054ce46a961da0957bb57eb9e10d925274334d135062186bb717535caa86949a

General

Target

2713d79b6f1a38d3d42d4ccf5ff835e0N.exe
Size

176KB
MD5

2713d79b6f1a38d3d42d4ccf5ff835e0
SHA1

1c44e01294d7684ee7d2b649869eeb8fc0319edb
SHA256

054ce46a961da0957bb57eb9e10d925274334d135062186bb717535caa86949a
SHA512

76fa0d425f94b988f676ff639afb86bbcf6e6e33e5d2b58060730b757f0f429d8d834178c554e9c526c66513950d1f07de366c4c26848b9b15e7d552c427f235
SSDEEP

3072:aIuOpNL6AoP9XckI9r7MUarlOGA8d2E2fAYjmjRrz3E3:aIrpNLoBct9AURXE2fAEG4

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2713d79b6f1a38d3d42d4ccf5ff835e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2713d79b6f1a38d3d42d4ccf5ff835e0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe

Executes dropped EXE 7 IoCs

pid	Process
3256	Dkifae32.exe
4184	Dmgbnq32.exe
4748	Dhmgki32.exe
4876	Dogogcpo.exe
3952	Dmjocp32.exe
4452	Dgbdlf32.exe
4736	Dmllipeg.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	2713d79b6f1a38d3d42d4ccf5ff835e0N.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	2713d79b6f1a38d3d42d4ccf5ff835e0N.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	2713d79b6f1a38d3d42d4ccf5ff835e0N.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1792	4736	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2713d79b6f1a38d3d42d4ccf5ff835e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2713d79b6f1a38d3d42d4ccf5ff835e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2713d79b6f1a38d3d42d4ccf5ff835e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2713d79b6f1a38d3d42d4ccf5ff835e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2713d79b6f1a38d3d42d4ccf5ff835e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2713d79b6f1a38d3d42d4ccf5ff835e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	2713d79b6f1a38d3d42d4ccf5ff835e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 3256	64	2713d79b6f1a38d3d42d4ccf5ff835e0N.exe	83
PID 64 wrote to memory of 3256	64	2713d79b6f1a38d3d42d4ccf5ff835e0N.exe	83
PID 64 wrote to memory of 3256	64	2713d79b6f1a38d3d42d4ccf5ff835e0N.exe	83
PID 3256 wrote to memory of 4184	3256	Dkifae32.exe	84
PID 3256 wrote to memory of 4184	3256	Dkifae32.exe	84
PID 3256 wrote to memory of 4184	3256	Dkifae32.exe	84
PID 4184 wrote to memory of 4748	4184	Dmgbnq32.exe	85
PID 4184 wrote to memory of 4748	4184	Dmgbnq32.exe	85
PID 4184 wrote to memory of 4748	4184	Dmgbnq32.exe	85
PID 4748 wrote to memory of 4876	4748	Dhmgki32.exe	87
PID 4748 wrote to memory of 4876	4748	Dhmgki32.exe	87
PID 4748 wrote to memory of 4876	4748	Dhmgki32.exe	87
PID 4876 wrote to memory of 3952	4876	Dogogcpo.exe	88
PID 4876 wrote to memory of 3952	4876	Dogogcpo.exe	88
PID 4876 wrote to memory of 3952	4876	Dogogcpo.exe	88
PID 3952 wrote to memory of 4452	3952	Dmjocp32.exe	89
PID 3952 wrote to memory of 4452	3952	Dmjocp32.exe	89
PID 3952 wrote to memory of 4452	3952	Dmjocp32.exe	89
PID 4452 wrote to memory of 4736	4452	Dgbdlf32.exe	90
PID 4452 wrote to memory of 4736	4452	Dgbdlf32.exe	90
PID 4452 wrote to memory of 4736	4452	Dgbdlf32.exe	90

C:\Users\Admin\AppData\Local\Temp\2713d79b6f1a38d3d42d4ccf5ff835e0N.exe
"C:\Users\Admin\AppData\Local\Temp\2713d79b6f1a38d3d42d4ccf5ff835e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:64
- C:\Windows\SysWOW64\Dkifae32.exe
  C:\Windows\system32\Dkifae32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Windows\SysWOW64\Dmgbnq32.exe
    C:\Windows\system32\Dmgbnq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\SysWOW64\Dhmgki32.exe
      C:\Windows\system32\Dhmgki32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
      - C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 396
        9⤵
        Program crash
        
        PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4736 -ip 4736
1⤵
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
176KB

MD5
2f44e99ade1bb3f5221a750d195a3675

SHA1
1faaa3dbd981959c910c61c52bd4034e1dc06914

SHA256
3d7026c938e14f4ec494f6aa4575c13bc41c5fae48f6d890734b208d834c0bb5

SHA512
1d00835c9e9092a988c728b70014def545c956beeb0526f6860209697b84561cfedbdd7e404b2ecceec6c4fb060c7351772c65a78bdffe09acbbca5b6260caf7

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
176KB

MD5
834e6f92a9df26185b46fab4a8de1486

SHA1
d4be7a152f63d05ec60565fec05a9e137fe781aa

SHA256
d016a2ca594985d92898708740d0560709276db9cc5fb9eb9d65a62c24a76b08

SHA512
2c376e2b9b62026be91d6693d6cd33e7f9902a2f0a195b4e39030e91553482a4afe82571b9b892f87e45d2ff1797c8ea918af8c6082b19402be83515b09ab5c7

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
176KB

MD5
74d0cfb23ad53cc498b2912018abb21d

SHA1
a7a71ef40d8d7ef5b9f6e8b6d5452d56cd50ba5f

SHA256
8ca6ff74bc665d50a08cb9f8ab33f7a6a4a22f52ff1d5e594e798c97a90b90c4

SHA512
426c3900f692d959791e466f95758b61e0582fa454050d0cacacb981fa854ee119dcde18c6f7505342dc6f7ae073b709a868c72e49fdee87218d889970973d41

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
176KB

MD5
1fa6f2f6b175d6f8cb0f5bc569a32233

SHA1
4cd4d3fb421ae8fc0c5f453735f09817a3007309

SHA256
55cf6685e492a08e1d81e2318d643308788c50d21db254ce4c0527140f101b09

SHA512
73f3d9a2c397b9d41432b34b39df89f82b8701536d903139405376b4bcbea61edbad44a85e4e8e7cb1dc7c9098daa22b2e8b863e0b342205349de514a7be7e7c

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
176KB

MD5
216531212e944eb463c02e45b25a5807

SHA1
63747425e40546edc9dcbca4a628e1f72229288e

SHA256
e5638bac3362fd004349002ef4fbc4fdea5091e169676944a527ae7c310f8640

SHA512
3aafdb1af41ab2f33a41ccf3368f5cfaf34e083eb9724adc1a98dab5d65a03f788ad8a3a9eedfc117dd794065f507da143feda88ee5b10c6382c30b87d1e4a0a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
176KB

MD5
9fcd573de5e25f35706d4adcd0849ec3

SHA1
2dcf318998e7af5f72071314ce0729106e8a8860

SHA256
67e2ac567fa79df16657ad778b348e4aeec9bdb1841d8be925e894ab6e6a9117

SHA512
4967cf1963e550dcd3208bd7415e4f9d610b4d2618a59b2db270c3adbf6dc677ce8245cb2a6c42b49def99cf0eeba9220724bfe73f4d26a9fe68c32e9152e2a0

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
176KB

MD5
38256fcc0f37f64b5ef9f19e231d8599

SHA1
25ba778fdb34d32a364977c0fac433563806809e

SHA256
665bc620f6645dba2ec6205caa925571bebe1a94386e1ee09d8b852148c643eb

SHA512
c45d8251bb797dfdab67030677717b4d90a1c7a98ba61e0128260bb1e24df17441ce2306357aa84013f027b5c7eb9f3c24de627ad4b93406f43ddfa213f9b9a8

Download Submit
memory/64-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/64-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/64-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads