c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce

Analysis

max time kernel
126s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe
Size

80KB
MD5

5f2e452c07e6113fa7cc931094d235f7
SHA1

79fd4847e02c74b5c01e6656f9b1a3c02ea28032
SHA256

c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce
SHA512

fd7fa262e59e8057cce3c55b3a52e86cbe65176fe952e84cc68296b5c9e6dd741d8271df1d9638b886bc3cf84c6ac9f4a76363998d5e404f00b0f2c06a304dcb
SSDEEP

1536:s6YXM/8y6JWUT+jhKKhFVCGR6YB2CTVORQAFRJJ5R2xOSC4BG:s7MCAVf6YAwOeCrJ5wxO344

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpqlfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpqlfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfjeckpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dipgpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dipgpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cifdjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfjeckpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmdmpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmdmpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbaehl32.exe

Executes dropped EXE 14 IoCs

pid	Process
3700	Cbmlmmjd.exe
2360	Cifdjg32.exe
4840	Cpqlfa32.exe
4624	Cfjeckpj.exe
3996	Cmdmpe32.exe
1816	Cbaehl32.exe
3632	Clijablo.exe
4008	Dbcbnlcl.exe
4912	Dmifkecb.exe
1776	Ddcogo32.exe
4140	Dipgpf32.exe
3212	Dbhlikpf.exe
3540	Dmnpfd32.exe
4376	Dbkhnk32.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dmnpfd32.exe
File opened for modification	C:\Windows\SysWOW64\Cifdjg32.exe	Cbmlmmjd.exe
File created	C:\Windows\SysWOW64\Cbaehl32.exe	Cmdmpe32.exe
File created	C:\Windows\SysWOW64\Dkakfgoq.dll	Clijablo.exe
File created	C:\Windows\SysWOW64\Ioeiam32.dll	Dipgpf32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dmnpfd32.exe
File created	C:\Windows\SysWOW64\Nfcnnnil.dll	c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe
File created	C:\Windows\SysWOW64\Kcgmiidl.dll	Cbmlmmjd.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dmnpfd32.exe
File created	C:\Windows\SysWOW64\Fbelak32.dll	Cbaehl32.exe
File created	C:\Windows\SysWOW64\Dmnpfd32.exe	Dbhlikpf.exe
File opened for modification	C:\Windows\SysWOW64\Dipgpf32.exe	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Clijablo.exe	Cbaehl32.exe
File opened for modification	C:\Windows\SysWOW64\Clijablo.exe	Cbaehl32.exe
File created	C:\Windows\SysWOW64\Cifdjg32.exe	Cbmlmmjd.exe
File created	C:\Windows\SysWOW64\Mondkfmh.dll	Cfjeckpj.exe
File opened for modification	C:\Windows\SysWOW64\Cbaehl32.exe	Cmdmpe32.exe
File created	C:\Windows\SysWOW64\Ebldoh32.dll	Dmifkecb.exe
File opened for modification	C:\Windows\SysWOW64\Dbhlikpf.exe	Dipgpf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmnpfd32.exe	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Mkfbmfbn.dll	Cifdjg32.exe
File created	C:\Windows\SysWOW64\Cmdmpe32.exe	Cfjeckpj.exe
File opened for modification	C:\Windows\SysWOW64\Cfjeckpj.exe	Cpqlfa32.exe
File opened for modification	C:\Windows\SysWOW64\Cmdmpe32.exe	Cfjeckpj.exe
File created	C:\Windows\SysWOW64\Jaepkejo.dll	Cmdmpe32.exe
File created	C:\Windows\SysWOW64\Dbcbnlcl.exe	Clijablo.exe
File opened for modification	C:\Windows\SysWOW64\Dmifkecb.exe	Dbcbnlcl.exe
File created	C:\Windows\SysWOW64\Ddcogo32.exe	Dmifkecb.exe
File created	C:\Windows\SysWOW64\Cpqlfa32.exe	Cifdjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cpqlfa32.exe	Cifdjg32.exe
File created	C:\Windows\SysWOW64\Dipgpf32.exe	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Imdnon32.dll	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Cfjeckpj.exe	Cpqlfa32.exe
File created	C:\Windows\SysWOW64\Qecnjaee.dll	Cpqlfa32.exe
File opened for modification	C:\Windows\SysWOW64\Dbcbnlcl.exe	Clijablo.exe
File created	C:\Windows\SysWOW64\Dmifkecb.exe	Dbcbnlcl.exe
File created	C:\Windows\SysWOW64\Abbbel32.dll	Dbcbnlcl.exe
File opened for modification	C:\Windows\SysWOW64\Ddcogo32.exe	Dmifkecb.exe
File created	C:\Windows\SysWOW64\Cbmlmmjd.exe	c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe
File opened for modification	C:\Windows\SysWOW64\Cbmlmmjd.exe	c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe
File created	C:\Windows\SysWOW64\Dbhlikpf.exe	Dipgpf32.exe
File created	C:\Windows\SysWOW64\Dpkgac32.dll	Dbhlikpf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1736	4376	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbmlmmjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbaehl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhlikpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cifdjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfjeckpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmdmpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmifkecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcogo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpqlfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clijablo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbcbnlcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dipgpf32.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebldoh32.dll"	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpkgac32.dll"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbmlmmjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpqlfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpqlfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkakfgoq.dll"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecnjaee.dll"	Cpqlfa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmdmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaepkejo.dll"	Cmdmpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dipgpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdnon32.dll"	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgmiidl.dll"	Cbmlmmjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cifdjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbaehl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcnnnil.dll"	c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmdmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dipgpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbaehl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbbel32.dll"	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfbmfbn.dll"	Cifdjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mondkfmh.dll"	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbelak32.dll"	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeiam32.dll"	Dipgpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbhlikpf.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 3700	4820	c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe	90
PID 4820 wrote to memory of 3700	4820	c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe	90
PID 4820 wrote to memory of 3700	4820	c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe	90
PID 3700 wrote to memory of 2360	3700	Cbmlmmjd.exe	91
PID 3700 wrote to memory of 2360	3700	Cbmlmmjd.exe	91
PID 3700 wrote to memory of 2360	3700	Cbmlmmjd.exe	91
PID 2360 wrote to memory of 4840	2360	Cifdjg32.exe	92
PID 2360 wrote to memory of 4840	2360	Cifdjg32.exe	92
PID 2360 wrote to memory of 4840	2360	Cifdjg32.exe	92
PID 4840 wrote to memory of 4624	4840	Cpqlfa32.exe	93
PID 4840 wrote to memory of 4624	4840	Cpqlfa32.exe	93
PID 4840 wrote to memory of 4624	4840	Cpqlfa32.exe	93
PID 4624 wrote to memory of 3996	4624	Cfjeckpj.exe	94
PID 4624 wrote to memory of 3996	4624	Cfjeckpj.exe	94
PID 4624 wrote to memory of 3996	4624	Cfjeckpj.exe	94
PID 3996 wrote to memory of 1816	3996	Cmdmpe32.exe	95
PID 3996 wrote to memory of 1816	3996	Cmdmpe32.exe	95
PID 3996 wrote to memory of 1816	3996	Cmdmpe32.exe	95
PID 1816 wrote to memory of 3632	1816	Cbaehl32.exe	96
PID 1816 wrote to memory of 3632	1816	Cbaehl32.exe	96
PID 1816 wrote to memory of 3632	1816	Cbaehl32.exe	96
PID 3632 wrote to memory of 4008	3632	Clijablo.exe	98
PID 3632 wrote to memory of 4008	3632	Clijablo.exe	98
PID 3632 wrote to memory of 4008	3632	Clijablo.exe	98
PID 4008 wrote to memory of 4912	4008	Dbcbnlcl.exe	99
PID 4008 wrote to memory of 4912	4008	Dbcbnlcl.exe	99
PID 4008 wrote to memory of 4912	4008	Dbcbnlcl.exe	99
PID 4912 wrote to memory of 1776	4912	Dmifkecb.exe	100
PID 4912 wrote to memory of 1776	4912	Dmifkecb.exe	100
PID 4912 wrote to memory of 1776	4912	Dmifkecb.exe	100
PID 1776 wrote to memory of 4140	1776	Ddcogo32.exe	101
PID 1776 wrote to memory of 4140	1776	Ddcogo32.exe	101
PID 1776 wrote to memory of 4140	1776	Ddcogo32.exe	101
PID 4140 wrote to memory of 3212	4140	Dipgpf32.exe	102
PID 4140 wrote to memory of 3212	4140	Dipgpf32.exe	102
PID 4140 wrote to memory of 3212	4140	Dipgpf32.exe	102
PID 3212 wrote to memory of 3540	3212	Dbhlikpf.exe	104
PID 3212 wrote to memory of 3540	3212	Dbhlikpf.exe	104
PID 3212 wrote to memory of 3540	3212	Dbhlikpf.exe	104
PID 3540 wrote to memory of 4376	3540	Dmnpfd32.exe	105
PID 3540 wrote to memory of 4376	3540	Dmnpfd32.exe	105
PID 3540 wrote to memory of 4376	3540	Dmnpfd32.exe	105

C:\Users\Admin\AppData\Local\Temp\c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe
"C:\Users\Admin\AppData\Local\Temp\c248c7f3a379d258218cfbfa7e0bb3c47ca91b5d81fe397796c9ec3f9ed8dfce.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\Cbmlmmjd.exe
  C:\Windows\system32\Cbmlmmjd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\SysWOW64\Cifdjg32.exe
    C:\Windows\system32\Cifdjg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\SysWOW64\Cpqlfa32.exe
      C:\Windows\system32\Cpqlfa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4840
    - - C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
      - C:\Windows\SysWOW64\Cmdmpe32.exe
        
        C:\Windows\system32\Cmdmpe32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 412
        16⤵
        Program crash
        
        PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4376 -ip 4376
1⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4220,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cbaehl32.exe

Filesize
80KB

MD5
cc91c787433ebda87ae2e71508a7a1c5

SHA1
52b074b3ddc9bfcc29fa2dd0c61996e869e3dba1

SHA256
9f5a5746ddccdbe233f0e0b56c3e3d3e1176613291a535e3519bcee49de5643c

SHA512
91355782b6f12a253fbddbc1867df00edfb2e669adb0be93a7ca3f5a218a9c2154748147739e3f85df3b7b8fe0a1482ea8423faf193de8fc2f1b0e46a9c491f1

Download Submit
C:\Windows\SysWOW64\Cbmlmmjd.exe

Filesize
80KB

MD5
64523f59c80b41e271b1e161224d82b2

SHA1
c28d14f0d720cd64097534208b43e55516425881

SHA256
140f54bbefe540b270964a53a4ca117e3844d1dd78ca0855d7dd7ab90085b6c6

SHA512
a21a2ef6aa03b604d7f4eff66d6e38fcc6f54d03e53eefe51de3c645c5252e8fedef14ccf34d68808d44d9802a1dc4dc4df4a923c1398ff9a8465b49c2e31788

Download Submit
C:\Windows\SysWOW64\Cfjeckpj.exe

Filesize
80KB

MD5
79b35703963dce8d77349212de3f3358

SHA1
1526d147467ba80d2264f8396b19d4b2c22546ce

SHA256
d4ab38357fd867efeb34d56e0ef573480e5f3154e56332ba603dba3bc459c35a

SHA512
0ccd4a10a5ad0d5c8e2aa5e89aa92be8e453beedf20b7960daf23bc19b5c0d171b339fffe0fa2a9ddd1e4c1ab03572efc4f009ee4d94f1991441c29c63b46797

Download Submit
C:\Windows\SysWOW64\Cifdjg32.exe

Filesize
80KB

MD5
91edaafd50e98c2bfa265bf4a1f8f4b4

SHA1
72df5e893480291816d5ca708f349b5ba0714067

SHA256
3ef526c0dc8961648e57b8651a930ce224171d87ba99070dd326a53896878cb0

SHA512
1581934c5cd48e51846fa958796aa7162a952dd135a114e9c5d1994b88479b9143b51ca942f4edc928761131e224d8eb29c7237728e63f3939f4607fed180dac

Download Submit
C:\Windows\SysWOW64\Clijablo.exe

Filesize
80KB

MD5
550a8863921d6a4bd8c37cb0fdfec8e6

SHA1
ab3fe321d143318a64c5c00bd3491a8da10fb474

SHA256
93c7a53e42cab932999b7ac509e728a8de87fd1353190845490d0d36fd1a4d0e

SHA512
70590002fe7a5155c026d41ef91dd55cab290ff6935b778656506984486180905da10d526c74214287904765e5c3c27134b1d0fb720ab6551577066895bed5c6

Download Submit
C:\Windows\SysWOW64\Cmdmpe32.exe

Filesize
64KB

MD5
68511d875fecdff218e31ea42a13aa23

SHA1
4d52bf70d036e972b88269f102dcbeff6dcc578c

SHA256
78672d921fac465d536fa57ee218786e24011d725bf9b86b92d1f373ee87528f

SHA512
c791b6a8e05560de1b2911ea27dff3cad3421c5e39aebf6614dec044494bb62646036911c3adb1899277bbafd7110966743d169a818b43b5856f35108d64b7ca

Download Submit
C:\Windows\SysWOW64\Cmdmpe32.exe

Filesize
80KB

MD5
a2ddf11f332db989ba23898d3b355277

SHA1
af244f7f01aa16534be21be17557d810d3c31e19

SHA256
7b647d5fe8e02315ed82bc9b0b73e32b647fc71ac13ad2158b26812489b86dc2

SHA512
896ad1c2bca976c62b3f4ca41424de6e4543d2825cefd3bbb3fb01825579cfd02401d8169bbad2c8441beb1fe6e58ab017b001440c26b662e344672c4b8d6c65

Download Submit
C:\Windows\SysWOW64\Cpqlfa32.exe

Filesize
80KB

MD5
aa5bc765f776e04ac6ef832e9eb2b428

SHA1
660021fcae18e2efc4f6092a02b638926b476ae1

SHA256
5a226b955443785ace0e88d9e0e9aee09c0419c9688e2f9d2e044161f6e4fca9

SHA512
875b8a0a81562527c3ff5b129524046c492f939cf78a8cc0dcb967ed5701eb4b69ba9f8676fd14332fb0797857bded37925617b54213564c0aa3756996e77633

Download Submit
C:\Windows\SysWOW64\Dbcbnlcl.exe

Filesize
80KB

MD5
98f085f19016a2cb5ae86427a847f87e

SHA1
2c893ebc5c615aa83416e68319dc04fe9800da05

SHA256
75f967332fd34fa1af123a7677955978e2e941f188de6deec9fc82cb2c3befe8

SHA512
39e3625419a1034f454c96e7ee724b0f10c36c0945bf8482d38ccf8d50ad725971f183ceb6fa86cc53932b94c245f00d687a597ba0530802df31c3ba1bdbb3e5

Download Submit
C:\Windows\SysWOW64\Dbhlikpf.exe

Filesize
80KB

MD5
5f0fcd16f1fa9db3a8e1aa908207c51d

SHA1
26bf9e7ca653b6e33a4f56a172a8b1e3d12147ea

SHA256
c7ac0248b4b6275933bb7190943c51756a1ea5ad1744fcaab2335b971775c040

SHA512
497f3aa618aad2328bdf5c2102e044f95dbe590a64db56bea1b6047cd2d0def33f19c181100339396766e0eac10b29b3135b0b0c33cbe96ff4683c6e9ebfa214

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
80KB

MD5
c97aeef5256a7278a3703194be3ca42a

SHA1
69389cddeefb9edc602f3f733b5facc84a6420c2

SHA256
b3dd1d83684f1734553f804076015b09d74c8669de54009fad2d7e5cd284ae49

SHA512
9dc716a2bf6ec64f87b84ac95fc06bec41d05ddac9e3dec0082f1000c6e630ff4459696e8b08c22e3db973eb88a4014412c7c42e84456401e22ec8b53258f294

Download Submit
C:\Windows\SysWOW64\Ddcogo32.exe

Filesize
80KB

MD5
73a48262e0e88baf43bd2378c3071db3

SHA1
2a178cdabe478248857f21dfe344992fda4b08d9

SHA256
d58bf48f0208e02c05c4a96aaa55c3d2ad69c67a170535bd53d5d222928b71b8

SHA512
b12c7989dac4f3a1894dbec103910651967d7083c82eda2484a5edd73d86f42120e00fa5e47e089de087d061d5aa790dbc68e5129a2a2d11f52622a4bb4b8ccf

Download Submit
C:\Windows\SysWOW64\Dipgpf32.exe

Filesize
80KB

MD5
a31f7beebc920709e0ef1718484783f4

SHA1
dd1d0333f92096a60f873b600a738ad07628772c

SHA256
3d69e9a1395b00d90a03eb0a770ee5b7263d68bce7f818cb7fdaf94d43408444

SHA512
f12bd320a8dbf8bf05fde18e49deaca6744a01bf29044c8a1c6d12a31ca376a6809aa09d3cda5d88ceb41beab8c0d1389da2c6a3fbaf257cc10462f40e965dab

Download Submit
C:\Windows\SysWOW64\Dmifkecb.exe

Filesize
80KB

MD5
c503c57ae685494cc0a113e34c9625c8

SHA1
193bc5fc3b4502fe6b8c535f2a4d74f4f88b68f5

SHA256
ee8c5a35b6c8fa52d1c027a563ff2d348235040e4c63c0442548feae9b28cc95

SHA512
5d0f74eb521e81269999323e554937b93ac04bdbee132f188f6a21c37c3eaf53166bf270d33ea6de522cf61775ba0a33d3461e0fea9270f200ba4cdd7f3053c3

Download Submit
C:\Windows\SysWOW64\Dmnpfd32.exe

Filesize
80KB

MD5
cae0139d3cb302134f7d5efd5f3688b6

SHA1
1e3c23b14c14548ab0ca64e28c1d1a99490bc19e

SHA256
fd0dcd47316921bfe45313d613f77eb377fd5bfe19fd1ace7d8a7fd6758ea031

SHA512
7684b5ad7981fe889604313714eaf77a9600df00de976fc1d62a96a4f02bf2eb277253485f3a804a04e0a03cc50bf236b6d90b50e897bc542c7b608961fcac37

Download Submit
C:\Windows\SysWOW64\Mondkfmh.dll

Filesize
7KB

MD5
f0172f94f784c57d12eac2c6e76b868e

SHA1
aaf4a195180bd83cd40af8fc72a20d80b0dab951

SHA256
79dd8e72cbb0f85c32d9f25de23aaae009d1ba7be4adbda70ba3aa7137a1e8e8

SHA512
9aaa166880ee74f935e4a9872af4037fa2414cd730182ad6c6de9d6503f910a4ef0ba71d9e7b24c33c8f4c3bf043518534521e922be757b44b66dce90ffd7826

Download Submit
memory/1776-81-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1776-122-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1816-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1816-125-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2360-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2360-97-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3212-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3212-98-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3540-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3540-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3632-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3632-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3700-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3700-89-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3996-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3996-126-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4008-124-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4008-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4140-90-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4140-121-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4376-118-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4376-117-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4624-115-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4624-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4820-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4820-79-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4840-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4840-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4912-123-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4912-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads