a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165af

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe
Size

88KB
MD5

5106ff3be1cde831ccac3f1c57eed0f0
SHA1

030adc2f4047638fb3f49b6ef7a8b6add99ce951
SHA256

a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165af
SHA512

23562e4e9f8efcfff31abc3e574128603f65d2a295091abacfb596b4b18177c9eea5899e07ff9f45eff6d281b72cff658818f68f27f162a2d8afa30fb8a66196
SSDEEP

1536:y7nMbyqgV1D0oFK8bWF07RZHwFL8QOVXtE1ukVd71rFZO7+90vi:y7yxCD0KK3F01ZILi9EIIJ15ZO7Va

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe

Executes dropped EXE 15 IoCs

pid	Process
4976	Cnnlaehj.exe
3988	Calhnpgn.exe
2456	Dfiafg32.exe
2372	Dopigd32.exe
1428	Dejacond.exe
1772	Dfknkg32.exe
1672	Dobfld32.exe
4704	Delnin32.exe
3320	Dfnjafap.exe
692	Dmgbnq32.exe
5076	Deokon32.exe
3612	Dogogcpo.exe
4884	Deagdn32.exe
1508	Dgbdlf32.exe
4360	Dmllipeg.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1512	4360	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 4976	1688	a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe	84
PID 1688 wrote to memory of 4976	1688	a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe	84
PID 1688 wrote to memory of 4976	1688	a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe	84
PID 4976 wrote to memory of 3988	4976	Cnnlaehj.exe	85
PID 4976 wrote to memory of 3988	4976	Cnnlaehj.exe	85
PID 4976 wrote to memory of 3988	4976	Cnnlaehj.exe	85
PID 3988 wrote to memory of 2456	3988	Calhnpgn.exe	86
PID 3988 wrote to memory of 2456	3988	Calhnpgn.exe	86
PID 3988 wrote to memory of 2456	3988	Calhnpgn.exe	86
PID 2456 wrote to memory of 2372	2456	Dfiafg32.exe	87
PID 2456 wrote to memory of 2372	2456	Dfiafg32.exe	87
PID 2456 wrote to memory of 2372	2456	Dfiafg32.exe	87
PID 2372 wrote to memory of 1428	2372	Dopigd32.exe	88
PID 2372 wrote to memory of 1428	2372	Dopigd32.exe	88
PID 2372 wrote to memory of 1428	2372	Dopigd32.exe	88
PID 1428 wrote to memory of 1772	1428	Dejacond.exe	89
PID 1428 wrote to memory of 1772	1428	Dejacond.exe	89
PID 1428 wrote to memory of 1772	1428	Dejacond.exe	89
PID 1772 wrote to memory of 1672	1772	Dfknkg32.exe	90
PID 1772 wrote to memory of 1672	1772	Dfknkg32.exe	90
PID 1772 wrote to memory of 1672	1772	Dfknkg32.exe	90
PID 1672 wrote to memory of 4704	1672	Dobfld32.exe	91
PID 1672 wrote to memory of 4704	1672	Dobfld32.exe	91
PID 1672 wrote to memory of 4704	1672	Dobfld32.exe	91
PID 4704 wrote to memory of 3320	4704	Delnin32.exe	92
PID 4704 wrote to memory of 3320	4704	Delnin32.exe	92
PID 4704 wrote to memory of 3320	4704	Delnin32.exe	92
PID 3320 wrote to memory of 692	3320	Dfnjafap.exe	93
PID 3320 wrote to memory of 692	3320	Dfnjafap.exe	93
PID 3320 wrote to memory of 692	3320	Dfnjafap.exe	93
PID 692 wrote to memory of 5076	692	Dmgbnq32.exe	94
PID 692 wrote to memory of 5076	692	Dmgbnq32.exe	94
PID 692 wrote to memory of 5076	692	Dmgbnq32.exe	94
PID 5076 wrote to memory of 3612	5076	Deokon32.exe	95
PID 5076 wrote to memory of 3612	5076	Deokon32.exe	95
PID 5076 wrote to memory of 3612	5076	Deokon32.exe	95
PID 3612 wrote to memory of 4884	3612	Dogogcpo.exe	96
PID 3612 wrote to memory of 4884	3612	Dogogcpo.exe	96
PID 3612 wrote to memory of 4884	3612	Dogogcpo.exe	96
PID 4884 wrote to memory of 1508	4884	Deagdn32.exe	97
PID 4884 wrote to memory of 1508	4884	Deagdn32.exe	97
PID 4884 wrote to memory of 1508	4884	Deagdn32.exe	97
PID 1508 wrote to memory of 4360	1508	Dgbdlf32.exe	98
PID 1508 wrote to memory of 4360	1508	Dgbdlf32.exe	98
PID 1508 wrote to memory of 4360	1508	Dgbdlf32.exe	98

C:\Users\Admin\AppData\Local\Temp\a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe
"C:\Users\Admin\AppData\Local\Temp\a2fc48c1d694d1dedd62e1268944b00e9871f1f8f6146b2dbc5f3673c9e165afN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\Cnnlaehj.exe
  C:\Windows\system32\Cnnlaehj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\Calhnpgn.exe
    C:\Windows\system32\Calhnpgn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Windows\SysWOW64\Dfiafg32.exe
      C:\Windows\system32\Dfiafg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
      - C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 396
        17⤵
        Program crash
        
        PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4360 -ip 4360
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
88KB

MD5
0acf78aba2340d5b3c3ad81ec684dd93

SHA1
aed2709d8e2daf1660b2c5ef74803458eafbe52e

SHA256
930c04e67465c4085f6a2d35f97085512822e4d0edcc05cc4be002497fbee891

SHA512
65532160ffe8c082a3699287110764f65db93f89258d121d30f793afd598a62f27daf52c18a57e4258925520b02edd4f038a7ec2dd3f58ce76c116d5dd38bf9e

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
88KB

MD5
9563adeace95676a7f06a522acaa4ff2

SHA1
6fd8c314b8d534410564dd6a0fb31d361dedbdea

SHA256
47845c1770ebfb6d87bee1b6e16bad2ceb2e85d9bdbac5499d0a6c523baa885a

SHA512
954d5e8e0092b5152b78c68da386785f5d1301640c385c033f60d7321a757d085101be3953f2432d55b778160de482402e186fe5d6e164a4eadbaa65cd65c7a9

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
88KB

MD5
9f9432205002b533bf50d693a1648f63

SHA1
f1ee422c1435583e2b4039e75f2e2ec934ee2656

SHA256
0e45a759f048009ed44444571bc9d3a7034a374ba248782c9ca916cb73748c5b

SHA512
ce30ce555a801c32e31ad3a4964bbda06133a499fb127ad5cf32b8f9f7a177783a198881697e6b92f7f822adc17169cb082f5d8acd59ffb99518de8a5def0946

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
88KB

MD5
ab5f6a3cc0d5a2cc97fd9485a484080a

SHA1
c7a49cc29abd174049e3318390748efcad12fda7

SHA256
3a903ba3a48bf93c9ac7a3a4d0842cd5c307cca133bd6d5f34128c1f83f2a443

SHA512
a72140d1815388b0f19e69f25d72cf79f1ec80b5a065ba6dc1a8eff69c4e45a4fddb4d7223a5c621d84ed8d0106359e53883a3edf3aecc9198392e7832374255

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
88KB

MD5
1cd6aabd96106218552bb6d4472e37dc

SHA1
891d82f59a8265a0a34a1fb975a2bf9a35673ecc

SHA256
f002e6be9dccbae7672f3c385ce59e5e1e520dc150fae38245b5e418f9555330

SHA512
697d879e9b1c246c1f1ccd960f7861d8876f33481e9a8dab9ba2fb3a1bacf4ffb3bdde8dbb5af581c31f26f84d47cd2df9849f725d7558ee6c5894804c643613

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
88KB

MD5
ee87baeadad8a5229beba09e2ff644ec

SHA1
59a5708faea17c63567abaa6dee65042431295de

SHA256
94923d9ea6842dfa0f6bbcc452d14012f7953c34a6fc2f764341dc0c780d11e3

SHA512
b02d8620498ef0dc80d78615f99f0b88033d8ad3fe094035507fb7beb56673dc7529fb5a7a25f22593bc6c0cda9c2fbf57ef017171d5d50eced3922e42622fd7

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
88KB

MD5
6d4478772b1c2adeadf03710eca81235

SHA1
84bb8bd559344b99e3abaa0217f48394368887b8

SHA256
21010f06b0c315268613a6bbd4ade71d5196c5bb87af0892a9abeb30d794dfb8

SHA512
73d4e733f5b7cc7718531fccfe67e1ba625b637090b66206b758df896991bcb115f837a035458b3eec6fcc3842a1bcf54cea7de2fb3183ae5ff2e1ac1aada71b

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
88KB

MD5
77934030217a6b9160333f1408bbf51f

SHA1
28d8de17a44970b3d755c26ac9ae63f32a0cd755

SHA256
e93955b57242bfa5097b725c4972a45589c49741dd8bb4190bad6621936d1e8b

SHA512
f9054d82a32748e69f7c9c399ddeaec722d5ad4d6bc80ff32213e561e2961c7b050f78f618f1a0facb6246b80753bbcce6effa5321e41035011141d0df5a5e24

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
88KB

MD5
1eb341f80bfd990184cba5690fc9d3b1

SHA1
768ef89bbdc49012cc3aac2ee34bc4ea95d13f2e

SHA256
2d99ce630e3b6d24d0f0850ecf4c497fcf60b2d1118b5bfd9fbcc9cd43de245a

SHA512
d8b3bde8ac5035e656b3790caa0f79d209a34f39d400524d00aead7e95f79b47c4fdf27a622a053d43976622c3da2bdc4cc7f7b278302337e25257e5b289e354

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
88KB

MD5
1cae914c44572e51bd8f9de5c940d633

SHA1
23a48fa8965f68e48e626e31768f997d1229c6cc

SHA256
e4edb59a013b985256ba405cc1ab552f290f6a68b23dc84d2657eecd2cdb3954

SHA512
202428a028df711a330b0d552715abe8c41ea9b8e6d0edae5ae272d438dea20d16ce9fedbdd2aaa0b05d15d15aba81cc1c4bf72256d706b9fccc297212df2fde

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
88KB

MD5
77fda0a937bcb0ccd7f6d226caf47f2f

SHA1
32a54ac6d0a7510b3abf446a87ecc5584ae64fd3

SHA256
45b7908cad0c8f90c8699867df893f4761a1da122601b1e892fc3ad233f16d43

SHA512
275d7211e90c17e89a0642b87ba7029117416965aaf6d7a4124fe1974343854a973c5b05e103426f07839d506ec4af45d26ce0634da9c8d14fe5240a6052cf5b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
88KB

MD5
350774381ad8e891de8957da5fc8c8ba

SHA1
f97bd403cef22045a48778e276297917c5a97ce7

SHA256
797ef11b4fc08b4366a9553b812b5d3098029de79c51a6e91f9291257518d8f3

SHA512
502808e1c6b13bd353bc36b965a00a6e2b025f221c57fcba09edd9e7343c5e92404d7dd4becd18d70dcd25d1d42dec056cf537175cd76a2e35c36c2055006905

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
88KB

MD5
90a10b14b88bb11d94f139f7e5c69c4a

SHA1
f617b30d8caf6e3a2c96a37c4c5c745d0d0955f1

SHA256
a4cbbc65402ff5b95188ec39abe230fe84c41b01ea4b46bfeed3ee3636058eab

SHA512
7fcd1d37bc6b2c8bf96bb71891764b0474e0d8358cb36e640add9e2f628e7e897cb978f4402a9ab37c5b10e3a8598cfa12756efef0b73ea1468a0fc4003ff227

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
88KB

MD5
3e54001f200840c0a4e85bcd1bce66c5

SHA1
cc238a304f09f04ea36da55b684ad21b1cccf39f

SHA256
46096446d2cbbc02adfa0202344400079ca097cf0f844c68e315fd104f0a214c

SHA512
84036c1591810c4552d09945fe1044e8526d9fac7f4f912063e9faa175dab2acfa48ecd98d2ff9caf61b4ad503c9ced921ded65339623c4a1b98ff497e4c0776

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
88KB

MD5
1b21ac2d412914091150d0464f60feb4

SHA1
eda10a97c4c323c4baa342d4210f6f1ea298f51d

SHA256
7963e647298f9838a1fdd0ae62898aa0bf06f3aafd8f8644085246f916fbd167

SHA512
54bce04ae372845b3525d13a2d7fed783ff2357c54df8990fbe7b9a4aea15922b8b36bf9191232b8c6c886c089512823c2c234298c9b1dbc63ad1d919e2b7a13

Download Submit
memory/692-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/692-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1428-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1428-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-123-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3988-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3988-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads