5998a12b8f4083e701092b765a43b44e9adf310703a75c39a4dff60a407e53a6

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd03ed39e671f97ef712d4d476f5c8e0N.exe
Size

704KB
MD5

bd03ed39e671f97ef712d4d476f5c8e0
SHA1

f17e9fb8edb8476c245455173346f87f0106f012
SHA256

5998a12b8f4083e701092b765a43b44e9adf310703a75c39a4dff60a407e53a6
SHA512

5f99a4d3baba465f16c3a461b10738e447f7f64f3b238630514ecb19d9ec5834d158b10b78cad45889a34c72a17c0646bfd37d0912e44c2a36d1e9f3206d1559
SSDEEP

12288:hMXaph2kkkkK4kXkkkkkkkkl888888888888888888nusMH0QiRLsR4P377a20Rw:hKaph2kkkkK4kXkkkkkkkkhLX3a20R0Z

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bd03ed39e671f97ef712d4d476f5c8e0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bd03ed39e671f97ef712d4d476f5c8e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe

Executes dropped EXE 15 IoCs

pid	Process
4052	Cdhhdlid.exe
3564	Cffdpghg.exe
2872	Cnnlaehj.exe
4628	Cmqmma32.exe
2848	Djgjlelk.exe
2436	Dfnjafap.exe
1228	Deokon32.exe
1764	Dhmgki32.exe
2620	Dkkcge32.exe
1484	Dmjocp32.exe
2984	Daekdooc.exe
2096	Dddhpjof.exe
2468	Dgbdlf32.exe
4328	Doilmc32.exe
3412	Dmllipeg.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	bd03ed39e671f97ef712d4d476f5c8e0N.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	bd03ed39e671f97ef712d4d476f5c8e0N.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	bd03ed39e671f97ef712d4d476f5c8e0N.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dfnjafap.exe

Program crash 1 IoCs

pid	pid_target	Process
3000	3412	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd03ed39e671f97ef712d4d476f5c8e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bd03ed39e671f97ef712d4d476f5c8e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bd03ed39e671f97ef712d4d476f5c8e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bd03ed39e671f97ef712d4d476f5c8e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bd03ed39e671f97ef712d4d476f5c8e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	bd03ed39e671f97ef712d4d476f5c8e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bd03ed39e671f97ef712d4d476f5c8e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 4052	4320	bd03ed39e671f97ef712d4d476f5c8e0N.exe	84
PID 4320 wrote to memory of 4052	4320	bd03ed39e671f97ef712d4d476f5c8e0N.exe	84
PID 4320 wrote to memory of 4052	4320	bd03ed39e671f97ef712d4d476f5c8e0N.exe	84
PID 4052 wrote to memory of 3564	4052	Cdhhdlid.exe	85
PID 4052 wrote to memory of 3564	4052	Cdhhdlid.exe	85
PID 4052 wrote to memory of 3564	4052	Cdhhdlid.exe	85
PID 3564 wrote to memory of 2872	3564	Cffdpghg.exe	86
PID 3564 wrote to memory of 2872	3564	Cffdpghg.exe	86
PID 3564 wrote to memory of 2872	3564	Cffdpghg.exe	86
PID 2872 wrote to memory of 4628	2872	Cnnlaehj.exe	87
PID 2872 wrote to memory of 4628	2872	Cnnlaehj.exe	87
PID 2872 wrote to memory of 4628	2872	Cnnlaehj.exe	87
PID 4628 wrote to memory of 2848	4628	Cmqmma32.exe	88
PID 4628 wrote to memory of 2848	4628	Cmqmma32.exe	88
PID 4628 wrote to memory of 2848	4628	Cmqmma32.exe	88
PID 2848 wrote to memory of 2436	2848	Djgjlelk.exe	89
PID 2848 wrote to memory of 2436	2848	Djgjlelk.exe	89
PID 2848 wrote to memory of 2436	2848	Djgjlelk.exe	89
PID 2436 wrote to memory of 1228	2436	Dfnjafap.exe	90
PID 2436 wrote to memory of 1228	2436	Dfnjafap.exe	90
PID 2436 wrote to memory of 1228	2436	Dfnjafap.exe	90
PID 1228 wrote to memory of 1764	1228	Deokon32.exe	91
PID 1228 wrote to memory of 1764	1228	Deokon32.exe	91
PID 1228 wrote to memory of 1764	1228	Deokon32.exe	91
PID 1764 wrote to memory of 2620	1764	Dhmgki32.exe	93
PID 1764 wrote to memory of 2620	1764	Dhmgki32.exe	93
PID 1764 wrote to memory of 2620	1764	Dhmgki32.exe	93
PID 2620 wrote to memory of 1484	2620	Dkkcge32.exe	94
PID 2620 wrote to memory of 1484	2620	Dkkcge32.exe	94
PID 2620 wrote to memory of 1484	2620	Dkkcge32.exe	94
PID 1484 wrote to memory of 2984	1484	Dmjocp32.exe	95
PID 1484 wrote to memory of 2984	1484	Dmjocp32.exe	95
PID 1484 wrote to memory of 2984	1484	Dmjocp32.exe	95
PID 2984 wrote to memory of 2096	2984	Daekdooc.exe	96
PID 2984 wrote to memory of 2096	2984	Daekdooc.exe	96
PID 2984 wrote to memory of 2096	2984	Daekdooc.exe	96
PID 2096 wrote to memory of 2468	2096	Dddhpjof.exe	97
PID 2096 wrote to memory of 2468	2096	Dddhpjof.exe	97
PID 2096 wrote to memory of 2468	2096	Dddhpjof.exe	97
PID 2468 wrote to memory of 4328	2468	Dgbdlf32.exe	98
PID 2468 wrote to memory of 4328	2468	Dgbdlf32.exe	98
PID 2468 wrote to memory of 4328	2468	Dgbdlf32.exe	98
PID 4328 wrote to memory of 3412	4328	Doilmc32.exe	99
PID 4328 wrote to memory of 3412	4328	Doilmc32.exe	99
PID 4328 wrote to memory of 3412	4328	Doilmc32.exe	99

C:\Users\Admin\AppData\Local\Temp\bd03ed39e671f97ef712d4d476f5c8e0N.exe
"C:\Users\Admin\AppData\Local\Temp\bd03ed39e671f97ef712d4d476f5c8e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\SysWOW64\Cdhhdlid.exe
  C:\Windows\system32\Cdhhdlid.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\SysWOW64\Cffdpghg.exe
    C:\Windows\system32\Cffdpghg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\SysWOW64\Cnnlaehj.exe
      C:\Windows\system32\Cnnlaehj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 396
        17⤵
        Program crash
        
        PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3412 -ip 3412
1⤵
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
704KB

MD5
b5a7e69f0307b96d1e8ba58595d9c92e

SHA1
9afc11631137b96bdaf38fe87b8d5453baecb863

SHA256
a31741a1e4db5f97f284df41e7b6110545efc804824ddd70241579a52ca623b3

SHA512
a554b4c785409306ee543591d02b673947ca06353b1f58b7e2f1684a4c6ec2d74147060f529bc6e6797e3d0f82946113a9aa247e0e66a6cee00286fd4b92f554

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
704KB

MD5
b2f5ff6e1e9f3855ec4d963dfeb0e6e1

SHA1
b90daf425ac37b11af17ed3c98efe1617f940d8e

SHA256
76de8b2417a2691d0ba0778b70e761d018b0612e896681d37c83064f39744195

SHA512
9e3646bfe9c897d44b63f5c57b1c337b68911a22685d8472abd1dac54c2e04cc86d6c0a87e30fd16730fdab248fc844612758f105f6de5b87eef68b71d3e8cde

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
704KB

MD5
0f397b7d3332422e46d4c218155962c6

SHA1
faa92390e8c2241c1ced3ed948625da646420cdb

SHA256
5970a8c5ee1234a23f4dbc244e3ceae271809370343c3d2fc43d962aa63ebe17

SHA512
bb6f86948eb26a9e30e8521bd7fb55a07a8e6b8635d05ef962b1f265ce5d18a678bdd2e42f997fea0a0f331216088ad28fc05791c17f47a6ce7a5b3f47dd5c80

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
704KB

MD5
70bcfef98bd1c53ac159838b0ec36400

SHA1
72b7c5d591f2b843af0eda717bd8208dea169904

SHA256
bc40782080fae3baf98e8144a40d37c1a6fee7eccc4fed24ec9a51463a7959d5

SHA512
4ae263b6fa4b65924d5dbd6eb328d5f5ca2d35ecc9a116d9544c2fbb3f94aa5504587a8debef6114d7f967efe73bb5576f1b52032ce883350fef3a38c1efc66a

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
704KB

MD5
2d9366a91e1ca3f486a4dabf3285f397

SHA1
c5f28b3c5ec76e8374950399b00c5c3349c0ee11

SHA256
af0111aa86fccda79634dc86ed319b45db09da816336faba6fb2d41360e13534

SHA512
3904f09962b71f098ee380bed3f9caf6db3d63688ed3b2c1be3b11da54a35cda8e69036055d3a99215841579c057e33c352d2e85a46b16b1e9579ec962528cf1

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
704KB

MD5
99c602e8b09a8a10e1a12ce39406a70c

SHA1
83204e72d143be7cc22694d718db690a22c49b49

SHA256
86d190e0bb3c4dedd010cb8b52c1e28cdd70b70e744aca0f07f3cb3c5b5b0ea9

SHA512
ec0d268e35a666ab852058109931cf5f69fe738541dae6f4e70ad2da60f242a5859860436deda66d1cb0a0e1713e46d079b4fda1c0cfab9e3f3f5f1312f29ff1

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
704KB

MD5
c46793aed8e4fe393bf4a24fbb07db0d

SHA1
fff9905f40ad45590373ae44f183b1b9519b95b2

SHA256
a3ae8324feb77fcd75fd5dbc3fe7589f31a0664511c9ae386c8c7837fb13e5e3

SHA512
fe75356326a8b30ad73856f9d73941468f97f7c15c34a91de06504f4591ecb309fdd7e0fab51b8aa04a9fac62bb7e63e8e2c306056be8a0ab5ec39238de171d9

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
704KB

MD5
183289485d054d72295527aa9e60291f

SHA1
a0ce70f5d8dcb378c442872cdf4addd8d039a944

SHA256
cb7d1aae47d0afb59564a3226339e4336faa3d546ebeb0bb5d2942a980eb89f3

SHA512
d482d48e53d2890996626d85650eec30e78bc24302bcbc4d511ecff252ee3516efefdce76295f4dbc63827126b0c1f896f5f0f724cfc40602e38d734dec769e0

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
704KB

MD5
62b59e88e31913a1845f9ec5a4ec3c48

SHA1
19dbefde79cd32d3907c3d10ed5836a11b4b1d1f

SHA256
3dad432dc21974db8b5791f163da8f565998009f5b8d06c18fc5c299b551890c

SHA512
ae27748429e0446f1c7044f11fba3b7e3bb0777ac67eb4a12726123210f70a72a48d5ade31388fc468a824c0f48af06e5027485753239eeb0c1a5fb88742a668

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
704KB

MD5
01c95021fb2c7a9fa2af29841b918f86

SHA1
0f5e573cfdda2b5851c1d92efb95500d2bad760e

SHA256
d62c7f22e4107571c685fc5d0e9607fe66454b8372614bae6efd7425648afc5e

SHA512
de4cc7ba6a14b1036ee78363552ce075c4eeacf5bc56ed7e12bb98d4fbe5c22b727616b156434ed87c6ba9bd265407be3aa4318b715669a8dd1ba44fc683773e

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
704KB

MD5
f4edbb1f546b7152f866dfbcb46119bd

SHA1
a04d18a4b4e6f08d2eb994828cd5795db7406169

SHA256
0f203ac279df7f364538177c7f6ce9c1a2f3e22c29d8e8870c8d82ba4c55ef8d

SHA512
3f9b95735b9e56f9cfcc778b0cb3ebc205f167073d55abcede321da4b79e94f021069f6b253a9838fdc1a8a4872b8790059c40fe734b99064bac0191efb8ea9f

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
704KB

MD5
4a81c07790e715b06f046b6e98896e8a

SHA1
180538e7b081fd08b961758d02c9fe24a47f80e8

SHA256
99789e9c8f05a15d6efe1c44ae3ce80e69f6205b077372f5b52ef138444130fc

SHA512
329de5c493b5405105df1d2cb759fe1f1354b14d0b30f15bfdb39491127deabc9e57d81c0f93d8cdd896a5ef998c1fbb2cbfaf944d27ee7c6f30f09bdbe98edc

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
704KB

MD5
7d18fbb08c582af8f68e54f6df0b1877

SHA1
cdf20683d89e27d789dc9366e87211ef7fa4dccb

SHA256
b60de9a4ec4a0bed60aa2d83972df4f8c132c57638c5d2fc062ceb77b79efe75

SHA512
c967e2ac5e9e63d324b1c7f01cf70b4e272d426a4deff835b3ec97dfe1a272ae8d9f4a30814609f31feccf527dd84b0daf29c87fa0f315b9dcfc4c41cba0aab9

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
704KB

MD5
5f7f2c89777772780bafd40407bdf0d0

SHA1
1549f73f0b6dc21c345a9be6f3b4b64f589f2c68

SHA256
17b0fd8bde648df71e2bf0d58c0175d87dda63f6f89dc6de2271f3c94aa40d1b

SHA512
9ecc869bb84456a13a496b9b8d46ab7e64fdcbd0fe89830e097f0db31086d630203f75b7d04662f94f214230e06336daaa7e9dd1f76ead378c535d760dbe7339

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
704KB

MD5
fc4a651433f824afec4156788c578e58

SHA1
00cb47eb4195d6b755795846c4748bf690c1dbd5

SHA256
1e0c3ceda5275c31e39678df86270d3aa68d4be29e4aa92b8adad8f78c70100d

SHA512
d12168125372b7ca90567b31baf50c472d5fed3838c2eac9afa0c1d58dc9d83fa2c0f9bd27425c01349595926c468b11360c39fa5910abc008db59d84a12b842

Download Submit
memory/1228-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1228-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1484-85-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1764-69-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2096-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2436-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2436-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2468-112-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2620-76-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2848-125-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2848-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2872-26-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2872-111-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2984-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3412-126-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3564-102-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3564-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4052-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4052-93-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4320-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4320-84-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4328-122-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4628-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4628-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads