ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 04:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
Size

844KB
MD5

4121d8e033787ba2cf14b55a3530a139
SHA1

eb6164faca979146df086e93d457784938f1ecc0
SHA256

ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30
SHA512

600b95f834093f7d4869a893f0381392159ae121d3c794573bf1a874502cac62c3001dd0b03ea224437491f79e5069c8c040a87fdfbb6016b01edd7dbffb5aaf
SSDEEP

24576:UH5W3Tnbc53cp6p5vihMpQnqrdX72LbY6x46uR/qYglMS:UH5W3TbGBihw+cdX2x46uhqllMS

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jchhkjhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lapnnafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moanaiie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbpgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kebgia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljffag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lccdel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfdmggnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jchhkjhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjbpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilfcpqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaldcb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lccdel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjfjbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjfjbdle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgcpjmcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljffag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lapnnafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meijhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcpjmcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilfcpqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlekia32.exe

Executes dropped EXE 21 IoCs

pid	Process
2820	Jchhkjhn.exe
2864	Jjbpgd32.exe
2860	Kjfjbdle.exe
1920	Kilfcpqm.exe
2260	Kebgia32.exe
800	Kgcpjmcb.exe
832	Kaldcb32.exe
2844	Ljffag32.exe
1324	Lapnnafn.exe
2900	Lccdel32.exe
768	Lfdmggnm.exe
1436	Meijhc32.exe
2264	Moanaiie.exe
2056	Mdacop32.exe
2344	Mmihhelk.exe
1668	Nplmop32.exe
2436	Niebhf32.exe
1864	Nlekia32.exe
1568	Nodgel32.exe
1536	Niikceid.exe
2388	Nlhgoqhh.exe

Loads dropped DLL 46 IoCs

pid	Process
2180	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
2180	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
2820	Jchhkjhn.exe
2820	Jchhkjhn.exe
2864	Jjbpgd32.exe
2864	Jjbpgd32.exe
2860	Kjfjbdle.exe
2860	Kjfjbdle.exe
1920	Kilfcpqm.exe
1920	Kilfcpqm.exe
2260	Kebgia32.exe
2260	Kebgia32.exe
800	Kgcpjmcb.exe
800	Kgcpjmcb.exe
832	Kaldcb32.exe
832	Kaldcb32.exe
2844	Ljffag32.exe
2844	Ljffag32.exe
1324	Lapnnafn.exe
1324	Lapnnafn.exe
2900	Lccdel32.exe
2900	Lccdel32.exe
768	Lfdmggnm.exe
768	Lfdmggnm.exe
1436	Meijhc32.exe
1436	Meijhc32.exe
2264	Moanaiie.exe
2264	Moanaiie.exe
2056	Mdacop32.exe
2056	Mdacop32.exe
2344	Mmihhelk.exe
2344	Mmihhelk.exe
1668	Nplmop32.exe
1668	Nplmop32.exe
2436	Niebhf32.exe
2436	Niebhf32.exe
1864	Nlekia32.exe
1864	Nlekia32.exe
1568	Nodgel32.exe
1568	Nodgel32.exe
1536	Niikceid.exe
1536	Niikceid.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nplmop32.exe	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Moanaiie.exe	Meijhc32.exe
File opened for modification	C:\Windows\SysWOW64\Moanaiie.exe	Meijhc32.exe
File created	C:\Windows\SysWOW64\Mmihhelk.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Nkeghkck.dll	Mdacop32.exe
File created	C:\Windows\SysWOW64\Daifmohp.dll	Lfdmggnm.exe
File created	C:\Windows\SysWOW64\Jchhkjhn.exe	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
File created	C:\Windows\SysWOW64\Kebgia32.exe	Kilfcpqm.exe
File created	C:\Windows\SysWOW64\Kmikde32.dll	Kilfcpqm.exe
File created	C:\Windows\SysWOW64\Kaldcb32.exe	Kgcpjmcb.exe
File created	C:\Windows\SysWOW64\Kmcipd32.dll	Kjfjbdle.exe
File created	C:\Windows\SysWOW64\Pikhak32.dll	Ljffag32.exe
File opened for modification	C:\Windows\SysWOW64\Ljffag32.exe	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Lccdel32.exe	Lapnnafn.exe
File created	C:\Windows\SysWOW64\Niikceid.exe	Nodgel32.exe
File opened for modification	C:\Windows\SysWOW64\Mdacop32.exe	Moanaiie.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Nlekia32.exe
File created	C:\Windows\SysWOW64\Dnlbnp32.dll	Nodgel32.exe
File created	C:\Windows\SysWOW64\Jjbpgd32.exe	Jchhkjhn.exe
File created	C:\Windows\SysWOW64\Kjfjbdle.exe	Jjbpgd32.exe
File created	C:\Windows\SysWOW64\Enlejpga.dll	Jjbpgd32.exe
File created	C:\Windows\SysWOW64\Fhhmapcq.dll	Lccdel32.exe
File created	C:\Windows\SysWOW64\Gpbgnedh.dll	Meijhc32.exe
File created	C:\Windows\SysWOW64\Phmkjbfe.dll	Niebhf32.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Niikceid.exe
File opened for modification	C:\Windows\SysWOW64\Kjfjbdle.exe	Jjbpgd32.exe
File created	C:\Windows\SysWOW64\Kilfcpqm.exe	Kjfjbdle.exe
File opened for modification	C:\Windows\SysWOW64\Kaldcb32.exe	Kgcpjmcb.exe
File created	C:\Windows\SysWOW64\Bohnbn32.dll	Kgcpjmcb.exe
File created	C:\Windows\SysWOW64\Lapnnafn.exe	Ljffag32.exe
File opened for modification	C:\Windows\SysWOW64\Meijhc32.exe	Lfdmggnm.exe
File opened for modification	C:\Windows\SysWOW64\Kgcpjmcb.exe	Kebgia32.exe
File created	C:\Windows\SysWOW64\Nplmop32.exe	Mmihhelk.exe
File created	C:\Windows\SysWOW64\Hloopaak.dll	Kebgia32.exe
File opened for modification	C:\Windows\SysWOW64\Lfdmggnm.exe	Lccdel32.exe
File created	C:\Windows\SysWOW64\Nlekia32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Mdacop32.exe	Moanaiie.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Nlekia32.exe
File opened for modification	C:\Windows\SysWOW64\Jchhkjhn.exe	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
File opened for modification	C:\Windows\SysWOW64\Kilfcpqm.exe	Kjfjbdle.exe
File opened for modification	C:\Windows\SysWOW64\Lccdel32.exe	Lapnnafn.exe
File created	C:\Windows\SysWOW64\Fdbnmk32.dll	Lapnnafn.exe
File created	C:\Windows\SysWOW64\Incbogkn.dll	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Kebgia32.exe	Kilfcpqm.exe
File created	C:\Windows\SysWOW64\Kgcpjmcb.exe	Kebgia32.exe
File opened for modification	C:\Windows\SysWOW64\Lapnnafn.exe	Ljffag32.exe
File opened for modification	C:\Windows\SysWOW64\Mmihhelk.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Meijhc32.exe	Lfdmggnm.exe
File opened for modification	C:\Windows\SysWOW64\Niikceid.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Nqdgapkm.dll	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
File created	C:\Windows\SysWOW64\Alfadj32.dll	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Pdlbongd.dll	Moanaiie.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Nplmop32.exe
File opened for modification	C:\Windows\SysWOW64\Nlekia32.exe	Niebhf32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbpgd32.exe	Jchhkjhn.exe
File created	C:\Windows\SysWOW64\Qkhgoi32.dll	Jchhkjhn.exe
File created	C:\Windows\SysWOW64\Ljffag32.exe	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Lfdmggnm.exe	Lccdel32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2880	2388	WerFault.exe	50

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meijhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlekia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjbpgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaldcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebgia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljffag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lapnnafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmihhelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplmop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jchhkjhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kilfcpqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niikceid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moanaiie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdacop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcpjmcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfdmggnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjfjbdle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lccdel32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdgapkm.dll"	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jchhkjhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlejpga.dll"	Jjbpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kebgia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lccdel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Meijhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjbpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jchhkjhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhmapcq.dll"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikhak32.dll"	Ljffag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kebgia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljffag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lapnnafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Meijhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lapnnafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhgoi32.dll"	Jchhkjhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjfjbdle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kilfcpqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbnmk32.dll"	Lapnnafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcipd32.dll"	Kjfjbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmikde32.dll"	Kilfcpqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kilfcpqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljffag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdacop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlekia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjfjbdle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgcpjmcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohnbn32.dll"	Kgcpjmcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjbpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgcpjmcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfadj32.dll"	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpbgnedh.dll"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hloopaak.dll"	Kebgia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moanaiie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nodgel32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2820	2180	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe	30
PID 2180 wrote to memory of 2820	2180	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe	30
PID 2180 wrote to memory of 2820	2180	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe	30
PID 2180 wrote to memory of 2820	2180	ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe	30
PID 2820 wrote to memory of 2864	2820	Jchhkjhn.exe	31
PID 2820 wrote to memory of 2864	2820	Jchhkjhn.exe	31
PID 2820 wrote to memory of 2864	2820	Jchhkjhn.exe	31
PID 2820 wrote to memory of 2864	2820	Jchhkjhn.exe	31
PID 2864 wrote to memory of 2860	2864	Jjbpgd32.exe	32
PID 2864 wrote to memory of 2860	2864	Jjbpgd32.exe	32
PID 2864 wrote to memory of 2860	2864	Jjbpgd32.exe	32
PID 2864 wrote to memory of 2860	2864	Jjbpgd32.exe	32
PID 2860 wrote to memory of 1920	2860	Kjfjbdle.exe	33
PID 2860 wrote to memory of 1920	2860	Kjfjbdle.exe	33
PID 2860 wrote to memory of 1920	2860	Kjfjbdle.exe	33
PID 2860 wrote to memory of 1920	2860	Kjfjbdle.exe	33
PID 1920 wrote to memory of 2260	1920	Kilfcpqm.exe	34
PID 1920 wrote to memory of 2260	1920	Kilfcpqm.exe	34
PID 1920 wrote to memory of 2260	1920	Kilfcpqm.exe	34
PID 1920 wrote to memory of 2260	1920	Kilfcpqm.exe	34
PID 2260 wrote to memory of 800	2260	Kebgia32.exe	35
PID 2260 wrote to memory of 800	2260	Kebgia32.exe	35
PID 2260 wrote to memory of 800	2260	Kebgia32.exe	35
PID 2260 wrote to memory of 800	2260	Kebgia32.exe	35
PID 800 wrote to memory of 832	800	Kgcpjmcb.exe	36
PID 800 wrote to memory of 832	800	Kgcpjmcb.exe	36
PID 800 wrote to memory of 832	800	Kgcpjmcb.exe	36
PID 800 wrote to memory of 832	800	Kgcpjmcb.exe	36
PID 832 wrote to memory of 2844	832	Kaldcb32.exe	37
PID 832 wrote to memory of 2844	832	Kaldcb32.exe	37
PID 832 wrote to memory of 2844	832	Kaldcb32.exe	37
PID 832 wrote to memory of 2844	832	Kaldcb32.exe	37
PID 2844 wrote to memory of 1324	2844	Ljffag32.exe	38
PID 2844 wrote to memory of 1324	2844	Ljffag32.exe	38
PID 2844 wrote to memory of 1324	2844	Ljffag32.exe	38
PID 2844 wrote to memory of 1324	2844	Ljffag32.exe	38
PID 1324 wrote to memory of 2900	1324	Lapnnafn.exe	39
PID 1324 wrote to memory of 2900	1324	Lapnnafn.exe	39
PID 1324 wrote to memory of 2900	1324	Lapnnafn.exe	39
PID 1324 wrote to memory of 2900	1324	Lapnnafn.exe	39
PID 2900 wrote to memory of 768	2900	Lccdel32.exe	40
PID 2900 wrote to memory of 768	2900	Lccdel32.exe	40
PID 2900 wrote to memory of 768	2900	Lccdel32.exe	40
PID 2900 wrote to memory of 768	2900	Lccdel32.exe	40
PID 768 wrote to memory of 1436	768	Lfdmggnm.exe	41
PID 768 wrote to memory of 1436	768	Lfdmggnm.exe	41
PID 768 wrote to memory of 1436	768	Lfdmggnm.exe	41
PID 768 wrote to memory of 1436	768	Lfdmggnm.exe	41
PID 1436 wrote to memory of 2264	1436	Meijhc32.exe	42
PID 1436 wrote to memory of 2264	1436	Meijhc32.exe	42
PID 1436 wrote to memory of 2264	1436	Meijhc32.exe	42
PID 1436 wrote to memory of 2264	1436	Meijhc32.exe	42
PID 2264 wrote to memory of 2056	2264	Moanaiie.exe	43
PID 2264 wrote to memory of 2056	2264	Moanaiie.exe	43
PID 2264 wrote to memory of 2056	2264	Moanaiie.exe	43
PID 2264 wrote to memory of 2056	2264	Moanaiie.exe	43
PID 2056 wrote to memory of 2344	2056	Mdacop32.exe	44
PID 2056 wrote to memory of 2344	2056	Mdacop32.exe	44
PID 2056 wrote to memory of 2344	2056	Mdacop32.exe	44
PID 2056 wrote to memory of 2344	2056	Mdacop32.exe	44
PID 2344 wrote to memory of 1668	2344	Mmihhelk.exe	45
PID 2344 wrote to memory of 1668	2344	Mmihhelk.exe	45
PID 2344 wrote to memory of 1668	2344	Mmihhelk.exe	45
PID 2344 wrote to memory of 1668	2344	Mmihhelk.exe	45

C:\Users\Admin\AppData\Local\Temp\ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe
"C:\Users\Admin\AppData\Local\Temp\ce8e06f9c38a172289dc42c4785895cd97c161ddeb756bcb568748d1ce02ac30.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\Jchhkjhn.exe
  C:\Windows\system32\Jchhkjhn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\Jjbpgd32.exe
    C:\Windows\system32\Jjbpgd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\Kjfjbdle.exe
      C:\Windows\system32\Kjfjbdle.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\Kilfcpqm.exe
        
        C:\Windows\system32\Kilfcpqm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\SysWOW64\Kebgia32.exe
        
        C:\Windows\system32\Kebgia32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Kgcpjmcb.exe
        
        C:\Windows\system32\Kgcpjmcb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Kaldcb32.exe
        
        C:\Windows\system32\Kaldcb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Ljffag32.exe
        
        C:\Windows\system32\Ljffag32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Lapnnafn.exe
        
        C:\Windows\system32\Lapnnafn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Lccdel32.exe
        
        C:\Windows\system32\Lccdel32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Lfdmggnm.exe
        
        C:\Windows\system32\Lfdmggnm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Meijhc32.exe
        
        C:\Windows\system32\Meijhc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Moanaiie.exe
        
        C:\Windows\system32\Moanaiie.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Mdacop32.exe
        
        C:\Windows\system32\Mdacop32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Mmihhelk.exe
        
        C:\Windows\system32\Mmihhelk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Nplmop32.exe
        
        C:\Windows\system32\Nplmop32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 140
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kebgia32.exe

Filesize
844KB

MD5
3f314ee687e198eeab998207f492c600

SHA1
7d993edf4568a9e408c91d1057d43658314c53d9

SHA256
121fb14cae2b81d103e915fdd0942eefd4eafe127be9e3d51a06747e065f0f26

SHA512
76de93e76d7940ceffe5458e376e06c49b8383d8af0ac5a608953abf09c08ea90fb62051b9723c30403b393c8cecbb02711f43690efc5d6c14e9b68845352de5

Download Submit
C:\Windows\SysWOW64\Kjfjbdle.exe

Filesize
844KB

MD5
f37b2706f046462e19b27a30c42b6a42

SHA1
9b9cb35fbd272f7200ec73fd7dcfd82b194b13a9

SHA256
9352e3c2c59d96b9cb233e6bbcdbf7385785b4053dbfb1887147aecd883273ba

SHA512
2127197cf1583974146da2f970bb2c9f874817e1e8571217643c3ace39bae39e25a960eabe82f67ba2c1e3f6acf3dce8d49ea855cf868a9f41f0c5ca09d1001d

Download Submit
C:\Windows\SysWOW64\Kmikde32.dll

Filesize
7KB

MD5
4a5b4f75fe571c160cd08f62d2ba3d45

SHA1
f2309b4be25c32d03ffd7fab63f111a617567dd0

SHA256
4f7c6ed8af67aa0a8a7f0cd6d6784730a0abf908686eaaa34cae70c284fa1e91

SHA512
005bce9a9b9c3c5f5af85fd5603e9dbd4a20d997c3f779c34703e91bf3783a4946f5a6412644c76c463d226aed3a79600427dec27af5008a9f7e93f9056506bc

Download Submit
C:\Windows\SysWOW64\Lapnnafn.exe

Filesize
844KB

MD5
b334f7ff7afd52ca9332f4f69482dd48

SHA1
ec3dfb088c881c7dd54cb6ff1a09fcce652fb0e1

SHA256
766c1ec74979394ebe2a8798a8e8affea3414722e74d059d0bd1ed61019c2938

SHA512
03509da2384e80b55483011a8d5674bf28bd39ef3390f443b0d7f1f80f5b012a5b2717a51a5824576901244d26cea14176f6be8d6e81dd3e57c2e9f211f71ac9

Download Submit
C:\Windows\SysWOW64\Ljffag32.exe

Filesize
844KB

MD5
d9b75fc89a5765e8fbe2c1625b1c44de

SHA1
d21228b71c05c4298ca2e253253ac36e8b1968d1

SHA256
c062b027c35c1ef47e983021eab11955296c64f4a8bcca0e970c14d9d30ba2b7

SHA512
dfd1e47523424f77f911ace0b3967da2da147f06071e9cb42140daec61830bc091912e22e591eaf6dd509d59de255269e384b629d29c38f1e28cf9d41b43c6f0

Download Submit
C:\Windows\SysWOW64\Mmihhelk.exe

Filesize
844KB

MD5
2bfec2204ec3cac37e3c2a3ea999f14f

SHA1
c55ead28c3fcaf718a3187783d47b0387307fbf4

SHA256
3b08d8707f0788df99dfae58144faff9107c34a53080bf0edb4017dd1fab82fd

SHA512
61e31fecc5edd9474da0628961611d9978d5378e414947f4df8d865dfeb20427fc39da3e7eb007766dabb5bb111baee0f4d081a9e564ab5032098cf0cfee0282

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
844KB

MD5
a40931c26c7b9234ee2dbd41835a0ab0

SHA1
f18d3c2c0e58eceb49e4caaca5a882394651da07

SHA256
79bc0a24adf81593045594324da2bbcd2841926909c55930b29c2326969c1bed

SHA512
3ff410728337792273e6a16cb75203816320f178f4afddcc91ad97f33f3676143e26472b2b805d37fe52534523abd5cba844692af2af4a21d77a91a3442feab0

Download Submit
C:\Windows\SysWOW64\Niikceid.exe

Filesize
844KB

MD5
1d7351f54e91350a2c06335fcd5b3e7f

SHA1
5eec25fe72c2a1e44866ba1dc0b21d352bc0e09c

SHA256
31024ad1423d8e3fedc28e23ad715387a219456ea2940553110cf8c5a384ff79

SHA512
fdae3b3ef3d6aca3034b4f8ba165609ed77ae323b70c36c40574159bf452407c213d9d998d8085a09503cd4f4ed0ca845e9cefc62d957c3c4c417c0b73655aa6

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
844KB

MD5
b2b25be2ad04af0c61bf5d66a547f7f5

SHA1
55c9598abfde6cee0b0e943f0e3495474101836f

SHA256
6c703ca7ddb8bb608e6519c3552ca8705f2ba6cc329e746bd0c5cfec4493a621

SHA512
dc5cfff495b85dd7dbfb2c89f46594d64bb20604e10d77ece22b2788ec8ddd5af8b8c1b2d681e5721b0444038447d02765bfcbef67890adb9e07c89a61396e6f

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
844KB

MD5
0d0478f3c12e229e02487e3a65606671

SHA1
996dc3b47b71e4175ffb11ea87b9faa26c0d1f8e

SHA256
3c4eb6955879d2fcd32aec23fcd3c7477c789003cfb2838e972ed227711e2e15

SHA512
f1cbdf7c2e0528c47bd5d49f1224ec344eb6ec44560b055765ccb15e50139b66dde7b0620bd4e7e095accd11cd1ee03523efda38f167ed66eef87e9b96983502

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
844KB

MD5
cfbcf191df1caddf43f1b53683ab1145

SHA1
1540b3150333e2699600761a2d2e14792457ca78

SHA256
c8b42061eca2e06f9805860aa53d2eca9cb2e2b4551cd1ccbe8a9c7b3d9b337b

SHA512
52fd6af65e76ed81c59277eea9070a6645fb4ddcb3509f5da07b2ac3dff4e86811b0abe9587d5f8433af26c6c5cc77a0d68f4d8e46489221dec05355ba2ca329

Download Submit
\Windows\SysWOW64\Jchhkjhn.exe

Filesize
844KB

MD5
5ae15464950419b0fdb17bbac38db26c

SHA1
be1fcc10b8dfbaa4bcb86b003e88b0020075a15e

SHA256
c0556e882651f7c3872b544504118fb7fb9dead7ed945133e8643b82aec6c355

SHA512
5182da37d14150448c97511d7b83b4bc3b76452a290b06a11fd8cd10061a14eb4d3bd354b543abbb807982154e6fa85f3e539ecbb6862d7e0658edb1ec3e0549

Download Submit
\Windows\SysWOW64\Jjbpgd32.exe

Filesize
844KB

MD5
5ce17075f52ad9cd22e081ef00b3bd6a

SHA1
18584313d96fd43dc0da2e563e722b24e8a3b1de

SHA256
f90ae932b8501f03771dd8c59ee8f94eed9385e6227fb0256ea271e5c815337f

SHA512
2f1f1dc2ccdd38b96e738da05c3ae7bd74da40fee5af362387ccdce37e727c90fd97c525f01374df66cbf0f06fa584ebb1f10eaf327a825236569d0c53c29683

Download Submit
\Windows\SysWOW64\Kaldcb32.exe

Filesize
844KB

MD5
cfa8b91dd547424290550aed7504bfab

SHA1
ef85f733cdccb324037a9cb54824a40d273e1916

SHA256
945c6faba1902fa33bfe86f6807f9c5a99a878b07a6ac1fe58842021fb9d30be

SHA512
a1f9c8fcecd545d240a53a4b4e0572076597c0ff7cc685676f040373932d41a11af76c42cf875066090a51c3cb6e54c357403a21cae26eacfc20ca25415f559d

Download Submit
\Windows\SysWOW64\Kgcpjmcb.exe

Filesize
844KB

MD5
a6d52bfb20caf2dcffde5cfaa3fd994c

SHA1
adc1fcc7c56b7f482d441036f5df3b90b1f44ee3

SHA256
9da1aa2f06ee5d7f9d94096cf8373c46d5c8a79b25a3a19404a1b0d47be8b1a8

SHA512
217dfa92158cae995eec0bcc57cb7fbd9f5fb1cc1bbb9392d267e97cc9a825e88c37fb410bec6e926573a0b8e43212d7d039e22121c2729e02bf167eed9dac15

Download Submit
\Windows\SysWOW64\Kilfcpqm.exe

Filesize
844KB

MD5
9dfe10ad86734adc34a7c0ba56d13bbb

SHA1
e5a68880fd70fc40eff4f9e072f6dee5545e2444

SHA256
6822b58832ab636c514fdfa6ec754c31239d06286f5832e33f163103df5046c5

SHA512
5edee43637ac20d13e59997d23bb868b6ea547f2e312269329dab3e2230bb326aab889128edd124ea8cfcc885af9d4d58554d0f51c54ee3fe74374c34b390687

Download Submit
\Windows\SysWOW64\Lccdel32.exe

Filesize
844KB

MD5
81b2162178d5f0ba16757fb80e39e842

SHA1
3d0d27065048a226fd08a8d872d56cc5885079b4

SHA256
e2ae776cb80563eb736c6c40ff590e8b81c806467118d813563397d2c6519f47

SHA512
480fe840ecc7a0c9ca8ae00c42441131b54ee699da9eaf6a9edd0ac8b1af1ff7eda0fcfc0096c941d9d7b24946244edb38b322f516274c7593a6e746734fe7b0

Download Submit
\Windows\SysWOW64\Lfdmggnm.exe

Filesize
844KB

MD5
13b4a1ec38af66c3f5a007e72104f1ee

SHA1
7a3bae7351b93999bf39e8ce0c0faf303b54f48c

SHA256
49535f54367e94155df9b79f276ff65507115a6b4f065b08558d7002dd1723b0

SHA512
22a10599738b8902523215b1de5c648d57aeb172d5876cec7f44bc7a5c69062d00356568d6fdbe1aa9764c23e6be705fc40fb339250886e183252376e3b2fbd9

Download Submit
\Windows\SysWOW64\Mdacop32.exe

Filesize
844KB

MD5
f972eec110bc6382080d433d81c60493

SHA1
32a30ea4dac5c2865b51b81e4f7f04bf35aab53e

SHA256
0909251597d9379c4db871f0ea8a71d64123eda74b0fcda90ae23494bf52f7cb

SHA512
fdbd8118e327298077daead67cb0a721ce8756856310b282358dc6dedf60f7913b685a65516db3385f87c88a53fb0805ce411456b3007376a94af9a444faee8f

Download Submit
\Windows\SysWOW64\Meijhc32.exe

Filesize
844KB

MD5
b12898a00eedff5a0fd62f666b66d1f7

SHA1
4852280326a61fff6a19f2f9b9dcc0bf31141a3c

SHA256
7b86b3370c50e9d109cc348eefc5fb08eeab299b6b90dcce7e6a349822deca49

SHA512
016a7a35c1221165deb6f2576ccf2f3ce5ddd4805133a8bef7c44476a23f202b21713a4d8728839a04274613f436f7446ff28deb52ddc30bf3cccadc31771939

Download Submit
\Windows\SysWOW64\Moanaiie.exe

Filesize
844KB

MD5
edf36508edb845dbb4c4d8100ca33211

SHA1
fd60d0e9235dca466393dbd91bedf3cfb8fd7ad3

SHA256
19e2e46f94ff7c42cfe17ef9613b638e04cb5b92a3d00582aee2b6f834dbc70d

SHA512
b0f931f46d9a63e652a6ac8b2b99ec9738461658b493a2dafaab096854647cb5cf453811a0b266108e1e7c6fcf8786e63e5c3609b789a20f9e021d83e78b731c

Download Submit
\Windows\SysWOW64\Nplmop32.exe

Filesize
844KB

MD5
156a9d5eb085d6d513c4ea2170640a50

SHA1
b4c1bd9a8b4ee83fca0d77465a935921e8a80a37

SHA256
3825c942f3dc4c108d42bfed19c886f07748bbe5aacf2fa8390fb2bd723565ea

SHA512
f9b46618aa7965f8cf3ae161a40ed06beab812e19e24ca1a17e4c12618fa99e35cdfbe532d0518f979481aa90d241567c339cf49b2153191830e27fa5b7237ce

Download Submit
memory/768-161-0x0000000002010000-0x0000000002053000-memory.dmp

Filesize
268KB

Download
memory/768-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/768-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/800-95-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/800-90-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/800-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/800-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/832-105-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/832-110-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/832-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/832-282-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1324-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1324-134-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1324-284-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1436-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1536-273-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1536-274-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1536-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-267-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1568-266-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1668-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1668-231-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1668-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-252-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1864-251-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1920-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1920-67-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2056-206-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2056-198-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2180-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2180-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2180-18-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2180-17-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2260-75-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2260-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2260-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-187-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2264-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-179-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2344-214-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2344-289-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2344-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2436-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2436-241-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2436-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2436-242-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2820-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-283-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-125-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2860-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2860-49-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2860-278-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-27-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-277-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-40-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2900-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2900-140-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads