4b127124706dfc7fbb9a379685d078df44993b9a2a6c7ce7e07f72f14efd6cd6

Analysis

max time kernel
105s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec094a16f1ffc5c421f04bdc72e80ea0N.exe
Size

92KB
MD5

ec094a16f1ffc5c421f04bdc72e80ea0
SHA1

05d7245993cce25cd073d704efcacf70f340e30f
SHA256

4b127124706dfc7fbb9a379685d078df44993b9a2a6c7ce7e07f72f14efd6cd6
SHA512

9cdbd7dcf164a88ae35fc6b49e75e73a20e9545263c55b3ef61947357fd5d7d064d1076341b375bd25ca0ea0159989b2120faf95085b89d171244bbc3851b741
SSDEEP

1536:ouNs1Ce0L+s7wmnUQoREHuvtii3jXq+66DFUABABOVLefE3:ns8e0S+nuEOd3j6+JB8M3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ec094a16f1ffc5c421f04bdc72e80ea0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ec094a16f1ffc5c421f04bdc72e80ea0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe

Executes dropped EXE 15 IoCs

pid	Process
432	Cegdnopg.exe
4724	Dfiafg32.exe
3996	Djdmffnn.exe
4168	Danecp32.exe
2680	Dfknkg32.exe
3340	Dmefhako.exe
1320	Delnin32.exe
2664	Dodbbdbb.exe
4996	Deokon32.exe
4432	Dfpgffpm.exe
4704	Dogogcpo.exe
3360	Deagdn32.exe
1628	Dhocqigp.exe
3992	Dknpmdfc.exe
4840	Dmllipeg.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	ec094a16f1ffc5c421f04bdc72e80ea0N.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	ec094a16f1ffc5c421f04bdc72e80ea0N.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	ec094a16f1ffc5c421f04bdc72e80ea0N.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4980	4840	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec094a16f1ffc5c421f04bdc72e80ea0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ec094a16f1ffc5c421f04bdc72e80ea0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ec094a16f1ffc5c421f04bdc72e80ea0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	ec094a16f1ffc5c421f04bdc72e80ea0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ec094a16f1ffc5c421f04bdc72e80ea0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ec094a16f1ffc5c421f04bdc72e80ea0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ec094a16f1ffc5c421f04bdc72e80ea0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 432	1688	ec094a16f1ffc5c421f04bdc72e80ea0N.exe	83
PID 1688 wrote to memory of 432	1688	ec094a16f1ffc5c421f04bdc72e80ea0N.exe	83
PID 1688 wrote to memory of 432	1688	ec094a16f1ffc5c421f04bdc72e80ea0N.exe	83
PID 432 wrote to memory of 4724	432	Cegdnopg.exe	84
PID 432 wrote to memory of 4724	432	Cegdnopg.exe	84
PID 432 wrote to memory of 4724	432	Cegdnopg.exe	84
PID 4724 wrote to memory of 3996	4724	Dfiafg32.exe	85
PID 4724 wrote to memory of 3996	4724	Dfiafg32.exe	85
PID 4724 wrote to memory of 3996	4724	Dfiafg32.exe	85
PID 3996 wrote to memory of 4168	3996	Djdmffnn.exe	87
PID 3996 wrote to memory of 4168	3996	Djdmffnn.exe	87
PID 3996 wrote to memory of 4168	3996	Djdmffnn.exe	87
PID 4168 wrote to memory of 2680	4168	Danecp32.exe	88
PID 4168 wrote to memory of 2680	4168	Danecp32.exe	88
PID 4168 wrote to memory of 2680	4168	Danecp32.exe	88
PID 2680 wrote to memory of 3340	2680	Dfknkg32.exe	89
PID 2680 wrote to memory of 3340	2680	Dfknkg32.exe	89
PID 2680 wrote to memory of 3340	2680	Dfknkg32.exe	89
PID 3340 wrote to memory of 1320	3340	Dmefhako.exe	90
PID 3340 wrote to memory of 1320	3340	Dmefhako.exe	90
PID 3340 wrote to memory of 1320	3340	Dmefhako.exe	90
PID 1320 wrote to memory of 2664	1320	Delnin32.exe	92
PID 1320 wrote to memory of 2664	1320	Delnin32.exe	92
PID 1320 wrote to memory of 2664	1320	Delnin32.exe	92
PID 2664 wrote to memory of 4996	2664	Dodbbdbb.exe	93
PID 2664 wrote to memory of 4996	2664	Dodbbdbb.exe	93
PID 2664 wrote to memory of 4996	2664	Dodbbdbb.exe	93
PID 4996 wrote to memory of 4432	4996	Deokon32.exe	94
PID 4996 wrote to memory of 4432	4996	Deokon32.exe	94
PID 4996 wrote to memory of 4432	4996	Deokon32.exe	94
PID 4432 wrote to memory of 4704	4432	Dfpgffpm.exe	95
PID 4432 wrote to memory of 4704	4432	Dfpgffpm.exe	95
PID 4432 wrote to memory of 4704	4432	Dfpgffpm.exe	95
PID 4704 wrote to memory of 3360	4704	Dogogcpo.exe	96
PID 4704 wrote to memory of 3360	4704	Dogogcpo.exe	96
PID 4704 wrote to memory of 3360	4704	Dogogcpo.exe	96
PID 3360 wrote to memory of 1628	3360	Deagdn32.exe	98
PID 3360 wrote to memory of 1628	3360	Deagdn32.exe	98
PID 3360 wrote to memory of 1628	3360	Deagdn32.exe	98
PID 1628 wrote to memory of 3992	1628	Dhocqigp.exe	99
PID 1628 wrote to memory of 3992	1628	Dhocqigp.exe	99
PID 1628 wrote to memory of 3992	1628	Dhocqigp.exe	99
PID 3992 wrote to memory of 4840	3992	Dknpmdfc.exe	100
PID 3992 wrote to memory of 4840	3992	Dknpmdfc.exe	100
PID 3992 wrote to memory of 4840	3992	Dknpmdfc.exe	100

C:\Users\Admin\AppData\Local\Temp\ec094a16f1ffc5c421f04bdc72e80ea0N.exe
"C:\Users\Admin\AppData\Local\Temp\ec094a16f1ffc5c421f04bdc72e80ea0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\Cegdnopg.exe
  C:\Windows\system32\Cegdnopg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\SysWOW64\Dfiafg32.exe
    C:\Windows\system32\Dfiafg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Windows\SysWOW64\Djdmffnn.exe
      C:\Windows\system32\Djdmffnn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
      - C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 408
        17⤵
        Program crash
        
        PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4840 -ip 4840
1⤵
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
92KB

MD5
0eb07cea368b084f2a1b25d930944a3e

SHA1
b7bd1b21c122c6e7839b4ca10e422f7fad5f4939

SHA256
e47ba78289ac027472f6e94e05884ae9ab62d0b88b1311a32531a033294c1af9

SHA512
c85649216f72f9eeee20d2f10c5e5735c2a73a5727055544b1227142a9566fa705b9c13a3686ea177c1f1071724feb97fc1681bd842719702a946b73ee0bb5ca

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
92KB

MD5
7824981bf36c13383e68716afa3b11d9

SHA1
0c9e23488dd5f1b61872660ee82feedc36ec0ff6

SHA256
db2227d0a0a9508e324b6a8b93140e0c497b9d19d46630e9116ffe7911355f38

SHA512
5463b66cac76f9e4c39ad08cd6407920d00b0b17e950563c36a8ba3297014512e91db484aba661e82c71027f9a9f02c54c5f499d787b49f3f22879200c4e7b1d

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
92KB

MD5
b488401b858c94291df2c5adb976fe60

SHA1
c4da58c5e8220a0cf88edc687b2a3e6677f262c6

SHA256
35aa4ecf96053556b060021647d8e88659f9f06a1e6d43081814522190fd7528

SHA512
f648dccae5c731a6981f4227426a5f0f210a74fac34e5db7f995e0a62593d958505f2e8b87371002dd58de8892b1aa45c1a4a3509738adf762450418b894919e

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
92KB

MD5
fce0c5b4ecb3c4f469966aa2c0e2363e

SHA1
06a087cf1a86261d946b2fd26ec42dacfad98eb0

SHA256
678273916651eb4118491baad15fb6aafed05378b5e57c1e93ea071c00c9eab2

SHA512
fbb035235801fa36180ed01483f897280e873a39a78f6e7e91b5c59abc941177b2652f859a3bcf49d700c9678b25ae0eae274eccf288c610eb5b1c18c57364e6

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
92KB

MD5
cf04624d4e10602de31b2c118f843cac

SHA1
d3e10e64d89779f377ad1357f78db29ad1f9cbe2

SHA256
cf28803efea771aada306183b93aff76dcb98d1afae22d45c037f2d5503db728

SHA512
3f4fe3a85cb4622f94dbbbef7c263dc952c733c476730e06343ca486a577248f332222eceff25f4284d419070436d319a42ac029df89984342071c2ad8537f30

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
92KB

MD5
715874bf429950144e807ceb77bc63b3

SHA1
431df9e742dd731ac569f374ef4e33bbe6416ff3

SHA256
00b26fbd65aadee71a4b93dd3cbe4765ce860a6ceb3e10ace44771a8567ca73b

SHA512
372ad6843d1f153b62b695a41b91d1e559743654a48001625233f77de84bef1fdf887edb588c141c09c64077de5fe5c3850d6ef7ae1dfa69e1ab4f5786355763

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
92KB

MD5
675436d1922b7c278891d1ddb4e57ced

SHA1
99958a1e968ef25e21041b3c79dd44f660b39da0

SHA256
629d31366bb805f5bd2ba3d693687af16f378e3a56725ab0af2edee0633a4a0e

SHA512
fcdc065310685a981f2b8f7699a6763390daca5b233f9b9280ffe8cffe0789c0e63ef50802f2a380efb00b9d00f12ad860e2caeae5e358f76bfec43ff10f64d6

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
92KB

MD5
3b5aabaec8e31b019cd109ec0e538d15

SHA1
82cc9fdab08ea163607e6f4f0e2174bbc3d2ad51

SHA256
93f7714f749113e52403e599854ccfe17237f48a471999f0f119effd0ea5b274

SHA512
7962ac23625e3b8eb14e7b5d5b070bc3d72c8e5fc5a7b30e0f2399b6cf5bfcaa1756dea45b64a8a41a6fc20d0ae3fe7770698679cccb931c5933c648e458bc5f

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
92KB

MD5
61397877455229caccc4f661107d33a4

SHA1
90fc051e97af222313779eaca8198012216e4556

SHA256
1764536a8383574ea59ae540978a5fc361cd5956b7bdee4124f9ddc71e47af7a

SHA512
69fe6aa13f0aea1421751e01e99edecc6dd13975d9605fa4b417c669e0bea466055013cfcb4ff80f7ba05300c9ca579ed268e9469537da862844fc03b7c800ec

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
92KB

MD5
29fede12de3fd940467d71e02d8ca71d

SHA1
5614d7bf4abb5116eb1fa5b40a1ab8feae9a58bf

SHA256
2c1db30c5fe70157bc12c44a36a7fd4d8b5692c1917f0dd65ddc809cce2ae835

SHA512
bdf047e4e1845d47d78fe594d73c609de184d294684873cfe5ff38c0971e6f69c2563f7a96454ccec71d794f6b18bbadf8924f6cbbd966ce58c37cc9c10a5577

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
92KB

MD5
e309e76484998d3ddac127273abcaf94

SHA1
d99feada652dd36c186b4500e04c0bae8da3d712

SHA256
a85f750eaf72fb1fd64886938ddf464b88ec8b69d0fbda1379cc754c8a4c8899

SHA512
ef9b44e2c1f5b8c41306a164aff52d350993193dd12121dcab3095582c835970e8dd49c123598a6b95a8260ac86c21507d1a1be38dae5dd72a61b9c83385dd85

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
92KB

MD5
fb3f9bddc76a187ff6b42301d9180421

SHA1
f887fc5161c5f26cd3a756f41a2dc1dc586e0a94

SHA256
1693efccf84a8d352d9a2f797d2f258b0644baabee0d12a6776fa46ff8d05743

SHA512
062fa7c3eae19738d3fcc9c91b2f51bce5151277f7ec8391b9cfcfc022fc8cba529efd252d1f34ca68ed0862743f9ecc447eaaf91f615be289f76843d57160d3

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
92KB

MD5
304cdf45db76b10e374ad6189c80cc28

SHA1
bb28a2e8ba9d7014cd7fc74717634c9fb84a7d42

SHA256
bacd31d5777290af08611a69cb3634fff3b8e477d308e5572a9009686e703416

SHA512
f8ee2e191e019d2da5ae6a3ef7d6e956223b3e38d5be3f9ca0c88471a1bbfc927690f23afbcaa05d6df4d6d97f5a09a58f1dff45d1e6bd3e48d0da713d8ef164

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
92KB

MD5
e78b0088a123f6bdc3891697029f834c

SHA1
a3fc30b61e3b619f6d4cfce1a6a29d0f556a4a3c

SHA256
b6e7a10836aa6a989aa659e3b39407ec52062330750bcb7bef11aecb07f46ba1

SHA512
1c8ec787fbac01969abcbc7311143a82f47f43fc6d307aebdc715b33c9344a0e84bfe3ad5ebcf5c39faae8900eb8c1d1ffeb5fe4f1a132e805fc6cff2ef8ab57

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
92KB

MD5
1c8803111b8beadcfd79cb203fb97df3

SHA1
800e9e14b7fa4477be4979ee3ffd08eced88efa7

SHA256
0c9c90438feb77fad830574e1fc5e9e3de20deb97aed1d05ebe79cbbb150a423

SHA512
7a21512d22b90e222b617eea5f814b8b19a2491c0b51332f7bf5a5e22e516081be0e52a74b8c777dd4d7c430688f1dfa5415b249e28ec8340ca5445f0122b2cf

Download Submit
memory/432-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/432-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1320-130-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1320-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-124-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1688-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1688-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1688-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2664-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2664-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2680-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2680-132-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3340-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3340-131-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3360-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3360-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3992-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3992-123-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3996-134-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3996-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4168-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4168-133-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4432-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4432-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4704-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4704-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4724-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4840-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4840-122-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4996-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4996-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads