0ce0606662c38b6466e4dd25c8831358681e3ddbf3624f72a86553f5da901543

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd1b0a502bb5ad3772369f5cc9c4a7c0N.exe
Size

352KB
MD5

dd1b0a502bb5ad3772369f5cc9c4a7c0
SHA1

02c4832040d03a896f97342b981710a98fe14a21
SHA256

0ce0606662c38b6466e4dd25c8831358681e3ddbf3624f72a86553f5da901543
SHA512

29ebcbee06ac24fbeb6948995566b83334643716cb68059c057c9275e75a8cad0225bc111436eacfbb77385c12063b47052d1ac008323786210ecf9a79a1b506
SSDEEP

6144:XR7EHlD0HMkTpr1ItvLUErOU7amYBAYpd0ucyEWJrj1mKZHPSv/rpwMBhpNFdFfX:jH1rCZYE6YYBHpd0uD319ZvSntnhp35N

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibnjkbog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qclmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijmhkchl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjjpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkcbnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qclmck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aidehpea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnfooe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkjohi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccggl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkmlnimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlanpfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daollh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdime32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibbcfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gglfbkin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjaphgpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhfaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkohchko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpjmph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epdime32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnmeodjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adepji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkalbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbknebqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llkjmb32.exe

Executes dropped EXE 64 IoCs

pid	Process
4600	Qamago32.exe
116	Qclmck32.exe
1592	Qfjjpf32.exe
4240	Aabkbono.exe
3208	Aimogakj.exe
2804	Aadghn32.exe
908	Aiplmq32.exe
4060	Adepji32.exe
1660	Aplaoj32.exe
4280	Aidehpea.exe
952	Afhfaddk.exe
1284	Bmbnnn32.exe
1580	Biiobo32.exe
3264	Bdocph32.exe
4872	Biklho32.exe
3168	Babcil32.exe
2468	Bkmeha32.exe
3932	Bmladm32.exe
1176	Bpjmph32.exe
3580	Cajjjk32.exe
856	Cdjblf32.exe
2180	Cgiohbfi.exe
784	Cigkdmel.exe
5100	Cdmoafdb.exe
3520	Cmedjl32.exe
1976	Cpfmlghd.exe
3276	Dgpeha32.exe
1400	Dmjmekgn.exe
448	Dphiaffa.exe
2676	Ddfbgelh.exe
1008	Dnngpj32.exe
3956	Dpmcmf32.exe
4664	Ddklbd32.exe
4276	Dcnlnaom.exe
4216	Djgdkk32.exe
552	Daollh32.exe
2588	Dcphdqmj.exe
4292	Egkddo32.exe
2268	Epdime32.exe
228	Egnajocq.exe
3352	Ekimjn32.exe
1808	Eaceghcg.exe
2580	Egpnooan.exe
4208	Enjfli32.exe
1172	Eddnic32.exe
1644	Ekngemhd.exe
1748	Ejagaj32.exe
2856	Eqkondfl.exe
4792	Ecikjoep.exe
4428	Ejccgi32.exe
4668	Eajlhg32.exe
2280	Fclhpo32.exe
1740	Fkcpql32.exe
4332	Fnalmh32.exe
4352	Fdkdibjp.exe
1136	Fkemfl32.exe
740	Fboecfii.exe
212	Fdmaoahm.exe
4844	Fbaahf32.exe
752	Fdpnda32.exe
1236	Fkjfakng.exe
4312	Fjmfmh32.exe
3496	Fcekfnkb.exe
3764	Fbfkceca.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ldfoad32.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Bkodbfgo.dll	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Flpbbbdk.dll	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Eqkondfl.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Emjnfn32.dll	Gkalbj32.exe
File created	C:\Windows\SysWOW64\Mohpjh32.dll	Hkohchko.exe
File created	C:\Windows\SysWOW64\Kbgfhnhi.exe	Jjnaaa32.exe
File created	C:\Windows\SysWOW64\Biiobo32.exe	Bmbnnn32.exe
File opened for modification	C:\Windows\SysWOW64\Dnngpj32.exe	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Imhcpepk.dll	Ejccgi32.exe
File created	C:\Windows\SysWOW64\Fbaahf32.exe	Fdmaoahm.exe
File opened for modification	C:\Windows\SysWOW64\Ijkled32.exe	Igmoih32.exe
File created	C:\Windows\SysWOW64\Ibbcfa32.exe	Ijkled32.exe
File opened for modification	C:\Windows\SysWOW64\Fkcpql32.exe	Fclhpo32.exe
File opened for modification	C:\Windows\SysWOW64\Hkmlnimb.exe	Hkjohi32.exe
File created	C:\Windows\SysWOW64\Ekheml32.dll	Jjnaaa32.exe
File opened for modification	C:\Windows\SysWOW64\Llkjmb32.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Dohnnkjk.dll	Aabkbono.exe
File created	C:\Windows\SysWOW64\Fachkklb.dll	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Jehfcl32.exe	Ijbbfc32.exe
File opened for modification	C:\Windows\SysWOW64\Gkalbj32.exe	Gdgdeppb.exe
File created	C:\Windows\SysWOW64\Jbbmmo32.exe	Jlidpe32.exe
File created	C:\Windows\SysWOW64\Llkjmb32.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Dcnlnaom.exe	Ddklbd32.exe
File created	C:\Windows\SysWOW64\Jjgkab32.exe	Jdmcdhhe.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Ldfoad32.exe
File created	C:\Windows\SysWOW64\Cmkjoj32.dll	Jlfhke32.exe
File opened for modification	C:\Windows\SysWOW64\Jbbmmo32.exe	Jlidpe32.exe
File opened for modification	C:\Windows\SysWOW64\Qclmck32.exe	Qamago32.exe
File created	C:\Windows\SysWOW64\Dgpeha32.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Klfhhpnk.dll	Fkjfakng.exe
File opened for modification	C:\Windows\SysWOW64\Ibnjkbog.exe	Hkcbnh32.exe
File opened for modification	C:\Windows\SysWOW64\Ieeimlep.exe	Ijpepcfj.exe
File opened for modification	C:\Windows\SysWOW64\Jehfcl32.exe	Ijbbfc32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnconj.exe	Lkiamp32.exe
File created	C:\Windows\SysWOW64\Olqjha32.dll	Aiplmq32.exe
File opened for modification	C:\Windows\SysWOW64\Eqkondfl.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Pbfbkfaa.dll	Fkcpql32.exe
File opened for modification	C:\Windows\SysWOW64\Fcekfnkb.exe	Fjmfmh32.exe
File opened for modification	C:\Windows\SysWOW64\Igmoih32.exe	Iabglnco.exe
File created	C:\Windows\SysWOW64\Inmalg32.dll	Qfjjpf32.exe
File created	C:\Windows\SysWOW64\Bailkjga.dll	Dnngpj32.exe
File opened for modification	C:\Windows\SysWOW64\Dcnlnaom.exe	Ddklbd32.exe
File opened for modification	C:\Windows\SysWOW64\Egnajocq.exe	Epdime32.exe
File created	C:\Windows\SysWOW64\Qmofmb32.dll	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Hegmlnbp.exe	Hnmeodjc.exe
File opened for modification	C:\Windows\SysWOW64\Afhfaddk.exe	Aidehpea.exe
File opened for modification	C:\Windows\SysWOW64\Ejagaj32.exe	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Gdgdeppb.exe	Gjaphgpl.exe
File opened for modification	C:\Windows\SysWOW64\Ddklbd32.exe	Dpmcmf32.exe
File opened for modification	C:\Windows\SysWOW64\Dcphdqmj.exe	Daollh32.exe
File created	C:\Windows\SysWOW64\Fbfkceca.exe	Fcekfnkb.exe
File opened for modification	C:\Windows\SysWOW64\Hannao32.exe	Hbknebqi.exe
File created	C:\Windows\SysWOW64\Daqfhf32.dll	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Fkcpql32.exe	Fclhpo32.exe
File opened for modification	C:\Windows\SysWOW64\Fkjfakng.exe	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Hkohchko.exe	Hkmlnimb.exe
File opened for modification	C:\Windows\SysWOW64\Ijbbfc32.exe	Ieeimlep.exe
File created	C:\Windows\SysWOW64\Efhbch32.dll	Jdmcdhhe.exe
File created	C:\Windows\SysWOW64\Ddklbd32.exe	Dpmcmf32.exe
File opened for modification	C:\Windows\SysWOW64\Enjfli32.exe	Egpnooan.exe
File created	C:\Windows\SysWOW64\Odanidih.dll	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Fkemfl32.exe	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Hgpchp32.dll	Hkcbnh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5452	5912	WerFault.exe	210

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hccggl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijkled32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qamago32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbnnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcnlnaom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkemfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlfhke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldfoad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adepji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igmoih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkondfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdgdeppb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaceghcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iecmhlhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daollh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnfooe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjjpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdmaoahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcghkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iholohii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epdime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajjjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjficg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inidkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieeimlep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aplaoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babcil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnngpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjfakng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmcdhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadghn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibnjkbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmlghd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkdibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnmeodjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnaaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidehpea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddfbgelh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmoafdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkmeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgpeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjmekgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnalmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhfaddk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjmph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgiohbfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpnooan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iapjgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biiobo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjfli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklnconj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkddo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egnajocq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkalbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iabglnco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijpepcfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgdcdg32.dll"	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkalbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgagm32.dll"	Gnfooe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknphfld.dll"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijgd32.dll"	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hccggl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompbfo32.dll"	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohnnkjk.dll"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnedgk32.dll"	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qamago32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopbppjf.dll"	Iholohii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfjjpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabkbono.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aplaoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbknebqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkehj32.dll"	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppkjigdd.dll"	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnmeodjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkcghg32.dll"	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcfmhdo.dll"	Hbknebqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpchp32.dll"	Hkcbnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll"	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aiplmq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbfbkfaa.dll"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnngpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iapjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfkeihph.dll"	Qamago32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aimogakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcanfh32.dll"	Biklho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hegmlnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bailkjga.dll"	Dnngpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahkdgl32.dll"	Djgdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkjfakng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdocph32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 4600	1820	dd1b0a502bb5ad3772369f5cc9c4a7c0N.exe	90
PID 1820 wrote to memory of 4600	1820	dd1b0a502bb5ad3772369f5cc9c4a7c0N.exe	90
PID 1820 wrote to memory of 4600	1820	dd1b0a502bb5ad3772369f5cc9c4a7c0N.exe	90
PID 4600 wrote to memory of 116	4600	Qamago32.exe	91
PID 4600 wrote to memory of 116	4600	Qamago32.exe	91
PID 4600 wrote to memory of 116	4600	Qamago32.exe	91
PID 116 wrote to memory of 1592	116	Qclmck32.exe	92
PID 116 wrote to memory of 1592	116	Qclmck32.exe	92
PID 116 wrote to memory of 1592	116	Qclmck32.exe	92
PID 1592 wrote to memory of 4240	1592	Qfjjpf32.exe	93
PID 1592 wrote to memory of 4240	1592	Qfjjpf32.exe	93
PID 1592 wrote to memory of 4240	1592	Qfjjpf32.exe	93
PID 4240 wrote to memory of 3208	4240	Aabkbono.exe	94
PID 4240 wrote to memory of 3208	4240	Aabkbono.exe	94
PID 4240 wrote to memory of 3208	4240	Aabkbono.exe	94
PID 3208 wrote to memory of 2804	3208	Aimogakj.exe	95
PID 3208 wrote to memory of 2804	3208	Aimogakj.exe	95
PID 3208 wrote to memory of 2804	3208	Aimogakj.exe	95
PID 2804 wrote to memory of 908	2804	Aadghn32.exe	97
PID 2804 wrote to memory of 908	2804	Aadghn32.exe	97
PID 2804 wrote to memory of 908	2804	Aadghn32.exe	97
PID 908 wrote to memory of 4060	908	Aiplmq32.exe	99
PID 908 wrote to memory of 4060	908	Aiplmq32.exe	99
PID 908 wrote to memory of 4060	908	Aiplmq32.exe	99
PID 4060 wrote to memory of 1660	4060	Adepji32.exe	100
PID 4060 wrote to memory of 1660	4060	Adepji32.exe	100
PID 4060 wrote to memory of 1660	4060	Adepji32.exe	100
PID 1660 wrote to memory of 4280	1660	Aplaoj32.exe	101
PID 1660 wrote to memory of 4280	1660	Aplaoj32.exe	101
PID 1660 wrote to memory of 4280	1660	Aplaoj32.exe	101
PID 4280 wrote to memory of 952	4280	Aidehpea.exe	103
PID 4280 wrote to memory of 952	4280	Aidehpea.exe	103
PID 4280 wrote to memory of 952	4280	Aidehpea.exe	103
PID 952 wrote to memory of 1284	952	Afhfaddk.exe	104
PID 952 wrote to memory of 1284	952	Afhfaddk.exe	104
PID 952 wrote to memory of 1284	952	Afhfaddk.exe	104
PID 1284 wrote to memory of 1580	1284	Bmbnnn32.exe	105
PID 1284 wrote to memory of 1580	1284	Bmbnnn32.exe	105
PID 1284 wrote to memory of 1580	1284	Bmbnnn32.exe	105
PID 1580 wrote to memory of 3264	1580	Biiobo32.exe	106
PID 1580 wrote to memory of 3264	1580	Biiobo32.exe	106
PID 1580 wrote to memory of 3264	1580	Biiobo32.exe	106
PID 3264 wrote to memory of 4872	3264	Bdocph32.exe	107
PID 3264 wrote to memory of 4872	3264	Bdocph32.exe	107
PID 3264 wrote to memory of 4872	3264	Bdocph32.exe	107
PID 4872 wrote to memory of 3168	4872	Biklho32.exe	108
PID 4872 wrote to memory of 3168	4872	Biklho32.exe	108
PID 4872 wrote to memory of 3168	4872	Biklho32.exe	108
PID 3168 wrote to memory of 2468	3168	Babcil32.exe	109
PID 3168 wrote to memory of 2468	3168	Babcil32.exe	109
PID 3168 wrote to memory of 2468	3168	Babcil32.exe	109
PID 2468 wrote to memory of 3932	2468	Bkmeha32.exe	110
PID 2468 wrote to memory of 3932	2468	Bkmeha32.exe	110
PID 2468 wrote to memory of 3932	2468	Bkmeha32.exe	110
PID 3932 wrote to memory of 1176	3932	Bmladm32.exe	111
PID 3932 wrote to memory of 1176	3932	Bmladm32.exe	111
PID 3932 wrote to memory of 1176	3932	Bmladm32.exe	111
PID 1176 wrote to memory of 3580	1176	Bpjmph32.exe	112
PID 1176 wrote to memory of 3580	1176	Bpjmph32.exe	112
PID 1176 wrote to memory of 3580	1176	Bpjmph32.exe	112
PID 3580 wrote to memory of 856	3580	Cajjjk32.exe	113
PID 3580 wrote to memory of 856	3580	Cajjjk32.exe	113
PID 3580 wrote to memory of 856	3580	Cajjjk32.exe	113
PID 856 wrote to memory of 2180	856	Cdjblf32.exe	114

C:\Users\Admin\AppData\Local\Temp\dd1b0a502bb5ad3772369f5cc9c4a7c0N.exe
"C:\Users\Admin\AppData\Local\Temp\dd1b0a502bb5ad3772369f5cc9c4a7c0N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\Qamago32.exe
  C:\Windows\system32\Qamago32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\SysWOW64\Qclmck32.exe
    C:\Windows\system32\Qclmck32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\SysWOW64\Qfjjpf32.exe
      C:\Windows\system32\Qfjjpf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4240
      - C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:784
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        38⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        50⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        60⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Gkalbj32.exe
        
        C:\Windows\system32\Gkalbj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Gcnnllcg.exe
        
        C:\Windows\system32\Gcnnllcg.exe
        71⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Gndbie32.exe
        
        C:\Windows\system32\Gndbie32.exe
        72⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Gglfbkin.exe
        
        C:\Windows\system32\Gglfbkin.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5380
        
        C:\Windows\SysWOW64\Gnfooe32.exe
        
        C:\Windows\system32\Gnfooe32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Hkjohi32.exe
        
        C:\Windows\system32\Hkjohi32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Hkmlnimb.exe
        
        C:\Windows\system32\Hkmlnimb.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Hkohchko.exe
        
        C:\Windows\system32\Hkohchko.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Hegmlnbp.exe
        
        C:\Windows\system32\Hegmlnbp.exe
        80⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Hkaeih32.exe
        
        C:\Windows\system32\Hkaeih32.exe
        81⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Hannao32.exe
        
        C:\Windows\system32\Hannao32.exe
        83⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Igmoih32.exe
        
        C:\Windows\system32\Igmoih32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Ijkled32.exe
        
        C:\Windows\system32\Ijkled32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Iholohii.exe
        
        C:\Windows\system32\Iholohii.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Iecmhlhb.exe
        
        C:\Windows\system32\Iecmhlhb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        101⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        104⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        106⤵
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        109⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5912 -s 412
        115⤵
        Program crash
        
        PID:5452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4212,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4132 /prefetch:8
1⤵
PID:5936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5912 -ip 5912
1⤵
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabkbono.exe

Filesize
352KB

MD5
18fb2b5c77537fe9d7870f63ec81f0fa

SHA1
770d79e13162a6c1bf2f276885e8b051ee16937b

SHA256
8a89d5e93ceb64629a6ac0372e6833d4fac1fd460a580a2d4d27f18304dacc79

SHA512
09d01fcb9dcb39eacc7138e93d800621d57a52d2b8634cbbd9b124a83535a682920398bd8d8c0decc7fe03ce370b4d3c152ed52514a8710f7263c4cf4281e249

Download Submit
C:\Windows\SysWOW64\Aadghn32.exe

Filesize
352KB

MD5
405d6073440679d646157cee86bca52d

SHA1
a88414bd41f48486f434d7ef3d60d9309722b126

SHA256
2a767f1514478a7f067a289db964e2e055df62bf53492ccc565a0919e06da1cb

SHA512
33aeabe5f63cd31895ab4909267bda09b9c99002057839d55ab85a4841c8027e1c9e484e4ab1064b65e3d701e230aac532f1452253b54f70532657d64f627f29

Download Submit
C:\Windows\SysWOW64\Adepji32.exe

Filesize
352KB

MD5
1ebf94a1c1504aa10333b457844e276e

SHA1
644ed42a01d4c8bdcc93cd9e50fdbefeee03e2d1

SHA256
76caffe5e9037a7ed2a002d6ded1883a716d848eafd528e34397473fa7590d28

SHA512
afc940e13cc9d9792ca9e70594d7953e29e23b86000ba0428986ae358680ed4d86b05241b4f8a20b0450267c5709348cd3de9ea21f2d366ce7ec869b1ddf571f

Download Submit
C:\Windows\SysWOW64\Afhfaddk.exe

Filesize
352KB

MD5
ec47e6d282e39067297d6428ee9c6e30

SHA1
20a50d66df5cb76f566a19e5429a8c1dff54e68e

SHA256
e8d2d84a72d91ec48406de3fc439fa63afff3eeacff47a0c00d0e94e8384c9b4

SHA512
1e9252919162d78785fad1ca9facdf05e01eff6aa3bcc93c94d376092a8e758567d5e6188ce8ae0ae7926d7d040d8eab513145f58973e065baa4a39268e9203b

Download Submit
C:\Windows\SysWOW64\Aidehpea.exe

Filesize
352KB

MD5
f0402c1116c156c848e185dd53ef46e3

SHA1
f6b0c050ade736a09914e1151f3c4ff99078f75f

SHA256
7406cabdb99a8bca6eaed08b1a8b5270c0915ceb4a2fbed4ba808919bb8411e0

SHA512
f07894c8707b5056135c9e75abb4b4ca0a7242e3bc0d7e93a9a22435014c1c3d73d1165ee93823a158de3f715cd447f7426d572051a9c0641deec9d377861be5

Download Submit
C:\Windows\SysWOW64\Aimogakj.exe

Filesize
352KB

MD5
3f472cfad025e6fca0eb5d503efcb5fa

SHA1
478102bc3a8a3fa236c90199e4ae9c61d99d77bc

SHA256
b397d0df0199f638238f74363c7d23a995c39d607c339408a1ace10b711abb4f

SHA512
c513f42d9145c4ba494d89a5867e5f1e77b05ed9efab26c2107a42f592b38956d9dd6230fbbc3734b5c50bdd90f52294d6f114dece903e94e4808f7de17d6ace

Download Submit
C:\Windows\SysWOW64\Aiplmq32.exe

Filesize
352KB

MD5
9a67fb2bf6ba8b3d0319a9f3ed0d8542

SHA1
6f51b65dada7f12aa700494777f8e93e464d6c05

SHA256
c29508ec0f9bb3879d031f89bdb1d93593659926965adeae6df8d17e1c2ed98e

SHA512
b9e17f0244a5062a9ca6d930db60c4215abb76a85fe886ed59f4d4b1e0ce9efbe375ae9d33feba468c60330761bc61817ed9eb0d3103828cfc75575b2184ffa6

Download Submit
C:\Windows\SysWOW64\Aplaoj32.exe

Filesize
352KB

MD5
40353397f6faff56fcf4860f11cf1450

SHA1
286bfb75aba1f2d45bedb2f8a81b4c269ea7b214

SHA256
4b2ae937fe3156e4ee122e8e2b1c4b045a53b7093e7ba3a02718fd6c5f7059a6

SHA512
0031eb6bdd606242d9e123079ba4d110eee7e076992dd4de9630911e5f155041e6d60db5b6ed721f565f01361af79713e5c3ae15cbd66c20cf6b9d48eacbd1d8

Download Submit
C:\Windows\SysWOW64\Babcil32.exe

Filesize
352KB

MD5
e597148c69d8089ab5916fe0e8332e30

SHA1
6e91df8bb2f55294f7d21314887b7904e6793892

SHA256
ba9f501fbe6b7c716ebfebc57c5766f555f9313319d6e739a476ddc61ef0ed60

SHA512
e0e7ade9587bfd9c8796c4f98760bb464509335f920ab74800a7f3865d6214712b876acec87280390fc26c257a50d65180a59c852d3115c6013f3d603256ed74

Download Submit
C:\Windows\SysWOW64\Bdocph32.exe

Filesize
352KB

MD5
f425257f87d4b8aea0aba7228c37784d

SHA1
0572a55b3d3b551b9763ab2aa01c9bea6ff0f457

SHA256
32180a72823275708d283a7c42fbaed83ea6c284d740ebcb787fa50d3484de4e

SHA512
0d5a6a445d2c04745a25264b1bd3eec984a01434db69f179f466a23145a2d16bf415eeda465c8211e5e3faee39bfc3410189123c0bd66a8f686f893ecb0c95dd

Download Submit
C:\Windows\SysWOW64\Biiobo32.exe

Filesize
352KB

MD5
98874f1ea098d9babc742b33ef875f9c

SHA1
d621d9ecf8ca85bc7c4bd66286dee3035e160b47

SHA256
585a93d39673eb5780344c8514ff9896f452b570dbed95994e645fac7280d38b

SHA512
d587e1215d09a56fa25f7fbb11df65a0dc43b2d6b8f1a7b12e2fbc058b938d6cf103bf345f01cb893fd2d6b9b746ed69fb5b8b088b21505fca91082d891d10cf

Download Submit
C:\Windows\SysWOW64\Biklho32.exe

Filesize
352KB

MD5
03eaa6ee32f3ab83ec1d04555c84ce15

SHA1
52fc3487a94fbef3e6714a9e73dbaa0a8e5ceddf

SHA256
326dd879ad5ba47e8ea0358410b4d6c28f0801b5eec0176c24792b0e3702eeb7

SHA512
fd024ade5008c9ea60295e85457801054949ed01f40324a6de479786038f75f1df1ecce82d25e08119920133bee13937d1821b6e711f6590721a16a99e840377

Download Submit
C:\Windows\SysWOW64\Bkmeha32.exe

Filesize
352KB

MD5
c822b451dde5ba1f4640c4ec52d6e9ad

SHA1
793cd0d05fd078a8272a548dcc54ebb340808608

SHA256
6a5da916e5bcb04e4ece635a740b9cb168f7100aa9181bb85f2076d5b4a277b3

SHA512
3f5471d351fedfbc5bffdf268633e5c77915eb4d7e0fe4fc3c39d39331012f2fe1900d842dcfc6b44d2e42adc16edff2a5fa0f63780605d4dee0c7fc28432c9c

Download Submit
C:\Windows\SysWOW64\Bmbnnn32.exe

Filesize
352KB

MD5
37be4ab54fee463241ff7c919fa8b3e9

SHA1
784fd32956655474357bc2bb4bc9458c152cdb21

SHA256
81b62c5e2fda301b733dda6459f5afa2331f3b0c751de723789182459f400e13

SHA512
7f2a5fe88bc686963f6067d183504f96363a5ca273aab989406b1b440c26853e115c812ae98cfac9b911e3a9f19076747157e94e256c4009739ce99e27bab92f

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
352KB

MD5
9048362a5e1ecdb2d98693cf19526389

SHA1
1ddcfe92ca776592af05f34bfb1632c9bc25ecc5

SHA256
a4d6188391ef5abc3bb327e00043f8ea8ce39bbb263edaee7d187ad46758c00b

SHA512
768ac66a3187617af9e21e630365229e971ceb3023ab3453d7c6f9727e7027708504fbd230efb63ed50bbd76c55f107f29d52814b2037023acaa7acae7b476e8

Download Submit
C:\Windows\SysWOW64\Bpjmph32.exe

Filesize
352KB

MD5
3ab78bc63beb0a4457461a04aa02e993

SHA1
7ec96a090a0502161789bad2a8e0a0157a01bc4b

SHA256
2fa15f6e9f7d4fa5f375e159d465e85d2b858f5de102841c4073f3d74f86f479

SHA512
8058c570c948165646c110b5dd1a59553a24803059e175cc23caa99fee0ca4c881611c42df1ea08f38335efd17043652c45d93843d3bbf24b81cf6a84a746f74

Download Submit
C:\Windows\SysWOW64\Cajjjk32.exe

Filesize
352KB

MD5
439c3ac9466c2a825252c8b44ebff7bc

SHA1
307bdf42baa9318ea9a6ebbeee59528ce31c6996

SHA256
02d04c317fcb3ed2f6fbfa6c2c7ef3064bd410a35e7ce8e1ba42f9cce03b6bbc

SHA512
02a9cd74f72008c696a95b457fbc859cf14a57f4e873ad70760b276d09e7bdf342654ebab570b36393aed94c59bad0bbc7e3d3b99b42099f23099cb96b3e8111

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
352KB

MD5
1ade0a3b628ccd128b08f74f23df9fa8

SHA1
0073f6f32335d1bc60e12026f608e456ea2b1ceb

SHA256
861256b1405357cce8589f0025eaeee508158cb78b599c7cbcbc4bb2ac36d630

SHA512
4928c44761065523605040fababd1d3ebf34433f98772b054ae557f9b0d63470048f114f828e7f352eae18fbcf4a7e8ed53f6630c1afd27128838300a9e2ef0a

Download Submit
C:\Windows\SysWOW64\Cdmoafdb.exe

Filesize
352KB

MD5
4efdf0c5368c515c916405955918c97b

SHA1
34c239d04be1e928c45c57f8da4b2810430d0847

SHA256
a4924b463bff63e4c22306548febb5d17bc76ed299fd1b9a030ea7a66b11d492

SHA512
1f44ce67334170c0070a609fe0a8a2e27e8d18470c7db0b1e1bea7073d09042f0bfc22a2269ad23570dab770b49c9be983377470a2bf3e0fe21ef3fa148a862e

Download Submit
C:\Windows\SysWOW64\Cgiohbfi.exe

Filesize
352KB

MD5
d27aad46a5a4479f6f163072330eed1f

SHA1
2f1774ca761bb0ebe86f534caa5d4ed7f49898b1

SHA256
0337a6f22fc7c342135413fc4c2e95cd6b455dd089326129fb6d4a6edc60d135

SHA512
ce26d92422513548e00e58ffb8e7d152d748c47e88b18b40185d2805023b3794d1f8bb642ba41814d9b0e8ebd9071c5bb05ecffc082d2fbbf4d3d8ee3717c54b

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
352KB

MD5
1701895fc843af707553405e069af12a

SHA1
13787a5f4037ae824d0c06d5f1bc06ebce4fe979

SHA256
97f1ff314d22d0d7f3ac8f713f40e100b967ef30640cc69621dec777fe6a76a2

SHA512
285fba8d8e8ffaf21d5e28f756c9263405b9daab5fa090d9ccf26cc50000878eb68a19c2347709bfb34bce9209a895e789b2b0e1675ea3446b492b0ca641bc5c

Download Submit
C:\Windows\SysWOW64\Cmedjl32.exe

Filesize
352KB

MD5
5c5a81f05eb94e31d83e3fd8bec042b1

SHA1
50f9480cca3b30b87d5f219249a8539e024d86d8

SHA256
87eef147d63d2bcca883deb3a21c2f9c042a42fbbe9e331b940315f34e61af0f

SHA512
7cc399911dc546d817f97ce26832a8d04d089d4b0bdd45fee3d8dd5a14020612ab6a2628e62159ab712592a22d32673065ff14103c481a849cab1d32cc42d15a

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
352KB

MD5
7e6dcb85e3e63d56fd55d24493fa0aab

SHA1
e203caa1987c6da222e40b944728d1d0bf97f077

SHA256
e8f9baf4044e2d9ca5b87b0013ea979b2f072d2f701e723b75c99487baf400f3

SHA512
174a965648a7f66090277c713ff2f9ac694abc2bfb590b2038be342d6a933183065634757c6999a0a061ddd7fc9f6b993eeb9358010f753e426f7cc7b1041a71

Download Submit
C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
352KB

MD5
11efd8b1c49a7c74ca8e429c38030e55

SHA1
e66ec29b847fbcd3bf37a6a10d375f8c37b5da1e

SHA256
0135887b4c0d31a4fcb15e1bdf42fb7ce8a8776b2aeffd61a9ece326046b3e11

SHA512
359f96f7287d4329e3ba215a7597352087f05bd55a211e4ee2121bc281ad40383c6db87d0e36c01ff050d109e84e8a244641bb035b08cd5e627b5ec8cdb79b27

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
352KB

MD5
ddd5aa83ae9fee6f871045fdad49a2c9

SHA1
05a27e0f6c0d78a4c60e0d3c2a47d1e4c9222562

SHA256
50616b8e53b01515d875132c5010e680d453102a60f0148eb958c4b19257bb4b

SHA512
e9b8111f73445d9c43f3f2a0bc9cbb454525887b14bd4dc9a7d8a5e4ca912bc901ddba84ebb4a202afcecc66f29f992d71b8c909ca25a86887a66b7b574a3d02

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
352KB

MD5
74627154c00c23ce18f726d665b46ff5

SHA1
42fd36181b25913c5d2bafc81adf9ae45a318a16

SHA256
c9853743f9469b7d06d0ca0efcccbc86826e6783caa6ad9f6adcf512a4bc7bea

SHA512
e79f73df165004123c28009b00cffbc41bc34673f02fa1d0afe84a8c170e6081f76c2c20e222fc2e394a27b12ce5ad0c66a5736bc405fe9815d5cf718cb4d271

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
352KB

MD5
7b396a101c8764e70475b61bb594471f

SHA1
9ea1e54172176dbc226051acff7237cd7571b013

SHA256
df0d44fd5e4a2fd7ceb6524873c7755cb478300a47e28128a60e2545a402a646

SHA512
a3c8b1c4024a4b1211a6f9ac287cef6872a92e2cf060abe132c3b6dab2bbb73cb86a20b6b73795ae26ea9b4f8cebda1856fdfb49c9cb9498a12006489c0639b4

Download Submit
C:\Windows\SysWOW64\Dmjmekgn.exe

Filesize
352KB

MD5
59724a6037d2273bb1bc76ae37a6ba27

SHA1
28f6bbe54fc9d37bb1534e58c2407d231c18901e

SHA256
2430b22946bf521b298ba6ae395a0e668a99d6bcbcc30ff974f0e9164a861095

SHA512
99ae5884716c3278d49cc6b9507c48e8555dee4151dc892f15c8f619b7e10c2414875491990cb43c8beab6c1c1545a6929e3ca5f81b10821c1b812dc80d169a4

Download Submit
C:\Windows\SysWOW64\Dnngpj32.exe

Filesize
352KB

MD5
f18a8535687808088dd7144e780852a8

SHA1
8eb36bc4f94cfb36db8239c6880b70d4720f6afd

SHA256
aea09a1ab8fa87f703d5935405eaa65e2b902412affd0baa7b45437d0d05fa82

SHA512
af3120f6131df606c28e46e600c15257c17b3961c956dbb03a948a501fcbaaf154b331b2016a42e0773cd3ea0ecf13d107bef933c4dfcb66fd920f9180fc9803

Download Submit
C:\Windows\SysWOW64\Dohnnkjk.dll

Filesize
7KB

MD5
01e63dec51385a308db75762796552a4

SHA1
0caada1ee0f62c25c441041e13648ce732d2d8e2

SHA256
0a3c63884407ea57b9a23c27745b7c11ab7f96122f2b0032a9326651e158dedb

SHA512
31a6f13f05b35d8467fdd6b2328df19b469afca06cf08d742a75e7ee9556bc8f76f53d065040184ddb357038d5147ad0f795dad5e070196fe4c23f8c577a1388

Download Submit
C:\Windows\SysWOW64\Dphiaffa.exe

Filesize
352KB

MD5
167412e172274bac4e30c2d08cfa3fe5

SHA1
e375139f0102516a94f9ddf16a24575992362d7b

SHA256
5f5b730264f27e26e5d2062c7bddd14fd9878dae73a79fe48c4cad770f844de9

SHA512
0ad6e343810a03de3c8e2d53e2be2a9b48d75dbeb1974f7aa6a48043cea87c60fa23b80164d8a4f47a4273bd234635803f3a829916b309b5b80d87b963b4ddde

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
352KB

MD5
0144aa612fc2d192b70dbef5ffe5e401

SHA1
b8a091e7b8e793677a19c2ff7dfcc2fe5ae325be

SHA256
6340fbabc9e3731ea57cc93628ab735669acddc34bad33f994bf62a18523c971

SHA512
750c533dacae09fa2bc7d280a89f2ac31b1cd158ebdc80f0cbdc8278fc54c16da8972c2f9a3843a34555b8c5e245e2e839eff5df094a46b3e1bcb6881b96aa74

Download Submit
C:\Windows\SysWOW64\Fbfkceca.exe

Filesize
352KB

MD5
451a985b6b5bce6bb847638bc575906a

SHA1
ce202cd8261943adab8504783bd366dfa2e0f889

SHA256
d527882aa92d607b5d55efdae47e72431b3b326588e2309adbddaf78e4a0f076

SHA512
6960f1fa5d0e6433b57da96775273e295a973d14207fbd0b4a9cde0de8e51d2ebe571bc2310aa26d0f103715a0931159f09d39539a18da9988167daa330a8565

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe

Filesize
352KB

MD5
4d8b53f4052ef05980b77c8ba81c776d

SHA1
8bc33d6819dbe8755958bd09e0f0032ea3dec5f3

SHA256
9f3d6ba2c6136197efe03f245cadb69f7551412d7f695569468df76617ec63c6

SHA512
e422c4341f6eaf4db76d8b69166077dc725133d42fa65b39728000c287968178d3e44eb341393e043db49bb38ed5012f87c6b602ece85e60b75bd047a9aadc41

Download Submit
C:\Windows\SysWOW64\Fdpnda32.exe

Filesize
352KB

MD5
6bb39ae6a9562e6c689ab60065a3ed80

SHA1
88b04208880040cd005a8eb034545f9964917bd9

SHA256
a3f056514b657bc3559873d57dc198428adc01bb057eeee63200d07dd34c443d

SHA512
8e7b19d7f1ad01959e9571e61812c759236f399fe714ead7a6b9508ff33a59570381c8b3769c59f371fd08b717a9b596ec3101f784ef2c2c967206e958dc0c2c

Download Submit
C:\Windows\SysWOW64\Gdgdeppb.exe

Filesize
352KB

MD5
b2d8223f10149299108d66566c595aae

SHA1
9bd06bc68a1df5b81b634fef0cf1f83aec290682

SHA256
d085889f2d871821f39e7bca7fcf31a7c47ffdd4835cc7f8f4679944e5433b1f

SHA512
7078e3c70dccbf7a4ab41089eeb66fcf79f6465eb517fbb432a3b9285063bf33df98157c33a2640a74fa92344fab042f4bea49b0ce077f43eb92495afb3e0adb

Download Submit
C:\Windows\SysWOW64\Hkjohi32.exe

Filesize
352KB

MD5
f74090a335f77400fd3bc69c02a8e69e

SHA1
0e1e52c8700b35ad0883944eb7196aae526f997a

SHA256
81f8af62264c9daa7797e7f18b65a3cce2c9f66e8e84407188a2be8a710f7b82

SHA512
79af9b34c177b5eabe212759e857084f8dbe302197f4490838d7181eb9848b47256683bff2eedc57f5a423b78c9365598b5687f74c85d755f1a97a84b9aba7ea

Download Submit
C:\Windows\SysWOW64\Hnmeodjc.exe

Filesize
352KB

MD5
b76cbbaa519b1cb40f635a74cb229049

SHA1
e450d09766c2c26d482e66efef4a740d12d0258d

SHA256
db9c478455ebaba1e2e3284cb64d66fe9c91762cecbd781c839216e86d5d05f0

SHA512
e04af41be8ab374aa773591430bd6cc937a8dee0c8927c9e15d0e0e8408639a10575bfa4302912cf51f6454ae2f9400f9b18d933d892879323f7e198f8d1254c

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe

Filesize
352KB

MD5
3a5317da27f96c49a0a3c40426bdbeee

SHA1
c2795b8620c1f02a51a14c50429495b64c8eb8c7

SHA256
9c697cec3fc537cd4357734ef81c9d6ffe8c2249d8e66b691df34960f573b16c

SHA512
659005826f71f866ba20b1963aae7f4735604bed7a211cfff24166e33f8b0dc3a042d8d9697849e24ce4e47337907d42f745f9e8109c97ed91029c8083b32671

Download Submit
C:\Windows\SysWOW64\Jjnaaa32.exe

Filesize
352KB

MD5
a2e80a55ddf97376e730e1c1150e2e13

SHA1
bcf21a84f319341f8e4697d925df90eaf5f70b36

SHA256
e5d89ae6082a13afb6313c5b2ba7053ce63919d1b292578dc178b8819570c6ab

SHA512
7f23932b8c90f21d0f1012ae452f2cae175ef9367ca68e4faba099b3de720bf0254e1a0427267d16d353ab39693b7a3b6b3365efcd1376a271227552c9aff8ac

Download Submit
C:\Windows\SysWOW64\Kbgfhnhi.exe

Filesize
352KB

MD5
0c52263dedc0b20eaf50f8d5365976b2

SHA1
557af7c6ea991336a545a8cad2a2922e2e395848

SHA256
e149675b8be6b47d4129b07a7496d2482c5aef6f4ae7a232541b514e73f24580

SHA512
8ed95e04e5c08fdb3271b487e4f8f63fbfc95a234ded11316bbce72f057adbd0b7345a35b62c06ff794d3c9f2b4297a8c5e8c78acf92df8af43a978a6f3efdd7

Download Submit
C:\Windows\SysWOW64\Kdmlkfjb.exe

Filesize
352KB

MD5
0d98493ee593ec77b4f96d643145bb22

SHA1
1ef90fb0da601c43df12d501605144ec892af264

SHA256
711aede9a2236cc4b6715b38e035288239cea52258cfb232ac2417ff3e61c843

SHA512
8fb6ef16cd82dbb608f974aeff97537ddea6880d77e2634a829ea612320994bcc03f24242242693bc80c439ec2c4bfbfea416af7884d01fc8c3e13dc9420eabf

Download Submit
C:\Windows\SysWOW64\Ldfoad32.exe

Filesize
352KB

MD5
a7ca21e92db378c44c4d1b3b5d69f9cd

SHA1
88189ac6feaf14f3cdf864ad3057f403b593d390

SHA256
4ea18d22f894049158301712a9a2ad54b54f4839808ee131a8b0621b40f43543

SHA512
777ed04a0004f0ae03ece1b49666567fabe01a870f46222ebcb7befc5a4daa2c243672406e5bef2b6ff6c7d670f4efacbe33bbefac76f1568b969060043f13db

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
352KB

MD5
91e4fdc50fae073d7f9dd76587f79255

SHA1
e81cd55946004476245d8940bded397024d3e525

SHA256
668b4f0ffb05bc1bbc89ebe5f6b93488100155475ceab6da742ad3a901bcd2aa

SHA512
192e063e933c5f53f7125d65cac8d045885a57545f7201975dd877720153ffcc683a207383453bba2a18a7230d35e222130c6a6c09df66b63ceafa6d95c857fd

Download Submit
C:\Windows\SysWOW64\Lklnconj.exe

Filesize
352KB

MD5
eaf7b1fbb7ab8ba4d5c08a6197e5e3a9

SHA1
39b5d3abc6b9abe735308c46be1198d8166293a9

SHA256
1d9f751d79cd1957b6cdd8df45a80456d1e154d6627dd4691969d1992407b8d7

SHA512
d483b023b69b2d583258fc14a8a046317c0143a40230f2056e2518bcd69d3ee6ee57b14c02f397fbe06fa9cc976ce754ef7471aa2d21b8aeb5d8cc72ae2b71e4

Download Submit
C:\Windows\SysWOW64\Qamago32.exe

Filesize
352KB

MD5
89b803bac4988623237c48488c567ef1

SHA1
4fcf5e801dc2e91753167fde86110a5c88f287bc

SHA256
04a5c987f851cc0a074786bbebff2638885c2f0d78994cdafb165900f91a3d2e

SHA512
f085f350fc5b192d610da4abffe3fb0c8733c7028520f2fbe04f007c92c3633a8d802042848453a8bedfe0ecc3a6a55757ce1fe4396f253e594ccc73502a21fa

Download Submit
C:\Windows\SysWOW64\Qclmck32.exe

Filesize
352KB

MD5
0b9faefc1b5375fea6f26f137b3c14e5

SHA1
7e11e76c3ff974b04c43cafcf632d6c3ba471616

SHA256
175420c9a576b8de696339df633b9442dda5b70188abf60eaf2f5ac9771facbd

SHA512
d4e2f54b1bc1c545ec03b18d9a2bd49f0b7264e67ac883ca6db2cd5971e0efcb91b7dde38c98fa2523d1a7dc38b4a3b5fb1007e63c0d5f2983138fbd040b4ee1

Download Submit
C:\Windows\SysWOW64\Qfjjpf32.exe

Filesize
352KB

MD5
b4a9618451e2fa39863dc437e617362d

SHA1
c8c8500e0a25876e132502151df43e3844f2909e

SHA256
5e16d022fc78b3adecbe835789588f12c565c423e1a89178e45ce60f3184f911

SHA512
25876c59a1e8b603734b944c9fda816a1de2ef7ce499da81f431228f4fc67d71e07762086924d8ea491773db2ae0d8460fee8a16fd3e7dbce0d83820b395f9fa

Download Submit
memory/116-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/116-558-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/212-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/228-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/448-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/552-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/740-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/752-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/784-188-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/856-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/908-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/908-593-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/952-87-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1008-248-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1136-403-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1172-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1176-156-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1236-430-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1284-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1400-228-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1580-103-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1592-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1592-565-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1660-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1740-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1748-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1808-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1820-544-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1820-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1976-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2180-181-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2268-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2280-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2468-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2676-240-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-586-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3168-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3208-579-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3208-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3264-112-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3276-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3352-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3496-442-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3520-200-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3580-159-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3764-448-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3932-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3956-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4060-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4132-454-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4208-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4216-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4240-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4240-577-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4276-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4280-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4292-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4312-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4332-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4352-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4428-364-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4600-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4600-551-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4664-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4668-370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4792-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4844-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4872-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5100-191-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5132-587-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5140-460-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5180-470-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5212-594-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5220-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5260-478-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5300-484-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5340-490-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5380-496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5420-502-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5464-508-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5504-514-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5544-520-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5584-526-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5640-532-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5680-538-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5740-545-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5796-552-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5840-563-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5904-570-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5964-578-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6000-580-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads