f4d1da2766bbb2743bf47de6e3ce62ae8e9d9b54de1a17201bddcb453abc25b4

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86edf6b5274d9e9361ff55c9fc4a7080N.exe
Size

664KB
MD5

86edf6b5274d9e9361ff55c9fc4a7080
SHA1

f266adeda929899020a43f17c52c1eb751992ae8
SHA256

f4d1da2766bbb2743bf47de6e3ce62ae8e9d9b54de1a17201bddcb453abc25b4
SHA512

1c65237b8bbf8f4245fa4e0fb311a29976cc759521c4bc7aaa96ad3762118b80e45dc0bd24949d9ddcce69bd5efe5b4217671e3ca4fd92803ff295e2942da62c
SSDEEP

12288:0qmjpV6yYP4rbpV6yYPg058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYjmRS:0fjW4XWleKWNUir2MhNl6zX3w9As/xOX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddklbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	86edf6b5274d9e9361ff55c9fc4a7080N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	86edf6b5274d9e9361ff55c9fc4a7080N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enhifi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe

Executes dropped EXE 15 IoCs

pid	Process
2312	Dcibca32.exe
4544	Dpmcmf32.exe
4072	Dnqcfjae.exe
2020	Dpopbepi.exe
2796	Ddklbd32.exe
3824	Enhifi32.exe
1180	Edaaccbj.exe
4944	Ekngemhd.exe
1500	Eajlhg32.exe
4520	Fjeplijj.exe
1048	Fdkdibjp.exe
1760	Fbaahf32.exe
4060	Fqfojblo.exe
4624	Fjocbhbo.exe
1844	Gddgpqbe.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Enhifi32.exe	Ddklbd32.exe
File opened for modification	C:\Windows\SysWOW64\Edaaccbj.exe	Enhifi32.exe
File opened for modification	C:\Windows\SysWOW64\Ekngemhd.exe	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Ppkjigdd.dll	Fjeplijj.exe
File opened for modification	C:\Windows\SysWOW64\Fqfojblo.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Fohoiloe.dll	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Dpmcmf32.exe	Dcibca32.exe
File created	C:\Windows\SysWOW64\Dpopbepi.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Imhcpepk.dll	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Fjocbhbo.exe	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Pedfeccm.dll	Dpmcmf32.exe
File opened for modification	C:\Windows\SysWOW64\Dcibca32.exe	86edf6b5274d9e9361ff55c9fc4a7080N.exe
File opened for modification	C:\Windows\SysWOW64\Enhifi32.exe	Ddklbd32.exe
File opened for modification	C:\Windows\SysWOW64\Eajlhg32.exe	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Dcibca32.exe	86edf6b5274d9e9361ff55c9fc4a7080N.exe
File opened for modification	C:\Windows\SysWOW64\Dnqcfjae.exe	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Obhmcdfq.dll	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Icembg32.dll	Ddklbd32.exe
File created	C:\Windows\SysWOW64\Fbaahf32.exe	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Egnelfnm.dll	Fdkdibjp.exe
File opened for modification	C:\Windows\SysWOW64\Fjocbhbo.exe	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Dnqcfjae.exe	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Hhdebqbi.dll	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Ddklbd32.exe	Dpopbepi.exe
File opened for modification	C:\Windows\SysWOW64\Ddklbd32.exe	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Edaaccbj.exe	Enhifi32.exe
File created	C:\Windows\SysWOW64\Kamonn32.dll	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Fjeplijj.exe	Eajlhg32.exe
File created	C:\Windows\SysWOW64\Fdkdibjp.exe	Fjeplijj.exe
File opened for modification	C:\Windows\SysWOW64\Dpopbepi.exe	Dnqcfjae.exe
File opened for modification	C:\Windows\SysWOW64\Fbaahf32.exe	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Cjeejn32.dll	Enhifi32.exe
File created	C:\Windows\SysWOW64\Ekngemhd.exe	Edaaccbj.exe
File opened for modification	C:\Windows\SysWOW64\Fjeplijj.exe	Eajlhg32.exe
File created	C:\Windows\SysWOW64\Eacdhhjj.dll	Eajlhg32.exe
File created	C:\Windows\SysWOW64\Fqfojblo.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Caajoahp.dll	86edf6b5274d9e9361ff55c9fc4a7080N.exe
File created	C:\Windows\SysWOW64\Bailkjga.dll	Dcibca32.exe
File created	C:\Windows\SysWOW64\Eajlhg32.exe	Ekngemhd.exe
File opened for modification	C:\Windows\SysWOW64\Fdkdibjp.exe	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Ldicpljn.dll	Fbaahf32.exe
File opened for modification	C:\Windows\SysWOW64\Dpmcmf32.exe	Dcibca32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fjocbhbo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
516	1844	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86edf6b5274d9e9361ff55c9fc4a7080N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpmcmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpopbepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddklbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edaaccbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkdibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eajlhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjocbhbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcibca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjeplijj.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhcpepk.dll"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldicpljn.dll"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	86edf6b5274d9e9361ff55c9fc4a7080N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	86edf6b5274d9e9361ff55c9fc4a7080N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhmcdfq.dll"	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamonn32.dll"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dcibca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	86edf6b5274d9e9361ff55c9fc4a7080N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	86edf6b5274d9e9361ff55c9fc4a7080N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdebqbi.dll"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddklbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppkjigdd.dll"	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnelfnm.dll"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	86edf6b5274d9e9361ff55c9fc4a7080N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacdhhjj.dll"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icembg32.dll"	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjeejn32.dll"	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedfeccm.dll"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caajoahp.dll"	86edf6b5274d9e9361ff55c9fc4a7080N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bailkjga.dll"	Dcibca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ekngemhd.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 2312	3496	86edf6b5274d9e9361ff55c9fc4a7080N.exe	89
PID 3496 wrote to memory of 2312	3496	86edf6b5274d9e9361ff55c9fc4a7080N.exe	89
PID 3496 wrote to memory of 2312	3496	86edf6b5274d9e9361ff55c9fc4a7080N.exe	89
PID 2312 wrote to memory of 4544	2312	Dcibca32.exe	90
PID 2312 wrote to memory of 4544	2312	Dcibca32.exe	90
PID 2312 wrote to memory of 4544	2312	Dcibca32.exe	90
PID 4544 wrote to memory of 4072	4544	Dpmcmf32.exe	91
PID 4544 wrote to memory of 4072	4544	Dpmcmf32.exe	91
PID 4544 wrote to memory of 4072	4544	Dpmcmf32.exe	91
PID 4072 wrote to memory of 2020	4072	Dnqcfjae.exe	92
PID 4072 wrote to memory of 2020	4072	Dnqcfjae.exe	92
PID 4072 wrote to memory of 2020	4072	Dnqcfjae.exe	92
PID 2020 wrote to memory of 2796	2020	Dpopbepi.exe	94
PID 2020 wrote to memory of 2796	2020	Dpopbepi.exe	94
PID 2020 wrote to memory of 2796	2020	Dpopbepi.exe	94
PID 2796 wrote to memory of 3824	2796	Ddklbd32.exe	97
PID 2796 wrote to memory of 3824	2796	Ddklbd32.exe	97
PID 2796 wrote to memory of 3824	2796	Ddklbd32.exe	97
PID 3824 wrote to memory of 1180	3824	Enhifi32.exe	98
PID 3824 wrote to memory of 1180	3824	Enhifi32.exe	98
PID 3824 wrote to memory of 1180	3824	Enhifi32.exe	98
PID 1180 wrote to memory of 4944	1180	Edaaccbj.exe	99
PID 1180 wrote to memory of 4944	1180	Edaaccbj.exe	99
PID 1180 wrote to memory of 4944	1180	Edaaccbj.exe	99
PID 4944 wrote to memory of 1500	4944	Ekngemhd.exe	100
PID 4944 wrote to memory of 1500	4944	Ekngemhd.exe	100
PID 4944 wrote to memory of 1500	4944	Ekngemhd.exe	100
PID 1500 wrote to memory of 4520	1500	Eajlhg32.exe	101
PID 1500 wrote to memory of 4520	1500	Eajlhg32.exe	101
PID 1500 wrote to memory of 4520	1500	Eajlhg32.exe	101
PID 4520 wrote to memory of 1048	4520	Fjeplijj.exe	102
PID 4520 wrote to memory of 1048	4520	Fjeplijj.exe	102
PID 4520 wrote to memory of 1048	4520	Fjeplijj.exe	102
PID 1048 wrote to memory of 1760	1048	Fdkdibjp.exe	103
PID 1048 wrote to memory of 1760	1048	Fdkdibjp.exe	103
PID 1048 wrote to memory of 1760	1048	Fdkdibjp.exe	103
PID 1760 wrote to memory of 4060	1760	Fbaahf32.exe	104
PID 1760 wrote to memory of 4060	1760	Fbaahf32.exe	104
PID 1760 wrote to memory of 4060	1760	Fbaahf32.exe	104
PID 4060 wrote to memory of 4624	4060	Fqfojblo.exe	105
PID 4060 wrote to memory of 4624	4060	Fqfojblo.exe	105
PID 4060 wrote to memory of 4624	4060	Fqfojblo.exe	105
PID 4624 wrote to memory of 1844	4624	Fjocbhbo.exe	106
PID 4624 wrote to memory of 1844	4624	Fjocbhbo.exe	106
PID 4624 wrote to memory of 1844	4624	Fjocbhbo.exe	106

C:\Users\Admin\AppData\Local\Temp\86edf6b5274d9e9361ff55c9fc4a7080N.exe
"C:\Users\Admin\AppData\Local\Temp\86edf6b5274d9e9361ff55c9fc4a7080N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\Dcibca32.exe
  C:\Windows\system32\Dcibca32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\Dpmcmf32.exe
    C:\Windows\system32\Dpmcmf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\SysWOW64\Dnqcfjae.exe
      C:\Windows\system32\Dnqcfjae.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 412
        17⤵
        Program crash
        
        PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1844 -ip 1844
1⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1020,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcibca32.exe

Filesize
664KB

MD5
0b68b8897b8280e45793fbaacefd77bb

SHA1
0e674af25f55e4da33843ea411bda8abcf52fe73

SHA256
de45544a5a15a816f29d82aea5aef15f9ce3057dc844c831d42004b25a00423c

SHA512
61eda18f80f69455167de402499d2eaea24587ee253170a496e437e905a7b645c0ec1966a5bfc2ddeeb5a5b1ff3bf4db36b327faf243d56cd4e3a65f84065c1f

Download Submit
C:\Windows\SysWOW64\Ddklbd32.exe

Filesize
664KB

MD5
3a8c9d29da76937b15f6f06ec84015be

SHA1
8dd7ce003a7e3f8511708533b225f5651bc4b48c

SHA256
d6f4fc1694129ee789087d009eb74b3f8da829e13cf1a9cbbb89d98fa981597a

SHA512
035c49738fecde7d3c134cd0c5b6cf514d018c47482400c50a619daee2071aece2a836eac19754eda3ad51918d9ceb44214b07ffe5a36ff7882b0184453fd7ba

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
664KB

MD5
e7963f01ceab8cd515fa6dc7fd16ebc0

SHA1
2d40cd2493bd99b5311812b3beeac280e445596a

SHA256
1cd2e966d3ccfe64c9d2c3550364822ed03ff607e41489810b10356f22039555

SHA512
2b86c33e427ae7cf5baa3530731716d8c3c2a3f151421c143a83206581db350a1d8cc22822390640924cb08a2ed9f308cf2ed0174259bdf34977bfd40f921976

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
664KB

MD5
a5b30aea2aefd6e299663a3b2dcf1576

SHA1
b59be527dc6e845aa5e2c13de90efb1075b24692

SHA256
0e48222fcf2c7aa4401cdaa6486e5dc8288f95278eb111fac2c926a42dbcba05

SHA512
5fb0d7e396169d108a7202e8d29571b8429b475238966e0c6a3c65fe08c73765b16ff3c063878ef8c45ea2a32de1044655fcffa9297ce238c5295d9dec4d0a89

Download Submit
C:\Windows\SysWOW64\Dpopbepi.exe

Filesize
664KB

MD5
27c7afb19d44972a38fc64768ac518ac

SHA1
dc8f6cf48b1cecf9bea60088b0b37b62ac2838d1

SHA256
454b862e1580857b34a0a6db4e4f6adc2a5698c1509f44fc670dc702f3bd0d52

SHA512
4f38e7ab596458f9f6cec8869b2fde5f422d84ca36846c4155d4775056b302878992964e3162372b4ce86528f2f82607eb081699e661e15954a5ec1083a97c95

Download Submit
C:\Windows\SysWOW64\Eajlhg32.exe

Filesize
664KB

MD5
bd04bf482a8ea170d810d6b261f26072

SHA1
1db98abc6985778457187117bcff7a1c1001a18a

SHA256
b567ce87d0522b62adb16d0013a17497c398dcc2a04d74ecf413bbc0584ccb1a

SHA512
9e885e0117f99e10eee6ff4a111905764c38b4b5f2891e336853597742e7b434bd3b5806dc2331f8c4942b687e69668d5f46909c3a7fbc2142061061dbc1484e

Download Submit
C:\Windows\SysWOW64\Edaaccbj.exe

Filesize
664KB

MD5
98bfeff978172e206547ae8a52fa782a

SHA1
33faace0a9cac2e732379d87c0d72bac07dd6296

SHA256
253f3abe2b4bab480b0bfb3edc6e7caa95b6490f742af81e167be94a48220f32

SHA512
4f30c6dd574aba9e175ca88e0448cfb46a4df99d6625e98861dbb08af49fa96e0b43d99f6c272be42a9d77f0d15bce8fc19c155e5a56a736394a6f71923b22cf

Download Submit
C:\Windows\SysWOW64\Ekngemhd.exe

Filesize
664KB

MD5
485b763812a96fd2252bf60a49f4a4e9

SHA1
de6a834f1728996537c0fd6ed84c3e0d99d37a39

SHA256
305e69abe673d9bbad6790d194f80543d43ba2a6f52a7081b694aaa1abdc2fbb

SHA512
398d71d1eaf2924591b3f6f6f3722e932ad949d5179c22b4eff6bf7443ec258b38916179a4f4852d13a5dcd3785ab1d30ad1e91c2f368fbd2d8b7c548847954c

Download Submit
C:\Windows\SysWOW64\Enhifi32.exe

Filesize
664KB

MD5
b5cacd8be9f6cfbeb4b90f7b6847bfd3

SHA1
2fd09a62b3c1812b022f55f5aad385d82a7db3fe

SHA256
d04887c624ac3d6db799dd68bf0a41249f45d7dfe5aa65ab133afb781a30665d

SHA512
81afd5912c4be58386b1656056c3d4dc05aaf7cfc045c8e1fc7ed13f644e02c93fc0a392b06ad322388cec5ebf402e02a368af80d6881f64a1f546b8d04e0358

Download Submit
C:\Windows\SysWOW64\Fbaahf32.exe

Filesize
664KB

MD5
c4aceb2603c2317c294eceb6aa2bffa2

SHA1
b28d63a88d98a00cd5439eb1ecdecf657be8c7f7

SHA256
76bed45e7076fb5a08335ef3a42143a375d829dbc17030a6b5228598d20a4e03

SHA512
a18c4e5553be6e940f1df2b1c93a079aab3b35fa586af6e9eb7acdef62e4f649073d947c7b8330a1bf3ad9384ff4ae70c50b383b84402c811c750a127bffea6b

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe

Filesize
664KB

MD5
95200bab3bebaf9b7d36ece7dc4f91a0

SHA1
e7e9cbb333c2fd6f5bcb8a3fc1fc811737f22506

SHA256
717a38d7ced3d651548e532b5f6d6bc22fe83fd2dc6191ec61275b575e90db85

SHA512
62a53bbd5ffbb5c86bc09712328e5a7cd3127d5548d569d9090478b622909325da398fed6d59c1744957e2f23dd6fbaa56fc4563e5941211766196de08c6ba9c

Download Submit
C:\Windows\SysWOW64\Fjeplijj.exe

Filesize
664KB

MD5
f40b38871e7163c2ccbf4793df451a6d

SHA1
fb2e49aafcb0cf7c13382f9a6cd4d0ace28143b1

SHA256
6ab485f571d32ef4051617b3293e2112a5e263875ca2468f2af639bba34ff039

SHA512
8360b024fce1fb3ba9717f7cbdb9453dc85a1c6b0fa405486130226c4ba94eaebfb158d8c83bd5b80cf1a1a701027a343ae2fe6e361fb3fefda6a72201c4996e

Download Submit
C:\Windows\SysWOW64\Fjocbhbo.exe

Filesize
664KB

MD5
34e221e7998795d77dac7e9e0ecb9ab1

SHA1
08af67484775ac5a9cf56d4f52fb4d870300d467

SHA256
d999d3ce4dfe89af20a0b7d06c848045ef426ab1e900e797af6ee704428288da

SHA512
1602f718a1e4707d2e2b72a60392879ae4df28633948757f6b1bde43d1ea9e7998c5ac5c805993e77d9008bf27cdb238303fcaff686a20d4b3ef5c257c5f5624

Download Submit
C:\Windows\SysWOW64\Fqfojblo.exe

Filesize
664KB

MD5
88a0bd57515278424e132bad2c2fbd0e

SHA1
51822840d0549f7c7a511360f0b3b7935e5576d6

SHA256
a60982898f55af9017e7fc8504412a9631f1dcf288277807310d0b01d611ced6

SHA512
c9bb7b4d49cffd1ff1f96bf02bacf4e564cd074a848a8b7d830c778e1dc3616a86a90a3506332881789a6490119a6fd3ca757764b69760b628893e327109aa09

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
664KB

MD5
4936ae8d0d302abbab0e0c577a9c3e70

SHA1
d55be6fc58de745f0b4d67694ddf83f397d11b8b

SHA256
3c32a6deaeeb590b7e829c3ed626f0cb6eea48593fd6e00a54f82e3d14fcd0a1

SHA512
ac360fcb4d3c60033954c55b6971d08da1d357495ac937dbc71e75e70c4216f1abb267a8498b53fbee58254e9d85943c5527cbbe83238fd818cebae5b4c77198

Download Submit
C:\Windows\SysWOW64\Obhmcdfq.dll

Filesize
7KB

MD5
5ecbe1b3fbd23ce4760525f7045a66c2

SHA1
a00d18d0e2bea4c5712436f34d2ca81a4e33c500

SHA256
7729f2e7e7a9e8bceab55148bef70b690520f2274427a0f363fc2061314f726a

SHA512
473691039b69b070d945161a0fc4e90976d089590a86299f097154708d210ad61a654b90ba9dbbddeb4af7fe1dfbb0167a5ac7bec7ca6e699e2ac8443ba06860

Download Submit
memory/1048-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1048-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1180-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1180-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1500-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1500-126-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1844-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1844-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2020-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2312-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2312-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3824-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3824-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-123-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4072-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4520-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4520-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-131-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4624-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4624-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads