4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5

General

Target

4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe
Size

3.0MB
MD5

3eabe0c8fdb9c9504a49a4b254a4ab4a
SHA1

2f31e7fe85a1da78252244d35ef88e9ebd6b8044
SHA256

4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5
SHA512

1a76873ab9ad57e8c9c2fe62508e0c00c177c4fea83d950d86f598159915deb0aba28bbc14cc1c356345fc26bc80c6853aab5fdbb7d1179133ef363c564ebf58
SSDEEP

49152:JbcQfgNtugfBlutOkVGGPcDEwi9T/udEizEE5Yji088O2axeUC2KdMX:Jb/EtuellkVGGkDEwi97nizei08v6

Score

8^/10

discovery persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 3 IoCs

Processes:

4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exerundll32.exerundll32.exe

pid process

1640 4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe
2800 rundll32.exe
4100 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

Processes:

4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe

description	ioc	process
File created	C:\Program Files (x86)\AppendEngine\AppendEngine.dll	4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe

Modifies data under HKEY_USERS 53 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\37b7a6d8 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\51d2f2ea = "PPAl/Y//GPAj/XP/QPAj/Xb/HPAj/XJ////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\6185d035 = "Vx/2/Cx/V//l////"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\65114b36 = "VP/l////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\e46c271e = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\1c311243 = "GxAp/X2/FPAm/X6/FlAu/XD/ax/j/Xt/axAv/X6////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\c24899a6 = "VP/g/CV/Vl/2/Cx////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\d1abcdb6 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\f0bf0bde = "///%"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\00000000\a47da861 = 6f00300031004f0030003700780030006d00300030004b003000320045003000610055003100670030003600450030006e006c0031004f0030003600740030006a00300031004f00300036004f0030006d0055003100670030003200490030006f0078003100530030003600710030006e0055003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100670030003600450030006e006c0031004f0030003600740030006a00300031004f00300036004f0030006d0055003100670030003200490030006f007800310053003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100590030003600450030006d006c003100680030003600340030006d006c0031004f0030003700380030007000780031004e0030003600450030006900780031004d0030003600620030007000780031004e0030003200490030006f0078003100530030003600710030006e0055003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100590030003600450030006d006c003100680030003600340030006d006c0031004f0030003700380030007000780031004e0030003600450030006900780031004d0030003600620030007000780031004e0030003200490030006f007800310053003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100680030003600680030006d006c0031002b003000360062003000690030003100550030003600340030006d006c0031004e0030003600740030006d006c003000530030003600680030006e006c003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100680030003600680030006d006c0031002b003000360062003000690030003100550030003600340030006d006c0031004e0030003600740030006d006c003000530030003600680030006e006c00310041003000360045003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100410030003600680030006e006c0031002b00300036007800300071006c003100440030003700780030006d0030003100540030003700620030006f00780031004f0030003600680030006e0055003100530030003200490030006f007800310053003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100440030003600490030006d00550031004f0030003600340030006e006c003100670030003600740030006900550031004d0030003600340030006d0030003000530030003600490030007000780031004f003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100670030003600450030006e006c0031004f0030003600740030006a00300031004f0030003600550030006f00780031004e00300037007800300061006c0031004400300036004900300070006c00310054003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100670030003600450030006e006c0031004f0030003600740030006a00300031004f0030003600550030006f00780031004e00300037007800300061006c00310053003000360074003000690030003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\f1f24e29 = "Vl/l/C/////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\fe94ce1e = "V/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\340d3099 = "/P////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\72758a5d = "///%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\00000000\493c7345 = 6d0030003100650030003700380030006d00550031002b0030003700380030006d00550031002b00300036003400300061006c0031004400300036004900300070006c00310054003000300025002500000070006c00310044003000360049003000710078003100590030003600450030007100550031002b0030003600340030006e006c003000530030003600620030006e00550031005a00300030002500250000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\a2e3b941 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\c99a5f5c = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\38583bc3 = "Ml/2/CF/M//g/CZ////%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\2d71d5ab = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\2e22d94e = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\c5705860 = "Vx////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\c6c5dd44 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\7f69fa1f = "///%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\27ddcf6f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\bbf88800 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\0c230bcb = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\414bc593 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\e8f9dcc7 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\f2c53c49 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\iiid = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\0e93c3f3 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\1520c6f1 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\7367429f = "///%"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\00000000\370856c7 = 00000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\00000000\3efeb33e = 00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\060df2cd = "GlAu/YP/c/Au/YZ/GxAp/YZ/GP/j/Xt/axAv/X6////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\587b5709 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\a1dcff5b = "V/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\d94388d2 = "GxAp/X2/FPAm/X6/FlAu/XD/ax/j/Xt/axAv/X6////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\3c09c42b = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\a0743acc = "N/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\f6ad6fa6 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\0dc3ee96 = "/P////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\48bd1aff = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_6e922691\eae10f9d\8b9e4cbc = "V/////%%"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe

pid	process
1640	4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe
1640	4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe
1640	4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe
1640	4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe
1640	4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe
1640	4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exerundll32.exe

description	pid	process	target process
PID 1640 wrote to memory of 2800	1640	4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe	rundll32.exe
PID 1640 wrote to memory of 2800	1640	4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe	rundll32.exe
PID 1640 wrote to memory of 2800	1640	4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe	rundll32.exe
PID 2812 wrote to memory of 4100	2812	rundll32.exe	rundll32.exe
PID 2812 wrote to memory of 4100	2812	rundll32.exe	rundll32.exe
PID 2812 wrote to memory of 4100	2812	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe
"C:\Users\Admin\AppData\Local\Temp\4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\AppendEngine\AppendEngine.dll",serv -install
2⤵
- Loads dropped DLL
PID:2800

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\AppendEngine\AppendEngine.dll",serv
1⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\AppendEngine\AppendEngine.dll",serv
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AppendEngine\AppendEngine.dll
Filesize
2.2MB

MD5
b70d3272da0081dede963b302e5387e2

SHA1
3a6dbc438b5075290872dfdd92fedb3e0bf071f7

SHA256
d488373d7e54b10280f3796fc07ba156b2275d985e8a5f674045ca1d2289d875

SHA512
9b6b9be0e3923cfde1484b9ffae0a164030206dd1cfadd5cdd19e463f856564fefb97fdbf6b2613f37782250768183880d3c0b8460c5657fa463e1bd4d497dd8

Download Submit
C:\Program Files (x86)\AppendEngine\AppendEngine.dll
Filesize
2.2MB

MD5
b70d3272da0081dede963b302e5387e2

SHA1
3a6dbc438b5075290872dfdd92fedb3e0bf071f7

SHA256
d488373d7e54b10280f3796fc07ba156b2275d985e8a5f674045ca1d2289d875

SHA512
9b6b9be0e3923cfde1484b9ffae0a164030206dd1cfadd5cdd19e463f856564fefb97fdbf6b2613f37782250768183880d3c0b8460c5657fa463e1bd4d497dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tf7bc45eee.dll
Filesize
2.2MB

MD5
b70d3272da0081dede963b302e5387e2

SHA1
3a6dbc438b5075290872dfdd92fedb3e0bf071f7

SHA256
d488373d7e54b10280f3796fc07ba156b2275d985e8a5f674045ca1d2289d875

SHA512
9b6b9be0e3923cfde1484b9ffae0a164030206dd1cfadd5cdd19e463f856564fefb97fdbf6b2613f37782250768183880d3c0b8460c5657fa463e1bd4d497dd8

Download Submit
\??\c:\Program Files (x86)\AppendEngine\AppendEngine.dll
Filesize
2.2MB

MD5
b70d3272da0081dede963b302e5387e2

SHA1
3a6dbc438b5075290872dfdd92fedb3e0bf071f7

SHA256
d488373d7e54b10280f3796fc07ba156b2275d985e8a5f674045ca1d2289d875

SHA512
9b6b9be0e3923cfde1484b9ffae0a164030206dd1cfadd5cdd19e463f856564fefb97fdbf6b2613f37782250768183880d3c0b8460c5657fa463e1bd4d497dd8

Download Submit
memory/1640-133-0x000000007F900000-0x000000007FC50000-memory.dmp

Filesize
3.3MB

Download
memory/1640-139-0x000000007F450000-0x000000007F7A8000-memory.dmp

Filesize
3.3MB

Download
memory/2800-144-0x0000000000000000-mapping.dmp

Download
memory/2800-147-0x000000007F870000-0x000000007FBC8000-memory.dmp

Filesize
3.3MB

Download
memory/4100-152-0x0000000000000000-mapping.dmp

Download
memory/4100-154-0x000000007F830000-0x000000007FB88000-memory.dmp

Filesize
3.3MB

Download

pid	process
1640	4d236c59fdc9f216627fc36d778bb91c57a30e5c8b353596d33c3a207cf7a0b5.exe
2800	rundll32.exe
4100	rundll32.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads