gozi | 1455ac1e000c7e55e15fc44504c4d561e5348eb2bf763100bb3fac6d656ee7a1

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b649a883dfc98e9787437836c85b40f0N.exe
Size

163KB
MD5

b649a883dfc98e9787437836c85b40f0
SHA1

b1bfd8d181d17990c2a0cb9703c1c0c717f51f47
SHA256

1455ac1e000c7e55e15fc44504c4d561e5348eb2bf763100bb3fac6d656ee7a1
SHA512

b281181dbc736817c962b831c6d21c07a7b43e0a47d93ceb1adcff47d10cd9613b3d1a7460dc9b677070e3c1e6d7ef622db251a6bf97ee2709f250f3d544105c
SSDEEP

1536:PyVEvZRq/FgBfs76AsGRh4tphBvrlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:GyR2F2fs76AsGRhm3rltOrWKDBr+yJb

Score

10^/10

gozi banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b649a883dfc98e9787437836c85b40f0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b649a883dfc98e9787437836c85b40f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 14 IoCs

pid	Process
1652	Bmpkqklh.exe
2496	Bcjcme32.exe
352	Bbmcibjp.exe
2840	Bfioia32.exe
2576	Bigkel32.exe
3060	Cepipm32.exe
2580	Cbdiia32.exe
2620	Cinafkkd.exe
1992	Cnkjnb32.exe
1680	Caifjn32.exe
2876	Cmpgpond.exe
2460	Cegoqlof.exe
1936	Dnpciaef.exe
2428	Dpapaj32.exe

Loads dropped DLL 31 IoCs

pid	Process
2360	b649a883dfc98e9787437836c85b40f0N.exe
2360	b649a883dfc98e9787437836c85b40f0N.exe
1652	Bmpkqklh.exe
1652	Bmpkqklh.exe
2496	Bcjcme32.exe
2496	Bcjcme32.exe
352	Bbmcibjp.exe
352	Bbmcibjp.exe
2840	Bfioia32.exe
2840	Bfioia32.exe
2576	Bigkel32.exe
2576	Bigkel32.exe
3060	Cepipm32.exe
3060	Cepipm32.exe
2580	Cbdiia32.exe
2580	Cbdiia32.exe
2620	Cinafkkd.exe
2620	Cinafkkd.exe
1992	Cnkjnb32.exe
1992	Cnkjnb32.exe
1680	Caifjn32.exe
1680	Caifjn32.exe
2876	Cmpgpond.exe
2876	Cmpgpond.exe
2460	Cegoqlof.exe
2460	Cegoqlof.exe
1936	Dnpciaef.exe
1936	Dnpciaef.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	b649a883dfc98e9787437836c85b40f0N.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Bigkel32.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	b649a883dfc98e9787437836c85b40f0N.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	b649a883dfc98e9787437836c85b40f0N.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1908	2428	WerFault.exe	44

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b649a883dfc98e9787437836c85b40f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b649a883dfc98e9787437836c85b40f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b649a883dfc98e9787437836c85b40f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b649a883dfc98e9787437836c85b40f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b649a883dfc98e9787437836c85b40f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	b649a883dfc98e9787437836c85b40f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b649a883dfc98e9787437836c85b40f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cegoqlof.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1652	2360	b649a883dfc98e9787437836c85b40f0N.exe	31
PID 2360 wrote to memory of 1652	2360	b649a883dfc98e9787437836c85b40f0N.exe	31
PID 2360 wrote to memory of 1652	2360	b649a883dfc98e9787437836c85b40f0N.exe	31
PID 2360 wrote to memory of 1652	2360	b649a883dfc98e9787437836c85b40f0N.exe	31
PID 1652 wrote to memory of 2496	1652	Bmpkqklh.exe	32
PID 1652 wrote to memory of 2496	1652	Bmpkqklh.exe	32
PID 1652 wrote to memory of 2496	1652	Bmpkqklh.exe	32
PID 1652 wrote to memory of 2496	1652	Bmpkqklh.exe	32
PID 2496 wrote to memory of 352	2496	Bcjcme32.exe	33
PID 2496 wrote to memory of 352	2496	Bcjcme32.exe	33
PID 2496 wrote to memory of 352	2496	Bcjcme32.exe	33
PID 2496 wrote to memory of 352	2496	Bcjcme32.exe	33
PID 352 wrote to memory of 2840	352	Bbmcibjp.exe	34
PID 352 wrote to memory of 2840	352	Bbmcibjp.exe	34
PID 352 wrote to memory of 2840	352	Bbmcibjp.exe	34
PID 352 wrote to memory of 2840	352	Bbmcibjp.exe	34
PID 2840 wrote to memory of 2576	2840	Bfioia32.exe	35
PID 2840 wrote to memory of 2576	2840	Bfioia32.exe	35
PID 2840 wrote to memory of 2576	2840	Bfioia32.exe	35
PID 2840 wrote to memory of 2576	2840	Bfioia32.exe	35
PID 2576 wrote to memory of 3060	2576	Bigkel32.exe	36
PID 2576 wrote to memory of 3060	2576	Bigkel32.exe	36
PID 2576 wrote to memory of 3060	2576	Bigkel32.exe	36
PID 2576 wrote to memory of 3060	2576	Bigkel32.exe	36
PID 3060 wrote to memory of 2580	3060	Cepipm32.exe	37
PID 3060 wrote to memory of 2580	3060	Cepipm32.exe	37
PID 3060 wrote to memory of 2580	3060	Cepipm32.exe	37
PID 3060 wrote to memory of 2580	3060	Cepipm32.exe	37
PID 2580 wrote to memory of 2620	2580	Cbdiia32.exe	38
PID 2580 wrote to memory of 2620	2580	Cbdiia32.exe	38
PID 2580 wrote to memory of 2620	2580	Cbdiia32.exe	38
PID 2580 wrote to memory of 2620	2580	Cbdiia32.exe	38
PID 2620 wrote to memory of 1992	2620	Cinafkkd.exe	39
PID 2620 wrote to memory of 1992	2620	Cinafkkd.exe	39
PID 2620 wrote to memory of 1992	2620	Cinafkkd.exe	39
PID 2620 wrote to memory of 1992	2620	Cinafkkd.exe	39
PID 1992 wrote to memory of 1680	1992	Cnkjnb32.exe	40
PID 1992 wrote to memory of 1680	1992	Cnkjnb32.exe	40
PID 1992 wrote to memory of 1680	1992	Cnkjnb32.exe	40
PID 1992 wrote to memory of 1680	1992	Cnkjnb32.exe	40
PID 1680 wrote to memory of 2876	1680	Caifjn32.exe	41
PID 1680 wrote to memory of 2876	1680	Caifjn32.exe	41
PID 1680 wrote to memory of 2876	1680	Caifjn32.exe	41
PID 1680 wrote to memory of 2876	1680	Caifjn32.exe	41
PID 2876 wrote to memory of 2460	2876	Cmpgpond.exe	42
PID 2876 wrote to memory of 2460	2876	Cmpgpond.exe	42
PID 2876 wrote to memory of 2460	2876	Cmpgpond.exe	42
PID 2876 wrote to memory of 2460	2876	Cmpgpond.exe	42
PID 2460 wrote to memory of 1936	2460	Cegoqlof.exe	43
PID 2460 wrote to memory of 1936	2460	Cegoqlof.exe	43
PID 2460 wrote to memory of 1936	2460	Cegoqlof.exe	43
PID 2460 wrote to memory of 1936	2460	Cegoqlof.exe	43
PID 1936 wrote to memory of 2428	1936	Dnpciaef.exe	44
PID 1936 wrote to memory of 2428	1936	Dnpciaef.exe	44
PID 1936 wrote to memory of 2428	1936	Dnpciaef.exe	44
PID 1936 wrote to memory of 2428	1936	Dnpciaef.exe	44
PID 2428 wrote to memory of 1908	2428	Dpapaj32.exe	45
PID 2428 wrote to memory of 1908	2428	Dpapaj32.exe	45
PID 2428 wrote to memory of 1908	2428	Dpapaj32.exe	45
PID 2428 wrote to memory of 1908	2428	Dpapaj32.exe	45

C:\Users\Admin\AppData\Local\Temp\b649a883dfc98e9787437836c85b40f0N.exe
"C:\Users\Admin\AppData\Local\Temp\b649a883dfc98e9787437836c85b40f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\Bmpkqklh.exe
  C:\Windows\system32\Bmpkqklh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\Bcjcme32.exe
    C:\Windows\system32\Bcjcme32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\SysWOW64\Bbmcibjp.exe
      C:\Windows\system32\Bbmcibjp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:352
    - - C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 144
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
163KB

MD5
e19e3461d4b99c61f0f2358f08d6dbe3

SHA1
8e956dfee3773304cd55d53553d66fb7c87c73b8

SHA256
ce004f8c3c1dbbf7fb85bc7554a0e6f39531aa23b2f5d999136d96f68475d9fc

SHA512
363d1dcfdda4f261300071644763f26f622cd5924e4ff4b00db78e5f9e2364a7d53b7b0b19e2efa0ee40384a04da5f7be3fe1ca11fda90fe58fa2eee7e2cd849

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
163KB

MD5
c1944db8b25c84c7b095770c76bda184

SHA1
092476e1e4a0c8d6d770134b9923122c298ee24c

SHA256
185f4175e11da4d58c682c52942c676b1456eb66fa0ad65030ef1eabbf9d7621

SHA512
b94511d1831e7e1c5f1c38f034fbcc8e1a1d547246c4cb06ac5d61c678bf92cc67bc8b045c8232fcc72e2d85b7e0b55e783461e3259002ec5d89f2d413769d3c

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
163KB

MD5
3df6384376af95f35ac1ae85be8db9a4

SHA1
a61eb3eb884a0a715a64e25b2d79b729e7ddc06b

SHA256
7aa57a10557613a02b264187b936a72bd3484006ac67836a48b1ff1a2a12a93a

SHA512
458ab03df7a4e50ebfa520fc6b297b29e70719afa99de2d69a7ee2b55b9c9bba0ad5fc63c7e5e22745b3d8ec0fca2b3da9ab24e69bd9e4ab1957a06e05dd472a

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
163KB

MD5
9547af900fdcb8dcc96b02e27a60b239

SHA1
a97d208e15f9b2962a4516cf1eff9358743954db

SHA256
47370d6cee45acf32229cc786b75edce9fc4b7e060e2750bc21c02efaf66bf9f

SHA512
621c4a320a34aa9c62cef23f11e9b142df6170f80d39db38ed7f46d73d61b56abdddd39ef1bde6c2937aae78171cf8854c1ef022c99fc01142244346ad244817

Download Submit
\Windows\SysWOW64\Bigkel32.exe

Filesize
163KB

MD5
edcc7ef14efa3bdca3637b3749eddfcb

SHA1
adc7b480e34b5966233a3aa8188f98b767b873dd

SHA256
37271151711964620ec607189243a947da065e5982a818a6342609da9b8fc80c

SHA512
db743bac994ebd84c04ed24ff004efe611563cb19f0b8efcf9beb4e69555e56cf8dbd306d39c90332bf6213cf165afd5e1e18883450ca32a8906ed386a164aa9

Download Submit
\Windows\SysWOW64\Bmpkqklh.exe

Filesize
163KB

MD5
9f8680089e4a47d66f95e60b8e69f2b3

SHA1
975711c06a68e6aed16e735beaeb3fa4ce10c239

SHA256
522ba265bfc9709a37d47c843bc5296e41eb5200e1b02a6c3bdfd2d64283a162

SHA512
e50101d07626238231cec1d3f1409b4aaf85af7921d2d846fcd3ddd6ec82e5ab491234688937729403d90ad646f0c7a2c75d022a25f53a26c1144b202ebb6802

Download Submit
\Windows\SysWOW64\Caifjn32.exe

Filesize
163KB

MD5
bdee452e439ddf26e40a09792b44df0c

SHA1
2934673203a0823a8d0c6068354887efd7ad8fe4

SHA256
1325bb34e0257637d5c0e83e935547eb88f628184901ebb0e379f6a20674f904

SHA512
00341bc3830b1d696d97534eee8810d76e98222bf6cc927071225d3e4154c2a431ad57b5bc7452a2c7157f94b8d9480b10766da5fb1c85f2446e232ffba22ceb

Download Submit
\Windows\SysWOW64\Cbdiia32.exe

Filesize
163KB

MD5
31ae6bc413f0791b462f14febe360cea

SHA1
b7f74343adc915dadbfb071841aa524e933527c3

SHA256
aed0a90be927fac1b45c03404229e1d4b5c87a48c6495766d88b78e570005ec8

SHA512
7f99389fd9a193246f35a86eecbbdc1e2404666bab2e87a9344ecd3b21936cc5d2c08d8eb48ba99895e94bf2a33c8089cbb691b3a5e91cc3e5fdce224ba9b353

Download Submit
\Windows\SysWOW64\Cegoqlof.exe

Filesize
163KB

MD5
8baaf1680635bb565743e19f95c6b2f9

SHA1
5351502b49d18767762c59dd3af4bfc0cbba7f39

SHA256
3cb29296fca1db039798cb31fad9b1000981c8f56fec9ce8eda6243602695e93

SHA512
bc7333dfb01aac67dc1b1420d000488699110a50057582ae693dd384dbac2773cf5831ef51a6bbeec0a7a4efed41e7f363d218cf4948ee12b0671a7f0b2d3dc9

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
163KB

MD5
4968c1ec5fb4b47e790fbab1462fff47

SHA1
a770054a09518721387e45f250f886a295d6aa43

SHA256
9fb35e2f5ead7aa6547cad18a6bcedc7e7724ca1a60c57c0fc6d2de85781ce4e

SHA512
cdac41a4fe8c24eeb11d55825aa396502aadf2b743ae5f4223e1d37cfead07b7f46b0c35465acc0fd570b31032ece7ac613659b548ce30061749d896fbe8c969

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
163KB

MD5
499cb0a4777cd0771843d708f88fdb07

SHA1
5a31a8d850b1cab25fcc10b7e85e9dffbcf2f118

SHA256
81f936fc1e355808e0bccbc492583030d2870dc9666c70d64fdbd0159ee903b7

SHA512
2e640ab16bee233fea10761fe5261ff96e4ca67a31eba44435ee2602d978b32c253e53b3dd8e8cb8d00ac30675897714dba71323b851fa95a80082ed53409faf

Download Submit
\Windows\SysWOW64\Cmpgpond.exe

Filesize
163KB

MD5
dac46313aafdb456b0c7240e83c43fb2

SHA1
1d2ed739be1815d5c0692d78bebae8d0bc3e7f6b

SHA256
ca17c5189502509786d007515eb6fbd4ae0cbdac41b8f9488bcd67d6aedcffc3

SHA512
651ac53f4a24b0ed540d04710a8b236cc5a69d45851ce2d5085665bae34fcf46775ed36a46d1faffa5a1b8afa809bc31e765d79d9a6927a8da83a4c408ffe8bc

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
163KB

MD5
48a33c7ea36d7a36174109bbae32728a

SHA1
ba34244a2ef68732cae4ddf2b7da1ac12b882d8a

SHA256
3dfea5d27de9ecec8a55fd2b693fc4e67d181dbd705e2c128bfe9478b1674572

SHA512
1c69f43d7f85449afef5d82cad558b41c411f154f313e8dc628546cc370ee4d432372cad915f16d30021e5013ed5b2e6dac7c3cc11c1c9c1e872ad53a63c0c6e

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
163KB

MD5
68c684c70f8eb8f8aed42ec151529314

SHA1
b0914972248d510cd24ada2a87afc58916184ead

SHA256
b2396c0e8f45fb65301f0b71934d7620d8a848afdfe2e457a1c13f53abd7c5c2

SHA512
6efdfaf47714ba64d9c3a88bbe85a18442561eab665fed2e0f1e8c118b3d164d15a26ed081bfdbda491ed88b5ed155ca401d9ff922d2520e1a66486e41dc4b71

Download Submit
memory/352-235-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/352-39-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1652-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1652-18-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1680-144-0x0000000001F60000-0x0000000001FB3000-memory.dmp

Filesize
332KB

Download
memory/1680-249-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1680-132-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1936-183-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/1936-171-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1936-258-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1992-247-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1992-119-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2360-229-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2360-12-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2360-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2428-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-158-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2496-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2496-26-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2576-74-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/2576-239-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2580-243-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2620-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2620-117-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2620-245-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2840-237-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2840-52-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2840-60-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/2840-65-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/2876-251-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3060-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3060-86-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads