aead0b587d7cedbf53c527490a1a13a81797e2aa2889479c26656d5ab3f79467

Analysis

max time kernel
34s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1587487fb0bc7ac85b995b6e49428c30N.exe
Size

76KB
MD5

1587487fb0bc7ac85b995b6e49428c30
SHA1

1c3148aecfc42f6602e9b4e35f032e53d409a502
SHA256

aead0b587d7cedbf53c527490a1a13a81797e2aa2889479c26656d5ab3f79467
SHA512

1dd3284c9a9f2228265a71c40aab40cf8ccc0f188989643ca5f1e8bf9b6cf40196a0c232edb80331c6956e76c9a51b10839c9580112c77ba0116b6d2173b796b
SSDEEP

1536:L5bC8qrfYYwBcDOvU79/qJlR3Iv8lHioQV+/eCeyvCQ:JEfYYwGO+9CRE8lHrk+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cahail32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkqbaecc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjaonpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnndlod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enakbp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chbjffad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djklnnaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Effcma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1587487fb0bc7ac85b995b6e49428c30N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cghggc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknekeef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egjpkffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enfenplo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cojema32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckccgane.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmpkjkma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlnbeh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enakbp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlnbeh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cojema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cghggc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknekeef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmicm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cahail32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejhlgaeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmpkjkma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlgldibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecejkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1587487fb0bc7ac85b995b6e49428c30N.exe

Executes dropped EXE 37 IoCs

pid	Process
2792	Cojema32.exe
1728	Cahail32.exe
2556	Cdgneh32.exe
2544	Chbjffad.exe
2060	Cghggc32.exe
776	Ckccgane.exe
2248	Dgjclbdi.exe
1712	Dlgldibq.exe
2620	Dcadac32.exe
1632	Djklnnaj.exe
2572	Djmicm32.exe
1008	Dknekeef.exe
2872	Dbhnhp32.exe
2204	Dlnbeh32.exe
1064	Dkqbaecc.exe
836	Dbkknojp.exe
1328	Enakbp32.exe
1680	Eqpgol32.exe
932	Ehgppi32.exe
2000	Egjpkffe.exe
376	Ejhlgaeh.exe
784	Ecqqpgli.exe
1652	Ekhhadmk.exe
888	Ejkima32.exe
2876	Enfenplo.exe
2676	Edpmjj32.exe
2512	Ejmebq32.exe
536	Eqgnokip.exe
1012	Ecejkf32.exe
2220	Efcfga32.exe
2256	Ejobhppq.exe
2768	Emnndlod.exe
2928	Echfaf32.exe
2860	Effcma32.exe
2900	Fjaonpnn.exe
2496	Fmpkjkma.exe
2136	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
2316	1587487fb0bc7ac85b995b6e49428c30N.exe
2316	1587487fb0bc7ac85b995b6e49428c30N.exe
2792	Cojema32.exe
2792	Cojema32.exe
1728	Cahail32.exe
1728	Cahail32.exe
2556	Cdgneh32.exe
2556	Cdgneh32.exe
2544	Chbjffad.exe
2544	Chbjffad.exe
2060	Cghggc32.exe
2060	Cghggc32.exe
776	Ckccgane.exe
776	Ckccgane.exe
2248	Dgjclbdi.exe
2248	Dgjclbdi.exe
1712	Dlgldibq.exe
1712	Dlgldibq.exe
2620	Dcadac32.exe
2620	Dcadac32.exe
1632	Djklnnaj.exe
1632	Djklnnaj.exe
2572	Djmicm32.exe
2572	Djmicm32.exe
1008	Dknekeef.exe
1008	Dknekeef.exe
2872	Dbhnhp32.exe
2872	Dbhnhp32.exe
2204	Dlnbeh32.exe
2204	Dlnbeh32.exe
1064	Dkqbaecc.exe
1064	Dkqbaecc.exe
836	Dbkknojp.exe
836	Dbkknojp.exe
1328	Enakbp32.exe
1328	Enakbp32.exe
1680	Eqpgol32.exe
1680	Eqpgol32.exe
932	Ehgppi32.exe
932	Ehgppi32.exe
2000	Egjpkffe.exe
2000	Egjpkffe.exe
376	Ejhlgaeh.exe
376	Ejhlgaeh.exe
784	Ecqqpgli.exe
784	Ecqqpgli.exe
1652	Ekhhadmk.exe
1652	Ekhhadmk.exe
888	Ejkima32.exe
888	Ejkima32.exe
2876	Enfenplo.exe
2876	Enfenplo.exe
2676	Edpmjj32.exe
2676	Edpmjj32.exe
2512	Ejmebq32.exe
2512	Ejmebq32.exe
536	Eqgnokip.exe
536	Eqgnokip.exe
1012	Ecejkf32.exe
1012	Ecejkf32.exe
2220	Efcfga32.exe
2220	Efcfga32.exe
2256	Ejobhppq.exe
2256	Ejobhppq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dlkaflan.dll	Dcadac32.exe
File created	C:\Windows\SysWOW64\Dbhnhp32.exe	Dknekeef.exe
File created	C:\Windows\SysWOW64\Dhhlgc32.dll	Egjpkffe.exe
File created	C:\Windows\SysWOW64\Ekgednng.dll	Efcfga32.exe
File created	C:\Windows\SysWOW64\Qbgpffch.dll	Ckccgane.exe
File created	C:\Windows\SysWOW64\Eofjhkoj.dll	Dlgldibq.exe
File created	C:\Windows\SysWOW64\Egqdeaqb.dll	Djmicm32.exe
File created	C:\Windows\SysWOW64\Ejkima32.exe	Ekhhadmk.exe
File created	C:\Windows\SysWOW64\Eqgnokip.exe	Ejmebq32.exe
File created	C:\Windows\SysWOW64\Jaqddb32.dll	Ejmebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dcadac32.exe	Dlgldibq.exe
File opened for modification	C:\Windows\SysWOW64\Ejkima32.exe	Ekhhadmk.exe
File opened for modification	C:\Windows\SysWOW64\Ecejkf32.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Dglpkenb.dll	Cghggc32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqbaecc.exe	Dlnbeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkknojp.exe	Dkqbaecc.exe
File opened for modification	C:\Windows\SysWOW64\Eqgnokip.exe	Ejmebq32.exe
File created	C:\Windows\SysWOW64\Ecejkf32.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Inegme32.dll	Ejobhppq.exe
File opened for modification	C:\Windows\SysWOW64\Echfaf32.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Affcmdmb.dll	Echfaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dlgldibq.exe	Dgjclbdi.exe
File created	C:\Windows\SysWOW64\Lednakhd.dll	Dbkknojp.exe
File created	C:\Windows\SysWOW64\Dinhacjp.dll	Ejhlgaeh.exe
File created	C:\Windows\SysWOW64\Amfidj32.dll	Ecqqpgli.exe
File created	C:\Windows\SysWOW64\Illjbiak.dll	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Chbjffad.exe	Cdgneh32.exe
File opened for modification	C:\Windows\SysWOW64\Dgjclbdi.exe	Ckccgane.exe
File created	C:\Windows\SysWOW64\Echfaf32.exe	Emnndlod.exe
File opened for modification	C:\Windows\SysWOW64\Chbjffad.exe	Cdgneh32.exe
File opened for modification	C:\Windows\SysWOW64\Dbhnhp32.exe	Dknekeef.exe
File opened for modification	C:\Windows\SysWOW64\Egjpkffe.exe	Ehgppi32.exe
File created	C:\Windows\SysWOW64\Lfmnmlid.dll	1587487fb0bc7ac85b995b6e49428c30N.exe
File created	C:\Windows\SysWOW64\Mfacfkje.dll	Dgjclbdi.exe
File created	C:\Windows\SysWOW64\Jfiilbkl.dll	Dkqbaecc.exe
File opened for modification	C:\Windows\SysWOW64\Eqpgol32.exe	Enakbp32.exe
File opened for modification	C:\Windows\SysWOW64\Ehgppi32.exe	Eqpgol32.exe
File opened for modification	C:\Windows\SysWOW64\Ejhlgaeh.exe	Egjpkffe.exe
File opened for modification	C:\Windows\SysWOW64\Ejobhppq.exe	Efcfga32.exe
File created	C:\Windows\SysWOW64\Effcma32.exe	Echfaf32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Fmpkjkma.exe
File created	C:\Windows\SysWOW64\Cojema32.exe	1587487fb0bc7ac85b995b6e49428c30N.exe
File opened for modification	C:\Windows\SysWOW64\Cahail32.exe	Cojema32.exe
File opened for modification	C:\Windows\SysWOW64\Ecqqpgli.exe	Ejhlgaeh.exe
File created	C:\Windows\SysWOW64\Fdilpjih.dll	Ecejkf32.exe
File created	C:\Windows\SysWOW64\Ejobhppq.exe	Efcfga32.exe
File created	C:\Windows\SysWOW64\Emnndlod.exe	Ejobhppq.exe
File opened for modification	C:\Windows\SysWOW64\Ckccgane.exe	Cghggc32.exe
File opened for modification	C:\Windows\SysWOW64\Djklnnaj.exe	Dcadac32.exe
File created	C:\Windows\SysWOW64\Dkqbaecc.exe	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Ehgppi32.exe	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Cghggc32.exe	Chbjffad.exe
File created	C:\Windows\SysWOW64\Djmicm32.exe	Djklnnaj.exe
File created	C:\Windows\SysWOW64\Dknekeef.exe	Djmicm32.exe
File created	C:\Windows\SysWOW64\Dbkknojp.exe	Dkqbaecc.exe
File created	C:\Windows\SysWOW64\Ckccgane.exe	Cghggc32.exe
File created	C:\Windows\SysWOW64\Djklnnaj.exe	Dcadac32.exe
File opened for modification	C:\Windows\SysWOW64\Djmicm32.exe	Djklnnaj.exe
File opened for modification	C:\Windows\SysWOW64\Enfenplo.exe	Ejkima32.exe
File created	C:\Windows\SysWOW64\Pmdgmd32.dll	Enfenplo.exe
File created	C:\Windows\SysWOW64\Dgjclbdi.exe	Ckccgane.exe
File created	C:\Windows\SysWOW64\Nnfbei32.dll	Dbhnhp32.exe
File created	C:\Windows\SysWOW64\Ejmebq32.exe	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Abofbl32.dll	Fjaonpnn.exe

Program crash 1 IoCs

pid	pid_target	Process
2160	2136	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cojema32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckccgane.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgjclbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqpgol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enfenplo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknekeef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlnbeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqbaecc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egjpkffe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echfaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjaonpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecqqpgli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecejkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmpkjkma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enakbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekhhadmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edpmjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejmebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcadac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkknojp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chbjffad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cghggc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djklnnaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emnndlod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1587487fb0bc7ac85b995b6e49428c30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cahail32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlgldibq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehgppi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejhlgaeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqgnokip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejobhppq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdgneh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmicm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhnhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejkima32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efcfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Effcma32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecejkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejmmiihp.dll"	Cojema32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll"	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egjpkffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Effcma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknekeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilpjih.dll"	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlgldibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enakbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejkima32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll"	Efcfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmpkjkma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1587487fb0bc7ac85b995b6e49428c30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkphdmd.dll"	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglpkenb.dll"	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcadac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll"	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chbjffad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfidj32.dll"	Ecqqpgli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfiilbkl.dll"	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enfenplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknekeef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdacap32.dll"	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1587487fb0bc7ac85b995b6e49428c30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejmebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1587487fb0bc7ac85b995b6e49428c30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cojema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifab32.dll"	Djklnnaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkqbaecc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dinhacjp.dll"	Ejhlgaeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emnndlod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1587487fb0bc7ac85b995b6e49428c30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbkknojp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1587487fb0bc7ac85b995b6e49428c30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cojema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbhnhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geemiobo.dll"	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejhlgaeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqgnokip.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2792	2316	1587487fb0bc7ac85b995b6e49428c30N.exe	30
PID 2316 wrote to memory of 2792	2316	1587487fb0bc7ac85b995b6e49428c30N.exe	30
PID 2316 wrote to memory of 2792	2316	1587487fb0bc7ac85b995b6e49428c30N.exe	30
PID 2316 wrote to memory of 2792	2316	1587487fb0bc7ac85b995b6e49428c30N.exe	30
PID 2792 wrote to memory of 1728	2792	Cojema32.exe	31
PID 2792 wrote to memory of 1728	2792	Cojema32.exe	31
PID 2792 wrote to memory of 1728	2792	Cojema32.exe	31
PID 2792 wrote to memory of 1728	2792	Cojema32.exe	31
PID 1728 wrote to memory of 2556	1728	Cahail32.exe	32
PID 1728 wrote to memory of 2556	1728	Cahail32.exe	32
PID 1728 wrote to memory of 2556	1728	Cahail32.exe	32
PID 1728 wrote to memory of 2556	1728	Cahail32.exe	32
PID 2556 wrote to memory of 2544	2556	Cdgneh32.exe	33
PID 2556 wrote to memory of 2544	2556	Cdgneh32.exe	33
PID 2556 wrote to memory of 2544	2556	Cdgneh32.exe	33
PID 2556 wrote to memory of 2544	2556	Cdgneh32.exe	33
PID 2544 wrote to memory of 2060	2544	Chbjffad.exe	34
PID 2544 wrote to memory of 2060	2544	Chbjffad.exe	34
PID 2544 wrote to memory of 2060	2544	Chbjffad.exe	34
PID 2544 wrote to memory of 2060	2544	Chbjffad.exe	34
PID 2060 wrote to memory of 776	2060	Cghggc32.exe	35
PID 2060 wrote to memory of 776	2060	Cghggc32.exe	35
PID 2060 wrote to memory of 776	2060	Cghggc32.exe	35
PID 2060 wrote to memory of 776	2060	Cghggc32.exe	35
PID 776 wrote to memory of 2248	776	Ckccgane.exe	36
PID 776 wrote to memory of 2248	776	Ckccgane.exe	36
PID 776 wrote to memory of 2248	776	Ckccgane.exe	36
PID 776 wrote to memory of 2248	776	Ckccgane.exe	36
PID 2248 wrote to memory of 1712	2248	Dgjclbdi.exe	37
PID 2248 wrote to memory of 1712	2248	Dgjclbdi.exe	37
PID 2248 wrote to memory of 1712	2248	Dgjclbdi.exe	37
PID 2248 wrote to memory of 1712	2248	Dgjclbdi.exe	37
PID 1712 wrote to memory of 2620	1712	Dlgldibq.exe	38
PID 1712 wrote to memory of 2620	1712	Dlgldibq.exe	38
PID 1712 wrote to memory of 2620	1712	Dlgldibq.exe	38
PID 1712 wrote to memory of 2620	1712	Dlgldibq.exe	38
PID 2620 wrote to memory of 1632	2620	Dcadac32.exe	39
PID 2620 wrote to memory of 1632	2620	Dcadac32.exe	39
PID 2620 wrote to memory of 1632	2620	Dcadac32.exe	39
PID 2620 wrote to memory of 1632	2620	Dcadac32.exe	39
PID 1632 wrote to memory of 2572	1632	Djklnnaj.exe	40
PID 1632 wrote to memory of 2572	1632	Djklnnaj.exe	40
PID 1632 wrote to memory of 2572	1632	Djklnnaj.exe	40
PID 1632 wrote to memory of 2572	1632	Djklnnaj.exe	40
PID 2572 wrote to memory of 1008	2572	Djmicm32.exe	41
PID 2572 wrote to memory of 1008	2572	Djmicm32.exe	41
PID 2572 wrote to memory of 1008	2572	Djmicm32.exe	41
PID 2572 wrote to memory of 1008	2572	Djmicm32.exe	41
PID 1008 wrote to memory of 2872	1008	Dknekeef.exe	42
PID 1008 wrote to memory of 2872	1008	Dknekeef.exe	42
PID 1008 wrote to memory of 2872	1008	Dknekeef.exe	42
PID 1008 wrote to memory of 2872	1008	Dknekeef.exe	42
PID 2872 wrote to memory of 2204	2872	Dbhnhp32.exe	43
PID 2872 wrote to memory of 2204	2872	Dbhnhp32.exe	43
PID 2872 wrote to memory of 2204	2872	Dbhnhp32.exe	43
PID 2872 wrote to memory of 2204	2872	Dbhnhp32.exe	43
PID 2204 wrote to memory of 1064	2204	Dlnbeh32.exe	44
PID 2204 wrote to memory of 1064	2204	Dlnbeh32.exe	44
PID 2204 wrote to memory of 1064	2204	Dlnbeh32.exe	44
PID 2204 wrote to memory of 1064	2204	Dlnbeh32.exe	44
PID 1064 wrote to memory of 836	1064	Dkqbaecc.exe	45
PID 1064 wrote to memory of 836	1064	Dkqbaecc.exe	45
PID 1064 wrote to memory of 836	1064	Dkqbaecc.exe	45
PID 1064 wrote to memory of 836	1064	Dkqbaecc.exe	45

C:\Users\Admin\AppData\Local\Temp\1587487fb0bc7ac85b995b6e49428c30N.exe
"C:\Users\Admin\AppData\Local\Temp\1587487fb0bc7ac85b995b6e49428c30N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\Cojema32.exe
  C:\Windows\system32\Cojema32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\Cahail32.exe
    C:\Windows\system32\Cahail32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\SysWOW64\Cdgneh32.exe
      C:\Windows\system32\Cdgneh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\SysWOW64\Chbjffad.exe
        
        C:\Windows\system32\Chbjffad.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\SysWOW64\Cghggc32.exe
        
        C:\Windows\system32\Cghggc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Ckccgane.exe
        
        C:\Windows\system32\Ckccgane.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Dgjclbdi.exe
        
        C:\Windows\system32\Dgjclbdi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Dlgldibq.exe
        
        C:\Windows\system32\Dlgldibq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Dcadac32.exe
        
        C:\Windows\system32\Dcadac32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Djklnnaj.exe
        
        C:\Windows\system32\Djklnnaj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Djmicm32.exe
        
        C:\Windows\system32\Djmicm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Dknekeef.exe
        
        C:\Windows\system32\Dknekeef.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Dbhnhp32.exe
        
        C:\Windows\system32\Dbhnhp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Dlnbeh32.exe
        
        C:\Windows\system32\Dlnbeh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Dkqbaecc.exe
        
        C:\Windows\system32\Dkqbaecc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Dbkknojp.exe
        
        C:\Windows\system32\Dbkknojp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Enakbp32.exe
        
        C:\Windows\system32\Enakbp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Eqpgol32.exe
        
        C:\Windows\system32\Eqpgol32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Ehgppi32.exe
        
        C:\Windows\system32\Ehgppi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Egjpkffe.exe
        
        C:\Windows\system32\Egjpkffe.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Ejhlgaeh.exe
        
        C:\Windows\system32\Ejhlgaeh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Ecqqpgli.exe
        
        C:\Windows\system32\Ecqqpgli.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Ekhhadmk.exe
        
        C:\Windows\system32\Ekhhadmk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Ejkima32.exe
        
        C:\Windows\system32\Ejkima32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Enfenplo.exe
        
        C:\Windows\system32\Enfenplo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Edpmjj32.exe
        
        C:\Windows\system32\Edpmjj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Ejmebq32.exe
        
        C:\Windows\system32\Ejmebq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Eqgnokip.exe
        
        C:\Windows\system32\Eqgnokip.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Ecejkf32.exe
        
        C:\Windows\system32\Ecejkf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Efcfga32.exe
        
        C:\Windows\system32\Efcfga32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Ejobhppq.exe
        
        C:\Windows\system32\Ejobhppq.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Emnndlod.exe
        
        C:\Windows\system32\Emnndlod.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Echfaf32.exe
        
        C:\Windows\system32\Echfaf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Effcma32.exe
        
        C:\Windows\system32\Effcma32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Fjaonpnn.exe
        
        C:\Windows\system32\Fjaonpnn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Fmpkjkma.exe
        
        C:\Windows\system32\Fmpkjkma.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 140
        39⤵
        Program crash
        
        PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cojema32.exe

Filesize
76KB

MD5
a7d8d1ea48d74299a1aead678dc5d769

SHA1
a28190e924d96f2942c80790a64822a28d43beb9

SHA256
30cec1bc4c780f315d4c3c69efb44ac79511563c8a9e236a058be2767806dc2b

SHA512
b3cc43396b06917e2bc5cd28cf5248bbb463a697faa898e55dd5c9c617b94ce9fe77c893c4850cfde5230be35dfeb62af4aa7faeb29c17141884d7b9b783ed69

Download Submit
C:\Windows\SysWOW64\Dbkknojp.exe

Filesize
76KB

MD5
7d7b9c4e7853f4342df05ab57fe4e829

SHA1
a63959c21f25b45ad20ee672c77265b26edd0244

SHA256
4bce7c81abc3a1e10c933a0dd35051ca5b01f69467b76f8851d712ff84864410

SHA512
eaeba6294a5d0a6679cce33c78708333a8ce54ba57975ee9e0e2d08a5ad7b1a51b54b84c4a9eeabe05a42ba1ee7303d0ca0cd288159c3e2dad7a6a36fe1dc70b

Download Submit
C:\Windows\SysWOW64\Dknekeef.exe

Filesize
76KB

MD5
6b9b084e38bddfb228e6d0f008af4268

SHA1
bff1747c52ac5f409595f8fbbc9f147975a0dbd6

SHA256
cdaa4e122ac273b956e7bde17e35d874b294f073b8f367e1fc96866167d1bb75

SHA512
2dbf8ef43f4f3c59c9c5c078894e92c3adfd8cbc4e48a5de03201a9907f2b7dfb183e8f34968f878a0879e1f20c9b522f0829d0aee9e178cc9c90ee717779f96

Download Submit
C:\Windows\SysWOW64\Dkqbaecc.exe

Filesize
76KB

MD5
5aa9d83d6af300e9ad0e36ade3444e9f

SHA1
f2fc6c6c1a4dc15aa3ebe962e6300651e0e3a355

SHA256
82ed401e8063e9b522c8ac393eebe99aa6d98b4198834cade201cc6b74d8b66e

SHA512
8c91c16b5a8079fd9e1b149edfdbb481e0b335abad795e2291548142e3556d82e3afe9b19d7d17b9635cb320f92b6462850000bf42c3f7017d0da05e5b14fe51

Download Submit
C:\Windows\SysWOW64\Dlnbeh32.exe

Filesize
76KB

MD5
07354ae618806c16fc97526b3db4579a

SHA1
b90157157f77999ab7e1ec9c52c0003c75a287c0

SHA256
2e579f3e31521e3e1e40527fb05524be7ede895cb65785e3fb4c2273ad80121d

SHA512
e0ca3456e0568f5f1ca97e0ad7d500f8e785297c6d56613723175f0c80f65aef81356220431add40e55e3096b87d64bdff3c0b38f61b85a1ae1a4711d361cb8e

Download Submit
C:\Windows\SysWOW64\Ecejkf32.exe

Filesize
76KB

MD5
6591f67d4bc87746eeab2727022ff361

SHA1
2a976c2409ccc8c35f05f4b3ffe0a8c4fbedf32b

SHA256
25689ea486ddc29ebf2777cc712f5f1f8ca8324192729b6cd6b00b9e2ef35e09

SHA512
369fefd8829a40f0a46b745641487c61d1df22867e75ce2a0abdef112ada4cb3a46665d0911ec28b7893d950435fb520ef85ec33b6c75f028f0ba64f5e0ecff9

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
76KB

MD5
1ce6052ba87fd50155aab133713d05f7

SHA1
8112441e304cbfb6060585b34092cce546a68c44

SHA256
3fca20495fcb8f0a04e0fcd598e0d129f43d19f3eda280bc6b63fadf863e0907

SHA512
e5d08dbe3c0e08fbcc7b476ddac4f48ef7caacf6f8184665341dcd2240caa72a49ef3b0dc921fb29e73a76756bb5f52524dc59434bc45d249273937725fe4e92

Download Submit
C:\Windows\SysWOW64\Ecqqpgli.exe

Filesize
76KB

MD5
2c1500ef3ebcf2c8dc7b69ae67c4ad40

SHA1
96cbe23aceda2a4d6e37c52d1bb19f5a498b8d05

SHA256
5fd24ad86e0b4aaff02886d60d3213db549ef634893f9e9d10df4c7f58d0082d

SHA512
f604775fdefa5c7ca106956408a5c346bd3e3c6b2ad567d41a775bfc26c08d498fa30ed61db5a3f9949bbdff8a25a71736604b27fe5f2031baf1e1b1c9e3c24a

Download Submit
C:\Windows\SysWOW64\Edpmjj32.exe

Filesize
76KB

MD5
8b720248c8c655c10bcbb587b6f90407

SHA1
dc6bc36606aef686f94037895c31609ff9f2c948

SHA256
20bddfff7ce1909cbfd15252b7b7b64a845a0158f82f78cdd93765de2e8e8bc6

SHA512
a1dba196bf2e1ce4d889fa1287cfc81134e02747b7e32afb638e502236ca772b18e8960bb67fdbc5aea68d67dd5baacc92b1e0bdeb84c72f126f2d7560a7a528

Download Submit
C:\Windows\SysWOW64\Efcfga32.exe

Filesize
76KB

MD5
83a055988a5805c4687fa51d0fc9abbe

SHA1
d1b4962452aa9f1a7056dd519f6077dfe12f71d3

SHA256
649c7ecf49cb4e64858907728eb9f83a4f607b335e5808a19619b5ad73d9f04a

SHA512
6fc3c0fee6fd09f3e35939552a65cdcf02b41132c914a3130869ced7e8c79ac9a6d7824b578ffb27ca433c58d04b343a1f78048178fa4d3bd2684f68c812ba96

Download Submit
C:\Windows\SysWOW64\Effcma32.exe

Filesize
76KB

MD5
7b039700bb1e52b3c9719b2529c0b14e

SHA1
203154a0e03c0469d293720418432fa1eb001ca4

SHA256
cd0865c5d6718808d2274cbce735a3113c4435016301754c7aa5dcf391984bfa

SHA512
33627ffcd6bbf87c7a215d8e95bfc8830f0305481fcb56cd9b92d7001a69f664c32ce89295543ba2feea6f3cca596b646abe31545b29f83a19f69550990be7cf

Download Submit
C:\Windows\SysWOW64\Egjpkffe.exe

Filesize
76KB

MD5
ee49ce6335ee28299d0e4afd7f1773bb

SHA1
65153e1aa5ac1ac2bd9603df78c14b54321d8b21

SHA256
51b710fc39ec01c21b85b99342849e89f377a67e7d9719c474d8bca5b0c6c096

SHA512
960ccc2b237fbfacd0b4137913740280cdc19665fd0d723279a17d682c70206f3df2a62ec9b2dd7ada913b816846a51880302aca426ea6a20e200aa9646462cb

Download Submit
C:\Windows\SysWOW64\Ehgppi32.exe

Filesize
76KB

MD5
a782ea14fa4ea5695a998a0ed7fa4a1e

SHA1
97a84e368d759f20c9f9fcc6a4589c8f5575d501

SHA256
81166a9489460d9c31a6804d16fd436723a87402291bda960ae2f1f930ba43c7

SHA512
5b72a281b52cec6519ca17abbf1d82f7ee88ccb13662ab63f8c4958054c8d25b6292ce57669eb2733296b53d463677088e9cef1a3ae5f8e95dca06d9734536f6

Download Submit
C:\Windows\SysWOW64\Ejhlgaeh.exe

Filesize
76KB

MD5
a821429755b2110be6b6777be153c2a6

SHA1
d44d88205dc6cf06afb46853720b40315345eeda

SHA256
ae94f0e5c9e89e6155ad9ce8f411a92821328cdabefca4514beb0170732d839e

SHA512
b4029a6ba6759c13dc36d815e65dab7af4e79c001f2b6e1768d952ae6fc1aa07b626756485a3fe0fc519878ee6f9e200cc5964b5d861d64d261decece04a284b

Download Submit
C:\Windows\SysWOW64\Ejkima32.exe

Filesize
76KB

MD5
c6c43cbafb9693aefa6865d2d66124d6

SHA1
e94df30fd42d563a8010cb5506982efd8174c235

SHA256
7888edf2dd7bd7bcaad5480036259ad40134638805fff9271836196749de7d37

SHA512
16153c0d4107e0ba845c27a845f868062d92f684415b9477ba4c68ae5bdaab1b56634f46ba8c9e99c89782158c63573e196aa7e0d5d8e76f1ab919e8ab305525

Download Submit
C:\Windows\SysWOW64\Ejmebq32.exe

Filesize
76KB

MD5
e9469e91c1dd118d9109160fbb90b759

SHA1
b4ce33b3a5e75fc8e09b40729278d1c2bacb4901

SHA256
6821998e2ac346aef7602a80f1128f6c57bef48b717c2626922bcd80430f1638

SHA512
f498d8d81596824d5d307a5186d9ada8b36e18cc582cae51a85c9e04ad3da90546eeb965b9b2cf78b003c3eb01d3f2c9c94a057515d07904c5633053ade02ffb

Download Submit
C:\Windows\SysWOW64\Ejobhppq.exe

Filesize
76KB

MD5
d1ac5c33c538558f239d2cc683b5b309

SHA1
acb13cd0382766b048e9d3df8ffdf7c62ba1234a

SHA256
f7529075112802c7ae4cae5cb440479bee3c8b8dd74f801c226d2997e5bb27c2

SHA512
b2d2ad8d6748f6ed81c64b08d24471cdd1ffa0cb41995d4bee390f42a6b449067fa761cad63fda24c450c14fbc2330e14edf078dd8aa5c16d0fcef69e14189b4

Download Submit
C:\Windows\SysWOW64\Ekhhadmk.exe

Filesize
76KB

MD5
a73f9a24a62798819b03adaac8b7ae7a

SHA1
137625a18ab610b518e26b4603bbfccf4e4ca22f

SHA256
d17878addcb5d43dda346789e15ccdba329cf4bcfc0dcd25935658b6a2a41dde

SHA512
5d6480f3c17cc55ae19b20fad5bf5032661bc20113f7ea1b04664e5bb9199b0fd3d943ee55d964a435d31d6512390e6dc152c832c73af552b88dfaf78f3255db

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
76KB

MD5
14ff9b5a39276ac2248aa788006df3dc

SHA1
edeae265b6abee43fdc5fd81ca2548b421cafdb8

SHA256
0408de4640edc3cac60a223ac2092a85a7d5405048cbcc5e6b3e12f6856eeb6c

SHA512
aaf3e242eb21635e3fe2f0707b835e0a738648cd3d2287c2df2f9b95b2a5f98387eee3fe894310aafa624241e00d18098463403af7c6334e7a5a541c583cae83

Download Submit
C:\Windows\SysWOW64\Enakbp32.exe

Filesize
76KB

MD5
ef4cfe4f4257f913106107c0a7491651

SHA1
9fb22ad8742df3d0f573a0bb171a218f28dc8b5a

SHA256
8ac56b50c2da79db2d2521ed865c084ab6b74f40f32d60b3a0b73ddc49cfd787

SHA512
edc53f296e6cb5dc09bc321a9b09f92635854f7d0fdd614160ac11561fe6bc837e526caac1aa7675c1fde04a1b54dff7df2e7f256463b49528e1d076b2594bbb

Download Submit
C:\Windows\SysWOW64\Enfenplo.exe

Filesize
76KB

MD5
03e0689e56f513e65940936c62bb3f30

SHA1
2f202c01c662de6f3db515b956cdfed2220f6168

SHA256
aad810afe8477cc05a9861840eb01466ba6b4682a8377500fb3041d135f5ceec

SHA512
1f715d0f3b0d1f3b6768da2a9ecc39678671bcd5002e66bf225d3b4614274c050ee57e7dd579162774559cdc25fb49c738249f8e33be00e514133ca6761ef097

Download Submit
C:\Windows\SysWOW64\Eqgnokip.exe

Filesize
76KB

MD5
e2aef5d95711b674de1b2c79511a1848

SHA1
eb450c3fc83c9f8398dfad450928a4c3005afa02

SHA256
423e8f44918cc181f651d524d16ae7590fd9f7adb91f9230e707acb829ead944

SHA512
7378d125cfc7d1f5bf3d0407d8fae7ca6c073be98543ce249820f3a6fb293c8d05f0900205f9c978e8593679d463d39c47b7e36979eacfee8678f22748f0ae54

Download Submit
C:\Windows\SysWOW64\Eqpgol32.exe

Filesize
76KB

MD5
f219f21a6039c45034a9f27d6d6be582

SHA1
c7c778aa242acf9d60c3a069e34a6a45b6d2ae1c

SHA256
3de6faa9f96894b75ab7cfea5dfbedec188a0ad522657e6f61ee5ea1e30dacda

SHA512
02a03bf48398fc52dc5acd37f6c60ecd6fe2e412e6c4f2858d809eb86d8f7a7dd0aaa24a1e1afde57ddee75ba6dfc700123392b642d49c0e42d5edc14b4383bc

Download Submit
C:\Windows\SysWOW64\Fjaonpnn.exe

Filesize
76KB

MD5
7d0f2e4ab8c8a00279bafc7be2d62fbe

SHA1
4f32bc84f4d308c7389df090b3e5348bd4965553

SHA256
b18186c553c8138177e9cd3d229328cec2ef37016fde5ec23a8dc896e8a15dbd

SHA512
afc9298e0ee724265ba96dbc409ccb513b1140d0129da0e74da380113f93543399efb378cf626f878c10a613686714c5bf4677d6eb8fedd7d1b8b3b81584b12a

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
76KB

MD5
18a123ca652a8f4619e38858eb199e74

SHA1
20d82b9e38302ab5239cf9c22db6e928e460f589

SHA256
97153b7772731fe405510a44746caa6c6773dc08ba5f6c0292f8cc39898163f1

SHA512
5979eccac33e6e61db14409bea88842f686815276ebb8d26e69ad8b9e5db9ef2709df20dd8ce16ade38d0b50dc7ef3575c2bc6105e5179244d67bf86e78b7903

Download Submit
C:\Windows\SysWOW64\Fmpkjkma.exe

Filesize
76KB

MD5
d3f021d3628e9d5fbc485642317a720a

SHA1
b9747d0e882927ed894d9729112be599d3175c83

SHA256
b9f5c8790b69a12a578d704886beec257fa40b111f62aacadd2ea413329729fd

SHA512
b8fb629771611a2d1b9f7d24434a21439f91335fd810142929e80053ed06202cc04c540f2be19e4cb04344560b7f12b5e8dd8bb044869a7566834714423c3d30

Download Submit
\Windows\SysWOW64\Cahail32.exe

Filesize
76KB

MD5
278cdd91cefb1b13bf56d3c0679b0c48

SHA1
0ced857195f80b98793d80cf48fa791fb6ca39dd

SHA256
6c752e815634e4b014cb7a7b48aed7737ab1f751c9d4660e1ba1effc107c773e

SHA512
2c2e369abf6fd7f17241c663874ccf7b7d44e8ea9833f42f89438e3c05f0c7f708c48cfa1511ca22ee3d8e4b72b6b90d4eff558784fb61b011b53519bf414566

Download Submit
\Windows\SysWOW64\Cdgneh32.exe

Filesize
76KB

MD5
55e5118540bf1da19c61cbbae9f7152d

SHA1
b18ae0e036178c911ee3e29ebecf68f61c6b8b9e

SHA256
b08e372ee0cd3911b00dac52654c3cc6b30b2640a537f6548aa5d38020137214

SHA512
d4ffed95cf1de5ad9b38d158c1d56d78aab3bfac61e80a5036d565d96e8cf1aff82cc70b62b0589d31bcae8354815e4bbe24a00af2076d13ffef78f1a5f06f0a

Download Submit
\Windows\SysWOW64\Cghggc32.exe

Filesize
76KB

MD5
82ac9794ab17be864c332484393d272a

SHA1
29b6f8279e9ea93f96e75903e2f3b5410ae07c17

SHA256
4f075a344d4ef5684c4425d28896d2ab6214b7d9ded2a8af090480779f05e877

SHA512
15de163cbfb4bdf1b22fd2daf3f580c75ac8ef8179373b5fbbe3a910c2b4994fb0d9ec89b00a11b40ad00d54c900e52b478cabd4899031631edb02a39d2faa02

Download Submit
\Windows\SysWOW64\Chbjffad.exe

Filesize
76KB

MD5
e120f2f3f8a8eef4c490dee9588ed8a7

SHA1
0a73c4bcfdc4897981e87324d207406f95e830a3

SHA256
e621899100ce8d9c6d851c6d478043f04e28a3bbf6a98b109b34cf41cc57ce2c

SHA512
153ba130d6fc4ad73e6ef07119335a742fd25ceaab6131daafc961ad1400466709e018d2a907702e661e29b280bac1be57291deb04155b26f6f8790ccc183894

Download Submit
\Windows\SysWOW64\Ckccgane.exe

Filesize
76KB

MD5
624f44e4d674482d998db776559478c1

SHA1
18a4310aac52761da93cec17d2d1973377b4d301

SHA256
cb37d128e7b8caf7d7a4e34fffcf67b670c1b08ed408f96d5aa14a9c52633a78

SHA512
679d73707171df6142674b916d715a50a4937b3ed95df846d6977e3ee20f383d57a32b04d7ff2991650198040e53b10efe2bdd324b9677d7762c5cc31052bb39

Download Submit
\Windows\SysWOW64\Dbhnhp32.exe

Filesize
76KB

MD5
a5c3c9728a29a49d5162172525f00e11

SHA1
7290e4b4b6f7cae9685b04310d9aa120eab99f93

SHA256
795eedca2589355df50811f5a8fc4ab185b9b28aa2a1c1b614306dc360215271

SHA512
c86cdd4080d80c6cd967511b16a450fe65806adb45b5e035009761323e0b0075b5e5ba8fb0a870bda73584daf6a6efe0cecf9a63f0c7130820ad173b99e016ae

Download Submit
\Windows\SysWOW64\Dcadac32.exe

Filesize
76KB

MD5
d99e33a706aecf478601efbc49bfb251

SHA1
65770ab03f05e99c7ce6adbf9b021bd73a20fd64

SHA256
038597ab64e5ac2867b799152ffe515d5a000f6abac28ff9015bebaafc9420a0

SHA512
1dcaf9539f0f479ed151b49fdcec082091f8738547fb7d88cbf080424b663be1a121bc5e136af7b6f9c0e34098b62f339f7570b6c582a51b7b5c1506b34328ca

Download Submit
\Windows\SysWOW64\Dgjclbdi.exe

Filesize
76KB

MD5
347b52b23588bd95dd596918d5fddeb6

SHA1
347d39c96de92b8fc348d50cbdaad4b105887e02

SHA256
693ff8836cda06a5a5b8a47f134c950562ec948a6a90d768f6c465713695b243

SHA512
f1ae847799923fbe8f744672d27755ed2b865519b5dd909e547d40b97570d16c6bcc06674536e6cb5928941c05a3f496d075db45995e4797600e5ec3fc93ff8a

Download Submit
\Windows\SysWOW64\Djklnnaj.exe

Filesize
76KB

MD5
5140693b1e627231eb317e8b2145b928

SHA1
14ab058cdcff80e3c2c85fd292a0dacccfd3bed7

SHA256
b83035a61ddecb596295123a6a9d9123e15036e9a7ed805809cc0658a2f7ef52

SHA512
d9780fdc0ed44aebef5798563e47116e7cb1cbfbe4355737674d3a9aeb3e8f5d589e67606a88866c1752cf637d05dcca2628d4f08dff8dd3206a7cde572757e3

Download Submit
\Windows\SysWOW64\Djmicm32.exe

Filesize
76KB

MD5
61ca354805e43b83b0d968b368aa5da9

SHA1
12865a6c4d4f1789be3787b25f04957ebf6df6d9

SHA256
82ac90303ca525a6b4998faa141f310774119728903126db929ee2d1fd0240c4

SHA512
518708b914bba488a282ea68ece04c7ddef624913b8055d4edc8d2e23ce16d6f808287229d12e1356802bfbbfaa76095efc34b46042d841015a6214b7d8ee595

Download Submit
\Windows\SysWOW64\Dlgldibq.exe

Filesize
76KB

MD5
8d350c51071dbcf77ea0b4c9b4bf6d3a

SHA1
4858c5456009c6cedf5e614dd8b0555d51a2d433

SHA256
3d18248b2745c4de87f38e5638d72d4525b5dbbf6735e3e83e08dafd23857306

SHA512
d19783314800446df4b8e1a6ab10cc9b119862d0b6bb3958e417fa5dca2cc96dc836ff98f6bea18b237994adf22e300b48fa84aea732c87fe9e027516c9af872

Download Submit
memory/376-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/376-301-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/536-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-377-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/776-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/776-155-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/776-97-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/776-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/776-154-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/784-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/784-353-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/784-314-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/784-316-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/836-247-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/836-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/888-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/888-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/932-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/932-279-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1008-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1012-387-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1012-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1064-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1064-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1064-239-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1064-232-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1328-258-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1328-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-162-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/1632-146-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-323-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1652-327-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1680-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-270-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/1680-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-305-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/1712-194-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1712-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1712-130-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1728-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1728-44-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2000-294-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2000-290-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2000-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-142-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2060-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2204-262-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2204-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-111-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2248-106-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2248-176-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2248-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2256-407-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2256-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-12-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2316-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-70-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2316-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2512-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2512-365-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2512-370-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2512-405-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2544-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-68-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2544-126-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2556-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-52-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2572-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2572-171-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2572-177-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2572-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-208-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-143-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-201-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-141-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2676-385-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-355-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2768-422-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2768-417-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2792-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2792-75-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-251-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/2872-203-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/2872-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-344-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2876-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2928-428-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads