d80efac3459a08640fffe783a9593d7be31f455cab0f37e48fb017c44cc8b93a

Analysis

max time kernel
112s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e103da0e1756560428447cbfee15eb20N.exe
Size

1024KB
MD5

e103da0e1756560428447cbfee15eb20
SHA1

32b976cf5fc80dc068d393b51c557fbdc987d9cb
SHA256

d80efac3459a08640fffe783a9593d7be31f455cab0f37e48fb017c44cc8b93a
SHA512

6eb854588fa0deb94d9deb4e2eafa8efac6c273c81ce21889d0a2b07d65e291aecefc2b4c44ed4799996d51b05cf4f2f45101f11d63cc461f471fd6dbab2ec7f
SSDEEP

12288:mIEqBhWkY660fIaDZkY660f8jTK/XhdAwlt01PBExKN4P6IfKTLR+6CwUkEoH:mIPBYgsaDZgQjGkwlks/6HnEO

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e103da0e1756560428447cbfee15eb20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdikch32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnhblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjjmgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imblii32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jklbed32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdikch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdkhihdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imkfhj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijofbnlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jklbed32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcceqa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjmgo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcidofcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijofbnlm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iglmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hahbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imblii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnhblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcidofcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iglmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e103da0e1756560428447cbfee15eb20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcceqa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdkhihdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imkfhj32.exe

Executes dropped EXE 13 IoCs

pid	Process
2944	Gcceqa32.exe
2500	Hahbam32.exe
1424	Hdikch32.exe
2288	Hdkhihdn.exe
2704	Hjjmgo32.exe
2292	Imkfhj32.exe
2620	Ijofbnlm.exe
2616	Imblii32.exe
2096	Iglmjf32.exe
2212	Jnhblp32.exe
2440	Jklbed32.exe
1680	Jcidofcf.exe
2920	Jppedg32.exe

Loads dropped DLL 30 IoCs

pid	Process
2524	e103da0e1756560428447cbfee15eb20N.exe
2524	e103da0e1756560428447cbfee15eb20N.exe
2944	Gcceqa32.exe
2944	Gcceqa32.exe
2500	Hahbam32.exe
2500	Hahbam32.exe
1424	Hdikch32.exe
1424	Hdikch32.exe
2288	Hdkhihdn.exe
2288	Hdkhihdn.exe
2704	Hjjmgo32.exe
2704	Hjjmgo32.exe
2292	Imkfhj32.exe
2292	Imkfhj32.exe
2620	Ijofbnlm.exe
2620	Ijofbnlm.exe
2616	Imblii32.exe
2616	Imblii32.exe
2096	Iglmjf32.exe
2096	Iglmjf32.exe
2212	Jnhblp32.exe
2212	Jnhblp32.exe
2440	Jklbed32.exe
2440	Jklbed32.exe
1680	Jcidofcf.exe
1680	Jcidofcf.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hahbam32.exe	Gcceqa32.exe
File opened for modification	C:\Windows\SysWOW64\Hahbam32.exe	Gcceqa32.exe
File opened for modification	C:\Windows\SysWOW64\Hdikch32.exe	Hahbam32.exe
File created	C:\Windows\SysWOW64\Imkfhj32.exe	Hjjmgo32.exe
File created	C:\Windows\SysWOW64\Iglmjf32.exe	Imblii32.exe
File created	C:\Windows\SysWOW64\Qdnmpfdg.dll	Jnhblp32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjmgo32.exe	Hdkhihdn.exe
File created	C:\Windows\SysWOW64\Ibeombli.dll	Ijofbnlm.exe
File created	C:\Windows\SysWOW64\Jklbed32.exe	Jnhblp32.exe
File created	C:\Windows\SysWOW64\Meepac32.dll	Hdikch32.exe
File created	C:\Windows\SysWOW64\Hdnppf32.dll	Hjjmgo32.exe
File created	C:\Windows\SysWOW64\Jppedg32.exe	Jcidofcf.exe
File created	C:\Windows\SysWOW64\Mplcca32.dll	e103da0e1756560428447cbfee15eb20N.exe
File created	C:\Windows\SysWOW64\Piajea32.dll	Gcceqa32.exe
File created	C:\Windows\SysWOW64\Hdikch32.exe	Hahbam32.exe
File opened for modification	C:\Windows\SysWOW64\Hdkhihdn.exe	Hdikch32.exe
File opened for modification	C:\Windows\SysWOW64\Imkfhj32.exe	Hjjmgo32.exe
File opened for modification	C:\Windows\SysWOW64\Jklbed32.exe	Jnhblp32.exe
File created	C:\Windows\SysWOW64\Hdkhihdn.exe	Hdikch32.exe
File created	C:\Windows\SysWOW64\Onelkh32.dll	Hdkhihdn.exe
File created	C:\Windows\SysWOW64\Ijofbnlm.exe	Imkfhj32.exe
File opened for modification	C:\Windows\SysWOW64\Iglmjf32.exe	Imblii32.exe
File created	C:\Windows\SysWOW64\Lmnennln.dll	Jcidofcf.exe
File opened for modification	C:\Windows\SysWOW64\Gcceqa32.exe	e103da0e1756560428447cbfee15eb20N.exe
File created	C:\Windows\SysWOW64\Cdbfahdg.dll	Imkfhj32.exe
File opened for modification	C:\Windows\SysWOW64\Imblii32.exe	Ijofbnlm.exe
File created	C:\Windows\SysWOW64\Nhmlcoqf.dll	Iglmjf32.exe
File opened for modification	C:\Windows\SysWOW64\Jcidofcf.exe	Jklbed32.exe
File created	C:\Windows\SysWOW64\Alhgml32.dll	Jklbed32.exe
File created	C:\Windows\SysWOW64\Feqkhl32.dll	Hahbam32.exe
File created	C:\Windows\SysWOW64\Hjjmgo32.exe	Hdkhihdn.exe
File created	C:\Windows\SysWOW64\Imblii32.exe	Ijofbnlm.exe
File created	C:\Windows\SysWOW64\Fpkdloal.dll	Imblii32.exe
File created	C:\Windows\SysWOW64\Jnhblp32.exe	Iglmjf32.exe
File opened for modification	C:\Windows\SysWOW64\Jppedg32.exe	Jcidofcf.exe
File created	C:\Windows\SysWOW64\Gcceqa32.exe	e103da0e1756560428447cbfee15eb20N.exe
File opened for modification	C:\Windows\SysWOW64\Ijofbnlm.exe	Imkfhj32.exe
File opened for modification	C:\Windows\SysWOW64\Jnhblp32.exe	Iglmjf32.exe
File created	C:\Windows\SysWOW64\Jcidofcf.exe	Jklbed32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
900	2920	WerFault.exe	41

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijofbnlm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iglmjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jklbed32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdikch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdkhihdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjjmgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imblii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcidofcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jppedg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcceqa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hahbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imkfhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnhblp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e103da0e1756560428447cbfee15eb20N.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcceqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hahbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcidofcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imblii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iglmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmlcoqf.dll"	Iglmjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnhblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnennln.dll"	Jcidofcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	e103da0e1756560428447cbfee15eb20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcceqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meepac32.dll"	Hdikch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e103da0e1756560428447cbfee15eb20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hdikch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imkfhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbfahdg.dll"	Imkfhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibeombli.dll"	Ijofbnlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imblii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcidofcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e103da0e1756560428447cbfee15eb20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hdkhihdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imkfhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jklbed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piajea32.dll"	Gcceqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feqkhl32.dll"	Hahbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onelkh32.dll"	Hdkhihdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjjmgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkdloal.dll"	Imblii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iglmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mplcca32.dll"	e103da0e1756560428447cbfee15eb20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hdikch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hdkhihdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijofbnlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdnmpfdg.dll"	Jnhblp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e103da0e1756560428447cbfee15eb20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hahbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjjmgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnhblp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jklbed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhgml32.dll"	Jklbed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	e103da0e1756560428447cbfee15eb20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdnppf32.dll"	Hjjmgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijofbnlm.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2944	2524	e103da0e1756560428447cbfee15eb20N.exe	29
PID 2524 wrote to memory of 2944	2524	e103da0e1756560428447cbfee15eb20N.exe	29
PID 2524 wrote to memory of 2944	2524	e103da0e1756560428447cbfee15eb20N.exe	29
PID 2524 wrote to memory of 2944	2524	e103da0e1756560428447cbfee15eb20N.exe	29
PID 2944 wrote to memory of 2500	2944	Gcceqa32.exe	30
PID 2944 wrote to memory of 2500	2944	Gcceqa32.exe	30
PID 2944 wrote to memory of 2500	2944	Gcceqa32.exe	30
PID 2944 wrote to memory of 2500	2944	Gcceqa32.exe	30
PID 2500 wrote to memory of 1424	2500	Hahbam32.exe	31
PID 2500 wrote to memory of 1424	2500	Hahbam32.exe	31
PID 2500 wrote to memory of 1424	2500	Hahbam32.exe	31
PID 2500 wrote to memory of 1424	2500	Hahbam32.exe	31
PID 1424 wrote to memory of 2288	1424	Hdikch32.exe	32
PID 1424 wrote to memory of 2288	1424	Hdikch32.exe	32
PID 1424 wrote to memory of 2288	1424	Hdikch32.exe	32
PID 1424 wrote to memory of 2288	1424	Hdikch32.exe	32
PID 2288 wrote to memory of 2704	2288	Hdkhihdn.exe	33
PID 2288 wrote to memory of 2704	2288	Hdkhihdn.exe	33
PID 2288 wrote to memory of 2704	2288	Hdkhihdn.exe	33
PID 2288 wrote to memory of 2704	2288	Hdkhihdn.exe	33
PID 2704 wrote to memory of 2292	2704	Hjjmgo32.exe	34
PID 2704 wrote to memory of 2292	2704	Hjjmgo32.exe	34
PID 2704 wrote to memory of 2292	2704	Hjjmgo32.exe	34
PID 2704 wrote to memory of 2292	2704	Hjjmgo32.exe	34
PID 2292 wrote to memory of 2620	2292	Imkfhj32.exe	35
PID 2292 wrote to memory of 2620	2292	Imkfhj32.exe	35
PID 2292 wrote to memory of 2620	2292	Imkfhj32.exe	35
PID 2292 wrote to memory of 2620	2292	Imkfhj32.exe	35
PID 2620 wrote to memory of 2616	2620	Ijofbnlm.exe	36
PID 2620 wrote to memory of 2616	2620	Ijofbnlm.exe	36
PID 2620 wrote to memory of 2616	2620	Ijofbnlm.exe	36
PID 2620 wrote to memory of 2616	2620	Ijofbnlm.exe	36
PID 2616 wrote to memory of 2096	2616	Imblii32.exe	37
PID 2616 wrote to memory of 2096	2616	Imblii32.exe	37
PID 2616 wrote to memory of 2096	2616	Imblii32.exe	37
PID 2616 wrote to memory of 2096	2616	Imblii32.exe	37
PID 2096 wrote to memory of 2212	2096	Iglmjf32.exe	38
PID 2096 wrote to memory of 2212	2096	Iglmjf32.exe	38
PID 2096 wrote to memory of 2212	2096	Iglmjf32.exe	38
PID 2096 wrote to memory of 2212	2096	Iglmjf32.exe	38
PID 2212 wrote to memory of 2440	2212	Jnhblp32.exe	39
PID 2212 wrote to memory of 2440	2212	Jnhblp32.exe	39
PID 2212 wrote to memory of 2440	2212	Jnhblp32.exe	39
PID 2212 wrote to memory of 2440	2212	Jnhblp32.exe	39
PID 2440 wrote to memory of 1680	2440	Jklbed32.exe	40
PID 2440 wrote to memory of 1680	2440	Jklbed32.exe	40
PID 2440 wrote to memory of 1680	2440	Jklbed32.exe	40
PID 2440 wrote to memory of 1680	2440	Jklbed32.exe	40
PID 1680 wrote to memory of 2920	1680	Jcidofcf.exe	41
PID 1680 wrote to memory of 2920	1680	Jcidofcf.exe	41
PID 1680 wrote to memory of 2920	1680	Jcidofcf.exe	41
PID 1680 wrote to memory of 2920	1680	Jcidofcf.exe	41
PID 2920 wrote to memory of 900	2920	Jppedg32.exe	42
PID 2920 wrote to memory of 900	2920	Jppedg32.exe	42
PID 2920 wrote to memory of 900	2920	Jppedg32.exe	42
PID 2920 wrote to memory of 900	2920	Jppedg32.exe	42

C:\Users\Admin\AppData\Local\Temp\e103da0e1756560428447cbfee15eb20N.exe
"C:\Users\Admin\AppData\Local\Temp\e103da0e1756560428447cbfee15eb20N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\Gcceqa32.exe
  C:\Windows\system32\Gcceqa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\Hahbam32.exe
    C:\Windows\system32\Hahbam32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\SysWOW64\Hdikch32.exe
      C:\Windows\system32\Hdikch32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Windows\SysWOW64\Hdkhihdn.exe
        
        C:\Windows\system32\Hdkhihdn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - C:\Windows\SysWOW64\Hjjmgo32.exe
        
        C:\Windows\system32\Hjjmgo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Imkfhj32.exe
        
        C:\Windows\system32\Imkfhj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Ijofbnlm.exe
        
        C:\Windows\system32\Ijofbnlm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Imblii32.exe
        
        C:\Windows\system32\Imblii32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Iglmjf32.exe
        
        C:\Windows\system32\Iglmjf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Jnhblp32.exe
        
        C:\Windows\system32\Jnhblp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Jklbed32.exe
        
        C:\Windows\system32\Jklbed32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Jcidofcf.exe
        
        C:\Windows\system32\Jcidofcf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Jppedg32.exe
        
        C:\Windows\system32\Jppedg32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 140
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hdkhihdn.exe

Filesize
1024KB

MD5
dc64ddbec7ea8ebd1ccaaef8a4a99490

SHA1
ae8889900bbbffc2a91c05c588f9c525435c97a4

SHA256
eb67d8108dfd076524772e21b5f2b5fd3e442d1ae1ae149f2bb5e94149bd0765

SHA512
7f0b158147b6899802df6dd32b24f731e6abebb000946326706c6777740a678d32fec37483ea4ada3850aface3a5dc87095b97ed091f65d7bbbdc2bda5d4bf06

Download Submit
C:\Windows\SysWOW64\Onelkh32.dll

Filesize
7KB

MD5
173e45ada629da73246ee1b8cb989484

SHA1
99e6f5bf54a24adc566fd1b21b19409a65d1403f

SHA256
7d2eb632efbe6a2a185114ee316196bdaf7ba84f5f24b064d55c6b7c5699c264

SHA512
60b832669249fb784161cb7759f8c91cfac45c5e11491f24e8b074a1a88a3b76111217d54beff292dd9ef96f80e5f1267fc7b701d3b269493390054ed84b4e6f

Download Submit
\Windows\SysWOW64\Gcceqa32.exe

Filesize
1024KB

MD5
d74863d2665649a8fca5dee49ee6c0b0

SHA1
d1a177651bb472f3908faa9445ba4a19299b4329

SHA256
0582e3c000abf60c568c98c84060eef3d75b8f30fa89be8da2efe8bddd20263c

SHA512
e3963d2c8d7b4cf5344396ae1b3b5b67bbf1ec7404aa09f719067898a99b5b97295f3a2125d9a627b2481d09fe1a0dfb532ee634cf9669473550ecfce8987b7b

Download Submit
\Windows\SysWOW64\Hahbam32.exe

Filesize
1024KB

MD5
5591c2fe63da400b52bf82d2a7801466

SHA1
007798ad95dd6be219a1507a8af5d29fcf493bad

SHA256
707c03db7d5f3f45ee8748f862f2927a34fbaac9786cba8c7bc285943ce1018d

SHA512
add0c3a600946f4de43b048c5ade33cc79051e4a4d9599620c3176daae5efb3d8f15af22d257fdc973270246bc4f321d8c0815bf70dd50f7a2adb9543df80cd0

Download Submit
\Windows\SysWOW64\Hdikch32.exe

Filesize
1024KB

MD5
e5334b81260ae88808d617501563a767

SHA1
071402ded3c3dd2b1995b182ea37e12ce42eda16

SHA256
0ea05d586bc45c88bcdb2c206e66ad1168d8f046bd811ef102c7a2d2c6f341a4

SHA512
a1938fd552cc4b5bf3e91219c09bb69854f3d3debafb608c9ea0f7fdb9eee9031ba58f7ea0d2184e154347f21dba377b45d2f93028e492184962f4ed159e9e14

Download Submit
\Windows\SysWOW64\Hjjmgo32.exe

Filesize
1024KB

MD5
9ff1f2c952b773433c242405d6c97491

SHA1
38f35ee0dbdf7ad79eccea8cbeb4e2ff6a4f62ba

SHA256
564121e0d40eb840e8c4995cafeb77433744b64b220fd3c259cb3e74ed046208

SHA512
2c7ef1cf9f0907c7d109ff765ab3dd159d0ff6a8c963f88c6134bb9155742668b801ad00266d8bfe10dac9cb8cd8840188ce89ef3a238796509bd9343e514a77

Download Submit
\Windows\SysWOW64\Iglmjf32.exe

Filesize
1024KB

MD5
eca7bf6d1c60722a1af6b18cf00ff6cc

SHA1
65bbdf43260319b51513620fc6f003a3aa33fdf7

SHA256
f0499d575d4a313f75735a2480686e5bd205a00b74e9087450e60c2e46dd8028

SHA512
6f63cb39c00e1f584f40fd615dd60f2dcadd7252f6c9bc22c2842efff203d326cc62080cd0280b2739b5d99dcc60640829457522de49c15345082d74deb6981e

Download Submit
\Windows\SysWOW64\Ijofbnlm.exe

Filesize
1024KB

MD5
6acfbce04add7e445ffef093e9e342c9

SHA1
cfa5b119187ea0ad7deb6da7ba854c503c379314

SHA256
608f3f27d542277abaf244e52ab879826f10538612fecdbc970277668afea27a

SHA512
1c5d5380b7c6241b7beac7e003a1e2c3351df245acd9ecd9c26676f90991a899265e0daca250a9b1443c9a8eb5508a44c720016ac5ea8d4cb6d3e7ad18d8c7cd

Download Submit
\Windows\SysWOW64\Imblii32.exe

Filesize
1024KB

MD5
d170820556931df3249f568dd4d2fa55

SHA1
3bc2325d500b01b56ba2f17e3bc97a526b5403df

SHA256
a6649e72595e5b2429ad81b2eb50d54c904481e0599fcc60bbcb18e6545dc539

SHA512
dc6a344f8a73c485263a7346fc789330e15e62bcd207bdae63887c1a82dec15eac36585cc1d36885ce5efc337dc168f34ec4c362d12a2bc7814c76d04a9c7bb1

Download Submit
\Windows\SysWOW64\Imkfhj32.exe

Filesize
1024KB

MD5
b5947cff219fe53cd717c595022939ab

SHA1
8d0ddf41d4a1cbb971da1f9381d138596ad49001

SHA256
0a54c0d8c407b11e49e0421e3eb3656f3f9140702fc24910f8adaa44b8284304

SHA512
c04f1bbb49d1991172b5cf0c3eef91dea9042fd89a3359d4639650be0f3d5644d6f5b9a3aa09df3e7c574a0771406da8ed9ff7356b97cb40b8b4ea000594e6e3

Download Submit
\Windows\SysWOW64\Jcidofcf.exe

Filesize
1024KB

MD5
848e9cff39f6b1db4ac24880155c84d4

SHA1
086526c80c080c72f8bab830c4089c4a3ca1abe5

SHA256
e002057a90f0e73cf0f381d63879682ce5de8d8c71aa705fe10adcca4e20a5a7

SHA512
a17b27caff1bb1952c2cfd1a959752c58ec4f47193fbd7ea91ae73598fd130a63092839bc660242b341127d619cf943e2452ebf4a7e12b76dbe9ebb8e658b1d2

Download Submit
\Windows\SysWOW64\Jklbed32.exe

Filesize
1024KB

MD5
67f2fe88487fc4300edc7f3f1fb4bbb5

SHA1
9d6a2143825d47815fcd384d7ac75151d502f059

SHA256
135036f674875ccb4f44f19134d606ae014bc7d23a043da30d5c809eb9161186

SHA512
24e0ee85eb2461068ee0bbfae7b804de43263efe9fd69e8541f30307bb17f5676a22d74567364c92b20b3bdd5f4353331588357ce0d3b91031e003187f4c38e6

Download Submit
\Windows\SysWOW64\Jnhblp32.exe

Filesize
1024KB

MD5
fec7a83eb0d513ecf67602276bc60427

SHA1
ae5666e4943a0070238307eb788b6cc18f0a80bb

SHA256
bdb14dd2debef5039559cd4ee75be6bcdf9c1d969eabf087a60c3631530855c9

SHA512
610d009684f3ccf013049acf588f0b67e78c41db450fc6299462c03cc007388dc818c79667685f271821f720815ebfecf668edc29435e2b2a43d21dbac02373c

Download Submit
\Windows\SysWOW64\Jppedg32.exe

Filesize
1024KB

MD5
494b3235d6da76cde8e8dc8be3ffc86c

SHA1
7822a88b52f1bb479cb104d89a0a0398f93c2960

SHA256
bd6af015005cf275dd0ec920a3f728be3a91ecb267a483a4f032a6bdf6640d83

SHA512
a02ddfa3ff01ad93a43bd042c690027dd98cb7522730892dc98a1cbfc7f613045621129c8f4a5a87662fe719dbc0108abb25aed34fca1983684810420a8e951d

Download Submit
memory/1424-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1424-55-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1424-56-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1424-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-136-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2096-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-160-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2212-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-155-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2288-71-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2288-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-99-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2292-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-169-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2440-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-170-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2440-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-37-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2524-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-11-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2524-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-12-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2616-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-121-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2616-126-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2620-107-0x0000000001F90000-0x0000000001FC4000-memory.dmp

Filesize
208KB

Download
memory/2620-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-79-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2704-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-26-0x0000000000770000-0x00000000007A4000-memory.dmp

Filesize
208KB

Download
memory/2944-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-27-0x0000000000770000-0x00000000007A4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads