da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17

Analysis

max time kernel
136s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe
Size

96KB
MD5

1902dd0b78478a2dbfcf5f6e0408a5cd
SHA1

349ebfc2d95ad48d7235bb731200929f5cebf0ee
SHA256

da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17
SHA512

5a50b4858ce022c13c501b18632efdce0ed16ee06db408dc0ab998198730ad7eebbb91d9b6d8d569afd4a8940d235fa940eaa9f4691ce8fc19f286365c6d2a37
SSDEEP

1536:trCMeRj1rJcIoljAv3KbinjC4u9rw8zBMXe9MbinV39+ChnSdFFn7Elz45zFV3z8:pCHRj1rSIo1zim4uhw2KAMbqV39ThSd4

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cemeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dipgpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dipgpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcila32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dllffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdgijhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdgijhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cemeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dllffa32.exe

Executes dropped EXE 14 IoCs

pid	Process
4876	Cboibm32.exe
2760	Cemeoh32.exe
4828	Cpcila32.exe
3140	Cfmahknh.exe
2956	Cmgjee32.exe
4368	Ddqbbo32.exe
4404	Dinjjf32.exe
1036	Dllffa32.exe
1100	Dfakcj32.exe
3108	Dipgpf32.exe
4084	Dpjompqc.exe
5008	Dgdgijhp.exe
2936	Dibdeegc.exe
1820	Dbkhnk32.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dinjjf32.exe	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Dfakcj32.exe	Dllffa32.exe
File opened for modification	C:\Windows\SysWOW64\Dgdgijhp.exe	Dpjompqc.exe
File opened for modification	C:\Windows\SysWOW64\Dibdeegc.exe	Dgdgijhp.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dibdeegc.exe
File opened for modification	C:\Windows\SysWOW64\Cboibm32.exe	da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe
File created	C:\Windows\SysWOW64\Dinjjf32.exe	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Dllffa32.exe	Dinjjf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfakcj32.exe	Dllffa32.exe
File opened for modification	C:\Windows\SysWOW64\Dipgpf32.exe	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Dgdgijhp.exe	Dpjompqc.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dibdeegc.exe
File created	C:\Windows\SysWOW64\Cboibm32.exe	da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe
File created	C:\Windows\SysWOW64\Fiinbn32.dll	Dipgpf32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dibdeegc.exe
File opened for modification	C:\Windows\SysWOW64\Cpcila32.exe	Cemeoh32.exe
File created	C:\Windows\SysWOW64\Ddqbbo32.exe	Cmgjee32.exe
File created	C:\Windows\SysWOW64\Fgpoahbe.dll	Dpjompqc.exe
File created	C:\Windows\SysWOW64\Dibdeegc.exe	Dgdgijhp.exe
File created	C:\Windows\SysWOW64\Cfmahknh.exe	Cpcila32.exe
File created	C:\Windows\SysWOW64\Dihmeahp.dll	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Hodcma32.dll	Dinjjf32.exe
File created	C:\Windows\SysWOW64\Nffopp32.dll	Dgdgijhp.exe
File created	C:\Windows\SysWOW64\Aoedfmpf.dll	da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe
File created	C:\Windows\SysWOW64\Cemeoh32.exe	Cboibm32.exe
File created	C:\Windows\SysWOW64\Cmgjee32.exe	Cfmahknh.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjee32.exe	Cfmahknh.exe
File opened for modification	C:\Windows\SysWOW64\Dllffa32.exe	Dinjjf32.exe
File created	C:\Windows\SysWOW64\Nfmcle32.dll	Dllffa32.exe
File created	C:\Windows\SysWOW64\Imdnon32.dll	Dfakcj32.exe
File opened for modification	C:\Windows\SysWOW64\Cemeoh32.exe	Cboibm32.exe
File created	C:\Windows\SysWOW64\Cpcila32.exe	Cemeoh32.exe
File created	C:\Windows\SysWOW64\Pdkpjeba.dll	Cemeoh32.exe
File created	C:\Windows\SysWOW64\Pkjhlh32.dll	Cpcila32.exe
File created	C:\Windows\SysWOW64\Dpaohckm.dll	Cmgjee32.exe
File created	C:\Windows\SysWOW64\Dipgpf32.exe	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Dpjompqc.exe	Dipgpf32.exe
File created	C:\Windows\SysWOW64\Cmiikpek.dll	Cboibm32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmahknh.exe	Cpcila32.exe
File created	C:\Windows\SysWOW64\Qfeckiie.dll	Cfmahknh.exe
File opened for modification	C:\Windows\SysWOW64\Ddqbbo32.exe	Cmgjee32.exe
File opened for modification	C:\Windows\SysWOW64\Dpjompqc.exe	Dipgpf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2028	1820	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcila32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddqbbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinjjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dipgpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjompqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cboibm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cemeoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdgijhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dllffa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmahknh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dibdeegc.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihmeahp.dll"	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffopp32.dll"	Dgdgijhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjhlh32.dll"	Cpcila32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cemeoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdnon32.dll"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkpjeba.dll"	Cemeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dllffa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoedfmpf.dll"	da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaohckm.dll"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmcle32.dll"	Dllffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpoahbe.dll"	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgdgijhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgdgijhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfeckiie.dll"	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodcma32.dll"	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dipgpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmiikpek.dll"	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpcila32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cemeoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dllffa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dipgpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Dibdeegc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiinbn32.dll"	Dipgpf32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 4876	2904	da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe	90
PID 2904 wrote to memory of 4876	2904	da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe	90
PID 2904 wrote to memory of 4876	2904	da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe	90
PID 4876 wrote to memory of 2760	4876	Cboibm32.exe	91
PID 4876 wrote to memory of 2760	4876	Cboibm32.exe	91
PID 4876 wrote to memory of 2760	4876	Cboibm32.exe	91
PID 2760 wrote to memory of 4828	2760	Cemeoh32.exe	92
PID 2760 wrote to memory of 4828	2760	Cemeoh32.exe	92
PID 2760 wrote to memory of 4828	2760	Cemeoh32.exe	92
PID 4828 wrote to memory of 3140	4828	Cpcila32.exe	93
PID 4828 wrote to memory of 3140	4828	Cpcila32.exe	93
PID 4828 wrote to memory of 3140	4828	Cpcila32.exe	93
PID 3140 wrote to memory of 2956	3140	Cfmahknh.exe	94
PID 3140 wrote to memory of 2956	3140	Cfmahknh.exe	94
PID 3140 wrote to memory of 2956	3140	Cfmahknh.exe	94
PID 2956 wrote to memory of 4368	2956	Cmgjee32.exe	95
PID 2956 wrote to memory of 4368	2956	Cmgjee32.exe	95
PID 2956 wrote to memory of 4368	2956	Cmgjee32.exe	95
PID 4368 wrote to memory of 4404	4368	Ddqbbo32.exe	96
PID 4368 wrote to memory of 4404	4368	Ddqbbo32.exe	96
PID 4368 wrote to memory of 4404	4368	Ddqbbo32.exe	96
PID 4404 wrote to memory of 1036	4404	Dinjjf32.exe	98
PID 4404 wrote to memory of 1036	4404	Dinjjf32.exe	98
PID 4404 wrote to memory of 1036	4404	Dinjjf32.exe	98
PID 1036 wrote to memory of 1100	1036	Dllffa32.exe	99
PID 1036 wrote to memory of 1100	1036	Dllffa32.exe	99
PID 1036 wrote to memory of 1100	1036	Dllffa32.exe	99
PID 1100 wrote to memory of 3108	1100	Dfakcj32.exe	100
PID 1100 wrote to memory of 3108	1100	Dfakcj32.exe	100
PID 1100 wrote to memory of 3108	1100	Dfakcj32.exe	100
PID 3108 wrote to memory of 4084	3108	Dipgpf32.exe	101
PID 3108 wrote to memory of 4084	3108	Dipgpf32.exe	101
PID 3108 wrote to memory of 4084	3108	Dipgpf32.exe	101
PID 4084 wrote to memory of 5008	4084	Dpjompqc.exe	103
PID 4084 wrote to memory of 5008	4084	Dpjompqc.exe	103
PID 4084 wrote to memory of 5008	4084	Dpjompqc.exe	103
PID 5008 wrote to memory of 2936	5008	Dgdgijhp.exe	104
PID 5008 wrote to memory of 2936	5008	Dgdgijhp.exe	104
PID 5008 wrote to memory of 2936	5008	Dgdgijhp.exe	104
PID 2936 wrote to memory of 1820	2936	Dibdeegc.exe	105
PID 2936 wrote to memory of 1820	2936	Dibdeegc.exe	105
PID 2936 wrote to memory of 1820	2936	Dibdeegc.exe	105

C:\Users\Admin\AppData\Local\Temp\da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe
"C:\Users\Admin\AppData\Local\Temp\da96a1decf9b5c2f9e8a395ff97b5bc6414d1f0033994693526d5c03baa1eb17.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\Cboibm32.exe
  C:\Windows\system32\Cboibm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\Cemeoh32.exe
    C:\Windows\system32\Cemeoh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\Cpcila32.exe
      C:\Windows\system32\Cpcila32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
      - C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Dgdgijhp.exe
        
        C:\Windows\system32\Dgdgijhp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 400
        16⤵
        Program crash
        
        PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1820 -ip 1820
1⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4616,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=1008 /prefetch:8
1⤵
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cboibm32.exe

Filesize
96KB

MD5
ace186e648e89f0bbe86619261dc8a38

SHA1
eb1f94344bd7bbc91f594fd65d77ccc7b58de8e3

SHA256
e97e46379ea72f6c956d30aebb7ff9c7026aaab55a6b16fd6d648fc65d5cd16e

SHA512
b367be04be419dc83e0d3ea212eb7d440a06fe5688f7d427b09eae38ddb9d08a9d6ae7bad74e3515374c48105277206f1ae6094d97061f4cf04f5e9af66ef3c7

Download Submit
C:\Windows\SysWOW64\Cemeoh32.exe

Filesize
96KB

MD5
f95cae4158082ca8a2b2ebc05abf8fa2

SHA1
942ec445c663d01312854569a197265ea0c5c5c2

SHA256
003709d4c714e435104e431cae16503d84f865ab1990d4a58bb9e63a72510a6d

SHA512
4f4cc92c3ccc6c06b49d08d3f3f18997c5d3294cbcfa8f35536f805e91956fffd25b95f61801fee43d8729e66f7b0c893207f948e559ecf26801344e47a9f9a8

Download Submit
C:\Windows\SysWOW64\Cfmahknh.exe

Filesize
96KB

MD5
4e317c6d1b5da5b4379edf314dcecb6a

SHA1
42d437775d3e537164bf00e15838d7c3bb17a362

SHA256
49ecaadf2dfa581459861677f59a816934939f97666972073f5a630021995f06

SHA512
9e596bf5202fedb1ddeb92d8991468466e59a4a49773c3e88c04b79139c6fd58ef5f56b6a640357e45a2762c1abcae78ddd1c672c7ff43dbf4475594b0ada20a

Download Submit
C:\Windows\SysWOW64\Cmgjee32.exe

Filesize
96KB

MD5
406afaca73fde8792d678cc237b77264

SHA1
aa8a2dc6c1553801d3867fcb68bedffabfe77260

SHA256
947c91d955ff678a92c997ced6315834bea28cc9a09d020d371de95efe98c795

SHA512
6501ee8dc25684adb84dc936625aaed7c018242c6de1b5791d3b82cbfcd3b2e0f87349dcc1abaee86009a157d0b11c574a706e31ac43425482461b3849f93a5e

Download Submit
C:\Windows\SysWOW64\Cpcila32.exe

Filesize
96KB

MD5
fdf002ba70a6dec10632bf748ec496fc

SHA1
3261ed64ed1977068302c085e8a5299feb601ff1

SHA256
f785fe6224fd91473bdb0f39fb7eacc83a5497d29b75b63ccbee527b77c240c5

SHA512
5d2b329d0295b370cc999b2c9e00d205f9f3f55af3a0f1c163d5ba7fce6cad0f72d873ad9362660a1d60442300ba69867730423bd0fda79c011c78bb16bb0e1d

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
96KB

MD5
09be56305fef6297fe84d1f4d58aa376

SHA1
4b56db71959f2a49e26f40e7d5f887c197b4edf0

SHA256
e29e21465863f49a451fb15484b4fbd0a142bf87a8f3a3c9f2a0714b1508eac2

SHA512
0e849d7176a30b85527b43133249423dc57846277c8026c9b261079c27a15c20258ba9ae33e202e55395668e4cce0ead0fd848225c4c46e0bb5e2b2185ce7774

Download Submit
C:\Windows\SysWOW64\Ddqbbo32.exe

Filesize
96KB

MD5
53644b2c6a2b3c5728988f81decc1e1c

SHA1
b25e112eca69b12ba53c385ea5335faa18c51110

SHA256
70dc1b4b125ed3d4b9d4e2aba1a109fbbf6b6ffc977ff48a4d0f967bafa90d2a

SHA512
9544302a6931eb2bca9ec0a670b16537bad619aa89ad8997e76ce3beacc3bb3844e1fb17bdf301e2139fbbc7e25255950c33211c90707eaf62d320714f03f70d

Download Submit
C:\Windows\SysWOW64\Dfakcj32.exe

Filesize
96KB

MD5
bcf842cc458b1553420c7703814afd37

SHA1
4cf9de0202ced3c6f2e5528b50b94d4d5c2af35f

SHA256
27ff76504f37d24bec43335bf2469b5c8d877c60de372efb2b0447ed44751c19

SHA512
0aa04ff50189f8e20e98f9a84db12f01fb4611966b34ac69af2abd7eeef494d5e306e3233c803be86295cc6312d6f353fb1c04a9357121a1215ce68c741c9ed9

Download Submit
C:\Windows\SysWOW64\Dgdgijhp.exe

Filesize
96KB

MD5
8ae271d5546c92e04d964cd719ce0353

SHA1
f0798d145d94eb3dcc85b99679d20d5b6c578e1b

SHA256
03f3c093ef37a617fbd3cec7bfaad3db0a2fa0ed5611549440a037f0ea263fb0

SHA512
96d50459590c5ed53259b1e263a5ba40ba8aa7b1166bedd77d0e65b002c088fd69010f10f80a6aec2ac85742774f301d3f400457d8faaec4f5340108d391494c

Download Submit
C:\Windows\SysWOW64\Dibdeegc.exe

Filesize
96KB

MD5
b9eee8f91c04fc35a76a047f728deaab

SHA1
cb12a66c0d209b3c9739c684e1ec31f79407bd9a

SHA256
c456a7961e4106b02079ed760342ecc2b28299b964b315251f9d648edf7c9468

SHA512
37adf5217666256606711eb9ab4ebaa0d14cb3b94c88d5bac060bcc881712b3ec546232c95ad7852b2bdb4c34c035f547e03d1217f05a7545a364fc3e3e8b32c

Download Submit
C:\Windows\SysWOW64\Dinjjf32.exe

Filesize
96KB

MD5
d9cd1b941be1bdb859a604416e0de60f

SHA1
e20f5afcf1cd964283e9f95722cb43c3d9d72344

SHA256
3737feba0af00e511f1f538bc285a8a646ecf3b2c6e51da27d731e692beb072f

SHA512
43a54f98049e1f020a313968a7520c12354529355eb2fc3b58e05bf69f3b8610382590267702db71b46b2090e04a3f7bd5e3a5e771d9f5f663f3f1de0521a941

Download Submit
C:\Windows\SysWOW64\Dipgpf32.exe

Filesize
96KB

MD5
849d9e8fc16a128a58eefcdda1b8a15f

SHA1
0e4855f08ae6ce1f6dfcecd77ef12e7b2b519320

SHA256
5fcb183f9935ae4529e917097e2140e4713028ec085944ce5176e7ddd0fe63b0

SHA512
836c1667c0ee0d174d1774e75b2979017e9ea1bd10fdbf761fcaf4b9cf8a2327f24777b041a827f0b0774959bde9a1b8d57713b6575f126c61beeadaf437ee2f

Download Submit
C:\Windows\SysWOW64\Dllffa32.exe

Filesize
96KB

MD5
59c3ece24fa028c9612e412650f3bf22

SHA1
ad9f9d5c4de0e6cdf93ed5da2750882cd194a2e0

SHA256
9177df2b06eba35b382a40ba0ff319df64b23752d8b12678b02c3032d83b9026

SHA512
91d77fe008fdb75e8eced532b51f755fd025075cb12bf854f34fb2a91505515d2303c46eb3461d1e2326b5b9e8f171fb9b6f24c470f116693e2d2d1bcab4a4d5

Download Submit
C:\Windows\SysWOW64\Dpjompqc.exe

Filesize
96KB

MD5
9f151c584ac4a9c21348492c5d8ddb75

SHA1
30769d87ac22e135fd1bf61ab335f2ed6548fcda

SHA256
f44a9962545d11aa639c4664bf11abf2548c207419ccf10cfd417e85cfc07e72

SHA512
3d5d340a6accb8d8ee9005aecac1eb78548caf79ca13c363728277433b0420a96dfa3db07f0f75b5c84f08402824cb04cf1f745ca6096ed0750943ab1bc9afff

Download Submit
memory/1036-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-123-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads