bb2d39cfb47b535137cbdde45f2a59a4f6ff17627306e8608420a725b16aad5c

Analysis

max time kernel
94s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb2d39cfb47b535137cbdde45f2a59a4f6ff17627306e8608420a725b16aad5c.exe
Size

896KB
MD5

b0ddb74c39450da4f55b327edebeec9f
SHA1

699c7b4cf1eef263cb8782dcd7c06933a74ab14b
SHA256

bb2d39cfb47b535137cbdde45f2a59a4f6ff17627306e8608420a725b16aad5c
SHA512

a6fa6447e80a06fba80f6daf3ca4b41ed1e30c2dbfe4e9f3777fd22b714629f5229135bf262776a03199b07f24303d956e6ec17bd62f4c2893e95cff68fa6782
SSDEEP

6144:JiZxp7TVX3J/1awbWGRdA6sQc/YRuEunZHpFw:AtPbWGRdA6sQxuEuZH8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe

Executes dropped EXE 54 IoCs

pid	Process
2412	Agjhgngj.exe
3260	Aabmqd32.exe
4348	Afoeiklb.exe
4620	Bagflcje.exe
4932	Bganhm32.exe
748	Bjagjhnc.exe
1720	Bjddphlq.exe
2832	Bfkedibe.exe
3740	Belebq32.exe
4420	Cjinkg32.exe
452	Cmgjgcgo.exe
2900	Cabfga32.exe
1684	Cfpnph32.exe
1204	Cnffqf32.exe
1308	Cmiflbel.exe
2144	Ceqnmpfo.exe
2264	Cdcoim32.exe
2424	Cfbkeh32.exe
2872	Cnicfe32.exe
5048	Cmlcbbcj.exe
2768	Ceckcp32.exe
1776	Cdfkolkf.exe
720	Chagok32.exe
3180	Cjpckf32.exe
3920	Cnkplejl.exe
4972	Cajlhqjp.exe
3892	Ceehho32.exe
4896	Cnnlaehj.exe
4392	Cmqmma32.exe
1172	Cegdnopg.exe
3384	Ddjejl32.exe
2096	Dhfajjoj.exe
4592	Djdmffnn.exe
556	Dmcibama.exe
4472	Danecp32.exe
4828	Ddmaok32.exe
1868	Dhhnpjmh.exe
1976	Djgjlelk.exe
2752	Dobfld32.exe
3448	Daqbip32.exe
1488	Delnin32.exe
3240	Dhkjej32.exe
3584	Dfnjafap.exe
5092	Dodbbdbb.exe
4644	Daconoae.exe
2336	Deokon32.exe
4468	Dhmgki32.exe
2164	Dkkcge32.exe
1048	Dmjocp32.exe
4484	Daekdooc.exe
1268	Dddhpjof.exe
2524	Dhocqigp.exe
1672	Dknpmdfc.exe
4436	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	bb2d39cfb47b535137cbdde45f2a59a4f6ff17627306e8608420a725b16aad5c.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	bb2d39cfb47b535137cbdde45f2a59a4f6ff17627306e8608420a725b16aad5c.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe

Program crash 1 IoCs

pid	pid_target	Process
1524	4436	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb2d39cfb47b535137cbdde45f2a59a4f6ff17627306e8608420a725b16aad5c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bb2d39cfb47b535137cbdde45f2a59a4f6ff17627306e8608420a725b16aad5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	bb2d39cfb47b535137cbdde45f2a59a4f6ff17627306e8608420a725b16aad5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cabfga32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 2412	3460	bb2d39cfb47b535137cbdde45f2a59a4f6ff17627306e8608420a725b16aad5c.exe	83
PID 3460 wrote to memory of 2412	3460	bb2d39cfb47b535137cbdde45f2a59a4f6ff17627306e8608420a725b16aad5c.exe	83
PID 3460 wrote to memory of 2412	3460	bb2d39cfb47b535137cbdde45f2a59a4f6ff17627306e8608420a725b16aad5c.exe	83
PID 2412 wrote to memory of 3260	2412	Agjhgngj.exe	84
PID 2412 wrote to memory of 3260	2412	Agjhgngj.exe	84
PID 2412 wrote to memory of 3260	2412	Agjhgngj.exe	84
PID 3260 wrote to memory of 4348	3260	Aabmqd32.exe	85
PID 3260 wrote to memory of 4348	3260	Aabmqd32.exe	85
PID 3260 wrote to memory of 4348	3260	Aabmqd32.exe	85
PID 4348 wrote to memory of 4620	4348	Afoeiklb.exe	87
PID 4348 wrote to memory of 4620	4348	Afoeiklb.exe	87
PID 4348 wrote to memory of 4620	4348	Afoeiklb.exe	87
PID 4620 wrote to memory of 4932	4620	Bagflcje.exe	88
PID 4620 wrote to memory of 4932	4620	Bagflcje.exe	88
PID 4620 wrote to memory of 4932	4620	Bagflcje.exe	88
PID 4932 wrote to memory of 748	4932	Bganhm32.exe	90
PID 4932 wrote to memory of 748	4932	Bganhm32.exe	90
PID 4932 wrote to memory of 748	4932	Bganhm32.exe	90
PID 748 wrote to memory of 1720	748	Bjagjhnc.exe	92
PID 748 wrote to memory of 1720	748	Bjagjhnc.exe	92
PID 748 wrote to memory of 1720	748	Bjagjhnc.exe	92
PID 1720 wrote to memory of 2832	1720	Bjddphlq.exe	93
PID 1720 wrote to memory of 2832	1720	Bjddphlq.exe	93
PID 1720 wrote to memory of 2832	1720	Bjddphlq.exe	93
PID 2832 wrote to memory of 3740	2832	Bfkedibe.exe	94
PID 2832 wrote to memory of 3740	2832	Bfkedibe.exe	94
PID 2832 wrote to memory of 3740	2832	Bfkedibe.exe	94
PID 3740 wrote to memory of 4420	3740	Belebq32.exe	95
PID 3740 wrote to memory of 4420	3740	Belebq32.exe	95
PID 3740 wrote to memory of 4420	3740	Belebq32.exe	95
PID 4420 wrote to memory of 452	4420	Cjinkg32.exe	96
PID 4420 wrote to memory of 452	4420	Cjinkg32.exe	96
PID 4420 wrote to memory of 452	4420	Cjinkg32.exe	96
PID 452 wrote to memory of 2900	452	Cmgjgcgo.exe	97
PID 452 wrote to memory of 2900	452	Cmgjgcgo.exe	97
PID 452 wrote to memory of 2900	452	Cmgjgcgo.exe	97
PID 2900 wrote to memory of 1684	2900	Cabfga32.exe	98
PID 2900 wrote to memory of 1684	2900	Cabfga32.exe	98
PID 2900 wrote to memory of 1684	2900	Cabfga32.exe	98
PID 1684 wrote to memory of 1204	1684	Cfpnph32.exe	99
PID 1684 wrote to memory of 1204	1684	Cfpnph32.exe	99
PID 1684 wrote to memory of 1204	1684	Cfpnph32.exe	99
PID 1204 wrote to memory of 1308	1204	Cnffqf32.exe	100
PID 1204 wrote to memory of 1308	1204	Cnffqf32.exe	100
PID 1204 wrote to memory of 1308	1204	Cnffqf32.exe	100
PID 1308 wrote to memory of 2144	1308	Cmiflbel.exe	101
PID 1308 wrote to memory of 2144	1308	Cmiflbel.exe	101
PID 1308 wrote to memory of 2144	1308	Cmiflbel.exe	101
PID 2144 wrote to memory of 2264	2144	Ceqnmpfo.exe	102
PID 2144 wrote to memory of 2264	2144	Ceqnmpfo.exe	102
PID 2144 wrote to memory of 2264	2144	Ceqnmpfo.exe	102
PID 2264 wrote to memory of 2424	2264	Cdcoim32.exe	103
PID 2264 wrote to memory of 2424	2264	Cdcoim32.exe	103
PID 2264 wrote to memory of 2424	2264	Cdcoim32.exe	103
PID 2424 wrote to memory of 2872	2424	Cfbkeh32.exe	104
PID 2424 wrote to memory of 2872	2424	Cfbkeh32.exe	104
PID 2424 wrote to memory of 2872	2424	Cfbkeh32.exe	104
PID 2872 wrote to memory of 5048	2872	Cnicfe32.exe	105
PID 2872 wrote to memory of 5048	2872	Cnicfe32.exe	105
PID 2872 wrote to memory of 5048	2872	Cnicfe32.exe	105
PID 5048 wrote to memory of 2768	5048	Cmlcbbcj.exe	106
PID 5048 wrote to memory of 2768	5048	Cmlcbbcj.exe	106
PID 5048 wrote to memory of 2768	5048	Cmlcbbcj.exe	106
PID 2768 wrote to memory of 1776	2768	Ceckcp32.exe	107

C:\Users\Admin\AppData\Local\Temp\bb2d39cfb47b535137cbdde45f2a59a4f6ff17627306e8608420a725b16aad5c.exe
"C:\Users\Admin\AppData\Local\Temp\bb2d39cfb47b535137cbdde45f2a59a4f6ff17627306e8608420a725b16aad5c.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\SysWOW64\Agjhgngj.exe
  C:\Windows\system32\Agjhgngj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\Aabmqd32.exe
    C:\Windows\system32\Aabmqd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Windows\SysWOW64\Afoeiklb.exe
      C:\Windows\system32\Afoeiklb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
      - C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 396
        56⤵
        Program crash
        
        PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4436 -ip 4436
1⤵
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
896KB

MD5
a62f213b1a323bf04e4946933d5f3790

SHA1
2723b54d434d2931ba5306907f2ee6f41bf69f23

SHA256
0283f1bf3390172c94e8a09fb8f4528094582dbafcc4f0a8e1801d5810d21ab6

SHA512
2b613430bdcfe0fe4317a3b64b24f68f1f5ab4014b0db7cba4ac3e1f8b71c4b268b0df831b8a79e3c7b9b96690bbe76dd6b7559aef4d12a1c000e92fd21e95e7

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
896KB

MD5
450e27789b42cae1cc1a50a41ed7d91d

SHA1
ef375c1f057ed202eef85d8a93d5cf66d23fab93

SHA256
38a4cd424eca32f524d7f85f85609afe04f0ce23f42eb0b6ee5c9a84b629ea87

SHA512
302cfb193364cd0b2bb04bc45dda3d32f2b31b1e924e998cb97500441f2e598b649e54a459a726f48e6deb1f41acc21a2b8e67d61688e89087def5072b706760

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
896KB

MD5
38eba987e2880d1577746e62df9c7468

SHA1
cfb8f84df4fe3c15aebb0c970529b171b425cc26

SHA256
3ed741a00fe914b6c888477ee71c775bd7583ad129203429298bff261ca54b31

SHA512
822edadc32b5931e18e40b218db193bde7f8f6fbed805dc7ff1be26ab057ef509127ea740f1b2fbd49ccc90f8e205858169374955ba3ff2028c8d42bebdca331

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
896KB

MD5
a166c2758555298762ddacbf37d2f83b

SHA1
b47ba8e658bdc6f96b3fa468f05725ca81a0d12a

SHA256
5929eac1dcd447cf444e3688cc880a76e5b9c4144ff0ad1d3984f0e9ccd73b2e

SHA512
fb51d474b93ea561c3be500777779ec34df7e47e63d61aebb116ee85d01c4847b1d2755bb41dd1068372219457571694cabe2ea615bd5393402782cd264f28da

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
896KB

MD5
c280f85694ca3197a3baddc6a6232c30

SHA1
3898f4a6f30cd56deec6a579d0dee4200149b012

SHA256
8f46681ac3a9d865b314a1e159afb6c65f5769849af640e7f4cca4ed2ced595a

SHA512
e94ff4ea8e8224c415001ca9decdda19e09ce6552b558cff0cb4c06c90059107281f274794b69dac8bda0310f0a0a5cccdf1f38002852755a7fa7c23a874cb8d

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
896KB

MD5
3f57f5b7771999ad5aa2aa20bdb09f34

SHA1
e950f8f3b47be4e5302ee320d759707daf8b0f14

SHA256
93a38028d7d24f32ea9c6b8b59e813cccb035cb2f4e7570775754c81b9e7c728

SHA512
c6a981c3fd0473e7acdc8d0f86364bdf4623943236b3d51cd2b602dfc6436fe421685f727b98f0146d809e8957434aa20415f9220876954545122370b6f3c3fc

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
896KB

MD5
7434ead9b165be98c69bdcda82d5dac8

SHA1
fc9c196f4922cc9f655180fe841aa2292036adb2

SHA256
3e7fdcd1517f4a2299614a962c399aa201c829e412b76810bd8f4f57f998ca13

SHA512
1ea932a6703af65a59f27400481c44df9a7991a5310503208efa644b5504119c549c1c59af20f72ee30ec3706d5d3f08020bb5d119132cf51d531392bd9a4bfe

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
896KB

MD5
e82d6e0022bd06198de592807ae4d4f2

SHA1
790285fc7046b3d913f2c6217d802123ef2e2395

SHA256
5d58043e50bf3d00891c39a0f206e69e29832ca409a156115129146b6af8aee2

SHA512
88a9d3691a2d0a3f4f1374e5969535a65728ec29958d9e97fd6d4f8daa278f9246299912a1b824711c1cfcff6dea45fcb8aa515bb4bff1d6652dc537f5c0da96

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
896KB

MD5
1b3c235ce97ad5074e1a2e25c2ef5434

SHA1
ea8b7ea7b61630d610ad9322f5e927b5c2c42d28

SHA256
f348a55f9565040e121af9b21c9235348def07ceb2dea50d7e10af5cee287783

SHA512
c539f5bc4d49872365b5a749a4c449ee6b268703c412146f20b3fc95e2b12dccd102efc33ceea44cb2ccb7d297512e397ad514b42abf66396a5597fd33d49426

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
896KB

MD5
0060f2a95c54b520dd98674bd28d0ab0

SHA1
7a220e0d69588ab8c6f90a64052739559fd0ea9e

SHA256
a1487be53778b4f2a5a3d944e4216cf2704184ef77539f9d657ed41e7479291c

SHA512
0ba7bdb721a690b983b08e64d4651220497dba23b78884f43f20ac44c5aba8d8ea5c102ed14396825b6dc2741b4d9f5738dd867f495d21819e6cb592dbb100cb

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
896KB

MD5
62551edb4b2d6b662cd2d86d1632b96d

SHA1
df1b0b82bd24d61ec5d97924e609c9deef416eb3

SHA256
f797a738048f70d8e178dc49ed2686b7d2623f8b9808ffc761e6c476afc4b4c5

SHA512
63950e0ff1d267c4c4022a6c591fa2118013f6d7928303ac98bb56199506eab0d6b4ff2bffae4f228de9eab397dc219e8c99d58072805541372dce6a9fe73231

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
896KB

MD5
65d551735a4be4d5c0cc865e60b84154

SHA1
b58696952164f85ce84fca4bcb7f550dabd6cc06

SHA256
a371b54bd5454013c34d2dede2b54d29aad1d9c80cf99ba0fb5aa8395bfae0c9

SHA512
dfdb9f51e1fa775a0acf64776cd50cde2897b84676bce20179c040747f5269bcee190ee93f2d266d54988f719ad37858a41b188c1651e5b084ee7037131232c4

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
896KB

MD5
60b54be3504f33211ac5a8684416bb01

SHA1
0da186e5d95909daffa64e312a1c997ea6569753

SHA256
22376949b9bc2f45653b3be72e5ed166159346c7a16fceb0a6b4c2df563779be

SHA512
a5383b4108d02dfe25015c14a5aac8bc9a50828353458aac688ca269ffc2bae39569159738eed37bacf589cea9d4a18b5993db40ae3aa426004e174a92b076d1

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
896KB

MD5
45829dffae9d612f51b3c159972bf0b7

SHA1
eb4cd286ec5452d1e2b7ea31f1bed0e8c599ccec

SHA256
9b1245186687b8e562933cc7f23124f8c6569f3d18cfd3ea6d44e23f665edf30

SHA512
d015581f07c842252d6d32e911c5f0708c0f8c23079d00efc18e225e941c5de1d4e2222d024bd612d9b4b4dbc50ab5278c0006d59fa9efcc2f89a5f60ce57d86

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
896KB

MD5
21d533dd7ff35ec0eee3c28992926ddf

SHA1
31c8e0b318d38930495065b036f696bd7dd04c04

SHA256
66041c9275a7889ef58fceafdbe0c6f11d2078d71efe0f9306544708af517e1d

SHA512
637e7ff096ff25e6f68e6d0e49d57800f74294cb08d67f64c7e0863f0b77e0c2a348dc7b94906db8deb3cedb246bbdeb267524b2a80b706dacb3e4726c6dadc8

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
896KB

MD5
2a4ac9e1eb1d554bbbe474635563997c

SHA1
752ac129df550e0b0fc2e2497008dadffbb25114

SHA256
0a21d7761098d982ae5ce86827065037f6a27e6b3dfdea247a0a6b8a8a9984ff

SHA512
e9f90dedeaa7f47b61a9b54fc5329d3aa512ecb1a3a237d81ab279af1b45998eff0c5be4bf5cd9c070158562f696c9b3834824326fb3c2ca7a227917edf66763

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
896KB

MD5
b37b36b8d02853cebcc66047cb47e79c

SHA1
35219c14b5a0829e5995b9a06b38e02f4ebfda0b

SHA256
88eca3252625c15179cca8453fbe95596cb5af971e3a457a2052c7c2cb980c82

SHA512
7168a8e069513dcbd9d05ec2cd36afa7502f22cc3131d37d5cb5f2e875df40639a158087f0a244cd16710971f911744549641ef40d2e7621e9feadfa1ed03de8

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
896KB

MD5
bc80e21b08887be46f80af436b938c1f

SHA1
27b2d5c0f781a8cdf1b9b1e104df7d688f6bac2f

SHA256
daf89702938f6ca70c00713f8eee095fbf378f7b46853f30e0d157a905c87344

SHA512
73cfe358dde9ecac07b46b4548b5ddc40aa81583499d4bc6110b46ffb95924e768f8597c607b7a27617eba83ff965ba5cd52b9d28f6b923d862f02a1cbd28f85

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
896KB

MD5
9fc837b9d2694ee24f75c910cd8611f6

SHA1
878e4a5065249b68b846d7e4112311abf0e1f567

SHA256
597732310e3d2c929c1e1e4d1394fdec3d7cf79753301d1404e2dc26f8227a17

SHA512
c68b72790ed893f6fa36dcbb8a0829e744a472c3a2088f228649d5be1bd18d4f8fb90f4faa550984e19d7b363547d870c666dc7a81baebca4254a1a38fbf6b7d

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
896KB

MD5
360799f4290c3ff31bb212f593335d4a

SHA1
cac3be9be28db83b3ebe27964f0632e07b8c0192

SHA256
ca44d38d4f2ffe3f526e67e43579cf538890344429145edb7a9a4525f58e2eaf

SHA512
3f0828e84fe5886e1f05301b33b8c7f6d4217367d76cf2a6bde36ae562b03019821da4fb0743e31c30ae35069f0209a94bc9672637a47e6977d156be6aa368b3

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
896KB

MD5
52905ae2820ab979718944bb1b2b86dc

SHA1
f3c761df188e1c83fd4daa5135735dae2e2e2344

SHA256
b3380ab9b12d8fa85f1792f334ed8760305c0cca0b9a17bc46526ac9b29179ba

SHA512
a799fba519be32a92136e36607caefeac86526f581497a651966a4389a49a80e0a54ab1bf3e0c0dd4faa4ffd1785022a6ed8bedd4856e90965dc902de8278910

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
896KB

MD5
cce12253c9dd6ec14e8bfc10c857b0cb

SHA1
5622d16af0cc9dc7db2fb31df71a837982afe8bf

SHA256
7b02fde8aaaaaa4f6854d18aa6006d2a49ecf1119110d70d1bb207a70898a549

SHA512
5fc3028f450116f6331836a040ce2512bbcc7aa4450572289fa6b7c640f1fda5abd3b213e59deee7a3a4f5ed8a3b5a403aa4b4ec0fcfca46f3285177f1cb04b5

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
896KB

MD5
d6d73cf1fe8cd8c0c4cd4a543efc8094

SHA1
7e4c3a8ec20863e0b7687ce9338be2b45fc8d5eb

SHA256
745d5877fec9c1a6827829ddfdfa6f27041d14ca5673ad8a9afecf5b4bf25561

SHA512
11ebe338f8367d147e91a57b2ab139a19864e3591f4ecb3ff2b80c6e0947282e5455335a5c6f7c8cc4600db3a97eba68ed10e09a2523b8941c3f977201c7f6a6

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
896KB

MD5
0238595f9b1f37709216745e41071046

SHA1
735af9e4df1f78d520863c87f13ab0e96467da45

SHA256
060ba2780c66d7540b8e25a4b9952a60e6aed4176d9efc0e68536154f885e7fd

SHA512
1eef95b19e666da1553feaf02d6eec220d6616f852874d790aee9b660d5ec0996fabc3d53bdc07714cd05173c4104140b82689adf237c8d9321106e1d8757672

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
896KB

MD5
7780abda23133c0ea1255cf1d54c0bc8

SHA1
d97439a0f570a04712ccb916381f7f171e06e340

SHA256
2fac47dcc3571f764d8b076f7cedd5678f7f507517ba6f571d09851d4946b121

SHA512
8d72cc4aa1f273ca4aee80dff87ba2cf1a9c270e6e8257cd8ef14b58018e818a9d5d893c73ea156f1ba330239c52c11bb29cfee49b3d649f303731438bf6fbd9

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
896KB

MD5
db8ccf819a29ac57b6a8a2e9e0775a4b

SHA1
5db9b0cd20bee16b5f0d80ba7215a44b1084efd3

SHA256
0fd3524c5bf32809b846a197c78a9074163000fb63cd2a4eee1c198b30093146

SHA512
9af754e7ed58e06077ce6441404d0da1db620f4e9e2c4f9d524ca296ab8cacfab96a5576cd122c5ad65bbad90526421ee6fd61858e02c695128024f8aa9e6b9e

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
896KB

MD5
39ff006d55bf85811334db32099fc844

SHA1
ab4ebfa8e35fc9f1230fd36d822e6ada7d2f9341

SHA256
18c8b6b882567a70e74decb80064b4ac715a9e529ff1779531ce030ca4f8ba52

SHA512
2d15a9ad1c42ce8724f42a428b5578ee3a2bb50fb553feca56d108c8175550d1e2e598020c7bdacf1bb642f286eda6960231ac608bfdd2e1918b44d0b711b268

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
896KB

MD5
f5ffb27765dd04a2581c9bcad49326e2

SHA1
635c18cb3913996c1e22ca141b55097e2884cfc3

SHA256
9ad59e8f30dcfc48e14f2e050e60ee73c67ed62e1905e6a54679997d748fc92f

SHA512
14deabfb8de2a43112ee8cbbacd29440bea945c471374bece356d758a4f356e0f19f2b34b24b81a361531310e0087a319548e4ded08d46e0ac0bfe82598141dc

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
896KB

MD5
3f0d9aeaea7e0030c9beba11f1eb6306

SHA1
e60765eecee2e16ac823eabbdbc1a597ba9be023

SHA256
24dcd2bb56fbc39313b61870c90ec9a984a1f3c42e077cf629cdd241b3466111

SHA512
ad9cc1b62db1a315820cfe8344505ced25595bec02fa942565fc0c9899b4f8909c06dd327e9cd8397550160e29bf1667cebece5d1a203e85c5df28a26cff396c

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
896KB

MD5
98aae2d2332ae2c988c2dc166df36383

SHA1
ef6f3228b8adae9b4b599b68d8035cce52a1c5c9

SHA256
a6242f074573284fc5cf0984e349266c727c6129bb99f741f23b09f4de011dca

SHA512
ef86fbdbdf20e80bfa96f24680958a2370a8c9da3f6fa9f5e7c65c7e8efe5749cd1d011e8e2cced72f667ced96ff4c56087715ffd93c492a2bcc68ac15720686

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
896KB

MD5
2e1ed0b32cec85755bcc5d21081996d5

SHA1
3637568e021b51dedfab6137a8a07d276af1bc9a

SHA256
9a5897bcaf98206bfd9c5901a38fa4bc8afc70da7683f76942a21f561d552d2e

SHA512
16dbc71fea390bca3866ca349b106138bce4906d9218a05fbfb1b0b7480492c3490aa7295f5ecc21bc766b3976c04055a96214243a772d5e5e1dffe5d567c372

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
896KB

MD5
e7ea7e1a2bff689ac8ba0aeb61c08ad5

SHA1
03540f95f8eaef602088826c213ce8ca0c697f10

SHA256
230f80a372615724e7a5a75e1f26d29e69c188240a283892a6e0506cc456b7a8

SHA512
00137a42fc2c5d34802d747408db4b5563764f6dff0c871f82f57e2cb4adff6d8f9a8a971e16d573b09fd4952e4eb374ada7def10a0fb48ca82c612858284553

Download Submit
memory/452-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3584-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads