efcc1ce391ad815e9607f05e30fb357fb6c5dbef8791749fc9aa3a7ce3e5b8c3

General

Target

c036ddf69fe716a2b1802efec4009220N.exe
Size

242KB
MD5

c036ddf69fe716a2b1802efec4009220
SHA1

b7adbd90d29474501f129f5065111a0b1954542c
SHA256

efcc1ce391ad815e9607f05e30fb357fb6c5dbef8791749fc9aa3a7ce3e5b8c3
SHA512

6180aa0612132acfe88a4eaaa78ecde3167e5f977069bfe5da47f3ca1d6d27c2c13175565613111e4f2035fc9bbb971bbaeff49232ed87cedca9c29c2667b58a
SSDEEP

3072:VTvmwGCXNI3KUV6V8ZLB6V16VKcWmjRrzKbKcWmjRrzK8VHkdYaM88KC:VTewbXN1UV66LB6X62UyHEYa0

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c036ddf69fe716a2b1802efec4009220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c036ddf69fe716a2b1802efec4009220N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgqpkip.exe

Executes dropped EXE 7 IoCs

pid	Process
3584	Ckggnp32.exe
3920	Cmedjl32.exe
3604	Cmgqpkip.exe
4304	Dgpeha32.exe
1136	Ddcebe32.exe
4644	Dgbanq32.exe
2592	Diqnjl32.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmedjl32.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Lpcgahca.dll	Cmgqpkip.exe
File created	C:\Windows\SysWOW64\Ddcebe32.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Aammfkln.dll	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Ckggnp32.exe	c036ddf69fe716a2b1802efec4009220N.exe
File created	C:\Windows\SysWOW64\Dodebo32.dll	c036ddf69fe716a2b1802efec4009220N.exe
File created	C:\Windows\SysWOW64\Cmgqpkip.exe	Cmedjl32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgqpkip.exe	Cmedjl32.exe
File created	C:\Windows\SysWOW64\Ifncdb32.dll	Cmedjl32.exe
File created	C:\Windows\SysWOW64\Dgpeha32.exe	Cmgqpkip.exe
File opened for modification	C:\Windows\SysWOW64\Dgpeha32.exe	Cmgqpkip.exe
File opened for modification	C:\Windows\SysWOW64\Ddcebe32.exe	Dgpeha32.exe
File opened for modification	C:\Windows\SysWOW64\Ckggnp32.exe	c036ddf69fe716a2b1802efec4009220N.exe
File created	C:\Windows\SysWOW64\Nlkppnab.dll	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Mbddol32.dll	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Dgbanq32.exe	Ddcebe32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbanq32.exe	Ddcebe32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dgbanq32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedjl32.exe	Ckggnp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
752	2592	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgqpkip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgpeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c036ddf69fe716a2b1802efec4009220N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckggnp32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcgahca.dll"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c036ddf69fe716a2b1802efec4009220N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifncdb32.dll"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlkppnab.dll"	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c036ddf69fe716a2b1802efec4009220N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c036ddf69fe716a2b1802efec4009220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll"	c036ddf69fe716a2b1802efec4009220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c036ddf69fe716a2b1802efec4009220N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c036ddf69fe716a2b1802efec4009220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbddol32.dll"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aammfkln.dll"	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbanq32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 3584	3112	c036ddf69fe716a2b1802efec4009220N.exe	91
PID 3112 wrote to memory of 3584	3112	c036ddf69fe716a2b1802efec4009220N.exe	91
PID 3112 wrote to memory of 3584	3112	c036ddf69fe716a2b1802efec4009220N.exe	91
PID 3584 wrote to memory of 3920	3584	Ckggnp32.exe	92
PID 3584 wrote to memory of 3920	3584	Ckggnp32.exe	92
PID 3584 wrote to memory of 3920	3584	Ckggnp32.exe	92
PID 3920 wrote to memory of 3604	3920	Cmedjl32.exe	93
PID 3920 wrote to memory of 3604	3920	Cmedjl32.exe	93
PID 3920 wrote to memory of 3604	3920	Cmedjl32.exe	93
PID 3604 wrote to memory of 4304	3604	Cmgqpkip.exe	94
PID 3604 wrote to memory of 4304	3604	Cmgqpkip.exe	94
PID 3604 wrote to memory of 4304	3604	Cmgqpkip.exe	94
PID 4304 wrote to memory of 1136	4304	Dgpeha32.exe	95
PID 4304 wrote to memory of 1136	4304	Dgpeha32.exe	95
PID 4304 wrote to memory of 1136	4304	Dgpeha32.exe	95
PID 1136 wrote to memory of 4644	1136	Ddcebe32.exe	96
PID 1136 wrote to memory of 4644	1136	Ddcebe32.exe	96
PID 1136 wrote to memory of 4644	1136	Ddcebe32.exe	96
PID 4644 wrote to memory of 2592	4644	Dgbanq32.exe	97
PID 4644 wrote to memory of 2592	4644	Dgbanq32.exe	97
PID 4644 wrote to memory of 2592	4644	Dgbanq32.exe	97

C:\Users\Admin\AppData\Local\Temp\c036ddf69fe716a2b1802efec4009220N.exe
"C:\Users\Admin\AppData\Local\Temp\c036ddf69fe716a2b1802efec4009220N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Windows\SysWOW64\Ckggnp32.exe
  C:\Windows\system32\Ckggnp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\SysWOW64\Cmedjl32.exe
    C:\Windows\system32\Cmedjl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\SysWOW64\Cmgqpkip.exe
      C:\Windows\system32\Cmgqpkip.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3604
    - - C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4304
      - C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 400
        9⤵
        Program crash
        
        PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2592 -ip 2592
1⤵
PID:1988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1420,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=1020 /prefetch:8
1⤵
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ckggnp32.exe

Filesize
242KB

MD5
246987b8aecbe79ba56fbe18e30b8390

SHA1
1dcb7dc9fb6b76d41ac4eede3e7a87543b9bb781

SHA256
b56455f0cb49ce57453de49209863cb21bc2025cef7aff2ba9ef5072d409d8fa

SHA512
5e63a245f0293b0aa8ab5b025084c779143f98cd1b5215453c67c40beafa80f8eac71d292bd8089e1f886cfcd5b2f1ed2943b5b190ae33853e14811e92e32f8a

Download Submit
C:\Windows\SysWOW64\Cmedjl32.exe

Filesize
242KB

MD5
92f1b2b824b0ab50296c15f790b634ff

SHA1
ecdf3ceb89d59affa91a8850ac2d2532cc979e3f

SHA256
a814198e9a6a36180181329831d9c67b006e5a2cab75897a0d3059aa99b06525

SHA512
0e2b5843c58ced3513326628457af593f6ca307fc73eae5c228b398313b70d25ddafe1aa6519b5ee5769fe73de8b8aeb9ea34a3de380196e5c8a7bd73a73137e

Download Submit
C:\Windows\SysWOW64\Cmgqpkip.exe

Filesize
242KB

MD5
e116a1cf8c322cbe67df8649040a25ac

SHA1
cd348e633516a793cf36df522d377472ee60e17b

SHA256
393534baadf8fa0a5d27218e5d2c21e723a906977c747b6390e5ed278267db60

SHA512
776eff45a5360c0dc0c55d3321e39328fbd82850f4701da73504d29a8a680227faa1ee8c7c05fe63fbbcbcb9035845450cd2b02b44d592abe04ddc0a44c8f56b

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
242KB

MD5
87820dc75e1ad975dad2dee4c87f8100

SHA1
48c74cf9d6d4d9da93b5d323ddc1fb1a1cf8bbc7

SHA256
2c375e0afc2dd1584eb32418ae71afece6e5d05cb8c1ab78f0976025d4bd9e25

SHA512
88464e41791dd9585cb9248a6050b3e036ef684964fb44804cc6750183f5b77ca19620e90e61337bddc939cb9738628a1467141e3a5eee39210ceac2c74c59cd

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
242KB

MD5
dad294fb51762387202c77ce005644c0

SHA1
a588f74dad84c158c79f97574e32f7c37fdebb34

SHA256
cb0dcebe31b5144bf4d89c3a3d6c493d3a23f4f400e94007e9c46d931dd098b4

SHA512
5ad1a356479d3eb2693d70562dbec2fb3befd302e2761467ddd34f47a22c51118127ed55654b7b35707d7be3e1be5deac5f6e6a2495d9cacbb2b5672b441972e

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
242KB

MD5
c04ba9be9a9951cc96a42ef6387f27c7

SHA1
95dac83fa326a53e5ad105f963c184848a5ed3ad

SHA256
8ebba3ddc8ecb483b1de0454c31f39980922eeddd0082bb0f590998661fef998

SHA512
ccca0108cf8ab86344b8185429349f1ed58bff82c0b9ba7d392679f7672dd9f20efdaad08a284f0463cc0df02a03a000689622255f06b2ac8ab6a2a75d942376

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
242KB

MD5
536e8768249cd1bfb75c8673003a69dc

SHA1
53d5692183757be85dc162b29f3b5b11b1953a25

SHA256
877bf394740ffa7de3a939330645b8fa5f096a7665685c1263308c3d86b1d6eb

SHA512
1eb4626076bcd9bdb5c54f371d99022271ff268a6b77708501f2d234e38bb4795df8baaa9bbed29d80c3cd840d81b158b63d620bc939372c1fac641910d9a5a1

Download Submit
memory/1136-40-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1136-62-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2592-57-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2592-60-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3112-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3112-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3112-73-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3584-9-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3584-69-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3604-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3604-67-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3920-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3920-71-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4304-33-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4304-65-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4644-64-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4644-49-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads