7b5ee47a6ea482e8142bb9aa4bff7e63dedbe045ee234da722a557d332b37b34

Analysis

max time kernel
112s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef51e1cfbb1d4768f9071a5311670df0N.exe
Size

60KB
MD5

ef51e1cfbb1d4768f9071a5311670df0
SHA1

29c1acd8b0e80972a79941f17248cace9cecb454
SHA256

7b5ee47a6ea482e8142bb9aa4bff7e63dedbe045ee234da722a557d332b37b34
SHA512

d9bf1a10c82ef2ba6e897690b918062f0974d64468c1351e855c54705ccd4d5a5bfcb8b3ef696d2a53549af3220fee63838034c73c8935e51c9c7ccfd8c8f84d
SSDEEP

1536:DeaNzAVaov3o1JmT+1jzoRdJlgbVdqKvOMFVCP0NFGr3A3pL6B86l1rs:vWaAM/7Li3A5L6B86l1rs

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmmffgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmchcnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enmnahnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ef51e1cfbb1d4768f9071a5311670df0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpiaipmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpiaipmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlpbna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebcmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enmnahnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emdhhdqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddbmcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlpbna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebappk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ef51e1cfbb1d4768f9071a5311670df0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmmffgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlboca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmchcnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emdhhdqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlboca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmiejji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djmiejji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddbmcb32.exe

Executes dropped EXE 13 IoCs

pid	Process
2888	Cjmmffgn.exe
2796	Cpiaipmh.exe
2720	Dlpbna32.exe
2616	Dlboca32.exe
3044	Ddmchcnd.exe
1720	Djmiejji.exe
2976	Ddbmcb32.exe
2160	Eddjhb32.exe
2928	Enmnahnm.exe
1772	Emdhhdqb.exe
2092	Ebappk32.exe
2232	Ebcmfj32.exe
2960	Flnndp32.exe

Loads dropped DLL 30 IoCs

pid	Process
2712	ef51e1cfbb1d4768f9071a5311670df0N.exe
2712	ef51e1cfbb1d4768f9071a5311670df0N.exe
2888	Cjmmffgn.exe
2888	Cjmmffgn.exe
2796	Cpiaipmh.exe
2796	Cpiaipmh.exe
2720	Dlpbna32.exe
2720	Dlpbna32.exe
2616	Dlboca32.exe
2616	Dlboca32.exe
3044	Ddmchcnd.exe
3044	Ddmchcnd.exe
1720	Djmiejji.exe
1720	Djmiejji.exe
2976	Ddbmcb32.exe
2976	Ddbmcb32.exe
2160	Eddjhb32.exe
2160	Eddjhb32.exe
2928	Enmnahnm.exe
2928	Enmnahnm.exe
1772	Emdhhdqb.exe
1772	Emdhhdqb.exe
2092	Ebappk32.exe
2092	Ebappk32.exe
2232	Ebcmfj32.exe
2232	Ebcmfj32.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cpiaipmh.exe	Cjmmffgn.exe
File created	C:\Windows\SysWOW64\Nceqcnpi.dll	Dlboca32.exe
File created	C:\Windows\SysWOW64\Ebappk32.exe	Emdhhdqb.exe
File opened for modification	C:\Windows\SysWOW64\Djmiejji.exe	Ddmchcnd.exe
File created	C:\Windows\SysWOW64\Olahgd32.dll	Ddbmcb32.exe
File opened for modification	C:\Windows\SysWOW64\Emdhhdqb.exe	Enmnahnm.exe
File opened for modification	C:\Windows\SysWOW64\Cjmmffgn.exe	ef51e1cfbb1d4768f9071a5311670df0N.exe
File opened for modification	C:\Windows\SysWOW64\Dlpbna32.exe	Cpiaipmh.exe
File created	C:\Windows\SysWOW64\Bafmhm32.dll	Cpiaipmh.exe
File created	C:\Windows\SysWOW64\Ddmchcnd.exe	Dlboca32.exe
File created	C:\Windows\SysWOW64\Enmnahnm.exe	Eddjhb32.exe
File created	C:\Windows\SysWOW64\Emdhhdqb.exe	Enmnahnm.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Ebcmfj32.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Ebcmfj32.exe
File created	C:\Windows\SysWOW64\Cjmmffgn.exe	ef51e1cfbb1d4768f9071a5311670df0N.exe
File created	C:\Windows\SysWOW64\Hclmphpn.dll	Cjmmffgn.exe
File created	C:\Windows\SysWOW64\Peqiahfi.dll	Ddmchcnd.exe
File created	C:\Windows\SysWOW64\Eddjhb32.exe	Ddbmcb32.exe
File created	C:\Windows\SysWOW64\Cpiaipmh.exe	Cjmmffgn.exe
File created	C:\Windows\SysWOW64\Pdkooael.dll	Dlpbna32.exe
File opened for modification	C:\Windows\SysWOW64\Ebcmfj32.exe	Ebappk32.exe
File created	C:\Windows\SysWOW64\Ddbdimmi.dll	ef51e1cfbb1d4768f9071a5311670df0N.exe
File created	C:\Windows\SysWOW64\Dlboca32.exe	Dlpbna32.exe
File opened for modification	C:\Windows\SysWOW64\Enmnahnm.exe	Eddjhb32.exe
File created	C:\Windows\SysWOW64\Bgjond32.dll	Djmiejji.exe
File opened for modification	C:\Windows\SysWOW64\Eddjhb32.exe	Ddbmcb32.exe
File opened for modification	C:\Windows\SysWOW64\Ebappk32.exe	Emdhhdqb.exe
File created	C:\Windows\SysWOW64\Gbmiha32.dll	Emdhhdqb.exe
File created	C:\Windows\SysWOW64\Dlpbna32.exe	Cpiaipmh.exe
File created	C:\Windows\SysWOW64\Djmiejji.exe	Ddmchcnd.exe
File created	C:\Windows\SysWOW64\Ddbmcb32.exe	Djmiejji.exe
File opened for modification	C:\Windows\SysWOW64\Ddbmcb32.exe	Djmiejji.exe
File created	C:\Windows\SysWOW64\Ebcmfj32.exe	Ebappk32.exe
File created	C:\Windows\SysWOW64\Jhpgpkho.dll	Ebappk32.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Ebcmfj32.exe
File opened for modification	C:\Windows\SysWOW64\Dlboca32.exe	Dlpbna32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmchcnd.exe	Dlboca32.exe
File created	C:\Windows\SysWOW64\Glgkjp32.dll	Eddjhb32.exe
File created	C:\Windows\SysWOW64\Almpdj32.dll	Enmnahnm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2288	2960	WerFault.exe	42

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebappk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef51e1cfbb1d4768f9071a5311670df0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmmffgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlpbna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlboca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmiejji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddbmcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddjhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpiaipmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmchcnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emdhhdqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enmnahnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebcmfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djmiejji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almpdj32.dll"	Enmnahnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmmffgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclmphpn.dll"	Cjmmffgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafmhm32.dll"	Cpiaipmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpiaipmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlpbna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlboca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nceqcnpi.dll"	Dlboca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ef51e1cfbb1d4768f9071a5311670df0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ef51e1cfbb1d4768f9071a5311670df0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlpbna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlboca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpgpkho.dll"	Ebappk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpiaipmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkooael.dll"	Dlpbna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmchcnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddbmcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddbmcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ef51e1cfbb1d4768f9071a5311670df0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjond32.dll"	Djmiejji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgkjp32.dll"	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enmnahnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emdhhdqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebappk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djmiejji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahgd32.dll"	Ddbmcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enmnahnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emdhhdqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Ebcmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebcmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peqiahfi.dll"	Ddmchcnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ef51e1cfbb1d4768f9071a5311670df0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbdimmi.dll"	ef51e1cfbb1d4768f9071a5311670df0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ef51e1cfbb1d4768f9071a5311670df0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmmffgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmchcnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmiha32.dll"	Emdhhdqb.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2888	2712	ef51e1cfbb1d4768f9071a5311670df0N.exe	30
PID 2712 wrote to memory of 2888	2712	ef51e1cfbb1d4768f9071a5311670df0N.exe	30
PID 2712 wrote to memory of 2888	2712	ef51e1cfbb1d4768f9071a5311670df0N.exe	30
PID 2712 wrote to memory of 2888	2712	ef51e1cfbb1d4768f9071a5311670df0N.exe	30
PID 2888 wrote to memory of 2796	2888	Cjmmffgn.exe	31
PID 2888 wrote to memory of 2796	2888	Cjmmffgn.exe	31
PID 2888 wrote to memory of 2796	2888	Cjmmffgn.exe	31
PID 2888 wrote to memory of 2796	2888	Cjmmffgn.exe	31
PID 2796 wrote to memory of 2720	2796	Cpiaipmh.exe	32
PID 2796 wrote to memory of 2720	2796	Cpiaipmh.exe	32
PID 2796 wrote to memory of 2720	2796	Cpiaipmh.exe	32
PID 2796 wrote to memory of 2720	2796	Cpiaipmh.exe	32
PID 2720 wrote to memory of 2616	2720	Dlpbna32.exe	33
PID 2720 wrote to memory of 2616	2720	Dlpbna32.exe	33
PID 2720 wrote to memory of 2616	2720	Dlpbna32.exe	33
PID 2720 wrote to memory of 2616	2720	Dlpbna32.exe	33
PID 2616 wrote to memory of 3044	2616	Dlboca32.exe	34
PID 2616 wrote to memory of 3044	2616	Dlboca32.exe	34
PID 2616 wrote to memory of 3044	2616	Dlboca32.exe	34
PID 2616 wrote to memory of 3044	2616	Dlboca32.exe	34
PID 3044 wrote to memory of 1720	3044	Ddmchcnd.exe	35
PID 3044 wrote to memory of 1720	3044	Ddmchcnd.exe	35
PID 3044 wrote to memory of 1720	3044	Ddmchcnd.exe	35
PID 3044 wrote to memory of 1720	3044	Ddmchcnd.exe	35
PID 1720 wrote to memory of 2976	1720	Djmiejji.exe	36
PID 1720 wrote to memory of 2976	1720	Djmiejji.exe	36
PID 1720 wrote to memory of 2976	1720	Djmiejji.exe	36
PID 1720 wrote to memory of 2976	1720	Djmiejji.exe	36
PID 2976 wrote to memory of 2160	2976	Ddbmcb32.exe	37
PID 2976 wrote to memory of 2160	2976	Ddbmcb32.exe	37
PID 2976 wrote to memory of 2160	2976	Ddbmcb32.exe	37
PID 2976 wrote to memory of 2160	2976	Ddbmcb32.exe	37
PID 2160 wrote to memory of 2928	2160	Eddjhb32.exe	38
PID 2160 wrote to memory of 2928	2160	Eddjhb32.exe	38
PID 2160 wrote to memory of 2928	2160	Eddjhb32.exe	38
PID 2160 wrote to memory of 2928	2160	Eddjhb32.exe	38
PID 2928 wrote to memory of 1772	2928	Enmnahnm.exe	39
PID 2928 wrote to memory of 1772	2928	Enmnahnm.exe	39
PID 2928 wrote to memory of 1772	2928	Enmnahnm.exe	39
PID 2928 wrote to memory of 1772	2928	Enmnahnm.exe	39
PID 1772 wrote to memory of 2092	1772	Emdhhdqb.exe	40
PID 1772 wrote to memory of 2092	1772	Emdhhdqb.exe	40
PID 1772 wrote to memory of 2092	1772	Emdhhdqb.exe	40
PID 1772 wrote to memory of 2092	1772	Emdhhdqb.exe	40
PID 2092 wrote to memory of 2232	2092	Ebappk32.exe	41
PID 2092 wrote to memory of 2232	2092	Ebappk32.exe	41
PID 2092 wrote to memory of 2232	2092	Ebappk32.exe	41
PID 2092 wrote to memory of 2232	2092	Ebappk32.exe	41
PID 2232 wrote to memory of 2960	2232	Ebcmfj32.exe	42
PID 2232 wrote to memory of 2960	2232	Ebcmfj32.exe	42
PID 2232 wrote to memory of 2960	2232	Ebcmfj32.exe	42
PID 2232 wrote to memory of 2960	2232	Ebcmfj32.exe	42
PID 2960 wrote to memory of 2288	2960	Flnndp32.exe	43
PID 2960 wrote to memory of 2288	2960	Flnndp32.exe	43
PID 2960 wrote to memory of 2288	2960	Flnndp32.exe	43
PID 2960 wrote to memory of 2288	2960	Flnndp32.exe	43

C:\Users\Admin\AppData\Local\Temp\ef51e1cfbb1d4768f9071a5311670df0N.exe
"C:\Users\Admin\AppData\Local\Temp\ef51e1cfbb1d4768f9071a5311670df0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\Cjmmffgn.exe
  C:\Windows\system32\Cjmmffgn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\Cpiaipmh.exe
    C:\Windows\system32\Cpiaipmh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\Dlpbna32.exe
      C:\Windows\system32\Dlpbna32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\Dlboca32.exe
        
        C:\Windows\system32\Dlboca32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\Ddmchcnd.exe
        
        C:\Windows\system32\Ddmchcnd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Djmiejji.exe
        
        C:\Windows\system32\Djmiejji.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Ddbmcb32.exe
        
        C:\Windows\system32\Ddbmcb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Eddjhb32.exe
        
        C:\Windows\system32\Eddjhb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Enmnahnm.exe
        
        C:\Windows\system32\Enmnahnm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Emdhhdqb.exe
        
        C:\Windows\system32\Emdhhdqb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Ebappk32.exe
        
        C:\Windows\system32\Ebappk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Ebcmfj32.exe
        
        C:\Windows\system32\Ebcmfj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 140
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cjmmffgn.exe

Filesize
60KB

MD5
2d082a3026b823d4b5e8216532e195ba

SHA1
db80046fdbf3c4ab214bd606a859b06a0d3e9c77

SHA256
2571ccb2287016cd1818e5bcf948a15e3fe7062ac8ce1eff3ae64275c07833dd

SHA512
6725ea1e8799dd79cf61bd10254b461cfabdc5fc2c355f1ab5c01b71266cdf4aa3de20bad21ced5e7a93ec31fcfdb1f84e2efa9e1f1bb78dbbd4e6324181905c

Download Submit
C:\Windows\SysWOW64\Ebappk32.exe

Filesize
60KB

MD5
a54b2e3e2d1105c6eec1929d24f5ecf6

SHA1
89459189e6c19c06a982a0372cfd453a5cce5776

SHA256
f408c81852ed4445108833b1a9da07693fcecf592e88ba325ad2050436f52282

SHA512
dcef1595bee8329c08ddb216fb57c4f4850e8214bafebb4f982547a274b2cebb4d68da71d35a1ce9b7c5cc03919f56913118cf3de04fcc2de00a8679b7139881

Download Submit
C:\Windows\SysWOW64\Ebcmfj32.exe

Filesize
60KB

MD5
9e8d1b103f94140679d4ba0e42052875

SHA1
c544d3b9688ac7c932181861ba1b8894454d6c09

SHA256
60ee6e6248fefbecef36844d3b913e08dfc77d93bb0f7102512b857e2cc081ce

SHA512
8bd564d501930afcfb8989305cc72e7e1e3bdb5087d98d464b1b32abdf32a56e45f4e302f793bae25b4e1a68ea2bb24f1c93f6c8638b41996854d0422e1663b8

Download Submit
C:\Windows\SysWOW64\Enmnahnm.exe

Filesize
60KB

MD5
4cf4de79b5a7e85325874b0a8f17e0dd

SHA1
b177c1ffee13ff14c0531b85776d41da022ce095

SHA256
cc7004ce38f05b94dd3a5b1ff1dadb319a5874d66c2f433eaa2bf8995ed3267e

SHA512
631ddf219be214c04f248d77d160e0f00fc131d76a312b87786cf0e5cacc6877fccb88747f9ab0bcac2937127bcc067d445d58c60555a675071a2be89d19cf1e

Download Submit
\Windows\SysWOW64\Cpiaipmh.exe

Filesize
60KB

MD5
043c5a8edc433a6570376a62385f65d9

SHA1
af877256c71e7210b80fc815b7e9b9de099c3812

SHA256
a15e3aae9b36a26348d768af04b909cccc8ece5fe3b43e85eb7939bf068ff6ef

SHA512
5f56dc6143179458b7b26d49542aca8ea6be7d0265740042debc731bac15ad6b894285b07e2c61842f441ef0aa65176963ce3ebfa9044efbb625add6d12365ee

Download Submit
\Windows\SysWOW64\Ddbmcb32.exe

Filesize
60KB

MD5
15d5576e9ae036a1bdcea4f884da229f

SHA1
0644f0d3f5201384c74804d2734625e216f1d97c

SHA256
29593e5d0dc3ede8a321e41e646e67dbc8500c05eb877c1a3854e351d13a94c8

SHA512
47daa23b2e4c65afe0d8ca7645b5bfb269d308bff425c0db7e88ea29d17379c0ecb931ce7816f17d7cb40026c731f0e470e4e4b8fc98d3ec451508dca6844d1a

Download Submit
\Windows\SysWOW64\Ddmchcnd.exe

Filesize
60KB

MD5
877ea7bbadb1d114dda86a96e620acf5

SHA1
f82e3fd8bb5d877b757c9e84c5dfc1e667b9b8b2

SHA256
630857f36643fc1f01e26302476121147c8e424a558796b8a216b9d0691a8706

SHA512
f5a8ccf6835e7d2305d4e112a4fe344cb4be3a75acc8b5f25ad1717318c96452ecb888b154946c450e33a7fe6631e6ac1d7c14d3b9dd00e325da9d902f633b16

Download Submit
\Windows\SysWOW64\Djmiejji.exe

Filesize
60KB

MD5
27859cb9cbfe2422a6716ce36b0f7de2

SHA1
a1200009ec9d9028dbbd24f8828fac8573bd8b96

SHA256
8ab7fa6b77b2876be546f95baf4977d998e65520b35f6b5c476d19971031c518

SHA512
76816f5192cafd5fc3b6c64ed0c8ed732aca0caeca9efeb6c4847010fd42ad1659296a4e210878a8b2cd1a05a3f4dedab54ab24259382e9dd0fac7ec09118a9a

Download Submit
\Windows\SysWOW64\Dlboca32.exe

Filesize
60KB

MD5
9b3e3c8a9ec70398a0c95d895c2ec5b0

SHA1
a729dec8ed703bae10f6a36a10572d205a751c50

SHA256
dc4aa11abe46d567cf191c3c199911fddce1a8bb263d21f339c19d0a2aaae7e6

SHA512
4491244a9bb6d9e8c0283c4ec72e6423d908e73d2fda607154858e0170d48a3cd30a1f2bfe2a4f1cc587729a61db48bd2bf3bd87bf6efb18d0a5eeccf9dfa285

Download Submit
\Windows\SysWOW64\Dlpbna32.exe

Filesize
60KB

MD5
378208d852762c8b0bdf0dc5f3b94ad6

SHA1
de8f9d3e6f26bc65db136cb17ec777e8e3b42a8f

SHA256
65b6930c7e91ba504d8dd1eacf293be1522db43d6e411b8f4bebccdb5b929932

SHA512
a31e5b13e69ecad90d872330ef0fcc2d68737a61d8f68ba1f8f5aa1b643c80e9ecf17f808611b9111d08b588f68a12da38b2e5729a79a8a8282913a74bfc25cd

Download Submit
\Windows\SysWOW64\Eddjhb32.exe

Filesize
60KB

MD5
d6ac3596404bf1744a1c0bca3bc5bdbc

SHA1
63d33db9c0d2702df88c8162d6b5fd9bca3b1fda

SHA256
f2e799e88d458127fbac39d753e7202a36bf918a1241c5ab8086c645e4ea93d1

SHA512
52361e7f7f5ab9a081161ecdc06d07ef0a91fa3ccd7495552e23b215759d6a27836856053a9fa6d05e960a99328b48e31abcca93334224fdc9ab10925d1ee0e6

Download Submit
\Windows\SysWOW64\Emdhhdqb.exe

Filesize
60KB

MD5
66b72af644952a346be8a6da4dfe7772

SHA1
7ace53b6b67ae9e43dee8c696b4f1c0b2eb83e6b

SHA256
aaeb0b5cc1b2e3483620df4bf907eb638db281f541a1132656a92fa7b08a4167

SHA512
bec6c1f20ecfecc4fb62cd6f826a6e8690a9057c76236230a1e18107a1250f94125c2f4d02def8f50e65a78778face89fbc62ef4cc8dd0fd3ee288bd22c2de2a

Download Submit
\Windows\SysWOW64\Flnndp32.exe

Filesize
60KB

MD5
d852e19e261ed5fd62deae518c1da8c5

SHA1
a9b9dd4ab37b91d4081b382c697b906c4bb027ea

SHA256
55ef06a0e23ced7b313ac292c1d29293bbc218c7c6e5145bd6331f0f92f4e350

SHA512
d8b8b84ea019556222b95f4d33eba8b94e60489e2660f27b9240678fd6de18dc02349302eabadebadcde37fd6b2c9418db0b02b91cfd862887d3620ce678bc0e

Download Submit
memory/1720-247-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1720-147-0x00000000003B0000-0x00000000003E6000-memory.dmp

Filesize
216KB

Download
memory/1720-87-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1720-100-0x00000000003B0000-0x00000000003E6000-memory.dmp

Filesize
216KB

Download
memory/1772-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1772-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1772-156-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2092-172-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2092-164-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2092-197-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2092-257-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2092-178-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2160-123-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2160-125-0x00000000002B0000-0x00000000002E6000-memory.dmp

Filesize
216KB

Download
memory/2160-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-259-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-66-0x0000000000230000-0x0000000000266000-memory.dmp

Filesize
216KB

Download
memory/2616-238-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-131-0x0000000000230000-0x0000000000266000-memory.dmp

Filesize
216KB

Download
memory/2712-230-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2712-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2712-13-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2712-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2712-12-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2712-62-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2720-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-101-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2720-236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-50-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2796-40-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2796-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2796-234-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2888-22-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2888-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2888-72-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2888-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2888-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-144-0x0000000000230000-0x0000000000266000-memory.dmp

Filesize
216KB

Download
memory/2928-253-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-190-0x0000000000230000-0x0000000000266000-memory.dmp

Filesize
216KB

Download
memory/2960-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2960-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2976-171-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2976-161-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2976-249-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2976-110-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2976-121-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2976-102-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3044-85-0x00000000003B0000-0x00000000003E6000-memory.dmp

Filesize
216KB

Download
memory/3044-145-0x00000000003B0000-0x00000000003E6000-memory.dmp

Filesize
216KB

Download
memory/3044-245-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3044-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3044-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads