a782b31dca3e1d314ff5931d49636aecf3c11b710b401a102c882e0db015796c

Analysis

max time kernel
101s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3f211a8cbd006349798d58451db0750N.exe
Size

520KB
MD5

c3f211a8cbd006349798d58451db0750
SHA1

156f3ba77ba32e1d74e4c2f331c1722c42a9fabf
SHA256

a782b31dca3e1d314ff5931d49636aecf3c11b710b401a102c882e0db015796c
SHA512

1ab94142f867a7a8c09951748827b8a1026eea5fbed81a6e76d486e626b97d1fb1bd5cb8fb1d8b4f8eed4a68306cfa4c528aa94bd2c9505ec6763aad186a9f07
SSDEEP

6144:dAUQLFM6234lKm3mo8Yvi4KsLTFM6234lKm3r8SeNpgdyuH1lZfRo0V8JcgEH:6dFB24lwR45FB24lJ87g7/VycgEH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c3f211a8cbd006349798d58451db0750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	c3f211a8cbd006349798d58451db0750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndikf32.exe

Executes dropped EXE 16 IoCs

pid	Process
1072	Cndikf32.exe
3292	Cenahpha.exe
4376	Caebma32.exe
1604	Cfbkeh32.exe
2392	Cdfkolkf.exe
2436	Cjpckf32.exe
4256	Cajlhqjp.exe
1620	Cdhhdlid.exe
4296	Dopigd32.exe
2556	Ddmaok32.exe
1004	Daqbip32.exe
3100	Dodbbdbb.exe
1716	Ddakjkqi.exe
1976	Dogogcpo.exe
4952	Dddhpjof.exe
3068	Dmllipeg.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	c3f211a8cbd006349798d58451db0750N.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	c3f211a8cbd006349798d58451db0750N.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	c3f211a8cbd006349798d58451db0750N.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4572	3068	WerFault.exe	102

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	c3f211a8cbd006349798d58451db0750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	c3f211a8cbd006349798d58451db0750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	c3f211a8cbd006349798d58451db0750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c3f211a8cbd006349798d58451db0750N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c3f211a8cbd006349798d58451db0750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	c3f211a8cbd006349798d58451db0750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdhhdlid.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 1072	4876	c3f211a8cbd006349798d58451db0750N.exe	84
PID 4876 wrote to memory of 1072	4876	c3f211a8cbd006349798d58451db0750N.exe	84
PID 4876 wrote to memory of 1072	4876	c3f211a8cbd006349798d58451db0750N.exe	84
PID 1072 wrote to memory of 3292	1072	Cndikf32.exe	85
PID 1072 wrote to memory of 3292	1072	Cndikf32.exe	85
PID 1072 wrote to memory of 3292	1072	Cndikf32.exe	85
PID 3292 wrote to memory of 4376	3292	Cenahpha.exe	86
PID 3292 wrote to memory of 4376	3292	Cenahpha.exe	86
PID 3292 wrote to memory of 4376	3292	Cenahpha.exe	86
PID 4376 wrote to memory of 1604	4376	Caebma32.exe	87
PID 4376 wrote to memory of 1604	4376	Caebma32.exe	87
PID 4376 wrote to memory of 1604	4376	Caebma32.exe	87
PID 1604 wrote to memory of 2392	1604	Cfbkeh32.exe	88
PID 1604 wrote to memory of 2392	1604	Cfbkeh32.exe	88
PID 1604 wrote to memory of 2392	1604	Cfbkeh32.exe	88
PID 2392 wrote to memory of 2436	2392	Cdfkolkf.exe	90
PID 2392 wrote to memory of 2436	2392	Cdfkolkf.exe	90
PID 2392 wrote to memory of 2436	2392	Cdfkolkf.exe	90
PID 2436 wrote to memory of 4256	2436	Cjpckf32.exe	91
PID 2436 wrote to memory of 4256	2436	Cjpckf32.exe	91
PID 2436 wrote to memory of 4256	2436	Cjpckf32.exe	91
PID 4256 wrote to memory of 1620	4256	Cajlhqjp.exe	92
PID 4256 wrote to memory of 1620	4256	Cajlhqjp.exe	92
PID 4256 wrote to memory of 1620	4256	Cajlhqjp.exe	92
PID 1620 wrote to memory of 4296	1620	Cdhhdlid.exe	94
PID 1620 wrote to memory of 4296	1620	Cdhhdlid.exe	94
PID 1620 wrote to memory of 4296	1620	Cdhhdlid.exe	94
PID 4296 wrote to memory of 2556	4296	Dopigd32.exe	96
PID 4296 wrote to memory of 2556	4296	Dopigd32.exe	96
PID 4296 wrote to memory of 2556	4296	Dopigd32.exe	96
PID 2556 wrote to memory of 1004	2556	Ddmaok32.exe	97
PID 2556 wrote to memory of 1004	2556	Ddmaok32.exe	97
PID 2556 wrote to memory of 1004	2556	Ddmaok32.exe	97
PID 1004 wrote to memory of 3100	1004	Daqbip32.exe	98
PID 1004 wrote to memory of 3100	1004	Daqbip32.exe	98
PID 1004 wrote to memory of 3100	1004	Daqbip32.exe	98
PID 3100 wrote to memory of 1716	3100	Dodbbdbb.exe	99
PID 3100 wrote to memory of 1716	3100	Dodbbdbb.exe	99
PID 3100 wrote to memory of 1716	3100	Dodbbdbb.exe	99
PID 1716 wrote to memory of 1976	1716	Ddakjkqi.exe	100
PID 1716 wrote to memory of 1976	1716	Ddakjkqi.exe	100
PID 1716 wrote to memory of 1976	1716	Ddakjkqi.exe	100
PID 1976 wrote to memory of 4952	1976	Dogogcpo.exe	101
PID 1976 wrote to memory of 4952	1976	Dogogcpo.exe	101
PID 1976 wrote to memory of 4952	1976	Dogogcpo.exe	101
PID 4952 wrote to memory of 3068	4952	Dddhpjof.exe	102
PID 4952 wrote to memory of 3068	4952	Dddhpjof.exe	102
PID 4952 wrote to memory of 3068	4952	Dddhpjof.exe	102

C:\Users\Admin\AppData\Local\Temp\c3f211a8cbd006349798d58451db0750N.exe
"C:\Users\Admin\AppData\Local\Temp\c3f211a8cbd006349798d58451db0750N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\SysWOW64\Cndikf32.exe
  C:\Windows\system32\Cndikf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\Cenahpha.exe
    C:\Windows\system32\Cenahpha.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Windows\SysWOW64\Caebma32.exe
      C:\Windows\system32\Caebma32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        17⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 420
        18⤵
        Program crash
        
        PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3068 -ip 3068
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caebma32.exe

Filesize
520KB

MD5
7ec369c6f0e31d4211b47b1b22af6b2c

SHA1
353fcd0a76d7b08bb16376433b402ddd983a5c13

SHA256
a3b90958bdb9729250ebdcca2707bbd14939a6bfcc5fba2b6b0c74d6a84d0d19

SHA512
6d56e5aa776f145a6d3b8e7d58f45859ff8fb05f96e694846f7747c000d3e74b0df65e60532e3396d45b5970673807ea87e2f7cf83665a241d4e36ae362055da

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
520KB

MD5
244c355652c596041bd6aedf12840871

SHA1
10ea5b759f66ee41cbbe2ab74a92849dc2ec7fa2

SHA256
bbee42adfd9568fd82aafc11374d51f19ea957d638a9a9bc06edbd135fbef6c9

SHA512
d0a805f4062b6c0993f45cba7e174c1e230cbe83a9f14aa32214748784775bb0bb73daa007759a5e69703888c7b61afab2540698d1ac62779110252d6353b858

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
520KB

MD5
f3b932e9ee8a80c8fc2c50276bd2a9f0

SHA1
36001e2f6d8447a7fa06308d94787e2b625569a5

SHA256
f82a10396e5ef532a715f7e6e1eae41ba4da89542628ca2a808d97636cd29bc6

SHA512
5fd4c7062ecd0058c6b74c782d890c9cbaabe51baaf967d1ed3f5d345ec7b186ec7b518632cc94c80761758c996a894a831565563f810594e5dda401d3b715cb

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
520KB

MD5
4035a94172c164c6ee4361d37fa96466

SHA1
524d6ccf158ecb7cf80e1bd6026b100595c64076

SHA256
8292f9071a0c7960f9954ebbb9c9d59ecba12be8f472c07e398e0df2822401f1

SHA512
30d0e00cf744061d3bc9c8a902722e1b25f58372c540763a8fecc95eeeee693de2dd786a6718470bc560c315cbde629d9454db9762c4c2d761ae53972876549c

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
520KB

MD5
3d838778212e2b24d55b1fccfb889c77

SHA1
40809c1e36e5365f2ddf336fd1ec4c07f7f5c17b

SHA256
863fd2de51407389f46efdf41289cbacb4ca8319245754c6ef5a377db5beb4bf

SHA512
a3c76fef5119c813d68e232915c36e986116a60e29d1c74375c5c5007988a9321cda3bfcb3995031753fd7c7843bf8a75a07bbd63dc02f1de3a4faa016756540

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
520KB

MD5
53ce9a4c9ab080fe7851074aa8e1c369

SHA1
34fdc96af6346e3ff28e85b75a1d7f73e5cf65bf

SHA256
fe655861353df5b9ad3dca95810a53c61f58104b6dbe562fac37f4de20258b2e

SHA512
cb99da544c26b9e57aa07925ca8a07ff9b13530896b240b0498b7ffd51f988a04d2dfdb8df1c9293027ab45589619091caec2a752b1946a4895b8273ca6de6e5

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
520KB

MD5
813945c9b185526da080746736bc4cf9

SHA1
2c65809d98ddbee206e5668ccd07c262ff7248b0

SHA256
aaf2b8c0fa8cd143856b97af42323c733573270a24d7e407d83fdaa117896719

SHA512
81b6ef1788ffc1f48515197cb6824068183adcc4e027c4bf136c9c3d007b3949a22afd50eec038d61634e020462391e3fb07ba5466b805634214237b223bb0a0

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
520KB

MD5
0b60660a2d718c03962f67fab771aed8

SHA1
beba1c504709916f476384557b08f37d780c11a8

SHA256
5ebe7266eda57f9f1b5f38ec1f2a5eb49577cb11d65f3783310c546a6054c1c0

SHA512
ea690167fc79374ebfaf739e6819b1f6be0ab497c80c0cc801dad9900f5205fd4df23fcf081e4003de759d31e2813fe6c0bbf655a47cb62d98dc28b01576471f

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
520KB

MD5
c69680f680e6e2a23252fea77b976db6

SHA1
b7eaa18fbdbff1b2a942b0a9ef3420a2fe553c22

SHA256
ee956c2442cc46cad84a535ba92d6119cd9b13df24de329bb2ea0329c521e6e6

SHA512
3353714013ad28d8cda3ad61eb54402f28f432a0f31607eaecc75f11e7fb29f7ceedc17a97df30caab4f0020950894ec5bc527f5423c665f49f48f10272dc2a4

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
520KB

MD5
9c377afa1e75f139a175b637e56bed12

SHA1
9826e57d89c3661f92dfd22a0f55bd3637fcd0bb

SHA256
56120aab90080afbad6926b1f9161036eda887fb665a449a5b31b43c97e3e3b4

SHA512
bb546ca2c119e49d30a2e9cc4bde8fe3b98b3cf14c83429e5d5bcabe3d69bb8497c71417c6a97392476116e856a392e033629156aef45af603ccb63249c017bd

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
520KB

MD5
3dddb0fd6b4b70611b53f1f3b06a3f95

SHA1
2d7eb5f00b10af060ea8dbaf58f39b5f8ca43a22

SHA256
3f7a458fe69af042f2aa877fda5854bc334f1386f696a0d1efa2d381ca9e900a

SHA512
1404e3259321f504d9b7301b5d2862ae4d612762105e6169e7eea62d37ede2453ab415cc1e7e9188672c2db9fb8aea992101573127bb1c25a17c48ff94ed3dbd

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
520KB

MD5
60934b62eb4be515369ce16bce3c5545

SHA1
6cb78046357c27aa366b573b9ebcd965c82e535d

SHA256
5c4ed32c8e940a5ed3441aba76571bf5ad4fef8e406733f1b20eb78177dea4c9

SHA512
7f72cbab07a2239376ddf9abc498e2b2ed06e6b34d84a20951c71eb6fcad3e3960d19723e97b76e9bdbd9f4c298ebbad4ea5f000001bd7c312462c2d79a47e4d

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
520KB

MD5
68935985159cb9b91f7e65f4d0e6c03f

SHA1
f4f182ef0184f0e5840a5bde315f97ae700e96ee

SHA256
61af6affb1f22f8803c1ab66f786d031e4b383fa796adeaa574934abcd6e23c4

SHA512
25b563cdfc04d53b3a5d28da634baae407aac1707ba88feb353a6f382dc1125d2a8652b7bc385f448735111fd2a04ed5b01f88260ee993827328b5d7718c097c

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
520KB

MD5
62c6e4a1d23fa04d186a3a615938b483

SHA1
1c0860bb0fee35df95210a36f6dd87e660531cc6

SHA256
69b115e3d861b3e3b3daf4d86102dadc54d649b0d98d95393e01967f963165a3

SHA512
f5045001e225a6b4a5d5ee681d9e8fe98c77e457a4303dea37f9683488377209d883b18393e050a4d3ff667442897e4b97391d961ca254cfd7807f900d1bacce

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
520KB

MD5
248fa4ede6632f518b37b3eca678b280

SHA1
eb273337d590b6d2fd73609f323c9ce752319b17

SHA256
3be47f79901b5c5bb3b0d28c49632fe799baf94c23f6a12701076308d22056b8

SHA512
e7ae9637ccb13abf11838e49e7d276ecf1cd2564046f0d33ce252bc2e980b76fd69bd8763cfd6c019ac2bf6afb2a7f3a0f33ae80377c1ac1890527abec0b5a82

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
520KB

MD5
e04cdf708c6990680bf16a8e29d651f2

SHA1
fd3a32d8ec261aed64644b833e49bda763ae0ffc

SHA256
ba542e0bf4922a0cb7616dd5cf0aec5eae7bf80fcccac01166578c2c364662b0

SHA512
ab3f21a238abbda141dce3e32117951a95c52630d6bffffe543f86fd3298495e8cf7366e16c6c3a92938e6865b0d44fbcc274bb83fb1d952f7c448e0204f8c52

Download Submit
C:\Windows\SysWOW64\Jffggf32.dll

Filesize
7KB

MD5
fe15eef101d47525b419920c73bbbd1b

SHA1
2e99affaf5138cb82e0e4d93c2932d22a6eda2c8

SHA256
c10badcd83699de585ba5f1e97bd834ae9c7fb0d1b70eec53f50091d312f2a3f

SHA512
4293dfa77bff94de7f992100b760a27704ee08520648828523eea4a9231eb010ba7c9d2615601ace4563ad336c3d0d4565e5742d1c028b84f80931d2f428a53b

Download Submit
memory/1004-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads