Analysis

- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05-10-2024 01:15

Static task: static1

Behavioral task: behavioral1
- Sample: b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe
- Resource: win10v2004-20240802-en
General

- Target: b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe
- Size: 89KB
- MD5: dcfb14e4f1b8e2afc404021c7efd7380
- SHA1: 49daf6476815d8aa0a92b54fbdd9c1986089edfb
- SHA256: b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522af
- SHA512: 5ac7e20cda937b315a97bd3f8d5ba52c82549b50c3b63f64aea5538e049ccea7de4319945ea8e5702368c2fd0d78f6527730e1f15e43871e287c9c6fc0965f89
- SSDEEP: 1536:5nZr6C0pPeJQNjL3J7DJKYJTPOGDY4GDrbbbbbbVEI0Pc4lExkg8F:5nZr162J83zVY4GDbKc4lakgw
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 20 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Boplllob.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmclhi32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bobhal32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpceidcn.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgbfamff.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfnmfn32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cfnmfn32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgpjlnhh.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cphndc32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Boplllob.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bmclhi32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bobhal32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cdanpb32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cgpjlnhh.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cpceidcn.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdanpb32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cphndc32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cgbfamff.exe |
Executes dropped EXE (10 IoCs)

| pid | Process |
|---|---|
| 2736 | Boplllob.exe |
| 2916 | Bmclhi32.exe |
| 2696 | Bobhal32.exe |
| 2660 | Cpceidcn.exe |
| 536 | Cfnmfn32.exe |
| 1588 | Cdanpb32.exe |
| 2204 | Cgpjlnhh.exe |
| 2512 | Cphndc32.exe |
| 1596 | Cgbfamff.exe |
| 1824 | Ceegmj32.exe |
Loads dropped DLL (24 IoCs; identical entries collapsed, count in the last column)

| pid | Process | entries |
|---|---|---|
| 2844 | b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe | 2 |
| 2736 | Boplllob.exe | 2 |
| 2916 | Bmclhi32.exe | 2 |
| 2696 | Bobhal32.exe | 2 |
| 2660 | Cpceidcn.exe | 2 |
| 536 | Cfnmfn32.exe | 2 |
| 1588 | Cdanpb32.exe | 2 |
| 2204 | Cgpjlnhh.exe | 2 |
| 2512 | Cphndc32.exe | 2 |
| 1596 | Cgbfamff.exe | 2 |
| 2792 | WerFault.exe | 4 |
Drops file in System32 directory (30 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\Cgpjlnhh.exe | Cdanpb32.exe |
| File created | C:\Windows\SysWOW64\Lbonaf32.dll | Cphndc32.exe |
| File opened for modification | C:\Windows\SysWOW64\Bobhal32.exe | Bmclhi32.exe |
| File created | C:\Windows\SysWOW64\Imklkg32.dll | Bmclhi32.exe |
| File created | C:\Windows\SysWOW64\Cpceidcn.exe | Bobhal32.exe |
| File opened for modification | C:\Windows\SysWOW64\Cpceidcn.exe | Bobhal32.exe |
| File created | C:\Windows\SysWOW64\Cfnmfn32.exe | Cpceidcn.exe |
| File created | C:\Windows\SysWOW64\Cphndc32.exe | Cgpjlnhh.exe |
| File opened for modification | C:\Windows\SysWOW64\Ceegmj32.exe | Cgbfamff.exe |
| File created | C:\Windows\SysWOW64\Aoogfhfp.dll | Cgbfamff.exe |
| File created | C:\Windows\SysWOW64\Opacnnhp.dll | Boplllob.exe |
| File created | C:\Windows\SysWOW64\Mabanhgg.dll | Cpceidcn.exe |
| File created | C:\Windows\SysWOW64\Aincgi32.dll | Cfnmfn32.exe |
| File created | C:\Windows\SysWOW64\Dojofhjd.dll | Cdanpb32.exe |
| File created | C:\Windows\SysWOW64\Lopdpdmj.dll | Cgpjlnhh.exe |
| File opened for modification | C:\Windows\SysWOW64\Bmclhi32.exe | Boplllob.exe |
| File created | C:\Windows\SysWOW64\Ceegmj32.exe | Cgbfamff.exe |
| File created | C:\Windows\SysWOW64\Bobhal32.exe | Bmclhi32.exe |
| File created | C:\Windows\SysWOW64\Cgpjlnhh.exe | Cdanpb32.exe |
| File created | C:\Windows\SysWOW64\Cgbfamff.exe | Cphndc32.exe |
| File created | C:\Windows\SysWOW64\Liggabfp.dll | b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe |
| File opened for modification | C:\Windows\SysWOW64\Cgbfamff.exe | Cphndc32.exe |
| File opened for modification | C:\Windows\SysWOW64\Cfnmfn32.exe | Cpceidcn.exe |
| File created | C:\Windows\SysWOW64\Cdanpb32.exe | Cfnmfn32.exe |
| File created | C:\Windows\SysWOW64\Bmclhi32.exe | Boplllob.exe |
| File opened for modification | C:\Windows\SysWOW64\Boplllob.exe | b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe |
| File created | C:\Windows\SysWOW64\Ndmjqgdd.dll | Bobhal32.exe |
| File opened for modification | C:\Windows\SysWOW64\Cdanpb32.exe | Cfnmfn32.exe |
| File opened for modification | C:\Windows\SysWOW64\Cphndc32.exe | Cgpjlnhh.exe |
| File created | C:\Windows\SysWOW64\Boplllob.exe | b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe |
Program crash (1 IoC)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 2792 | 1824 | WerFault.exe | 40 |
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bobhal32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpceidcn.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfnmfn32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdanpb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cphndc32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmclhi32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgpjlnhh.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgbfamff.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ceegmj32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Boplllob.exe |
Modifies registry class (33 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bmclhi32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojofhjd.dll" | Cdanpb32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cdanpb32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cphndc32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Boplllob.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bmclhi32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopdpdmj.dll" | Cgpjlnhh.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cphndc32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll" | Cgbfamff.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Boplllob.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll" | Boplllob.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cpceidcn.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cfnmfn32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cgbfamff.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bobhal32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cpceidcn.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cgpjlnhh.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cgbfamff.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll" | Bmclhi32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll" | Cpceidcn.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aincgi32.dll" | Cfnmfn32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cfnmfn32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cdanpb32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbonaf32.dll" | Cphndc32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll" | b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll" | Bobhal32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bobhal32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cgpjlnhh.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe |
Suspicious use of WriteProcessMemory (44 IoCs; identical entries collapsed, count in the last column)

| description | pid | Process | procid_target | entries |
|---|---|---|---|---|
| PID 2844 wrote to memory of 2736 | 2844 | b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe | 31 | 4 |
| PID 2736 wrote to memory of 2916 | 2736 | Boplllob.exe | 32 | 4 |
| PID 2916 wrote to memory of 2696 | 2916 | Bmclhi32.exe | 33 | 4 |
| PID 2696 wrote to memory of 2660 | 2696 | Bobhal32.exe | 34 | 4 |
| PID 2660 wrote to memory of 536 | 2660 | Cpceidcn.exe | 35 | 4 |
| PID 536 wrote to memory of 1588 | 536 | Cfnmfn32.exe | 36 | 4 |
| PID 1588 wrote to memory of 2204 | 1588 | Cdanpb32.exe | 37 | 4 |
| PID 2204 wrote to memory of 2512 | 2204 | Cgpjlnhh.exe | 38 | 4 |
| PID 2512 wrote to memory of 1596 | 2512 | Cphndc32.exe | 39 | 4 |
| PID 1596 wrote to memory of 1824 | 1596 | Cgbfamff.exe | 40 | 4 |
| PID 1824 wrote to memory of 2792 | 1824 | Ceegmj32.exe | 41 | 4 |
Processes (each entry is a child of the one before it; the number is its depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe"
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2844

2. C:\Windows\SysWOW64\Boplllob.exe
   Command line: C:\Windows\system32\Boplllob.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2736

3. C:\Windows\SysWOW64\Bmclhi32.exe
   Command line: C:\Windows\system32\Bmclhi32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2916

4. C:\Windows\SysWOW64\Bobhal32.exe
   Command line: C:\Windows\system32\Bobhal32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2696

5. C:\Windows\SysWOW64\Cpceidcn.exe
   Command line: C:\Windows\system32\Cpceidcn.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2660

6. C:\Windows\SysWOW64\Cfnmfn32.exe
   Command line: C:\Windows\system32\Cfnmfn32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 536

7. C:\Windows\SysWOW64\Cdanpb32.exe
   Command line: C:\Windows\system32\Cdanpb32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 1588

8. C:\Windows\SysWOW64\Cgpjlnhh.exe
   Command line: C:\Windows\system32\Cgpjlnhh.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2204

9. C:\Windows\SysWOW64\Cphndc32.exe
   Command line: C:\Windows\system32\Cphndc32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2512

10. C:\Windows\SysWOW64\Cgbfamff.exe
    Command line: C:\Windows\system32\Cgbfamff.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1596

11. C:\Windows\SysWOW64\Ceegmj32.exe
    Command line: C:\Windows\system32\Ceegmj32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1824

12. C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 140
    - Loads dropped DLL
    - Program crash
    PID: 2792
Network
MITRE ATT&CK Enterprise v15
Downloads