26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2

Analysis

max time kernel
94s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2.exe
Size

80KB
MD5

d4120ce0770f74127ee91eef639b04c0
SHA1

503b35fc2784ad24924bb30e33473c2ee4a1debf
SHA256

26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2
SHA512

23844fe8787faea2407851ed74950ed2194dfaf6ac0f56ab947a6dd59f763fcb0203386361c482a5dee047817f3d073dd80ae7f5c176b9e9f8c9356b4dd5e045
SSDEEP

1536:do+kmssPaGa9xz2M06a2L7J9VqDlzVxyh+CbxMa:dobmtaGa9xzN57J9IDlRxyhTb7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe

Executes dropped EXE 28 IoCs

pid	Process
1688	Cjinkg32.exe
1032	Cabfga32.exe
2648	Cfpnph32.exe
4032	Cmiflbel.exe
1608	Ceqnmpfo.exe
4916	Chokikeb.exe
4336	Cjmgfgdf.exe
3132	Cagobalc.exe
4168	Cdfkolkf.exe
1864	Cjpckf32.exe
3924	Cajlhqjp.exe
2932	Chcddk32.exe
5108	Cmqmma32.exe
4992	Cegdnopg.exe
372	Djdmffnn.exe
2208	Danecp32.exe
64	Ddmaok32.exe
5048	Djgjlelk.exe
4560	Dmefhako.exe
2388	Dhkjej32.exe
1288	Dkifae32.exe
3576	Dmgbnq32.exe
3732	Ddakjkqi.exe
2920	Dfpgffpm.exe
4828	Dogogcpo.exe
4284	Deagdn32.exe
1828	Dhocqigp.exe
3588	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1856	3588	WerFault.exe	110

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1688	2116	26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2.exe	82
PID 2116 wrote to memory of 1688	2116	26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2.exe	82
PID 2116 wrote to memory of 1688	2116	26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2.exe	82
PID 1688 wrote to memory of 1032	1688	Cjinkg32.exe	83
PID 1688 wrote to memory of 1032	1688	Cjinkg32.exe	83
PID 1688 wrote to memory of 1032	1688	Cjinkg32.exe	83
PID 1032 wrote to memory of 2648	1032	Cabfga32.exe	84
PID 1032 wrote to memory of 2648	1032	Cabfga32.exe	84
PID 1032 wrote to memory of 2648	1032	Cabfga32.exe	84
PID 2648 wrote to memory of 4032	2648	Cfpnph32.exe	85
PID 2648 wrote to memory of 4032	2648	Cfpnph32.exe	85
PID 2648 wrote to memory of 4032	2648	Cfpnph32.exe	85
PID 4032 wrote to memory of 1608	4032	Cmiflbel.exe	87
PID 4032 wrote to memory of 1608	4032	Cmiflbel.exe	87
PID 4032 wrote to memory of 1608	4032	Cmiflbel.exe	87
PID 1608 wrote to memory of 4916	1608	Ceqnmpfo.exe	88
PID 1608 wrote to memory of 4916	1608	Ceqnmpfo.exe	88
PID 1608 wrote to memory of 4916	1608	Ceqnmpfo.exe	88
PID 4916 wrote to memory of 4336	4916	Chokikeb.exe	89
PID 4916 wrote to memory of 4336	4916	Chokikeb.exe	89
PID 4916 wrote to memory of 4336	4916	Chokikeb.exe	89
PID 4336 wrote to memory of 3132	4336	Cjmgfgdf.exe	90
PID 4336 wrote to memory of 3132	4336	Cjmgfgdf.exe	90
PID 4336 wrote to memory of 3132	4336	Cjmgfgdf.exe	90
PID 3132 wrote to memory of 4168	3132	Cagobalc.exe	91
PID 3132 wrote to memory of 4168	3132	Cagobalc.exe	91
PID 3132 wrote to memory of 4168	3132	Cagobalc.exe	91
PID 4168 wrote to memory of 1864	4168	Cdfkolkf.exe	92
PID 4168 wrote to memory of 1864	4168	Cdfkolkf.exe	92
PID 4168 wrote to memory of 1864	4168	Cdfkolkf.exe	92
PID 1864 wrote to memory of 3924	1864	Cjpckf32.exe	93
PID 1864 wrote to memory of 3924	1864	Cjpckf32.exe	93
PID 1864 wrote to memory of 3924	1864	Cjpckf32.exe	93
PID 3924 wrote to memory of 2932	3924	Cajlhqjp.exe	94
PID 3924 wrote to memory of 2932	3924	Cajlhqjp.exe	94
PID 3924 wrote to memory of 2932	3924	Cajlhqjp.exe	94
PID 2932 wrote to memory of 5108	2932	Chcddk32.exe	95
PID 2932 wrote to memory of 5108	2932	Chcddk32.exe	95
PID 2932 wrote to memory of 5108	2932	Chcddk32.exe	95
PID 5108 wrote to memory of 4992	5108	Cmqmma32.exe	96
PID 5108 wrote to memory of 4992	5108	Cmqmma32.exe	96
PID 5108 wrote to memory of 4992	5108	Cmqmma32.exe	96
PID 4992 wrote to memory of 372	4992	Cegdnopg.exe	97
PID 4992 wrote to memory of 372	4992	Cegdnopg.exe	97
PID 4992 wrote to memory of 372	4992	Cegdnopg.exe	97
PID 372 wrote to memory of 2208	372	Djdmffnn.exe	98
PID 372 wrote to memory of 2208	372	Djdmffnn.exe	98
PID 372 wrote to memory of 2208	372	Djdmffnn.exe	98
PID 2208 wrote to memory of 64	2208	Danecp32.exe	99
PID 2208 wrote to memory of 64	2208	Danecp32.exe	99
PID 2208 wrote to memory of 64	2208	Danecp32.exe	99
PID 64 wrote to memory of 5048	64	Ddmaok32.exe	100
PID 64 wrote to memory of 5048	64	Ddmaok32.exe	100
PID 64 wrote to memory of 5048	64	Ddmaok32.exe	100
PID 5048 wrote to memory of 4560	5048	Djgjlelk.exe	101
PID 5048 wrote to memory of 4560	5048	Djgjlelk.exe	101
PID 5048 wrote to memory of 4560	5048	Djgjlelk.exe	101
PID 4560 wrote to memory of 2388	4560	Dmefhako.exe	102
PID 4560 wrote to memory of 2388	4560	Dmefhako.exe	102
PID 4560 wrote to memory of 2388	4560	Dmefhako.exe	102
PID 2388 wrote to memory of 1288	2388	Dhkjej32.exe	103
PID 2388 wrote to memory of 1288	2388	Dhkjej32.exe	103
PID 2388 wrote to memory of 1288	2388	Dhkjej32.exe	103
PID 1288 wrote to memory of 3576	1288	Dkifae32.exe	104

C:\Users\Admin\AppData\Local\Temp\26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2.exe
"C:\Users\Admin\AppData\Local\Temp\26fa56783c1e09e369bb2198adfb7f4a30c0d8a684787aae200afb176deb08f2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\Cjinkg32.exe
  C:\Windows\system32\Cjinkg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\Cabfga32.exe
    C:\Windows\system32\Cabfga32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\Cfpnph32.exe
      C:\Windows\system32\Cfpnph32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        29⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 400
        30⤵
        Program crash
        
        PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3588 -ip 3588
1⤵
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cabfga32.exe

Filesize
80KB

MD5
61d202b279de36a4b8ed7ca27e32cd13

SHA1
ee853ee50de9e5eaca04892ea765c10965f54672

SHA256
dc77807809384aa65f9838100bee34959831912b8682dbf55c0a765253d80a41

SHA512
093a2885a9f7bf214b48605f1c96f32e12e5a7b1c56e57b742c42e6f5f5d8c93e39f01dcebd4793ed7a194faf44c5b396e0802e4776686c162d7a5f0f470e904

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
80KB

MD5
fd7e9c12ecbc177fb49741bedac1e49e

SHA1
4655c7c6dda0cdf5bb41a539022086dbe2dbb1d8

SHA256
2751dfd14fb615159a54352649a99089bead9d56ea203602b8670124474a56b7

SHA512
8e32c8ad4b4b8bdd2b035b30133a14dc1635307a220256d84aab366fd7c6d1860accdb100464c28d5f112d964c9601be0088cc6b547adedde45b4f040e1c6e0c

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
80KB

MD5
d4bed4f6b0941ef1ffee58aa83dbd21d

SHA1
613445dbdfdc97d9eedf3e7986aac5083ab9f233

SHA256
05eb472354a33dfcf4836465ecd57a0ab64d99fe8be53bdc6b19bac953a0533a

SHA512
b200e0c3ae734c0b0b49e5c58962dc616cff93be4745aeaec07d784eac1fe2135415dd5bb5a8cc6b133ab250850cba31d3408fc45e5e5c33839a262032a4e5e3

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
80KB

MD5
5d87d24f469415060dc21b90c2354db8

SHA1
cba51b359ff619b3c006ceeaaca2343e234f7a5f

SHA256
5910a8ed88bc97343d0a82a777bf1e3f655e74d74157e803fc3deedd80e09d7d

SHA512
3ad26fe5a62dcacb948d3cde2a35879d603208d705f9797febf08422d5a304317a89b7bf138b68d96035cd360b5b97b3f3be6b9df2e757fee4d26cfd24f36878

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
80KB

MD5
deba87ec03ed1b58b77aab6c4ac7d959

SHA1
eb913eddb6519236adb5a26bc4e5c76bc9346ae4

SHA256
4d0801346585fd67c13e956de8ea0f9e43dc8a73628bccd2da79f7541ea99f7b

SHA512
52e1c1694e010d79073fef24f4aa4501193fa7bcd06b5f33d8cc3e808c531e9b2c0a992df776d8e99aacdc2b9beead1e655a5a810cc52203649b3de47dc43cef

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
80KB

MD5
e9caeac81674453f1be386a07c0315b3

SHA1
4b01e1a3713edc5e3a376ffc98f6e79b3994e647

SHA256
6aa6ca1629bd2f94688f493d764891c131accebce3caad442eaa69cad3a181b5

SHA512
57f08368129b64513074a4b7ad161b92edcd0c282404ea86af85c140315a86b5adee52ae0e800638ba7c5ec6dcf72993f2bea7291a3ae098ec322f2b6b90cafd

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
80KB

MD5
d20f76b29df0c78f6dd181537806593b

SHA1
0c0e1b9a19d29d9038a1b962a6e4d2967b5c0062

SHA256
efa45f9f92e9b4585326d1aaab68177a4273a810e24ba0d40332eb38030b581c

SHA512
62d9667da6ef4e82bcee6ca1aea863d6b2cb096595e90229a8567543e59fd5500b64ac924470fe76508901a9f295214c2eab77a84561ddac3c9bc62f9c873ee6

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
80KB

MD5
8536f51b3b8c45c77590b1ab5241e5aa

SHA1
7ddcbc858efa5dc0d5b26499cf9bb6641688cf32

SHA256
1f1ce07a7f438e718d7eceae15a598158ad6b92621d14f9f3b45d852f1f7d442

SHA512
a4ec00713fce186cacb9c0d00dc85d50777b95011e8091056eda677586b02197479dc0f4698a66d7bb03ae33acc4e56748edc4e659dbb50234123298bd83849c

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
80KB

MD5
e250e56f643aae4517f098af40670d0e

SHA1
90be060af4ce86ae354276bf44f6eb7bf8fcad5e

SHA256
8478f48fe1a3b0de1f959162fbfc13152294f1a2759e826081f41993768401f9

SHA512
0ec0d1a3b12a7245d14d39bff674110af4b9d64b65497b8c4b1f8518ff6b40f75251c15cbb854e8452d8ce8c3ace930696d1d3fe0bb6e3439804c1217752fc9f

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
80KB

MD5
ca66587c6bba3761e38efd60378ec53e

SHA1
e802372a6620c43ebab72a288993374efe77c2ee

SHA256
fb8e11d494a463f54be4df6a1703cd762468f18c443db6ccd1cd82bc82a239f8

SHA512
d4480e7a4b10c974fa109f2896bbaf0ec96f35e52fccc4267cac853f3c90af04b7a9155282ca3726a0d5baf1f4302e8bee93c69431d8a881d4c0a771671b907f

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
80KB

MD5
bc183a8ab8a26dd5167502b45a8b3068

SHA1
13d46f85eefd6a86bda146f29a24c80c4540ef23

SHA256
5eea52dc6e68774c6ae1fbd04eb4922424a7972293d9a361ca2ab87ee6044e70

SHA512
4db41316488674a1ae02e60bbfc21b1a3172702262d62fd6b66bc5888a6cad4d7b69d354e5f612dd06ddd6d38f73a40e8eeac01d6c935839592b305813d00a49

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
80KB

MD5
20599fbc3c187957e1434cd49a3fdd83

SHA1
117ffb77d8f9d0510df5e03c275d9c0deada2d5f

SHA256
c702daaf8cf3cbfae3067f7f09c1be8a6d1d768f711e07a7e004d45b1b853b54

SHA512
0e78e923a61d2e9aa978223ba31fe8ec90ad226e42ef8d5477ad08f21a439082602bc55a9436f2163883611a4d34f04c43b6b7cb3496a2b0a1c4580c68d990b0

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
80KB

MD5
fb40f5d82f2768a2d3ef64a888c4f5da

SHA1
585913574b95c289f36412e6ba09b71a3abdccfe

SHA256
49fc90e0bdf0b1d4c50dfc02218b2c61da0f86fc60c2cd01d6804012c3c14a50

SHA512
16537a313553916e78d01627f07f00edb9b9ea2a0d6be38d3afe5978933e1acb7e26ce4acfe166d285e1f1fb2ca20c5833c2f6612a7fd760b9ba95890f210195

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
80KB

MD5
1e6bdb0e761a384d592c8be942d7f2d6

SHA1
41394c14bd0d9f992963235f23ffb699181a074b

SHA256
4ca5324672f990dea820ca207436acc43c4b5a1378a442b322c0e247ab837cce

SHA512
e7bbb4e7589b78c5b0dca451585355fb5bd8ae03063a08205697d6ea7d8d94df857c6a9a2869c4964ddf5702ee9301cae6d2ee238647320fffa6c50d2d05c789

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
80KB

MD5
2e66467b8f30d43e37610ee8459a0e6a

SHA1
a821b27362f8e8a034914ce8a69cef55f50bac97

SHA256
4d685617d32e43fa818e8babd39616779137fd4ab8f81bb1b8993c1f2e464aec

SHA512
0ff082ccd167410dae60404ec9fab13d8758965682fdbfa79f3eb9abe725a039faf8e83c50dcfba17a1d89cd00cd0658d5e1fe76221abc9bf66e3bbbee31cec3

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
80KB

MD5
d22d48abca9b0fd1bcb91011507058b7

SHA1
862c0477e686d9b34271ca32dcb099880272657c

SHA256
638fa93b9995650e54262919fb3064b3decd4bcd2d100b85d9ec31da23844d78

SHA512
52e4ba682f01c9414c7bdf2b117494826eb1403ddde62862ec497c52555b2d8db9d7d10c0dc17eff8f35e7bdec9879ac392098fe3593883d00ca007a5e0ed11e

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
80KB

MD5
e08832b3440e9459259192ff6a3cbdb3

SHA1
f3ac46c29a3c45fb585468602315d8a3e786dbc9

SHA256
08e658f5652babbd584ad7d61e909cf155e1431a00e90b40834792a238e1db1f

SHA512
f57b3d9253a9a6e578204b06a4026e2082ebfa8306cb9f6a4ebb2c796cc8def6ea54c696dd31d8f40982f7ed686137c412506c1289ba88e9ba13b052509df32a

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
80KB

MD5
ad58de9adf5fe68e325b537b473df5bc

SHA1
ccffb48af7d82efccd1e0385ecb14a7d0e49e913

SHA256
79180d1666b58f510b291c773fd973b858b412feeae9d20417d7808b8e408205

SHA512
92b05156cc18042315997484e85fa31fa5323f1b98d60a2dbe4e7ccda6e26bd0ed7a1c1a897c86f9b994658032fe84914f90cb01592c48af3a107fa98db404b5

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
80KB

MD5
478283e5b1806bd59325052de13dd8d1

SHA1
eda72cf4935a7fcfd8783b9c1325a632c1573d6f

SHA256
97270731456d86711919d8f60d6e41472bd395cecb70b94ef1f863635c272d7a

SHA512
f8097fa76631e59bc4e49eea99005a6acda411d7ecad76a5e747d16c16c2d89c5f87a17bdf76016fbced52eba03e38a5b2518ecd9789428b9b56cf5a58098da1

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
80KB

MD5
44b2668e73c1bcba066444aa058433d6

SHA1
b22808c310dbc93836b758da69f96e8ecdfd5a4f

SHA256
251a2c1d9b26394d8748b08327ceb659307297f25c60d8e25bc4deef81a98a8c

SHA512
42573e1ed39dc0574e49c9a4722efbc6be8df25455572973cb0557b98d149fba6d97410e1be0cabd1e3d6368d14e13281db8ef908433af3ac41afcd4a7d1f769

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
80KB

MD5
e074b0c246ff4b85333e7b0610b62649

SHA1
69fdde55588c530c926102f546882046c47bb0a3

SHA256
bbf34e47b4bee89ead3536ad729cd3e9f67748b2e7ace7e28d8ec0fa2135e4f0

SHA512
72c980feae8d89d2d061af24c88ae092407ab467e6fb01921fd0321869984ab93e76dd0482cb483606d7d4963a69c295e0abbcd42909888f87aa450562894282

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
80KB

MD5
f0122daed4e9872fc5762b191dd258bc

SHA1
632bf8da8f6341c683b862e1c150c923d177d2e0

SHA256
089dd03c8a3b834a222ad644a7edba588fe3264adf84a8193b93ed7fd32c1fd5

SHA512
b4ac5952c6310f9f8f6c92dfb863fb4ec8ad300ee140d21766bd5b8f59359a64807e7fdca40922f54b14347dec7038b5401daec70b3fc09227fc00068c000542

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
80KB

MD5
8ab03c35c66840aa240b7934e5831099

SHA1
b39eb0004b3c1ac3fe90b6c50f7ace0a256f4ee7

SHA256
1d309b9d219b8a7bc03c323c3ceb15c8b199344467e8c86788701508199c29e5

SHA512
6ee0cad67ff12ab6021e6c46090b620ae7c4ac79d84ab7c97475e95454f84631a533ccc12fa18b94fdcdc047939620c821e74f231f82b745329ba8902064ba20

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
80KB

MD5
ea866af248687bf064d7537955711c73

SHA1
f46708e3bdf1f1cd84c8e3a48644715b855bad0d

SHA256
995f4b1b02819169b7b27a97d0f0fcd98f864fe81ba9f33c82ffc6812dcc2cfa

SHA512
00aa32d1b299d59a3ac1a3cbff4f8adcb39fd3a50f5f16fcbb507d18e08188cebdeb338ec5e2bb1beb79fe448499a5ac09635ecee652fea6c9d21156d00aed0e

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
80KB

MD5
dd64a2c097e862d94fe9adeedebdfe9f

SHA1
6feb8d3a8344e216e27fb1f04a8a3ff24486bcc2

SHA256
b9f34f33c52f1996ffed099c25fbf430f8ca354f70fd36f6d2c101ac9a6cc94e

SHA512
82e4d3b115b1ee1551a09143509fa69b6b549fd745563fc352859ed81cea2816ad548b0b0eced1e628a242fdafeac4f360564eb73573107e589b122a66ba5044

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
80KB

MD5
9d47296a806862274d170e30ab08d444

SHA1
5e2f8f37e471d07857e236cb748882daf041dd0c

SHA256
374863ecf02abf6408e488d7363c04318b23d98f3e37f165300a665648bdf370

SHA512
f7defb00b6468e39cf39353529a23f86f7a34b1b08a661eeec4d8153b5cc83cf72babc0f2ba2da36a2caf3d5c056ae8b5511547159c5d28676fae5cef229bd2b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
a284c595939885c4dd6d713d684e7f2b

SHA1
56145554964f0184cba97aafc5fa84300ca1915e

SHA256
c24a6f659146f8d14c07906c950afecc0bb0a86fbcc0ccae7ea8e5d791050e7f

SHA512
941b633f5c75b8a855cfa5015a92677d9bda1f89cdf97022c0d92b6435a8bfa9414acbf1630e12033b464248db3a19147a2ce4edf759336cf790b2c74c147257

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
80KB

MD5
b58cc24cfd2a2a80c7419e569e889b86

SHA1
d6af17d8d89cce0899344e035a8c8494265654ea

SHA256
dfeabb274ebe304600c7d942d6eb661dc1edc9098dcb00f023f8a99e29f4652c

SHA512
461fc24d842ae8a20d86ff7debca6dfdf7db0aaa192a98392d439e79148cf6c24cca1e744804a6047cb85390961c71951fe92d4b98612fcce7ddaca063b0313d

Download Submit
memory/64-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/64-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/372-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/372-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1032-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1032-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1288-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1288-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1828-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1828-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2208-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3132-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3132-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3588-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3588-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4284-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4828-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4916-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4992-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4992-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads