f1d918715a8b4dd682aebe2ddfd6b89dcc17843066087613b85cbe84a8a03272

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

921b11cff176d817fec3b19fd8614c00N.exe
Size

90KB
MD5

921b11cff176d817fec3b19fd8614c00
SHA1

09f69438cf725282d2777c22deb7beccea05929a
SHA256

f1d918715a8b4dd682aebe2ddfd6b89dcc17843066087613b85cbe84a8a03272
SHA512

78b8f9e07388683fb5869ba8b8a91d5b4bac8cf9cf30b9784a480d45c0d85564972c40322d811872001e44a718e0775d04f961dd7b91c22ea8b27dc2283fedee
SSDEEP

1536:1ukk4gmagT5XTl+DnUmqBYU8Cc8G1aHBGOu/Ub0VkVNK:1bXg9yTI7n1gkkHBGOu/Ub0+NK

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	921b11cff176d817fec3b19fd8614c00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	921b11cff176d817fec3b19fd8614c00N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe

Executes dropped EXE 25 IoCs

pid	Process
2724	Chmndlge.exe
4744	Cjkjpgfi.exe
1120	Caebma32.exe
4416	Cdcoim32.exe
2092	Cjmgfgdf.exe
5064	Ceckcp32.exe
2624	Cfdhkhjj.exe
1456	Cnkplejl.exe
440	Ceehho32.exe
1664	Chcddk32.exe
3124	Cnnlaehj.exe
4728	Cegdnopg.exe
4620	Dhfajjoj.exe
3480	Dopigd32.exe
2388	Dejacond.exe
220	Dfknkg32.exe
4500	Ddonekbl.exe
2728	Dkifae32.exe
3488	Dmgbnq32.exe
448	Dhmgki32.exe
2016	Dogogcpo.exe
1628	Deagdn32.exe
4928	Dhocqigp.exe
2424	Dknpmdfc.exe
4656	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	921b11cff176d817fec3b19fd8614c00N.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	921b11cff176d817fec3b19fd8614c00N.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3924	4656	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	921b11cff176d817fec3b19fd8614c00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	921b11cff176d817fec3b19fd8614c00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	921b11cff176d817fec3b19fd8614c00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	921b11cff176d817fec3b19fd8614c00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	921b11cff176d817fec3b19fd8614c00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	921b11cff176d817fec3b19fd8614c00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 2724	4636	921b11cff176d817fec3b19fd8614c00N.exe	83
PID 4636 wrote to memory of 2724	4636	921b11cff176d817fec3b19fd8614c00N.exe	83
PID 4636 wrote to memory of 2724	4636	921b11cff176d817fec3b19fd8614c00N.exe	83
PID 2724 wrote to memory of 4744	2724	Chmndlge.exe	84
PID 2724 wrote to memory of 4744	2724	Chmndlge.exe	84
PID 2724 wrote to memory of 4744	2724	Chmndlge.exe	84
PID 4744 wrote to memory of 1120	4744	Cjkjpgfi.exe	85
PID 4744 wrote to memory of 1120	4744	Cjkjpgfi.exe	85
PID 4744 wrote to memory of 1120	4744	Cjkjpgfi.exe	85
PID 1120 wrote to memory of 4416	1120	Caebma32.exe	86
PID 1120 wrote to memory of 4416	1120	Caebma32.exe	86
PID 1120 wrote to memory of 4416	1120	Caebma32.exe	86
PID 4416 wrote to memory of 2092	4416	Cdcoim32.exe	87
PID 4416 wrote to memory of 2092	4416	Cdcoim32.exe	87
PID 4416 wrote to memory of 2092	4416	Cdcoim32.exe	87
PID 2092 wrote to memory of 5064	2092	Cjmgfgdf.exe	89
PID 2092 wrote to memory of 5064	2092	Cjmgfgdf.exe	89
PID 2092 wrote to memory of 5064	2092	Cjmgfgdf.exe	89
PID 5064 wrote to memory of 2624	5064	Ceckcp32.exe	90
PID 5064 wrote to memory of 2624	5064	Ceckcp32.exe	90
PID 5064 wrote to memory of 2624	5064	Ceckcp32.exe	90
PID 2624 wrote to memory of 1456	2624	Cfdhkhjj.exe	91
PID 2624 wrote to memory of 1456	2624	Cfdhkhjj.exe	91
PID 2624 wrote to memory of 1456	2624	Cfdhkhjj.exe	91
PID 1456 wrote to memory of 440	1456	Cnkplejl.exe	92
PID 1456 wrote to memory of 440	1456	Cnkplejl.exe	92
PID 1456 wrote to memory of 440	1456	Cnkplejl.exe	92
PID 440 wrote to memory of 1664	440	Ceehho32.exe	93
PID 440 wrote to memory of 1664	440	Ceehho32.exe	93
PID 440 wrote to memory of 1664	440	Ceehho32.exe	93
PID 1664 wrote to memory of 3124	1664	Chcddk32.exe	95
PID 1664 wrote to memory of 3124	1664	Chcddk32.exe	95
PID 1664 wrote to memory of 3124	1664	Chcddk32.exe	95
PID 3124 wrote to memory of 4728	3124	Cnnlaehj.exe	96
PID 3124 wrote to memory of 4728	3124	Cnnlaehj.exe	96
PID 3124 wrote to memory of 4728	3124	Cnnlaehj.exe	96
PID 4728 wrote to memory of 4620	4728	Cegdnopg.exe	97
PID 4728 wrote to memory of 4620	4728	Cegdnopg.exe	97
PID 4728 wrote to memory of 4620	4728	Cegdnopg.exe	97
PID 4620 wrote to memory of 3480	4620	Dhfajjoj.exe	98
PID 4620 wrote to memory of 3480	4620	Dhfajjoj.exe	98
PID 4620 wrote to memory of 3480	4620	Dhfajjoj.exe	98
PID 3480 wrote to memory of 2388	3480	Dopigd32.exe	99
PID 3480 wrote to memory of 2388	3480	Dopigd32.exe	99
PID 3480 wrote to memory of 2388	3480	Dopigd32.exe	99
PID 2388 wrote to memory of 220	2388	Dejacond.exe	100
PID 2388 wrote to memory of 220	2388	Dejacond.exe	100
PID 2388 wrote to memory of 220	2388	Dejacond.exe	100
PID 220 wrote to memory of 4500	220	Dfknkg32.exe	101
PID 220 wrote to memory of 4500	220	Dfknkg32.exe	101
PID 220 wrote to memory of 4500	220	Dfknkg32.exe	101
PID 4500 wrote to memory of 2728	4500	Ddonekbl.exe	103
PID 4500 wrote to memory of 2728	4500	Ddonekbl.exe	103
PID 4500 wrote to memory of 2728	4500	Ddonekbl.exe	103
PID 2728 wrote to memory of 3488	2728	Dkifae32.exe	104
PID 2728 wrote to memory of 3488	2728	Dkifae32.exe	104
PID 2728 wrote to memory of 3488	2728	Dkifae32.exe	104
PID 3488 wrote to memory of 448	3488	Dmgbnq32.exe	105
PID 3488 wrote to memory of 448	3488	Dmgbnq32.exe	105
PID 3488 wrote to memory of 448	3488	Dmgbnq32.exe	105
PID 448 wrote to memory of 2016	448	Dhmgki32.exe	106
PID 448 wrote to memory of 2016	448	Dhmgki32.exe	106
PID 448 wrote to memory of 2016	448	Dhmgki32.exe	106
PID 2016 wrote to memory of 1628	2016	Dogogcpo.exe	107

C:\Users\Admin\AppData\Local\Temp\921b11cff176d817fec3b19fd8614c00N.exe
"C:\Users\Admin\AppData\Local\Temp\921b11cff176d817fec3b19fd8614c00N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\SysWOW64\Chmndlge.exe
  C:\Windows\system32\Chmndlge.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\Cjkjpgfi.exe
    C:\Windows\system32\Cjkjpgfi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\SysWOW64\Caebma32.exe
      C:\Windows\system32\Caebma32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
      - C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 408
        27⤵
        Program crash
        
        PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4656 -ip 4656
1⤵
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caebma32.exe

Filesize
90KB

MD5
d4ae58ab9956d5a671b5fb347b81d75e

SHA1
e3da3c57fdbf442ec50279d8c8315f6cdf4b6399

SHA256
60232db08bec301fd9c4cd1930ec572dcfb80d44193cad5f43b8f69e94b8a8e4

SHA512
10b37c39d3048fc4015ef2b90fd587ff29b556371c9e840f5641198ffbf76d05ef061df2218f50345faf81b2b2067e183aaf14d38d62737a36166bb7a4ca3da9

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
90KB

MD5
c7a990dbdf7719e9ddb913fc36ec232c

SHA1
6d9ca7b8b5750a1d43fe5390743246b4ccf60293

SHA256
c5ecb38aec10b83e816ed99a049745b2b0168f98ca487e2b52ba3e7d50827a15

SHA512
3ae35845dcbde8d5f51ca4a9e0c96acecd236aadaf202b0ec05bc86876338053f742a7ef290aec6dd450c3ddbefdeaac8dae0633bd3b46e9cf08b86fb328b63a

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
90KB

MD5
fe1da27ef4d057e9dfd4ac699f847431

SHA1
537385d4d142dede54d4f234c206608be8957fe6

SHA256
5e1ae6643a810fb87fff90b0f72c77e77d10b9a9a2d65998aa328885440181bf

SHA512
3a72110e0eb6494d2b456729cdf56abb34397226aa4e75e29b3b662e62459ab3de2f3cbb3a2114717439e5d14c6d758fe7bb65313383df780e7ad186b77b1a36

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
90KB

MD5
b377868ae49312b7ac22a91a16ce892c

SHA1
73a474485131bebf7651dc285ffe8a5c83556561

SHA256
99ebfc95be06828255b4412e8b5e9a2610ef09a86342c3352f9ca62820095dea

SHA512
4e586be58240c08492755874729ea156ff6f1d04a970d7de4b83a9947552f8f995719070b61e67c4530752a42ea8831536d419b483f2d45e90dc13ff374b9c5c

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
90KB

MD5
bb45a8db6e9b610899beebc4d11be192

SHA1
c9b5c400149668f1c0b0862c710d521f3e6af234

SHA256
57121a5350a62469258ceef1e4e36f0b056aea3db33eee6961ae728fab06038d

SHA512
5362440365fcabd12483d76a843bb568811501e30b64ae46b627d3e5c5a0c26efc4f1ea8bdc04a4bda7320e0f6c4e1abf1a7e8063317ee013b16291425cbfb73

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
90KB

MD5
87bc921f1085b8a65325e8f7ce0aaff1

SHA1
7645a9393f04e6b8e12db2951b331d396239ce19

SHA256
20b960002868550e22fb247fca1293ea249b7cea437db8541a7fe11c4788f42d

SHA512
28717c24569bcc4f709d5675c32f8bf145a164ed1effe569d296c4ad4684cae10ccacf761aa500f120d40acd2c1123d982b10e8dc1bfb6c596876c3cd6d253f2

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
90KB

MD5
64c09d83f29f531f1e020679bd2567be

SHA1
e3b319238d2349292468ff6cffc245bbfe53311d

SHA256
0e112e394ead4c859f41b3427e476dd4401dbca083cc9a3ca9c659ecbdd98d1d

SHA512
fc2cb40ee72fbbfc1fa476795aee7de4225fad1bc7448db5017d380fb9a68a5fc896484116ea91513e0a2f97c2551f73d19e02edf143c75c62763e706dd4f604

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
90KB

MD5
b7d7f3f8503ef08f4ab3e3f774b0f6cd

SHA1
b58f6389510ac4db9710f650498530c481c297ed

SHA256
3dae6c55c78b9e9adfe052d9549c71152326960c27dc4a9b0d5a66de4af0df77

SHA512
0d634de13f933c4e1cab81df2091dde3c6e6f54828dde58d77d6fba55c7bfc95e390c1b97d13894ac8b882bf26e651eb2d527bbe18ca9e402dfd9a6e070bd30c

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
90KB

MD5
a4e96746a660ea31d956f5a9bdfb43f3

SHA1
6a0af0163fd98b279703908b9e2bc8b45453be6d

SHA256
024e58a7eb7e07eeda8a3bb8ab522e474dec2cb1efccc4876b1db028f0a449ac

SHA512
d669f888996c3129499f647aa566135a8963d25110311b0e60aec5c00d736491fd9e92ebd1e3a3f46364462018e4ae2eba32e11d99aaeed09e3f61c440001f8a

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
90KB

MD5
aaccdc3655c2158b812e6dd4cf04cdb2

SHA1
3a20bc5b793d857d0cac8c0803096529c732533c

SHA256
ba5466d3f61dc44c39cb3339f39cc4057f772d285593c676256c58bb5c040020

SHA512
6a18149881ba92e637ce7f9b81d4bb85abf6c054b316c5a41e663eba6d0ab473a82e23b4d1e59d450aa389dc427cbc9d18eb8b4ece7c0f9e83bbcfd61c135503

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
90KB

MD5
a40e68727d375254132e7bb7c4d1e24d

SHA1
0a265a5afd6fec8f8577bbf48ce3d5c16779dca6

SHA256
7424648f95d580e303d870458bb9659dba8c24975018abc218c4e8de6a813eee

SHA512
58b345d34ecc758d59aed59b5416689d194ea7f8ccfa8a4b9da0eb473cdd555de6a124ce771a290939a568af920a5f85842e699755edbd02cf70deb5a6468ea5

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
90KB

MD5
02ca847cfb83151e90aeb42f10839edc

SHA1
57766b0c0dc9c23bb0994517e5146bd441fbbd83

SHA256
1923da5c6581bbb03139f429d86faec74471fad60904c12f103b24bacbebc19b

SHA512
362891a8767e1862526bc2e5136d280cc5176258adac30d89df45a1bca8cbb055c83a3515741160f3239638bd3a2c2265ada7b1f1659703dc159026b9678bfc6

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
90KB

MD5
530a48b4ad763d668b7861148e4e4d24

SHA1
7ac3741988e8e5d618458bbeb14b19c5323e4273

SHA256
2fd08c84b99c1621919fa3faec6dd6aac9390c377e1f37820889c1db1bbbb207

SHA512
67e6550334f8ab8b491d36b0dcf2e9f082d1d90e87f1bf9011b4132320648fcf819a03d64e382c9b25b4bfedc3d4dcf5c363c618865075674d31e3cc5b0d1ae2

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
90KB

MD5
db69048f5bf7d81e017dd3e40d4f9613

SHA1
d858f7ebc7b6eb55bfcc276ead720d1e0280c346

SHA256
2c6bbeb41eb1c96babbc0818fe17857d9ce42373b145da570607809d3e59f51d

SHA512
52af2cb75e4826e258e1529b25abafe080e7013221227aa2e428dcccc0232b5f16ee97ac9caca625de2a882523abf2116cfd3e1851cb14fd1fb656916378f43f

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
90KB

MD5
d919c51623687296f7fae76c876b13c2

SHA1
423e7f7fdd6607761f0112e4c0586979d14d7934

SHA256
23a462327fd0965a8edbf8303fa1f8847af50c99837240d15e2cb6a764197f8f

SHA512
9eef5886dcdff598fe085bde305388ad000111ba61319b5c5fb344ff87fc525603d6fcf73af5518825ad3241f96f92183fb9a2ffcf6320907c2528c81901ce55

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
90KB

MD5
6dd4024ef56e5f66104faa866972c9c3

SHA1
1b7ec7960485d67d0e53824f82b4f0c533759151

SHA256
2b2d3bb472f27074732ee0f159ebe785c1ad213d7283b86a66dece7fba39aa6d

SHA512
20f99bc19906b49af27854f82ce83de531f691b5c74924114d5f49784dddba6938404b940030355a4af6b50b3e424c5330b65fbc577e2cfa68c404b5f7167c62

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
90KB

MD5
ac50a66ba00fdd3caf39a43e290a32c6

SHA1
7e8aa3f70c7c6882551975ceda9fd8e7a78092f6

SHA256
0ee67caee64df066044a373ebbd95a92772ac47e8bcc67852aaa15e8dd58f8e7

SHA512
277521ab52bd9afd0a47f2e6e130fa8770f1a2afc48a8f1cfd7a695f2d52ded77ebf3751fe13e655d25bb914ce5cc6bd958aaf01a274d5a4567b3fd57d43f886

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
90KB

MD5
c394fce4951c4bd793f674555087041e

SHA1
d825290d3cd2e0832ce434d48ae3db59aeac52a1

SHA256
4ac93c3392db43215cae174a190c782450663e3494853591364a25dcd79560da

SHA512
6eccd5dcd76f3055f70c541a35e43dadc467e76254cab643a50d9aa0e05ff559a9d4fa301c8d6a3b605346044f6b7ffc791c473cb37392d9517776cd49720d6f

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
90KB

MD5
22ab457437aa8163f76fed2c809db4e0

SHA1
0d57db24acb90f43aa67db59bcd0b314d9fc32c0

SHA256
e1071c43fc0fedbae380372cd9c44f1019e92a0536441d7c76af0a1f875fc1d4

SHA512
10e12f503395715fda843755f8b445769f8ce33755bd034f3093e167b2516d66edd836208419006401e85af75730dacc7e752acbd6ae2f3f50fa89c9a76fcf47

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
90KB

MD5
859f77e2120d3f3cfd4050ceb9ac9786

SHA1
424a4551164aee3c7d48269ebf7337f9eaf08d53

SHA256
b718cc092c6d35ee4e767a640296ed13431938dcc15a959d8fd38f9146cab798

SHA512
bf05acf70cbc3263c2ce7ae8c4e3fd152c835e79f1413608429514b843b30eaa284314b25e2438b1c5eab2b6f6c12657537b72c81de5013a0cdac10181c3e070

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
90KB

MD5
ceafa7d372a43c3172404857fda15764

SHA1
07d90c9e628d7f4f9eed108e67bcb5b4787cb7bc

SHA256
f7e730faa79650b969ff24ce73dc2aa003060ecd9efd927bd2c38dbbe40ba5a7

SHA512
91124371fa08be46a05ef349b2be19e10a267de1c15522a94758a8f3bead6ce4493918780f3be2d1ef82fbf6ce7d13d5f6fcdbd84cd8cd9aa0111ee972bf800c

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
90KB

MD5
c002a06096c1badae57a66fbadbd532d

SHA1
6555cb3e9e4c8d7a0ea1dfdf7af9ccdceba8b4b8

SHA256
6de19e90fe9b7d190b24ed84b9d764922c3e90ed76ade320f41ff73e32a319d7

SHA512
177fce0f9af0a78040c03a875b6a7b6b42cd67f2d7d4021ca88d156eb22d4924e21947c6702a3553c7546eae4234226a33e1cad95414d31314cb504f4465a1ab

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
90KB

MD5
6958a7a6ae51d4bb89e1918e4fe9c05a

SHA1
22a5ed44ac32feded2e55f857d17bde900983b2c

SHA256
245677bced26ff95d7e6cb78fc8db86fbd611f5f116aa74c4fb4a97a99c89b75

SHA512
dcc6fc3b63b4cc4b6c47a492a3d9e1e08079f99f73b2e55a7a99c4747a5b843d861621493a2606a77d1c8200d04234237af61ed83dcabc4a059a056bf47575d4

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
90KB

MD5
aa5605dea4b44de9236073b5777e93c5

SHA1
8aad9ea1f6aae63f91423247eef3cd6b85dada62

SHA256
e4aff04ea770d5e63426a489b2908a901a6500cbb76be9483fe5e227cd60440b

SHA512
13550827503c739564fc2c903b708aa00e98d36d466f090f7d7cbe741fc4c803f337236b447dcb1bfde3fc83860e7232f24891cf3c0fb8d67965beb10f98bc98

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
90KB

MD5
751e2a80536993cc89d6aae809f99f48

SHA1
2dfe2e2ece72395b9955dad1af3b875052fab9a7

SHA256
2a9bec47e67c958dd6deae763a0a77380c86e9547fc60bce82a36778499ce5ce

SHA512
75904a60189cc2c60773190bdf0758053eaa9d23166a4833f490c6b3ca7337a73963ccf487bb01e6172dd0428a61125a0222d518146e66c5172af1c8c72d7570

Download Submit
C:\Windows\SysWOW64\Maickled.dll

Filesize
7KB

MD5
6abb442e0cd84c5079408169bc7fd5f3

SHA1
1418c8d9fd8956f77ed8b39897d6d1c4fef46e0b

SHA256
663e157e9689df8fe50e640d3a4e4f6d7c3d4b3378b43d7927ad19a6dcb0eb12

SHA512
66142fa0584438f8c17afe0058d645fd398feec7091c469f148e0ca0ea83017493bf2bda9454cd4cfca3e1d6bba4aa81ddfeb352e728f4c0a6c39eb5778580fd

Download Submit
memory/220-209-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/220-127-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/440-215-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/440-72-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/448-160-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/448-205-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1120-221-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1120-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-216-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-63-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1628-181-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1664-214-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1664-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2016-168-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2016-204-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2092-219-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2092-39-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2388-225-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2388-120-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2424-202-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2424-191-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2624-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2624-217-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2724-223-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2724-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2728-143-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2728-206-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3124-213-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3124-88-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3480-111-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3480-210-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3488-207-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3488-151-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4416-31-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4416-220-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4500-208-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4500-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4620-103-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4620-211-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4636-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4636-224-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4656-201-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4656-199-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4728-95-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4728-212-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4744-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4744-222-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4928-183-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4928-203-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5064-47-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5064-218-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads