ac14e3d54302cc8713f6ff189f6623c2078e9747fd6d533bca86f3abccbbd087

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deaf7cfe5fcb4988b5cfaa8ca39c432b.exe
Size

80KB
MD5

deaf7cfe5fcb4988b5cfaa8ca39c432b
SHA1

d3f8440a3127418365ddeeb2998370bebf8e6deb
SHA256

ac14e3d54302cc8713f6ff189f6623c2078e9747fd6d533bca86f3abccbbd087
SHA512

8e1e2d42c0b6d07279d0355563c0ce8f4b8ae4d74722a5bd674153315ed3c325bdab2dea7ac44a563563a42550be205d9fb5c9ee8e2d9be27bb80b24e3ba3651
SSDEEP

1536:IXtNzHGkoZtu36J81b8Cbci2LdS5DUHRbPa9b6i+sIk:IdVrKQ6qIvdS5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	deaf7cfe5fcb4988b5cfaa8ca39c432b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	deaf7cfe5fcb4988b5cfaa8ca39c432b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe

Executes dropped EXE 31 IoCs

pid	Process
2604	Ojoign32.exe
3668	Ofeilobp.exe
2844	Pmoahijl.exe
4404	Pgefeajb.exe
1664	Bchomn32.exe
1948	Bjagjhnc.exe
2076	Beglgani.exe
4472	Bapiabak.exe
2644	Cfmajipb.exe
1232	Cdabcm32.exe
4972	Caebma32.exe
316	Cjmgfgdf.exe
2792	Chagok32.exe
1644	Cjpckf32.exe
3168	Cajlhqjp.exe
4408	Cdhhdlid.exe
4856	Cffdpghg.exe
3848	Calhnpgn.exe
2640	Ddjejl32.exe
4640	Dmcibama.exe
1496	Ddmaok32.exe
1820	Djgjlelk.exe
2124	Dmefhako.exe
4764	Ddonekbl.exe
1596	Dfnjafap.exe
2840	Dmgbnq32.exe
3784	Deokon32.exe
1100	Dkkcge32.exe
2360	Daekdooc.exe
3148	Dgbdlf32.exe
2420	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	deaf7cfe5fcb4988b5cfaa8ca39c432b.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	deaf7cfe5fcb4988b5cfaa8ca39c432b.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	deaf7cfe5fcb4988b5cfaa8ca39c432b.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4020	2420	WerFault.exe	103

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	deaf7cfe5fcb4988b5cfaa8ca39c432b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	deaf7cfe5fcb4988b5cfaa8ca39c432b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	deaf7cfe5fcb4988b5cfaa8ca39c432b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	deaf7cfe5fcb4988b5cfaa8ca39c432b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 2604	3472	deaf7cfe5fcb4988b5cfaa8ca39c432b.exe	87
PID 3472 wrote to memory of 2604	3472	deaf7cfe5fcb4988b5cfaa8ca39c432b.exe	87
PID 3472 wrote to memory of 2604	3472	deaf7cfe5fcb4988b5cfaa8ca39c432b.exe	87
PID 2604 wrote to memory of 3668	2604	Ojoign32.exe	88
PID 2604 wrote to memory of 3668	2604	Ojoign32.exe	88
PID 2604 wrote to memory of 3668	2604	Ojoign32.exe	88
PID 3668 wrote to memory of 2844	3668	Ofeilobp.exe	89
PID 3668 wrote to memory of 2844	3668	Ofeilobp.exe	89
PID 3668 wrote to memory of 2844	3668	Ofeilobp.exe	89
PID 2844 wrote to memory of 4404	2844	Pmoahijl.exe	90
PID 2844 wrote to memory of 4404	2844	Pmoahijl.exe	90
PID 2844 wrote to memory of 4404	2844	Pmoahijl.exe	90
PID 4404 wrote to memory of 1664	4404	Pgefeajb.exe	92
PID 4404 wrote to memory of 1664	4404	Pgefeajb.exe	92
PID 4404 wrote to memory of 1664	4404	Pgefeajb.exe	92
PID 1664 wrote to memory of 1948	1664	Bchomn32.exe	93
PID 1664 wrote to memory of 1948	1664	Bchomn32.exe	93
PID 1664 wrote to memory of 1948	1664	Bchomn32.exe	93
PID 1948 wrote to memory of 2076	1948	Bjagjhnc.exe	94
PID 1948 wrote to memory of 2076	1948	Bjagjhnc.exe	94
PID 1948 wrote to memory of 2076	1948	Bjagjhnc.exe	94
PID 2076 wrote to memory of 4472	2076	Beglgani.exe	95
PID 2076 wrote to memory of 4472	2076	Beglgani.exe	95
PID 2076 wrote to memory of 4472	2076	Beglgani.exe	95
PID 4472 wrote to memory of 2644	4472	Bapiabak.exe	97
PID 4472 wrote to memory of 2644	4472	Bapiabak.exe	97
PID 4472 wrote to memory of 2644	4472	Bapiabak.exe	97
PID 2644 wrote to memory of 1232	2644	Cfmajipb.exe	98
PID 2644 wrote to memory of 1232	2644	Cfmajipb.exe	98
PID 2644 wrote to memory of 1232	2644	Cfmajipb.exe	98
PID 1232 wrote to memory of 4972	1232	Cdabcm32.exe	99
PID 1232 wrote to memory of 4972	1232	Cdabcm32.exe	99
PID 1232 wrote to memory of 4972	1232	Cdabcm32.exe	99
PID 4972 wrote to memory of 316	4972	Caebma32.exe	123
PID 4972 wrote to memory of 316	4972	Caebma32.exe	123
PID 4972 wrote to memory of 316	4972	Caebma32.exe	123
PID 316 wrote to memory of 2792	316	Cjmgfgdf.exe	122
PID 316 wrote to memory of 2792	316	Cjmgfgdf.exe	122
PID 316 wrote to memory of 2792	316	Cjmgfgdf.exe	122
PID 2792 wrote to memory of 1644	2792	Chagok32.exe	121
PID 2792 wrote to memory of 1644	2792	Chagok32.exe	121
PID 2792 wrote to memory of 1644	2792	Chagok32.exe	121
PID 1644 wrote to memory of 3168	1644	Cjpckf32.exe	120
PID 1644 wrote to memory of 3168	1644	Cjpckf32.exe	120
PID 1644 wrote to memory of 3168	1644	Cjpckf32.exe	120
PID 3168 wrote to memory of 4408	3168	Cajlhqjp.exe	118
PID 3168 wrote to memory of 4408	3168	Cajlhqjp.exe	118
PID 3168 wrote to memory of 4408	3168	Cajlhqjp.exe	118
PID 4408 wrote to memory of 4856	4408	Cdhhdlid.exe	117
PID 4408 wrote to memory of 4856	4408	Cdhhdlid.exe	117
PID 4408 wrote to memory of 4856	4408	Cdhhdlid.exe	117
PID 4856 wrote to memory of 3848	4856	Cffdpghg.exe	116
PID 4856 wrote to memory of 3848	4856	Cffdpghg.exe	116
PID 4856 wrote to memory of 3848	4856	Cffdpghg.exe	116
PID 3848 wrote to memory of 2640	3848	Calhnpgn.exe	115
PID 3848 wrote to memory of 2640	3848	Calhnpgn.exe	115
PID 3848 wrote to memory of 2640	3848	Calhnpgn.exe	115
PID 2640 wrote to memory of 4640	2640	Ddjejl32.exe	114
PID 2640 wrote to memory of 4640	2640	Ddjejl32.exe	114
PID 2640 wrote to memory of 4640	2640	Ddjejl32.exe	114
PID 4640 wrote to memory of 1496	4640	Dmcibama.exe	113
PID 4640 wrote to memory of 1496	4640	Dmcibama.exe	113
PID 4640 wrote to memory of 1496	4640	Dmcibama.exe	113
PID 1496 wrote to memory of 1820	1496	Ddmaok32.exe	100

C:\Users\Admin\AppData\Local\Temp\deaf7cfe5fcb4988b5cfaa8ca39c432b.exe
"C:\Users\Admin\AppData\Local\Temp\deaf7cfe5fcb4988b5cfaa8ca39c432b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\Ojoign32.exe
  C:\Windows\system32\Ojoign32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\Ofeilobp.exe
    C:\Windows\system32\Ofeilobp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\SysWOW64\Pmoahijl.exe
      C:\Windows\system32\Pmoahijl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316

C:\Windows\SysWOW64\Djgjlelk.exe
C:\Windows\system32\Djgjlelk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1820
- C:\Windows\SysWOW64\Dmefhako.exe
  C:\Windows\system32\Dmefhako.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2420 -ip 2420
1⤵
PID:2400

C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
1⤵
- Executes dropped EXE
PID:2420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 404
  2⤵
  - Program crash
  PID:4020

C:\Windows\SysWOW64\Dgbdlf32.exe
C:\Windows\system32\Dgbdlf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3148

C:\Windows\SysWOW64\Daekdooc.exe
C:\Windows\system32\Daekdooc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2360

C:\Windows\SysWOW64\Dkkcge32.exe
C:\Windows\system32\Dkkcge32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1100

C:\Windows\SysWOW64\Deokon32.exe
C:\Windows\system32\Deokon32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3784

C:\Windows\SysWOW64\Dmgbnq32.exe
C:\Windows\system32\Dmgbnq32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2840

C:\Windows\SysWOW64\Dfnjafap.exe
C:\Windows\system32\Dfnjafap.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1596

C:\Windows\SysWOW64\Ddonekbl.exe
C:\Windows\system32\Ddonekbl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4764

C:\Windows\SysWOW64\Ddmaok32.exe
C:\Windows\system32\Ddmaok32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\Dmcibama.exe
C:\Windows\system32\Dmcibama.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\SysWOW64\Ddjejl32.exe
C:\Windows\system32\Ddjejl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\Calhnpgn.exe
C:\Windows\system32\Calhnpgn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\Cffdpghg.exe
C:\Windows\system32\Cffdpghg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SysWOW64\Cdhhdlid.exe
C:\Windows\system32\Cdhhdlid.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\Cajlhqjp.exe
C:\Windows\system32\Cajlhqjp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\Cjpckf32.exe
C:\Windows\system32\Cjpckf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\Chagok32.exe
C:\Windows\system32\Chagok32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
80KB

MD5
f56f9ce0cbd61644f9ac0d467fceecdd

SHA1
7e528ded58cf97fca3f808fe489cc7b73f4c082a

SHA256
20fdaee02bbaeb8a8830a6bc8eba6e8326ac8c643dbddea2a18617dd7aaac932

SHA512
5b93f4084e5890f959d0293595fb4a17adf03bdbc214a70d67f6a8c91f55b889b0e39e3dd429001a56444cd723b5715e0db808def50e7d1683598efad7ef669b

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
80KB

MD5
1fb89fb6f8e43fe23da620290f527e12

SHA1
39545df5b64753b8049b0ad3b97994b71eaea2fe

SHA256
3589df57ed137873c03b5eff416fe8ead9b0beace73c2c3df6751721d90068a1

SHA512
3a17b51f2a493c1f775d3f6be41413ebdb13d46082f392dd1abc63452ba9d9235df030be19a6fc703b876bea6a7c381ff785314b6ae0895519dfb8636c0ea0b2

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
80KB

MD5
2cc108220806d1f5856c918e253d54de

SHA1
f8219d73243a3db5b26026f756cc8547fd562c6c

SHA256
7b4fb717b30f2449fc6618595985f21e8b00d6a097be6a7d488ddbff8e6a6c15

SHA512
bda9e0f544c6949cbaf488ca45c813e2016c9a04bebb4fd5924da095270693ff131879b8571cb6beb20155c7da106d05f5c89026df9d7f16dfdfed1c24332be6

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
80KB

MD5
143b234c9befd9c893a2be68461a5b78

SHA1
e36141ae91e52a1b05b8aeb188442aed4676b834

SHA256
d79317ad484cb53ed1461edc79800ae412d29f144dfd8cf3d30dceab1bce1ed1

SHA512
9bdcd61de5c1dae8af8d2094cfeb2a64caacea1bf13b21f4440a9fde4a0945b48d1e187bd5c84792f511a0d9701be7b1ac6bb91f9a652ebe5b8478807a1bd257

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
80KB

MD5
e685fa5549bb9783c726311dc3d2d9cd

SHA1
4908ca6eed5fcda2c1f313966206af8d162026cd

SHA256
404ed18059fbe825d457695f9a1a3fe14862b6fca74ea097829b81d3a180f85d

SHA512
9c117c30ca155ba7fab180f7b08d7008668df055eece247ba249b97cb2ece10bb0d69fb8e6d728286516bcab23843492381c98260347e211f7d6f2cdaddd6927

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
80KB

MD5
1ee43fff27f6f60ff910fae7a74af1e8

SHA1
96fdc542c47de2d7b68992a459554ad7681d73b4

SHA256
3090e463a34fb4d7f02b3dc68c965713c0a7c834597f2ef97110f1c99b07a5cc

SHA512
6bee14ac71526dca4516b4184d7e299ee1681c5ead08fbaab3be0b583a29af39a4919b1624f1af1aa2d19d8544febae6d53b3e70328be29e54bf0e8e43299102

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
80KB

MD5
e1e0daa716ec8bd6a75934a6187ccb99

SHA1
ae7d63d634be1956b522e68e7427611d39bb0200

SHA256
f5c8d69004afc044470bb2fdef5c0bea44d620c0bbf5bb87d6b30a1e541a5aaa

SHA512
c2019991ae98972b6c48afdd7e409a73d94b3861c35aade6e0b6e83c00bae294ccf8ea2fe7806d9053dbda1987c661e01bc3a084edeb4a5cc14751aad2951430

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
80KB

MD5
11d2639d2b40ed0ebd419a0865419d7b

SHA1
8fbb7574725ac4df4da20ecd365fb0341ae7a195

SHA256
a80aeec09b916c304ec9ea0a4af9de9b0e4e1d96237fbd8b0f8465bf6df4ae07

SHA512
93e08f0e85a3772a87c7a0acc8a7ae94f26fc7b828cef440edf7cd7d65695e3629222db9ed351c307e27f5ecab21e90321e53ca2189c47c0236c6bbb0d3b7e97

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
80KB

MD5
3b498c48b3a1a2df67155fe2df4b9f97

SHA1
1ee9cf0ae14c40cb349ed42b3e1d22feb3a50915

SHA256
9532be55daa85c7173229ba0c57e461239f0bb5783843669d82c706be9d55347

SHA512
bd88cb7d6afdaddf44d3ccfadb1389247a8d6299707a7d9d87a091ff4a8c86f6a5a336c26316a6ec314f19ba1124120ccf41865c95cebbd65f4da6fae98c6100

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
80KB

MD5
97bdb34317bc1951863bb3db69933daa

SHA1
bfe762fcc271a556e988b1a23ef176923acd78be

SHA256
2f5671b7ac6ea8ac050482c21906e27136c53f3c31ec54d5ad809c7a05517df9

SHA512
b767d57108ad768c62847faf153e008bbfb6c1481ef2bcc19b2c10059f34e67836516976b531e7e99202e5a04a424f66130384281b4e9771f0dd92e4afb82c73

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
80KB

MD5
f4bc6274171fded3ff4f757f4eca44e6

SHA1
f5ac79ee61393cb8f3ca91380bf28f13e833dae4

SHA256
16a902158f7e666923a9778a2112b5e43a6c72af7550b1ecc2d22638591b604c

SHA512
d093bde7efccdda27fea8f8215d749acdc076dfc979f3396ad83a7342e16b390dd49eb8a648b4861a6144f28dc44cf78f317b2c3fd1199cc75ff30f2f5c5e285

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
80KB

MD5
9aa1a772874a4971cee70001631f65e1

SHA1
0cb511c9cd5fb72c88e46725a362892f5fda41ad

SHA256
a29edaaa0bd9f119132d7846d6d2497ae96fa5683053d2ca876ac7f32e233719

SHA512
15dcefef24fa101ee9b1cedad10c60bdf2c6d9ef23ba024fbb86555f8aea0212bb24196adadb77cf41dbe5bbf21b00f6046cdfa9604fae1032fc2ba421093eeb

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
80KB

MD5
3436fffe1f7a58c5487725cf0a2206dc

SHA1
64096d1eef8e2091a8447379dab71ec327d6538b

SHA256
044aa5ea082bca656d7f6c3a7d42a66a2cbf9add9b8dac84c179e2079893cb0c

SHA512
fb301a7cd49a7828d7789b10e2ced68237df78c779dc006208ac1da2a338beaf8c5d32710539beb837024f5187c89fdbd06bcd683d5e970c3cf7442ddd775fa1

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
80KB

MD5
0f7da82d995677d8c8c6d30da85f626f

SHA1
7a8e3cb1545b253b22218c4c0e9d1b03cd705c57

SHA256
5fe15679d4d431ca9d8b9930c23870ede65b1bae7b68c17e8b81eb8feaed2ae0

SHA512
f20e7f0c81d771d7a1b147865dbdb35e74d0cba2c1758647653656f7de16172f0da886e88ecd7c23fa39e22aba9985eb3cd70c067715567470837b43ac72728d

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
80KB

MD5
542e44137d9989a2d7945a80952afab4

SHA1
16a82b2bc2dccb0a8be516216dc7d8641e82c7b6

SHA256
b17105989f60bfa80a54db6871217d19da458462c2df9492133ec7a36df51b5e

SHA512
a5bcaa370ef07b202e6540906b09d34f405aee5cefda5da3556b62b41b47d9bc3c60272b5021e304365824aad9833e5f360208b31c80f3cf12346f52933c2b3b

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
80KB

MD5
1bfe1e1c18ae0b0a5107340e4c568c36

SHA1
a94bc465956c949d6528dfa4de2912513ab97364

SHA256
8a06b9a1366a935c0e96c4ac20a4f18e508583abb5b8775d32c62672c6fa2678

SHA512
5d5b8f3fab9799ff96ae104ffb832f641d9a49abc102d9bbef04502dee5c4c6ae369fa6b54eb8e856c19b9e40dc18c5f3005ea85584cfda8f03af5d14b81a3db

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
80KB

MD5
0d0523fef4ffab0013d6f66c99ac015b

SHA1
4a8bc342f7c5fb65cbbe29f32d7dbf166e294723

SHA256
10a85cd5ef08891df6b627d08b66275070038392482b3645185d18beb763ae34

SHA512
2522ee75d415e3d880378a9f5939e2440b8557b6649b5f5d2cc8ed6ff383540b0396a16010abf663a929bcaa68de301c6fd5e3b0569d12aefcd3842873f34e52

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
80KB

MD5
9524c2ae6f0b5af5fd97da02a639ea0d

SHA1
bf98143385012f9b5f495f4c3691e74cd67da916

SHA256
0ff5e03e7c262ec7b3ec324baaf0209d6ddc9e2831058f045717faac73a7fea8

SHA512
cfa723225cdc35d752da81d4b0a393fc07e71d5ff8c36c04e694ab6f4827c4d108c63f17c0b9712d9906207e785f5459b02332c24fae06d2b478425424e5db94

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
80KB

MD5
4dee6d67c932f7e9946737712375d98c

SHA1
4cf327e0b5f55e5acf145d3d3fe5a86222b00c68

SHA256
e2482c7ffb4f435c79b28be65fe915e5b0c1222915b7951b45a2910dd246dd01

SHA512
5863b15e5f2bbb10d6a483c078ee4485e80c9d0bbf22c3afd8db5dac2ec08924f2a0c58befbb28107ccf17999dfe7ad4a5647beebca9be6f8d3c9d4ee1c20058

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
80KB

MD5
e0e9b793d14968511a3c06e95dd4752f

SHA1
db25e23be47ad456e25fe612aba7d6107c36792a

SHA256
4ebeb3deb85984b9631671f44abd0f63eb2f3b3e2ecee6466233c7bc8b60e751

SHA512
db261481eca58ac5b9e81f509157cf94cd875ea4f2a4f2a0262cfe84d1e7de32aee15667ceecff259425b940bb6cf10bb771bd5a53b449a9377b825135863bb6

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
80KB

MD5
06f4407d2f4eff24777c5d858b991458

SHA1
52795f08ff14ba5df67adf7d9b8f9f3dd01e5685

SHA256
bbabf6898e4d48986817c02a3c2fcb5b235ea6fde8f8f6b5e3f40080cd4cc2e6

SHA512
976734ed54e9ec7e4e5b7b0f1b9b007598654f635dee85b43ae81a5df436247e22af311f0a61df23a97f81d6b0bef78c6c20a29daacc31cad28e96cc21cd49d3

Download Submit
memory/316-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/316-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1100-229-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1232-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1232-271-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1496-259-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1496-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1644-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1644-266-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1664-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1664-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1820-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1820-258-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1948-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1948-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2076-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2076-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2124-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2124-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2420-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2420-250-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-278-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2640-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2640-261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2644-270-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2644-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2792-267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2792-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2840-254-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2840-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2844-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2844-277-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3148-251-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3148-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3168-265-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3168-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3472-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3472-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3668-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3784-253-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3784-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3848-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3848-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4404-276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4404-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4408-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4408-264-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4472-272-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4472-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4640-260-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4640-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4856-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4856-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads