize
93KB

MD5
c8d1ca018b39bd0f6c850f463deb1afd

SHA1
7c69a9797768e7a3557cc8829356d9d0bd9b84fe

SHA256
f87c7c214345030c578829f5f59ade6721ead8aad60c426901a6e2bdbf0d7077

SHA512
ae4fdc5b6eaca200bb33e747e74f47658e5134eba8d58482c71681aa83c74c35d165a040e54e19c121c38fb17434aa76525577ec08bae439672a211a88249ea9

Download Submit
C:\Windows\SysWOW64\Cniajdkg.exe

Filesize
93KB

MD5
a956bc1432c1080e38a7f09dc1004833

SHA1
12ab4982ce97bf6d9e3e0235edbbeffd6922114d

SHA256
218f600f12e280624998217701dd9fc90ca8bd0043b383cc6bf1bb9c8182bb9e

SHA512
57fb1fe63b534fc6895bb11107fc47f33af035f7bdfbecc1751977a6bcf4f12741b91841ca6392689ff509f62f84b202af5e4c43ec568c5e00f35ec8610013d9

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
93KB

MD5
39ff6464338f16f1949e9c9a319c6299

SHA1
492ddf0a8e2bae17ac4bb497d22f5b3e1f6a4477

SHA256
db1458f42443a52a7684a85933e42717ebb3fe2d83b366d183f7cc3c597fe88c

SHA512
6127b740d8c8a625f44ff802911fc68780606259d7d8ad1a55abc383e9be5624094f971a507c5d00b15599705fb502dcc78703ace2aae71ff874c2fe6a7a6fe2

Download Submit
\Windows\SysWOW64\Bdfjnkne.exe

Filesize
93KB

MD5
7750b21b37a4294ad64ec9761ee9ea9a

SHA1
a8297a03780d0c250ce6fbe168cfbc1e4b7ddf63

SHA256
3f88a7760573522487dc3fb4ff5b86ca25a1010f11e8704fd616b4ad52f78818

SHA512
0fc6139ed221a6e9f6c0ec3fd5855a297a9af5cfa0e8b6fe95d8ff2dbf5cdf5743a17f411d5ccc81518e6d6fb1f995cf72b5be7cabb46c9384643a24e88d97af

Download Submit
\Windows\SysWOW64\Bfbjdf32.exe

Filesize
93KB

MD5
e9bf0be6131232fa560aeb56f2511f8b

SHA1
bcb9522d482b20e5461dee96f43ab692eefa1839

SHA256
12f5a4906492e44306754e2b4319931e56f8dfe64ac0752e714267abaf24dd30

SHA512
b3e7bf1144d4a16ae1c0d24d861e10e5eba57dba337f19b83f315228b58286e6c4c62f34ecfef0989094a91cb5f896a23a31e6efac20ce5c21aad7799acac559

Download Submit
\Windows\SysWOW64\Bfpmog32.exe

Filesize
93KB

MD5
3f006b0ef413a6d32b058d26b7e2dda3

SHA1
bb0fd30c570ae21e7ab9a065b5fd01866308f01e

SHA256
ab7a9df5534246378219e43d3c88c53c8816e3bde8b0503cbe1322840f6c97ab

SHA512
503fa8190f71c056155b8a988314a1f5e2ade164777caffefa40cb7bf8a2b69647d48bed23ac865d3b6966399e1801e911256b73327b1826907ae7a1e2550304

Download Submit
\Windows\SysWOW64\Biccfalm.exe

Filesize
93KB

MD5
fd3e4142b59869d48e5315c4f435e162

SHA1
1e4f9846be1595c9e9e93d78dfe0d92492fd3830

SHA256
a2a6dd4a570ae52e9535391fcf37d8b72159c05f787e3bdeb43544541be9c828

SHA512
006be7aa1b324878b1a9e6d11b58d05c8acdd1c3b0d703f6221471cadee47eede37efbdb4396554ab98c4214eb4c943d5bbf54e5648e91f4bc60c16387ac649f

Download Submit
\Windows\SysWOW64\Bjiljf32.exe

Filesize
93KB

MD5
24bb115fa022384a2b0d0475a1ac324c

SHA1
8f46956b36fe5ac758c1b3691b3f5c36e14543ff

SHA256
293e531111ba8cf476e3301adfc7b764d6a7896af374ab6a1333545237b63d24

SHA512
89c435c4b7495ae405f1a958f450f9bc6214d7e765fcb960a8cc89f19853605b807e810457c91da335bad7478fe48fa27234344ff2587376b9a608817498c55f

Download Submit
\Windows\SysWOW64\Blobmm32.exe

Filesize
93KB

MD5
a02675383739635787824469971aed58

SHA1
0d66970b4ffc096d51fa3982a703fce9c1f10cc3

SHA256
2b91588536058124adca42e3f702c1feb70f838ee2070676568dff44ae009aa2

SHA512
d9c117ed75819cb6e369612fae4516e9f35702a6f9f9d7e676ff83a5be0e27c78923f1dbd8625ee27399b26ecc847e71288f395c5ec3b8940124473b60516fe2

Download Submit
\Windows\SysWOW64\Bphaglgo.exe

Filesize
93KB

MD5
762ec6eb0c54171c4bccff2a86800342

SHA1
42e5ea932849cc37a92900287f62be2e5a0804c0

SHA256
35c97fe93937124ec292bcaa8700f8deec18089a0b73a033e45d8e4f2bd450d8

SHA512
777d2650dc619356fa037ad5bff1b261c301218a256254d4c1aeeb57fd374bf01e6c95643a51bad42cfc0ccb930d3d4abe03dc5a2c665ca110fc90962a94f599

Download Submit
\Windows\SysWOW64\Bpmkbl32.exe

Filesize
93KB

MD5
2efc1bbd10d892f320610158e53153de

SHA1
fb915e30fbb75ab2023c05ded03f1627533aa52e

SHA256
ebf222b6260234c8cf47fcbe97944474e6c554c3276661ef134f0ab2d05dfd8d

SHA512
2e2d57ad800b03acf8c60bb795afcdd24a69dfaff7c9d37d78bdd33786abd43a68d0d5b08817913343042ea029fee94d508704a5fbc16cd7bedf387393c8bcee

Download Submit
\Windows\SysWOW64\Ccnddg32.exe

Filesize
93KB

MD5
cae6712e8cc38107ee8d54b4616e0490

SHA1
6fbb240d2a20405867e3b1286ebb7a04afcb6f8c

SHA256
11fbf6942f6c3f3654d4b36e331190226c3e2f9ebcd40ee0e913deaf9440b8f0

SHA512
a0837a0b89e9c9b93a3c94956424823b6a080b20c7fc21c055a88e0fc9ffb489648c04eac45180878cf7c46258f02660ec47fdb8e7877721a0f63eac8912b29f

Download Submit
\Windows\SysWOW64\Chhpgn32.exe

Filesize
93KB

MD5
f283281b9f275bbb23eaaf22fe1c156e

SHA1
180e2c79d9f8e4cf587349a18e8b30a3775b5dd6

SHA256
21a90043d33ba27046e39c5f3a360cbe8aac4efefbbb1c534b864c1027019ac2

SHA512
aadf54951b4bfc7a1723a3546c6143b927c534fe62196adf4315c161d37312bca777ca9d6dbfd22c79ac2b0dfe56cc49e1df063beda7b6a9095a0872b2b1e056

Download Submit
\Windows\SysWOW64\Ckiiiine.exe

Filesize
93KB

MD5
8f3b64941ded1b30fd876c1092048c82

SHA1
3542012c4cb57f605e83f234ff48c28dcb08e8fa

SHA256
72e57f29e581108f8330d833e8a9305da7fd80dd478a99d24438db12a1ddf0bd

SHA512
2611078717d0747028ab00f35b0de1b681f5d1216adf073ccfb1a1f70f984d737a24a188bc2957153599749eb1e942661bedcbe67a0db4c36fb3a5e0b0fb5aa2

Download Submit
memory/448-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/448-147-0x0000000000450000-0x000000000048F000-memory.dmp

Filesize
252KB

Download
memory/572-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/572-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/740-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/740-168-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/792-237-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/792-241-0x0000000000370000-0x00000000003AF000-memory.dmp

Filesize
252KB

Download
memory/804-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/804-12-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/804-13-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1040-251-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/1040-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1040-309-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1076-272-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1076-283-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1076-282-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1076-312-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1112-294-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1144-227-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1464-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1464-295-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-273-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/1516-271-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/1616-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1616-258-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1616-262-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1616-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1620-300-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1712-305-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1712-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1872-121-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1872-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1872-129-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1888-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1888-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1956-303-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1956-155-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2240-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2428-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2428-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2616-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2616-94-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/2616-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-102-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2676-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2804-53-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2804-66-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2804-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-75-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2912-45-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3056-288-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3056-293-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/3056-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads