0dc56c45213f74bf8f63e750f987b79039b845c33567fc504bf4f193ac1b2ad3

Analysis

max time kernel
141s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dc56c45213f74bf8f63e750f987b79039b845c33567fc504bf4f193ac1b2ad3.exe
Size

90KB
MD5

2f8436c712244a6536c88de6b42e8868
SHA1

6ee881321a7bf8241fd07b419005018d257d4c3f
SHA256

0dc56c45213f74bf8f63e750f987b79039b845c33567fc504bf4f193ac1b2ad3
SHA512

2ba7719c4bbbfcfe0510dedf42788a89b04e718add3e73a494e22c4e768db63393e2dd3514853d770c2968e6f5be14fecd221a0edcd9c0596e74676a59f5658a
SSDEEP

1536:ijMqDFY5BHUHZz4T5jMorEPF4OSjokXsHVQDLOrVdYGzu/Ub0VkVNK:iRFY3HI4T57rEPcTX2rVdYGzu/Ub0+NK

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iholohii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilmedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iajmmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpchaqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kongmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moalil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcjmhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkled32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdjfohjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moefdljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabglnco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdqhecd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnbnjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Janghmia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncjdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkohchko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Noaeqjpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohhfknjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbiapb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofbdncaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkcbnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbbmmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaekg32.exe

Executes dropped EXE 64 IoCs

pid	Process
4080	Hchqbkkm.exe
4316	Hkohchko.exe
2912	Hbiapb32.exe
1196	Hcjmhk32.exe
1324	Hjdedepg.exe
3752	Hannao32.exe
3060	Hcljmj32.exe
884	Hkcbnh32.exe
5076	Hnbnjc32.exe
1672	Icogcjde.exe
4368	Ilfodgeg.exe
4752	Iabglnco.exe
2972	Ijkled32.exe
1956	Iaedanal.exe
2184	Iholohii.exe
1896	Ijmhkchl.exe
2544	Iagqgn32.exe
4612	Ilmedf32.exe
4780	Iajmmm32.exe
2004	Idhiii32.exe
4332	Jbijgp32.exe
3344	Jdjfohjg.exe
4012	Jnpjlajn.exe
3736	Janghmia.exe
836	Jdmcdhhe.exe
4560	Jldkeeig.exe
1128	Jaqcnl32.exe
1764	Jhkljfok.exe
1400	Jnedgq32.exe
3232	Jdalog32.exe
2340	Jjkdlall.exe
3192	Jbbmmo32.exe
2036	Jhoeef32.exe
4440	Koimbpbc.exe
1752	Kahinkaf.exe
1036	Kdffjgpj.exe
2964	Kkpnga32.exe
3408	Khdoqefq.exe
2504	Kongmo32.exe
1616	Kehojiej.exe
1432	Khfkfedn.exe
3652	Kopcbo32.exe
2056	Kejloi32.exe
4064	Khihld32.exe
2256	Kocphojh.exe
4528	Kaaldjil.exe
3476	Kdpiqehp.exe
4112	Lkiamp32.exe
544	Lacijjgi.exe
3508	Ldbefe32.exe
3240	Logicn32.exe
4204	Laffpi32.exe
1408	Llkjmb32.exe
1376	Lahbei32.exe
2400	Lkqgno32.exe
2560	Lefkkg32.exe
2528	Llpchaqg.exe
5088	Lcjldk32.exe
3924	Ldkhlcnb.exe
3764	Mlbpma32.exe
1852	Moalil32.exe
5148	Mekdffee.exe
5188	Mlemcq32.exe
5228	Maaekg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Llkjmb32.exe	Laffpi32.exe
File opened for modification	C:\Windows\SysWOW64\Nhjjip32.exe	Napameoi.exe
File opened for modification	C:\Windows\SysWOW64\Mddkbbfg.exe	Mohbjkgp.exe
File created	C:\Windows\SysWOW64\Pcijce32.exe	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Lacijjgi.exe	Lkiamp32.exe
File created	C:\Windows\SysWOW64\Llkjmb32.exe	Laffpi32.exe
File created	C:\Windows\SysWOW64\Pofhbgmn.exe	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Kahinkaf.exe	Koimbpbc.exe
File created	C:\Windows\SysWOW64\Icajjnkn.dll	Iajmmm32.exe
File created	C:\Windows\SysWOW64\Lacijjgi.exe	Lkiamp32.exe
File opened for modification	C:\Windows\SysWOW64\Odjmdocp.exe	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Hannao32.exe	Hjdedepg.exe
File created	C:\Windows\SysWOW64\Kkpnga32.exe	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Nbfndd32.dll	Ohcmpn32.exe
File created	C:\Windows\SysWOW64\Nonhbi32.dll	Piceflpi.exe
File created	C:\Windows\SysWOW64\Fhkkfnao.dll	Jbijgp32.exe
File opened for modification	C:\Windows\SysWOW64\Ohhfknjf.exe	Obnnnc32.exe
File created	C:\Windows\SysWOW64\Kjmole32.dll	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Pbimjb32.exe	Pkoemhao.exe
File created	C:\Windows\SysWOW64\Qkfkng32.exe	Qelcamcj.exe
File opened for modification	C:\Windows\SysWOW64\Nocbfjmc.exe	Nhjjip32.exe
File opened for modification	C:\Windows\SysWOW64\Ocknbglo.exe	Okceaikl.exe
File created	C:\Windows\SysWOW64\Ofgmib32.exe	Ochamg32.exe
File opened for modification	C:\Windows\SysWOW64\Amfhgj32.exe	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Jlbngnmk.dll	Jaqcnl32.exe
File created	C:\Windows\SysWOW64\Madbagif.exe	Moefdljc.exe
File created	C:\Windows\SysWOW64\Ocmjhfjl.exe	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Jbijgp32.exe	Idhiii32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnga32.exe	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Bdhfnche.dll	Nhjjip32.exe
File created	C:\Windows\SysWOW64\Nofoki32.exe	Nhlfoodc.exe
File opened for modification	C:\Windows\SysWOW64\Ollljmhg.exe	Odedipge.exe
File created	C:\Windows\SysWOW64\Eopbppjf.dll	Iholohii.exe
File created	C:\Windows\SysWOW64\Coffcf32.dll	Lcjldk32.exe
File created	C:\Windows\SysWOW64\Kialcj32.dll	Pehjfm32.exe
File opened for modification	C:\Windows\SysWOW64\Qelcamcj.exe	Qbngeadf.exe
File opened for modification	C:\Windows\SysWOW64\Jbbmmo32.exe	Jjkdlall.exe
File created	C:\Windows\SysWOW64\Eobdnbdn.dll	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Pkoemhao.exe	Piaiqlak.exe
File opened for modification	C:\Windows\SysWOW64\Pbimjb32.exe	Pkoemhao.exe
File opened for modification	C:\Windows\SysWOW64\Piolkm32.exe	Pfppoa32.exe
File opened for modification	C:\Windows\SysWOW64\Afnlpohj.exe	Acppddig.exe
File created	C:\Windows\SysWOW64\Iholohii.exe	Iaedanal.exe
File opened for modification	C:\Windows\SysWOW64\Kahinkaf.exe	Koimbpbc.exe
File created	C:\Windows\SysWOW64\Kopcbo32.exe	Khfkfedn.exe
File opened for modification	C:\Windows\SysWOW64\Ochamg32.exe	Okailj32.exe
File opened for modification	C:\Windows\SysWOW64\Okceaikl.exe	Omaeem32.exe
File created	C:\Windows\SysWOW64\Kongimkh.dll	Jldkeeig.exe
File created	C:\Windows\SysWOW64\Obnnnc32.exe	Ocknbglo.exe
File opened for modification	C:\Windows\SysWOW64\Ijkled32.exe	Iabglnco.exe
File opened for modification	C:\Windows\SysWOW64\Pcbdcf32.exe	Pofhbgmn.exe
File created	C:\Windows\SysWOW64\Okmpqjad.exe	Odbgdp32.exe
File opened for modification	C:\Windows\SysWOW64\Ocmjhfjl.exe	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Jkiigchm.dll	Piolkm32.exe
File created	C:\Windows\SysWOW64\Hlcfmhdo.dll	Hjdedepg.exe
File created	C:\Windows\SysWOW64\Jnpjlajn.exe	Jdjfohjg.exe
File opened for modification	C:\Windows\SysWOW64\Laffpi32.exe	Logicn32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkhlcnb.exe	Lcjldk32.exe
File opened for modification	C:\Windows\SysWOW64\Ncjdki32.exe	Nchhfild.exe
File opened for modification	C:\Windows\SysWOW64\Pcijce32.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Jjkdlall.exe	Jdalog32.exe
File created	C:\Windows\SysWOW64\Eloeba32.dll	Jbbmmo32.exe
File opened for modification	C:\Windows\SysWOW64\Lefkkg32.exe	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Cbgabh32.dll	Mddkbbfg.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iajmmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgjhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madbagif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nocbfjmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpchaqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlemcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkocol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollljmhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjmdocp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khdoqefq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maaekg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mahklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okmpqjad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napameoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kahinkaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoemhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkohchko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcidopb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofoki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icogcjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ochamg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocknbglo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimhmkgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijmhkchl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnedgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iabglnco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcljmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfbgiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilmedf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbijgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopcbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khihld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moefdljc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odbgdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omaeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqhecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkcbnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnpjlajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmcdhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldkhlcnb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iholohii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhnjna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khihld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffcf32.dll"	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojaijla.dll"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okcfidmn.dll"	Napameoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcljmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnpjlajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcnomaa.dll"	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaqqigc.dll"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmfnkfn.dll"	Hcjmhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icogcjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ollljmhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompbfo32.dll"	Hcljmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkjom32.dll"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gccebdmn.dll"	Icogcjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbbmmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgdeb32.dll"	Llpchaqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkakncg.dll"	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilmedf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Memalfcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odjmdocp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	0dc56c45213f74bf8f63e750f987b79039b845c33567fc504bf4f193ac1b2ad3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopbppjf.dll"	Iholohii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhkljfok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhnjna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapijd32.dll"	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odgqopeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhodke32.dll"	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjbah32.dll"	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Logicn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndlacapp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acppddig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iholohii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdalog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lefkkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblnengb.dll"	Hkcbnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojglddfj.dll"	Jdmcdhhe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 4080	4512	0dc56c45213f74bf8f63e750f987b79039b845c33567fc504bf4f193ac1b2ad3.exe	91
PID 4512 wrote to memory of 4080	4512	0dc56c45213f74bf8f63e750f987b79039b845c33567fc504bf4f193ac1b2ad3.exe	91
PID 4512 wrote to memory of 4080	4512	0dc56c45213f74bf8f63e750f987b79039b845c33567fc504bf4f193ac1b2ad3.exe	91
PID 4080 wrote to memory of 4316	4080	Hchqbkkm.exe	92
PID 4080 wrote to memory of 4316	4080	Hchqbkkm.exe	92
PID 4080 wrote to memory of 4316	4080	Hchqbkkm.exe	92
PID 4316 wrote to memory of 2912	4316	Hkohchko.exe	93
PID 4316 wrote to memory of 2912	4316	Hkohchko.exe	93
PID 4316 wrote to memory of 2912	4316	Hkohchko.exe	93
PID 2912 wrote to memory of 1196	2912	Hbiapb32.exe	94
PID 2912 wrote to memory of 1196	2912	Hbiapb32.exe	94
PID 2912 wrote to memory of 1196	2912	Hbiapb32.exe	94
PID 1196 wrote to memory of 1324	1196	Hcjmhk32.exe	95
PID 1196 wrote to memory of 1324	1196	Hcjmhk32.exe	95
PID 1196 wrote to memory of 1324	1196	Hcjmhk32.exe	95
PID 1324 wrote to memory of 3752	1324	Hjdedepg.exe	96
PID 1324 wrote to memory of 3752	1324	Hjdedepg.exe	96
PID 1324 wrote to memory of 3752	1324	Hjdedepg.exe	96
PID 3752 wrote to memory of 3060	3752	Hannao32.exe	97
PID 3752 wrote to memory of 3060	3752	Hannao32.exe	97
PID 3752 wrote to memory of 3060	3752	Hannao32.exe	97
PID 3060 wrote to memory of 884	3060	Hcljmj32.exe	99
PID 3060 wrote to memory of 884	3060	Hcljmj32.exe	99
PID 3060 wrote to memory of 884	3060	Hcljmj32.exe	99
PID 884 wrote to memory of 5076	884	Hkcbnh32.exe	100
PID 884 wrote to memory of 5076	884	Hkcbnh32.exe	100
PID 884 wrote to memory of 5076	884	Hkcbnh32.exe	100
PID 5076 wrote to memory of 1672	5076	Hnbnjc32.exe	101
PID 5076 wrote to memory of 1672	5076	Hnbnjc32.exe	101
PID 5076 wrote to memory of 1672	5076	Hnbnjc32.exe	101
PID 1672 wrote to memory of 4368	1672	Icogcjde.exe	102
PID 1672 wrote to memory of 4368	1672	Icogcjde.exe	102
PID 1672 wrote to memory of 4368	1672	Icogcjde.exe	102
PID 4368 wrote to memory of 4752	4368	Ilfodgeg.exe	103
PID 4368 wrote to memory of 4752	4368	Ilfodgeg.exe	103
PID 4368 wrote to memory of 4752	4368	Ilfodgeg.exe	103
PID 4752 wrote to memory of 2972	4752	Iabglnco.exe	105
PID 4752 wrote to memory of 2972	4752	Iabglnco.exe	105
PID 4752 wrote to memory of 2972	4752	Iabglnco.exe	105
PID 2972 wrote to memory of 1956	2972	Ijkled32.exe	106
PID 2972 wrote to memory of 1956	2972	Ijkled32.exe	106
PID 2972 wrote to memory of 1956	2972	Ijkled32.exe	106
PID 1956 wrote to memory of 2184	1956	Iaedanal.exe	107
PID 1956 wrote to memory of 2184	1956	Iaedanal.exe	107
PID 1956 wrote to memory of 2184	1956	Iaedanal.exe	107
PID 2184 wrote to memory of 1896	2184	Iholohii.exe	108
PID 2184 wrote to memory of 1896	2184	Iholohii.exe	108
PID 2184 wrote to memory of 1896	2184	Iholohii.exe	108
PID 1896 wrote to memory of 2544	1896	Ijmhkchl.exe	109
PID 1896 wrote to memory of 2544	1896	Ijmhkchl.exe	109
PID 1896 wrote to memory of 2544	1896	Ijmhkchl.exe	109
PID 2544 wrote to memory of 4612	2544	Iagqgn32.exe	110
PID 2544 wrote to memory of 4612	2544	Iagqgn32.exe	110
PID 2544 wrote to memory of 4612	2544	Iagqgn32.exe	110
PID 4612 wrote to memory of 4780	4612	Ilmedf32.exe	112
PID 4612 wrote to memory of 4780	4612	Ilmedf32.exe	112
PID 4612 wrote to memory of 4780	4612	Ilmedf32.exe	112
PID 4780 wrote to memory of 2004	4780	Iajmmm32.exe	113
PID 4780 wrote to memory of 2004	4780	Iajmmm32.exe	113
PID 4780 wrote to memory of 2004	4780	Iajmmm32.exe	113
PID 2004 wrote to memory of 4332	2004	Idhiii32.exe	114
PID 2004 wrote to memory of 4332	2004	Idhiii32.exe	114
PID 2004 wrote to memory of 4332	2004	Idhiii32.exe	114
PID 4332 wrote to memory of 3344	4332	Jbijgp32.exe	115

C:\Users\Admin\AppData\Local\Temp\0dc56c45213f74bf8f63e750f987b79039b845c33567fc504bf4f193ac1b2ad3.exe
"C:\Users\Admin\AppData\Local\Temp\0dc56c45213f74bf8f63e750f987b79039b845c33567fc504bf4f193ac1b2ad3.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\SysWOW64\Hchqbkkm.exe
  C:\Windows\system32\Hchqbkkm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\SysWOW64\Hkohchko.exe
    C:\Windows\system32\Hkohchko.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\SysWOW64\Hbiapb32.exe
      C:\Windows\system32\Hbiapb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\Hcjmhk32.exe
        
        C:\Windows\system32\Hcjmhk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\SysWOW64\Hjdedepg.exe
        
        C:\Windows\system32\Hjdedepg.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Hannao32.exe
        
        C:\Windows\system32\Hannao32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Hcljmj32.exe
        
        C:\Windows\system32\Hcljmj32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Hnbnjc32.exe
        
        C:\Windows\system32\Hnbnjc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Ijkled32.exe
        
        C:\Windows\system32\Ijkled32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Iaedanal.exe
        
        C:\Windows\system32\Iaedanal.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Iholohii.exe
        
        C:\Windows\system32\Iholohii.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Ilmedf32.exe
        
        C:\Windows\system32\Ilmedf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3344
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1712
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        42⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        49⤵
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:544
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Lefkkg32.exe
        
        C:\Windows\system32\Lefkkg32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Ldkhlcnb.exe
        
        C:\Windows\system32\Ldkhlcnb.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        62⤵
        Executes dropped EXE
        
        PID:3764
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Mekdffee.exe
        
        C:\Windows\system32\Mekdffee.exe
        64⤵
        Executes dropped EXE
        
        PID:5148
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Memalfcb.exe
        
        C:\Windows\system32\Memalfcb.exe
        67⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        71⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Mohbjkgp.exe
        
        C:\Windows\system32\Mohbjkgp.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        73⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        77⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        79⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        90⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        92⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        93⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        94⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        107⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        108⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        110⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6148
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        113⤵
        Drops file in System32 directory
        
        PID:6200
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6244
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:6396
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6440
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6528
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        122⤵
        Drops file in System32 directory
        
        PID:6616
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        123⤵
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6704
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        125⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        126⤵
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        127⤵
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        130⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        131⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        132⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7136
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6332
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:6436
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        139⤵
        
        PID:6492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:6848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dgmfnkfn.dll

Filesize
7KB

MD5
9689234449508f6e5608742e06be9c80

SHA1
bcd6ad94a9d58fede95f93c809a01654cabb6fe2

SHA256
9d864827b98a82c5d677ff660d93bc18645161f9a4c325f26cf79bc64033c7bd

SHA512
659372cd95bd3ce4863b74e324e11fb2e3010f60995437147cca9037a4f4d47ebddc1a82cdc386fea511461d74f40519e14464c08d6ed39243c805fdac50e00b

Download Submit
C:\Windows\SysWOW64\Hannao32.exe

Filesize
90KB

MD5
fa35928b6c7bc6821b4e92d39b17f73f

SHA1
b50395340def558e568828027838b9ab5873c93b

SHA256
ee5b5bae6c7eade35ef9d0fbd17ac4041c6df67e4afc547bc90acf5c3ac01e47

SHA512
53de8e49f1d7a4818fb0b1d1193a90e0e6fca25aec3622b0ffc0a0d0d91b4a904c68d7b985903990535129b444d6c4f6bf92dd426772d6a24e25d887c09b1b17

Download Submit
C:\Windows\SysWOW64\Hbiapb32.exe

Filesize
90KB

MD5
f929e2ff497e55d5bb9259249e44c501

SHA1
9d160a31f9c9ab42acda1e404927c6e7f92d8d3f

SHA256
cce3573efb62bb88df9236dd86695c2a9dcd2a3c9f51d06a47f9e57947cc5a83

SHA512
bde80f5d7292b60e36de5d02f5bac67040ef604903f1ed965cb6da38ce214c156b62993f7bd0b3d2768e71666e59afdf94010b13df363ea7765dc9accc175bfa

Download Submit
C:\Windows\SysWOW64\Hchqbkkm.exe

Filesize
90KB

MD5
7bdfe8e6bf70f755c6b6fae2733742bb

SHA1
86ea00e7262d3868d7f558d774bfa6fad7dcdde9

SHA256
685043a887ee48da4fa945ea8ebe38734f0a66473687b42e102a8501e2a96e46

SHA512
0601f6816cfc7311ee13374df82f8aa3b12aa8fd690fb655706c0611c08a5aa6506f78b0e169dc27dff22b2bfb63c81b64d1df191cd94f419bfd2aeb82863e7a

Download Submit
C:\Windows\SysWOW64\Hcjmhk32.exe

Filesize
90KB

MD5
73ad37e0a3c2b603dd10f9f475aa6dfc

SHA1
a3145a0683cbe68768881dc84c0790802de91c26

SHA256
9c36fa5e19d4cdcc26f7006407b1eb5ebb285e6a65a832f9993090f645a600c3

SHA512
a9e272c97bb25986d9e472ff251a6aae4064f68b268aa6e2eb6eed57935656cdcc1e9f5f76bf1506b7df28f135a1a07007bdfa437105cbcbc4b3f8384a0bd1e0

Download Submit
C:\Windows\SysWOW64\Hcljmj32.exe

Filesize
90KB

MD5
31b56646b10d6172504432d385522ff2

SHA1
03cce533c66272e4d63653514ea134084839fa59

SHA256
2090cc82fe842ba62ad70a4dfbfafa2417cab87c4b7264b26b52074cd50bddb1

SHA512
b7b01ea4ccf2ddde82c267a84eed36918cc65534f926876d6a84ffb1d93e948fa86ddacbdb01640732dfcd2486b7f93d0b233e3dd8f10678d355d50fc43f6fc1

Download Submit
C:\Windows\SysWOW64\Hjdedepg.exe

Filesize
90KB

MD5
ef1b92ed702530e07ae4f08f3dd22005

SHA1
c0c44cee80f0c9d4204da3201ee6a66da19b7fb0

SHA256
3bf731afebe2cab3d3725d1e284646c36d45ed8c901e2c6018ea04ab64b765a9

SHA512
c364c0f63f474bba9dc93928916f3d10add723bd78f0c1f0ac923a914e677bbc5986f0e23b8b3718c41337e4692d2aa14ce04c1d5cb0b5f01306f443c9d968c4

Download Submit
C:\Windows\SysWOW64\Hkcbnh32.exe

Filesize
90KB

MD5
56fca7890d4fa2edda8fd25504b18654

SHA1
a836ab4b89e87968155f589bcd335588a956777a

SHA256
cb66ae489d3046693ca55e159eab666bf79b025c57a726119f9ea6d101094390

SHA512
fd281c46be548ba715663e54920706de7b6fea3f17ab688579e573ffd326bb76ab06566be36a820e01734a68ea70ac19be3a4bea5398925263fa0c03e52eee99

Download Submit
C:\Windows\SysWOW64\Hkohchko.exe

Filesize
90KB

MD5
7d1cc3b91e8b3ff465341a260a0e335e

SHA1
f00af1d92a2eec6fdfbe686bddefc31aa2149b23

SHA256
1b3370a12be6da62c0b3ca0daf4c5ef39e6887233e7d5507769bc8434905a5f8

SHA512
9ea1aa0fde49110070af55322c433b6e76c38461a4b9f7367be7f71a5ab877a6e79718b37408d5803796875eb9a04062a9cac93d518502990a7ccf05799d77c6

Download Submit
C:\Windows\SysWOW64\Hnbnjc32.exe

Filesize
90KB

MD5
35faf2c5483f84d339b055f072f5f13a

SHA1
bcca3ec298667df4403705609fa6b24d7177e4a7

SHA256
757f455e86d9a1ed2be5138af1d15889fb4d26c4a2355a6c826395485a21b529

SHA512
63bfe70bc05ea96e643163033aadabb3189d696ac1667767c3bc211d3f39924d9329a73a5066c2722333e7ba93987ecc9a4ef4e0e35e02a9c1c54333d659e92f

Download Submit
C:\Windows\SysWOW64\Iabglnco.exe

Filesize
90KB

MD5
7dc8a58ced7b27ba158303251fa448e6

SHA1
c7fb02f2ba1a697c4b94c6a758439c5fbcd599f7

SHA256
426123d53a0f7d3f3d7d04b736d368f1e9c6ac43cc6b449ebf6c4bb2eb8c7cb1

SHA512
4f56365e074264cee5cbfff226596f5bc312cf2192a29c87e39f9650816d40b39fcb26c34e718d4b039e710e543a99f2e3da13fb49af2edb2f75b49a02a82e90

Download Submit
C:\Windows\SysWOW64\Iaedanal.exe

Filesize
90KB

MD5
706eff9fffc0cf60c801e16682a6ee5a

SHA1
84518d8b7bc51326fcef37d99fbd42d27ad34097

SHA256
164787b595c1e2dafc0471bf64faa2f1799889836466d502320c0c20f98e067d

SHA512
9e73b8ea931b8b39162b7d8b6de5420c53c90ba2d799070c4a581f5b17d11fc98d2ca3119135557fddc127304e622d649a776f5fedfda774e3764c571dc7bc64

Download Submit
C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
90KB

MD5
67e8ca05ff6c6448da62b1a6f89996f5

SHA1
369fe3032b51e6357c8fcfa88e4b185d24b8765b

SHA256
424c1a5d2580b1c8d2b92c34adb12b07f3147646e1b0b40437bfd4984342f1ba

SHA512
30f8f8ee302759a334e38bb6c213361b8f291d21c375f70090a2368e72597a85a34a0f53c52871ceafb596f94673a7b4b275b08163aa7066a263d497d20d9f61

Download Submit
C:\Windows\SysWOW64\Iajmmm32.exe

Filesize
90KB

MD5
3820de90d98ca59f33f8807fcfebd2e3

SHA1
bb6ab44b8b48b3dbb88f132361d0c2fab0edc5c4

SHA256
9ba1dc4379047cfe4bbe2f9a803d857c8f80903e702b5a959c218c0c79c44085

SHA512
887b822f8f4584fc71b15f61a3da51fb190b332963059accd1ab77eea9c4df8429de42ec3ba9e21ec3d4b0167e449432723c4742b86b9a5667231f7356ceb4ff

Download Submit
C:\Windows\SysWOW64\Icogcjde.exe

Filesize
90KB

MD5
1a608a21cea4c811bfa3204fe0675847

SHA1
6636820447f0bf2339d15260368cd498674fa643

SHA256
f71b7b3f6055745c4634226488c5870bcb4c331e7d9bc4c23691f0fcbc13a033

SHA512
8d18f64e5cc1058831d6f010d11e7268ea934aba0612f1f7678f4ebdefe6b5ab26490fc857a4ff85a4ac11684aed3b71539b186e507d7fe7fbd7a6713fbe77bb

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
90KB

MD5
ab367b3e285a049b03d49d03799d8720

SHA1
14c4702b8c4784fa4bf866731c70db3ef5c2bb66

SHA256
319964040edb046e0a37785101fb4497d108cc6f1ff76c59a61fb5dfc678c85b

SHA512
c0f4a42b19f96ae711d37b95f85e2749c3fa05e7a195f55e10aa04c3523b690f4e8ecd92e9847798a84037343ca1933c2371d682a96c8e3b7b7e1dd497047671

Download Submit
C:\Windows\SysWOW64\Iholohii.exe

Filesize
90KB

MD5
078f27e419306f58c94d395d0baacd97

SHA1
77028a29d85359b4b85ddd3c40e5d5c7a135b905

SHA256
6440b3f253f79472a7f3a57aa70b89f39bfe4054a88cf7df4fd3c9debb63759e

SHA512
d2881f72ea1a84b49a2f2703c5796116e0d75e55aa14d43d4d7124f9df5212ef77fc4d7e26602dffd3e82f3f7460909ddb09f65ab663febdad3481a26b6b16f7

Download Submit
C:\Windows\SysWOW64\Ijkled32.exe

Filesize
90KB

MD5
2a3d855fa231e1db48d65d477326aa74

SHA1
02137584b01abd8eec374987c2982da46c998199

SHA256
5a3b6b7c5f88476a88f4e8011b46ab90c699e8bc4b4bb6da651c550067cc6877

SHA512
63938e6ca7d2e599ea186fed6cca84bd6eeee1213a0f3c96071c31758185c30c176982dceb43ba8b9872268a8df2dcc918e294f0951909abb0a15419f7a07355

Download Submit
C:\Windows\SysWOW64\Ijmhkchl.exe

Filesize
90KB

MD5
766e11228369b1e1425e2900dd635d10

SHA1
73365779849b08c7e1f7e8dc59cf562f084abce6

SHA256
5849a86cbbcbd71dfe5eceb25b07d9f560822a693925ac07b77454855a1d6c13

SHA512
ec3af4e90136e34ea7326b311b7122f8fed10fa7c196e1c2efb377f73cd8e300b21dae468afd54f3173640c3a35313d7ae30cd48a654f2d09d05eb12ac297761

Download Submit
C:\Windows\SysWOW64\Ilfodgeg.exe

Filesize
90KB

MD5
49b905d8fbcf42097afdcdde17ae0356

SHA1
52b778dc1ca94815b28fea60c0f35ec820585a7e

SHA256
81b074b63babf23962c17a6a9c8c9fde9a4c77a32347b97e808ef677cf4eecdd

SHA512
ea7ad9a9531148463015d429cc73722b1065e45612023f0f6dfeadcd32ba754cb9c9d94b21ea9021bad97427ebf0d1b388156dd1829b19d85a29761e43f7cb8b

Download Submit
C:\Windows\SysWOW64\Ilmedf32.exe

Filesize
90KB

MD5
29430353adff86605f1cf90ae22cb4d7

SHA1
d1c9042a104ef75c0be7b5188377985c14045534

SHA256
bf34bd4254e82f6d68deb52e7a37efae68a4992429e8587cc457368f2b19ac92

SHA512
6b330d311c45be0a852a00acbd55653a0b5a7034ccfe92b371ab318cc6cc9e4db83678768560c02b53e74ade2d7eb56efa8cac1915dd59dcbc63103ee3b048c5

Download Submit
C:\Windows\SysWOW64\Janghmia.exe

Filesize
90KB

MD5
af5e0db855a7de79ae4705a7d4ffcc23

SHA1
a8b57490b6de42ee38462eee4c6d98795fb041d4

SHA256
a0f2c0a7312ed8fc3e6ed2c04e1d0b6dde39622316f8d530319eea1ac164f864

SHA512
caf6f1fc03d42a80650e93ad3be4430a822f3c5fa7d2f71d99c2385d24af882df6493825e40ba87d7040672f11c1fdbd5f9edced15a6ebfc54bc35a64e9cddbc

Download Submit
C:\Windows\SysWOW64\Jaqcnl32.exe

Filesize
90KB

MD5
86d34a342260f2122d06f32a0bf817eb

SHA1
df34161ba67e87229df306bb57e1470caae263f2

SHA256
3fc4701cce7b58b0ee966fa469eb794b837a452df6e585617e8e5f09337a9b05

SHA512
bc779f6b100cd202f8711d5bbc435a38d9ef46ddca19bc773270971df0229ecbb8673cc20931770202ead08cec7b3845b7554a4f178ba8f7443797ac5aec4e7b

Download Submit
C:\Windows\SysWOW64\Jbbmmo32.exe

Filesize
90KB

MD5
8e121fb09360dbb1a6b432620937940b

SHA1
192240edf47ad7be268fad0409f48dd4b34011fa

SHA256
762c5d3e8f0fc511e06e8c29fead555688fd2803b0b666e3212223a34e59efce

SHA512
7711b758c5c407c2dd11c0955cdbd27c1eee340495c056d4104661ad378c48f6cc9b66d2bf54566f954ad54fdad99f60285a1dfeb36304a292432f97d65dbf6d

Download Submit
C:\Windows\SysWOW64\Jbijgp32.exe

Filesize
90KB

MD5
c049febb2d6f6bedc847dc00298998cf

SHA1
ea58a0ec82e706bfa4efc4aae7d1ea8a4b37dd49

SHA256
5147964ffd02f6400f6a8ece3f377e107e9263d0f9b4cf979dadf0764c75e122

SHA512
abe4bb97e9a46a2224aaacdc81a660c531fd8998c1ed883dc7b06302c8125116b4f7bc1c4897fd51bd35bb24ade38f19043c2a0fab7ba5de0fcefc6a5b0d69a3

Download Submit
C:\Windows\SysWOW64\Jdalog32.exe

Filesize
90KB

MD5
abd9996486375ac2487f2b03b79818ae

SHA1
ad7d1a3bcad75a699e03daaa9d5adf261a8eab28

SHA256
baa6215c8860d604be59add6ce121bc72292b6fa9c38ab156e33ad677395faca

SHA512
7c2fc6ba08bef5102be9bde198411732710aa2c546438a5e7a1e3f6775df4b68df66ff97863176c0dc583ffd7357ca7ba7e01bb9d13f804e4a4d7a0e4736d12f

Download Submit
C:\Windows\SysWOW64\Jdjfohjg.exe

Filesize
90KB

MD5
ae952a963b8f1b9e8b00cf43c95b3935

SHA1
d392b9f49a60f25a43832fb2f5276eb8af69e852

SHA256
7c0cfa665d4d7e1a29c384955819620c2ed611b82c90ab134b96441a47bb6851

SHA512
b66a8a9554e031d5c95220127ffe1ca5ae8c4b52347a9fa1067c2239613c217a441e6ac44bc6fdae7394fc3ce7e4a2602f5ea2c5aca80ddfb3ba7d7a265a3b88

Download Submit
C:\Windows\SysWOW64\Jdmcdhhe.exe

Filesize
90KB

MD5
a687036c72febf599277d9af7ece70ca

SHA1
9ba3b0c22eca47fdc8bd16daa9a4a515a4d3102f

SHA256
ee307fd74357acc89b3edd91384780c9ef142908cd41598b1c2db82c58442043

SHA512
f666ebc79cd1bd395f533e9c39f2441330fca4d54d89b6fda779719df972602905b281f172a0f04a68695b1b7a28691a2340ce61976e37dd7265d3d2835aaadd

Download Submit
C:\Windows\SysWOW64\Jhkljfok.exe

Filesize
90KB

MD5
17b9a9a50a89cc21d356d062be21ec4c

SHA1
e8268836f9e3e09fed0451301698a08cbeaefd42

SHA256
5cb7db7ab1b3a8aaba1ac4fad5e0aa4c642d0f74d8ce223e41206f366f7d39f0

SHA512
868776fb069ffd927b17e507b00dd90cd4dd4abf40abc8da8d6e3171b9fe8627731533ff1eba0e073d1c5b0939da426f3a326fb7bfedd214f089cbc4b7ce58a8

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
90KB

MD5
f12a9aa376aed5d7485662cf0178deb7

SHA1
37ac8fb8adc1e24e002b50e49936f43dd0a81af5

SHA256
8b404d2c12ef29f560a82410ae2aacda2a950a96bf697ed392e788896528e295

SHA512
3cc62946457615f0a7e8173fbf17c72e41dd3e0e7fba3f02cb67e45df9e7092d401b02ae1fc061fd7436c596737f2a1d512d9d2190977b5ab18eadde0401b50a

Download Submit
C:\Windows\SysWOW64\Jldkeeig.exe

Filesize
90KB

MD5
7bd595d9583f62a1594e34051b10386f

SHA1
8b125064836a18ccc80b557cc3e7b8ace6b07ff7

SHA256
8205c46bce7a70cb820033ed861c44f5f741671a0b9e689ca406899803e5bef4

SHA512
3aaa27ee4eb4c5224c72361501cc7632dee105d0888529aaf6bfca17bab67ddac6536b8ce7a1521838bec1f193d007ab092f9db28258897c25c3a1840edabaf7

Download Submit
C:\Windows\SysWOW64\Jnedgq32.exe

Filesize
90KB

MD5
cbaea1a03c13e17fce9259f1535f189c

SHA1
1376238d66f0fd8c9e8cfc405a8f3bf21b54d77d

SHA256
bc72ba973a7dd65e11e34e85eb5b01e7201a392278653397904f5d3d8f1c8684

SHA512
6e9c2fd0e6f09ec6b69df819fd1f518b7025af3807bae64c2272265fd69d3e4fcb1c02c27cd433185de8f98f06c9cf0003830e5d86f6c6be18bc722d88527e66

Download Submit
C:\Windows\SysWOW64\Jnpjlajn.exe

Filesize
90KB

MD5
a5233a9b78aa3300e98113904eda9b8e

SHA1
c65af88fef9a2b2b2db44ec0e8ea022fe3520d5f

SHA256
e6648fa1e200fe5b6d4a38bad6803c452e1f30dc5ed4d08732b5e245fe2542c2

SHA512
8bdea749a7d61da35675604baa0b0953ea16b253a4d8fce93c395ba6d039a496e3724ff76e133c4dbbcb3fdea13d0235aae677fa647a059702ce581863ce5129

Download Submit
C:\Windows\SysWOW64\Kdffjgpj.exe

Filesize
90KB

MD5
02a33a480417b78037e5c673cb696d02

SHA1
a1943d4dd7b48ca3ffc97fb286337e7a1551fd2b

SHA256
4e8efb91e35f6399f892a99c1f7df0a572e7978cb8f56509b6e699b52f17440f

SHA512
d690c64c364647a3b31bbd1497dec64c90977eddc8c50c64c84d94affa95785b1d20ca1e8a01461caea634d56f84afc8ba45054fe0c6635c679aa9b5b519b4c4

Download Submit
C:\Windows\SysWOW64\Llkjmb32.exe

Filesize
90KB

MD5
4780c096de2b826901cf1384392c3647

SHA1
288a961917a609080c9d7d670c24a17585d0a6d2

SHA256
87bceda23c1f83eecb8274c364c419e1c967fdc65c1f98494dde7aa5f5343426

SHA512
7e362b443c2ef3afd59069ae1ab30e4121543e56ba42e5c4d73df76e86ffcea00eefec7e52b4601af4209162ef5bab8a6fc6dcb54940c8766740d5685243a578

Download Submit
C:\Windows\SysWOW64\Mahklf32.exe

Filesize
90KB

MD5
51bb172a2fba1449c497c4d600c596f4

SHA1
32ee1e502db672d42a6182effeb7e645ab80e8f1

SHA256
342dd9491dcfe9a43a2d3c67722f39954cf28755eb3bf079c2577e1b0f902071

SHA512
3157081933fa7054239ea936baa78712eb8345a76c746fe854afe8a284f200dce4a76cc27727c4b660e4db3d9540d3a2e58d6b3892b6d376356bbfc616a7f4fe

Download Submit
C:\Windows\SysWOW64\Nlcidopb.exe

Filesize
90KB

MD5
822429db64dabe6a2c09c7df31f3d96d

SHA1
5477754394d2c177c400e2cb2a5fae1e1f33a34f

SHA256
0c013d58c0b8eafb867311a364d34ac63791a45e3526fad21a0b7a215b14521c

SHA512
f394c3d8bff747974ce58d167af6da5828dd5fef569df2d4dc68fc55791a25da825a613098c4339bf99f83a5f2d7f40bb03138bc0c11bfd8b1b4149d9aacd409

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
90KB

MD5
0f32b17f58bfce5a8da6f5cbaecf188e

SHA1
03bde15c76ff7246245b1652ff9cbe50b428d723

SHA256
10a2fd5ccbdb49e4d964c83c5ecbe32686df86f557306c18f823b26da6852354

SHA512
586970010866afc1607fa5bbac79f540f31de7864aed701701fe5c9de3773d053c134aa1c6d341bfe803055c7112d2a815ad1d8664d3eea1f4fda2af37084888

Download Submit
C:\Windows\SysWOW64\Pfppoa32.exe

Filesize
90KB

MD5
47018d0509c4ad476443f22809e3e293

SHA1
b8dd496365d3ee833e9b68b80f747d81c705c0be

SHA256
34c7bb8b19db6d8ca4690f5155ff771b3932045ebd3189e7f294786c7390e6eb

SHA512
9ae6ef791ceacbb97cc432e4f24341c9c55f9f70b1929a309d86ac61e0e41ce96e34de91a4bf3432d411c636c2c6c72a05094fecee90c9874fd28c38ad0c063c

Download Submit
memory/544-363-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/836-200-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/884-63-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1036-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1128-215-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1196-567-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1196-32-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1324-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1324-574-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1376-389-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1400-232-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1408-383-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1432-311-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1616-305-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1672-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1712-287-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1752-274-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1764-227-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1852-431-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1896-127-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1956-111-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2004-159-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2036-262-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2056-323-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2184-119-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2256-335-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2340-248-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2400-395-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2504-299-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2528-407-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2544-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2560-401-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2912-560-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2912-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2964-286-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2972-103-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3060-60-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3060-588-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3192-256-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3232-240-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3240-371-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3344-175-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3408-293-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3476-347-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3508-365-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3652-317-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3736-196-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3752-47-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3752-581-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3764-425-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3924-419-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4012-183-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4064-329-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4080-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4080-546-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4112-353-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4204-377-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4316-553-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4316-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4332-168-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4368-87-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4440-268-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4512-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4512-539-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4528-341-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4560-208-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4612-143-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4752-95-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4780-152-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5076-72-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5088-413-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5148-437-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5168-582-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5188-443-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5228-449-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5236-589-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5268-455-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5308-461-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5352-467-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5392-473-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5432-479-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5472-485-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5512-491-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5556-497-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5596-503-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5656-509-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5720-515-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5760-521-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5800-527-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5840-533-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5880-540-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5924-547-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5976-558-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/6020-561-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/6080-568-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/6124-575-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads