8e4e5100da74012368879266476b44edb4e0c7d32332891bb294cdf132a6ef4d

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e4e5100da74012368879266476b44edb4e0c7d32332891bb294cdf132a6ef4dN.exe
Size

128KB
MD5

bbc26ce79e93766d1d1082ef21e1b670
SHA1

0390627b270c324b30f24b70261761dc66781fca
SHA256

8e4e5100da74012368879266476b44edb4e0c7d32332891bb294cdf132a6ef4d
SHA512

3d1bdcae8832eb722b355894dcbf1d531e380b1acf29a6f32c73971ee4e1f4573d46c3aa8c2ed6d84670a845d73e6234ffd7a79b63f65893b0e9bac4a239712c
SSDEEP

1536:Y1LgV3YTpZ/xsoarjakvLrIs+0wnDqrsEznYiGzBn2rq15bLSwiHr//:YlEiGrrjxrpwn+rsEznYfzB9BSwW/

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapgdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdpad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmladm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpogkhnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcibca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapgdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpogkhnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edfknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fglnkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dajbaika.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgihop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8e4e5100da74012368879266476b44edb4e0c7d32332891bb294cdf132a6ef4dN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banjnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbdpad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgodpgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgihop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dncpkjoc.exe

Executes dropped EXE 44 IoCs

pid	Process
3664	Banjnm32.exe
3384	Bpqjjjjl.exe
2844	Bmdkcnie.exe
3644	Bapgdm32.exe
2164	Biklho32.exe
1956	Bbdpad32.exe
4388	Bmidnm32.exe
4520	Bdcmkgmm.exe
4940	Bmladm32.exe
3088	Bgdemb32.exe
2696	Cpljehpo.exe
1508	Ckbncapd.exe
2724	Cpogkhnl.exe
2380	Ckdkhq32.exe
1968	Cpacqg32.exe
2128	Cgklmacf.exe
3408	Ckidcpjl.exe
2840	Dkkaiphj.exe
3652	Dgbanq32.exe
64	Dcibca32.exe
4540	Dajbaika.exe
1944	Dggkipii.exe
1248	Dnqcfjae.exe
3976	Dgihop32.exe
4188	Dncpkjoc.exe
2880	Dcphdqmj.exe
2460	Ejjaqk32.exe
4560	Epdime32.exe
3536	Ekimjn32.exe
2420	Edaaccbj.exe
1512	Ekljpm32.exe
3916	Enjfli32.exe
4840	Eddnic32.exe
4748	Ecgodpgb.exe
2924	Edfknb32.exe
736	Eqmlccdi.exe
3636	Fqphic32.exe
2784	Fboecfii.exe
4264	Fglnkm32.exe
3988	Fjjjgh32.exe
4348	Fgnjqm32.exe
1484	Fnhbmgmk.exe
1272	Fklcgk32.exe
4340	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ckdkhq32.exe	Cpogkhnl.exe
File opened for modification	C:\Windows\SysWOW64\Dnqcfjae.exe	Dggkipii.exe
File created	C:\Windows\SysWOW64\Cjeejn32.dll	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Cgilho32.dll	Edaaccbj.exe
File opened for modification	C:\Windows\SysWOW64\Ckidcpjl.exe	Cgklmacf.exe
File opened for modification	C:\Windows\SysWOW64\Fglnkm32.exe	Fboecfii.exe
File opened for modification	C:\Windows\SysWOW64\Fklcgk32.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Lpphjbnh.dll	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Bmladm32.exe	Bdcmkgmm.exe
File opened for modification	C:\Windows\SysWOW64\Ekljpm32.exe	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Fgnjqm32.exe	Fjjjgh32.exe
File opened for modification	C:\Windows\SysWOW64\Edfknb32.exe	Ecgodpgb.exe
File opened for modification	C:\Windows\SysWOW64\Eqmlccdi.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Ldbhiiol.dll	Bpqjjjjl.exe
File created	C:\Windows\SysWOW64\Fdakcc32.dll	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Dcibca32.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Jjnmkgom.dll	Dnqcfjae.exe
File opened for modification	C:\Windows\SysWOW64\Ejjaqk32.exe	Dcphdqmj.exe
File opened for modification	C:\Windows\SysWOW64\Edaaccbj.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Bapgdm32.exe	Bmdkcnie.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Bmidnm32.exe	Bbdpad32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbanq32.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Dajbaika.exe	Dcibca32.exe
File opened for modification	C:\Windows\SysWOW64\Ekimjn32.exe	Epdime32.exe
File created	C:\Windows\SysWOW64\Celhnb32.dll	Fnhbmgmk.exe
File opened for modification	C:\Windows\SysWOW64\Cpogkhnl.exe	Ckbncapd.exe
File created	C:\Windows\SysWOW64\Dnqcfjae.exe	Dggkipii.exe
File opened for modification	C:\Windows\SysWOW64\Fboecfii.exe	Fqphic32.exe
File created	C:\Windows\SysWOW64\Podbibma.dll	Bmdkcnie.exe
File opened for modification	C:\Windows\SysWOW64\Bmladm32.exe	Bdcmkgmm.exe
File created	C:\Windows\SysWOW64\Dooaccfg.dll	Cpogkhnl.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Ncjiib32.dll	Dgihop32.exe
File created	C:\Windows\SysWOW64\Ejjaqk32.exe	Dcphdqmj.exe
File opened for modification	C:\Windows\SysWOW64\Enjfli32.exe	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Apmpkall.dll	8e4e5100da74012368879266476b44edb4e0c7d32332891bb294cdf132a6ef4dN.exe
File created	C:\Windows\SysWOW64\Lalceb32.dll	Bapgdm32.exe
File created	C:\Windows\SysWOW64\Mkddhfnh.dll	Bmladm32.exe
File created	C:\Windows\SysWOW64\Dajbaika.exe	Dcibca32.exe
File opened for modification	C:\Windows\SysWOW64\Dgihop32.exe	Dnqcfjae.exe
File opened for modification	C:\Windows\SysWOW64\Epdime32.exe	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Biklho32.exe	Bapgdm32.exe
File created	C:\Windows\SysWOW64\Cpljehpo.exe	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Cpogkhnl.exe	Ckbncapd.exe
File created	C:\Windows\SysWOW64\Dgihop32.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Ojimfh32.dll	Edfknb32.exe
File created	C:\Windows\SysWOW64\Iolgql32.dll	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Anijgd32.dll	Epdime32.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Bmdkcnie.exe	Bpqjjjjl.exe
File opened for modification	C:\Windows\SysWOW64\Dcibca32.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Elkodmbe.dll	Dcibca32.exe
File created	C:\Windows\SysWOW64\Gfbhcl32.dll	Dcphdqmj.exe
File created	C:\Windows\SysWOW64\Epdime32.exe	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Nnoefe32.dll	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Nlkppnab.dll	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Ckbncapd.exe	Cpljehpo.exe
File opened for modification	C:\Windows\SysWOW64\Cgklmacf.exe	Cpacqg32.exe
File opened for modification	C:\Windows\SysWOW64\Fgnjqm32.exe	Fjjjgh32.exe
File opened for modification	C:\Windows\SysWOW64\Bgdemb32.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Bdcmkgmm.exe	Bmidnm32.exe
File opened for modification	C:\Windows\SysWOW64\Cpacqg32.exe	Ckdkhq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
856	4340	WerFault.exe	132

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcmkgmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpacqg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkaiphj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapgdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmidnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdemb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbncapd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpogkhnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggkipii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fklcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpljehpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckidcpjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejjaqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekljpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddnic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgodpgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcibca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epdime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e4e5100da74012368879266476b44edb4e0c7d32332891bb294cdf132a6ef4dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdpad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgihop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpqjjjjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmdkcnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekimjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edaaccbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqphic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edfknb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqmlccdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fglnkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banjnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biklho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgklmacf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dajbaika.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dncpkjoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcphdqmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjfli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fboecfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjjgh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifcmmg32.dll"	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpphjbnh.dll"	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbilm32.dll"	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfqhkbn.dll"	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedfeccm.dll"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adbofa32.dll"	Fqphic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjeejn32.dll"	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoppdld.dll"	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caajoahp.dll"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celhnb32.dll"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	8e4e5100da74012368879266476b44edb4e0c7d32332891bb294cdf132a6ef4dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjnmkgom.dll"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgilho32.dll"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	8e4e5100da74012368879266476b44edb4e0c7d32332891bb294cdf132a6ef4dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epdime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8e4e5100da74012368879266476b44edb4e0c7d32332891bb294cdf132a6ef4dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdbbme32.dll"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopnkd32.dll"	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooaccfg.dll"	Cpogkhnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehojk32.dll"	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojkgebl.dll"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glofjfnn.dll"	Banjnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijgd32.dll"	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gihfoi32.dll"	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapgdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojimfh32.dll"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Podbibma.dll"	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjbac32.dll"	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpogkhnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dajbaika.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faagecfk.dll"	Cgklmacf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3664	4692	8e4e5100da74012368879266476b44edb4e0c7d32332891bb294cdf132a6ef4dN.exe	89
PID 4692 wrote to memory of 3664	4692	8e4e5100da74012368879266476b44edb4e0c7d32332891bb294cdf132a6ef4dN.exe	89
PID 4692 wrote to memory of 3664	4692	8e4e5100da74012368879266476b44edb4e0c7d32332891bb294cdf132a6ef4dN.exe	89
PID 3664 wrote to memory of 3384	3664	Banjnm32.exe	90
PID 3664 wrote to memory of 3384	3664	Banjnm32.exe	90
PID 3664 wrote to memory of 3384	3664	Banjnm32.exe	90
PID 3384 wrote to memory of 2844	3384	Bpqjjjjl.exe	91
PID 3384 wrote to memory of 2844	3384	Bpqjjjjl.exe	91
PID 3384 wrote to memory of 2844	3384	Bpqjjjjl.exe	91
PID 2844 wrote to memory of 3644	2844	Bmdkcnie.exe	92
PID 2844 wrote to memory of 3644	2844	Bmdkcnie.exe	92
PID 2844 wrote to memory of 3644	2844	Bmdkcnie.exe	92
PID 3644 wrote to memory of 2164	3644	Bapgdm32.exe	93
PID 3644 wrote to memory of 2164	3644	Bapgdm32.exe	93
PID 3644 wrote to memory of 2164	3644	Bapgdm32.exe	93
PID 2164 wrote to memory of 1956	2164	Biklho32.exe	94
PID 2164 wrote to memory of 1956	2164	Biklho32.exe	94
PID 2164 wrote to memory of 1956	2164	Biklho32.exe	94
PID 1956 wrote to memory of 4388	1956	Bbdpad32.exe	95
PID 1956 wrote to memory of 4388	1956	Bbdpad32.exe	95
PID 1956 wrote to memory of 4388	1956	Bbdpad32.exe	95
PID 4388 wrote to memory of 4520	4388	Bmidnm32.exe	96
PID 4388 wrote to memory of 4520	4388	Bmidnm32.exe	96
PID 4388 wrote to memory of 4520	4388	Bmidnm32.exe	96
PID 4520 wrote to memory of 4940	4520	Bdcmkgmm.exe	97
PID 4520 wrote to memory of 4940	4520	Bdcmkgmm.exe	97
PID 4520 wrote to memory of 4940	4520	Bdcmkgmm.exe	97
PID 4940 wrote to memory of 3088	4940	Bmladm32.exe	98
PID 4940 wrote to memory of 3088	4940	Bmladm32.exe	98
PID 4940 wrote to memory of 3088	4940	Bmladm32.exe	98
PID 3088 wrote to memory of 2696	3088	Bgdemb32.exe	99
PID 3088 wrote to memory of 2696	3088	Bgdemb32.exe	99
PID 3088 wrote to memory of 2696	3088	Bgdemb32.exe	99
PID 2696 wrote to memory of 1508	2696	Cpljehpo.exe	100
PID 2696 wrote to memory of 1508	2696	Cpljehpo.exe	100
PID 2696 wrote to memory of 1508	2696	Cpljehpo.exe	100
PID 1508 wrote to memory of 2724	1508	Ckbncapd.exe	101
PID 1508 wrote to memory of 2724	1508	Ckbncapd.exe	101
PID 1508 wrote to memory of 2724	1508	Ckbncapd.exe	101
PID 2724 wrote to memory of 2380	2724	Cpogkhnl.exe	102
PID 2724 wrote to memory of 2380	2724	Cpogkhnl.exe	102
PID 2724 wrote to memory of 2380	2724	Cpogkhnl.exe	102
PID 2380 wrote to memory of 1968	2380	Ckdkhq32.exe	103
PID 2380 wrote to memory of 1968	2380	Ckdkhq32.exe	103
PID 2380 wrote to memory of 1968	2380	Ckdkhq32.exe	103
PID 1968 wrote to memory of 2128	1968	Cpacqg32.exe	104
PID 1968 wrote to memory of 2128	1968	Cpacqg32.exe	104
PID 1968 wrote to memory of 2128	1968	Cpacqg32.exe	104
PID 2128 wrote to memory of 3408	2128	Cgklmacf.exe	105
PID 2128 wrote to memory of 3408	2128	Cgklmacf.exe	105
PID 2128 wrote to memory of 3408	2128	Cgklmacf.exe	105
PID 3408 wrote to memory of 2840	3408	Ckidcpjl.exe	106
PID 3408 wrote to memory of 2840	3408	Ckidcpjl.exe	106
PID 3408 wrote to memory of 2840	3408	Ckidcpjl.exe	106
PID 2840 wrote to memory of 3652	2840	Dkkaiphj.exe	107
PID 2840 wrote to memory of 3652	2840	Dkkaiphj.exe	107
PID 2840 wrote to memory of 3652	2840	Dkkaiphj.exe	107
PID 3652 wrote to memory of 64	3652	Dgbanq32.exe	108
PID 3652 wrote to memory of 64	3652	Dgbanq32.exe	108
PID 3652 wrote to memory of 64	3652	Dgbanq32.exe	108
PID 64 wrote to memory of 4540	64	Dcibca32.exe	109
PID 64 wrote to memory of 4540	64	Dcibca32.exe	109
PID 64 wrote to memory of 4540	64	Dcibca32.exe	109
PID 4540 wrote to memory of 1944	4540	Dajbaika.exe	110

C:\Users\Admin\AppData\Local\Temp\8e4e5100da74012368879266476b44edb4e0c7d32332891bb294cdf132a6ef4dN.exe
"C:\Users\Admin\AppData\Local\Temp\8e4e5100da74012368879266476b44edb4e0c7d32332891bb294cdf132a6ef4dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\Banjnm32.exe
  C:\Windows\system32\Banjnm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\SysWOW64\Bpqjjjjl.exe
    C:\Windows\system32\Bpqjjjjl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Windows\SysWOW64\Bmdkcnie.exe
      C:\Windows\system32\Bmdkcnie.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
      - C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 236
        46⤵
        Program crash
        
        PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4340 -ip 4340
1⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3840,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:8
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Banjnm32.exe

Filesize
128KB

MD5
a3d6dca3a728e7ccf59467256c486ce0

SHA1
7d570d3afe53ffbb51f45fffb2be9bb718a5b62f

SHA256
d5f849e82fd7748df8cf637d7d47befa9afcf8afbc0ccefe1095b7222a8184fa

SHA512
5d1040ed10820be740210811562d3fdef7ee26d1b9862979ed6d38737d635dcf58e28611ac9afa0976331c66d8d4a9bcb8ddec8889debd1f89899807df8b135d

Download Submit
C:\Windows\SysWOW64\Bapgdm32.exe

Filesize
128KB

MD5
9d6291e00d01bc7ebba30e1c116ab527

SHA1
190cdd80614cc2ac20d6f6d4be9833e4c0bb1cab

SHA256
c52040c6c4d11abc1f14231d5967210c48e0a8c15b849b5335c91c526741ddb5

SHA512
5a904a6857482c780da0a4a820d26c6f0f54e2e068ff5d20eab49237f7d93281e8d3f677b43794909ff3b46360acea875f40c6a81cbc73103a46a182a7d67c2e

Download Submit
C:\Windows\SysWOW64\Bbdpad32.exe

Filesize
128KB

MD5
bf5a47849c8a39989f9dfc3b004d6732

SHA1
d54ff22f33a9fbd3573459194b752680092ebbe2

SHA256
a890402ce28256d2128e7d436f09194323998297dad0af9901befbfc761e4bd1

SHA512
552d4dbfbfdc08ec9e81866d78126e0e54d0e4c429b2673c5c08f339f7e246ec759732ddf6731f50a6d14e9bcbe17bb94629a4830d0db05b05129d10bc9bc86d

Download Submit
C:\Windows\SysWOW64\Bdcmkgmm.exe

Filesize
128KB

MD5
c3043da12a244719e7d2249ef9e3b9f3

SHA1
60912bab71949fb3d8c4d2cd77abdc81c5f8d64a

SHA256
b0f32c625d1ac5223fd7bcf1bee7b912d7e788f93769659b9fa5c2a6847e3aff

SHA512
337b07bab10dbbecb78aa9969b478a395657771f8c17c1755cf9c051b7e2512f34049208fd069de72c403fd272250b4cc47f1d19486ac390fdb76df55fa9dbf8

Download Submit
C:\Windows\SysWOW64\Bgdemb32.exe

Filesize
128KB

MD5
4f0a3e46d6fbc5a6cc1f195ec345b46f

SHA1
b9e696b0810a173368e8da063c7a3b87c9c793f4

SHA256
7c1b60478c699e52e307720a06c5934ea101ebe8253c542fde772d797a03390c

SHA512
0a2e93b32de35b619b084b3425eb3faddb874c257803032a364e15f2c2ad532a46bd9bfb5709d9f39c4658dbd26d84715b62f3af45d13a6e8a474da00d722f5e

Download Submit
C:\Windows\SysWOW64\Biklho32.exe

Filesize
128KB

MD5
5ed6dd2ce7fe7537e8268e1719e09bdf

SHA1
e84007d39b912f8fc9bc42720c791ef2b4bc7ff5

SHA256
57c9b0b5a4f06a387b720a600c0b0c8afc5b413ea44cf3fb44b1fc6b5399fc5c

SHA512
f6d19e05f185e87ba1acf83bea4c3e459363574ca40b9ec25abfb62f7ccfc8e992c437dcddd68d60fe5b49c9a2d9542efe2d8fb58b87621631d35ce0a31b04f4

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
128KB

MD5
1b014b9d9d1c11ed30341bb5cb8d57d6

SHA1
94fe0cc25bc8dfd1e0ed6bae2386a7df61c469f4

SHA256
1a0bb08517a37e5c55fc73ccde754135a131af9ada58d2c8c287256bf6bf85e2

SHA512
4ed5457d170f78e7cfa0f43e754b79877aa9aeee094885c314b93c507f20370f1d980c0b1d92ba11d66d0c6405315891a97e8efa4566d0d91b10d8bf21dffc28

Download Submit
C:\Windows\SysWOW64\Bmidnm32.exe

Filesize
128KB

MD5
b4933552400fb9c67ed2682d16ed2405

SHA1
ce13cd66af94206b0fffd32b0b32eb2ba77f9642

SHA256
8542f13e7caf3a73e7da0c8d27ed8ece7e2fe08a2c4f2d396b7c9674ef9b132a

SHA512
6aac43ec5cc89be28f25a0328740b79c1e4915104a14f023abbbca64f9688688fedccdb8bce38c78585e4ed14654375cb0c2c89aec0cf0588eb9d417d4fe0169

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
128KB

MD5
a2c38c7ace3568c9d1ec542f295cd0d7

SHA1
b9d0223a30a502fc339977a45962684cbf46f05d

SHA256
996e7e71dc1ecc79dac5329c496e88573b90b584a6642b0fefe6cb9c27147f96

SHA512
26f7420096a72ad1007bdbcaf4c9685b6acda30d97759c7ea49f26b56e3cbced7c9721f1bdb3e21516b184266d35c138e6f4c80f85d2c6aecb98e22f43cdb4c0

Download Submit
C:\Windows\SysWOW64\Bpqjjjjl.exe

Filesize
128KB

MD5
1fa47e0d191e29d34075181cfef06013

SHA1
5870b85b2b1cf9c252a9345d6b0e2d496241f916

SHA256
23d975e13c8b300352fa9495ddf2b78b9bd0b4ababa58b142059e0820f70f77d

SHA512
955f39b7b64cb6063d0e9e54104e10de78407cb340937ee72ce61075f31c6cae261f00af87e3c20989b269729f339ed193613d0682fe2b1ac8fb6a8919c290ca

Download Submit
C:\Windows\SysWOW64\Cgklmacf.exe

Filesize
128KB

MD5
cfb1ba1de1eb601280be471b494d345a

SHA1
1b8ecfcb671f9409af43800a209da5eb1201e919

SHA256
22d067e63ea87bea67cc316fb4b1d40dfbd5686c178c8e970c9ae9f2b67c9815

SHA512
6a6def91ccfc734848bb97d30581e1a0a48796be7cf1b1163a56d1e1dac35981d3401850e6ad1fd017a782d879c710e3fa73f2eb6c17566a4bc9ffda54c6754b

Download Submit
C:\Windows\SysWOW64\Ckbncapd.exe

Filesize
128KB

MD5
62470805340a452df88bee192852b930

SHA1
9850a30f7e57c551e90488421022d694497c93f3

SHA256
0c8d550acc8e5614b56fb780b24e00db9ec4115dad7c05a8e359f1190ce51317

SHA512
b192bfa7fb943d2df0b1450485e348c0bb5b36509d192e01bd264e8e5df76b37b35fbde7de70230577e071d12448d7d090688e1447f5ab65e5854c32eedd3daa

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
128KB

MD5
3ccba5cd490e66c5e3ead04430700e58

SHA1
b9cabc917d1f41ac4b510f1d6c12a557346a6da8

SHA256
92d97937b0a7c834722ff4772db3e15ea1f0c485d938ea612adc7aa983e3e842

SHA512
21c764d2c4919d42a459f378e207cff40f8721848369ca5766fb97e6cbf0c5ce6638d6eb170eeb2ba4b5f63d799072b6b28dac46e2a2200125202442bc7e7a6f

Download Submit
C:\Windows\SysWOW64\Ckidcpjl.exe

Filesize
128KB

MD5
3698aebc5b2d411497a83b1ed413f641

SHA1
ca8b139165559e8c4f11d9977fffd317c91f208c

SHA256
73c085c7da2ebc5d3f13a9293748543be94545ec2f06cf6acc62822ebe751927

SHA512
8094899e1f20b06159c2f77e37e3bcb747070fdf20d144b75d3105b02a32afd6e73da737edde586f05a7abd6da3647da51b421cfc1df0dc5aa9cf2cbae0a0730

Download Submit
C:\Windows\SysWOW64\Cpacqg32.exe

Filesize
128KB

MD5
0e359252165c45420bc558c5fcc954a1

SHA1
b3430b2e909176fe69829c0ce0d3ce80db2aea3f

SHA256
187763edd4c36e7621804b3f29cc69c839916f0ba6717b24aba85e6d2afc908d

SHA512
674cba2cc3ad76ec1d4514bfd46379b03f0c73d37f50a9c159edcb8bbcde47598dc5e6cef1746ac95602c9152f9ff34b6e8ca3259650abe9284f8ad38b54e505

Download Submit
C:\Windows\SysWOW64\Cpljehpo.exe

Filesize
128KB

MD5
793f2f74c9513c3a9538878bb4e582b2

SHA1
b9e99e64bb754b35f3480253bdb91c215f652f4a

SHA256
320db42f52632cd2d9e9246e175d7c25ccfba0dd90d37394674b793a5f06366e

SHA512
2471e39d66193329e781efeb073bbf490a68c63bd2776630802b0792b1af17853abf9b821ca050e4903c42ce9e7633e255e744c348ab92b1b711b5a09fcb0df7

Download Submit
C:\Windows\SysWOW64\Cpogkhnl.exe

Filesize
128KB

MD5
aa2a3751e9354932883f5bb2aac2d1b5

SHA1
06843e729a770ea9ac5d3ee0712df8c23246e6d5

SHA256
4e32da44271203b3f26b3d418ed15c22ce01902abf0c7f41f5e09d367ea8f529

SHA512
ba914f1bb5df996424f8dfff7f0741e05b1a8aec4ce4bab96113936df09134e38dbc743138f6681b4158542cf872c1976be320615ad1205b67899056f8c5d815

Download Submit
C:\Windows\SysWOW64\Dajbaika.exe

Filesize
128KB

MD5
68437996abf18ece958ea53560985e8a

SHA1
ba79d9be52959bdef29fdd8f269e7f23feefb0e7

SHA256
8ec64038af4a8cb73797de6f9b387f951bde4474b233768e9ad81b8f5c2a13e0

SHA512
ff7ee42bb59bdb39be0b3844140e86dc90a6c3f5f589a32b29de7d519ffb36a6904377ec68d104275d9f40ce618d73e2461af38367a942f599ebea662956ad98

Download Submit
C:\Windows\SysWOW64\Dcibca32.exe

Filesize
128KB

MD5
c9c540934d48fa692eebbe6e03fbfc35

SHA1
c11ad23ee684f4e466e24637285f2d6f94fe170f

SHA256
924e4b585e219983b894d8c5aec92777e6659c5e13481aa18fe1d331465ccbb8

SHA512
95b34c2501f52448b9b161c419c72427ab4f8f9b0d1c9181e528453b55ed9ba65c1dcc694986ee6856a88cae7207e60ab170018e5cf10c9567000c6098c657d1

Download Submit
C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
128KB

MD5
dfa591a8e1656e6873785af92ef8e1b5

SHA1
78a50c402f086c0650192c0c5a059c9f9d0f6991

SHA256
a9d9b9755395d327f15bbee5229edd907b4139c9c6ea57fadf71d7bbdef1079c

SHA512
3ac98c7dc8e68bb3eee9bb0c13f5b68628d912c1bcd96df425f5baa72ee8270878b97786b688e3fb34459628b1633ddb8edf4a2df94c4a2c24f95358794bdad8

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
128KB

MD5
7aadba4f65b08e5ffcdb924983c48da3

SHA1
249c5b97d5d9f861532067ca01f10e0b4c0b513e

SHA256
e116b04720aa54dbe5906516b349fe81c8f0191103ff62c05113ffe98b60977e

SHA512
17feeab6b6c8f729da3144e896a3a02ef9234f1e48226bffe1d23863e5e904b097fb918d1c2452e304ccdc76c277a0c66a5e027fa553877bb9c99f53b139a895

Download Submit
C:\Windows\SysWOW64\Dggkipii.exe

Filesize
128KB

MD5
6e6c057cac43ce2e9f80ab9f88668871

SHA1
525b5c732d649919cc99b9010dc6cf2daa355e18

SHA256
34098748cdff364222028eb9b9bff8ac553ede6e5aa7783827079fd1c88f4198

SHA512
caafdc4fcdc9234844a67f1e6eef7dc8f56a44ac6d9540f4d4c4ea101cd6bba453de98e444848e084847afa0bd152b662f9cf2e47bf9365ee23e1aa9834481d7

Download Submit
C:\Windows\SysWOW64\Dgihop32.exe

Filesize
128KB

MD5
e50236f13cbe09b4c27c063cb10c3b80

SHA1
2cce35648bddea3b302d294db8826ccde8d1e40a

SHA256
326e4daa4b6c8f86c5228ec9ede5a2493710d0c1f94de6be36f00f21038069d3

SHA512
fa6312228cd759b0a0abac549f6bcbd4e9cffa6ea5096627f1a27b0dd3a5765f4a534e5e3f2a8b93cc523dfa9fd01e8c4eeb19f486e8372822bdb7ae59d82e74

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
128KB

MD5
f5f7552fa6e3486764b3040a202971aa

SHA1
895ef11feedfbff12bab34a5acffc45ee229f4bd

SHA256
1ad80a06fec8f383ee779da638a9ed1d32ada24b65997a797dbaaff1804324cf

SHA512
788545c6d37e5aeef8294188bcf4349658d26267d7a31d2550e1fa402938a10052316d2faa260773fe368c5e43826161e80df319f18a6ce6182bdf26d20d4ff6

Download Submit
C:\Windows\SysWOW64\Dncpkjoc.exe

Filesize
128KB

MD5
bbbb8120e0e954d45d4f1c9ac032a138

SHA1
8b9fd66ff0dfc9824e8653568828e77b6bae6fe7

SHA256
7e8a0b4a6bfdaa1baa8b5ddccf31985e3143fa3d447f377cda5ae5dbb57869c7

SHA512
58fa893c7236eb6627c12cee7d8f259b79faecc533d3afee18daa669ff4c3fde0af4b7541d9a4b0d701e31b44bfd21e8399b5cb32c4e44876d97f39c797793ee

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
128KB

MD5
b8a1e02e828502da085fd32e8968531b

SHA1
e82655a486d20b49d90937bf25a823b26312b415

SHA256
c9465fbb72dfd54b40ad60ef8b7a798731c086efc97bb69a6b3d24b14966b8e6

SHA512
722a35741260bf45b434b8c6ee5cc74f5e00d3ba6d6ac4bbe5a955e73939c50e9456c96631c8de5aafe6d59bb1e42fc884384ebf6101a6a6cb403cc402990f72

Download Submit
C:\Windows\SysWOW64\Edaaccbj.exe

Filesize
128KB

MD5
399572bef099f2b14cb0c8b67ee1f80f

SHA1
adef3964be995a44294320ff9514b20b42344146

SHA256
2f5c5043ddb9997188efcbd7d73a2d408dfa8fae442465273fddde5d34e28dd2

SHA512
653440fff99693f7835b4e12d544b4e015bae9c7529ca0fed5c91f3202493bcb63c5421fcdacfb4cf103363b5d91036204601538a9931e45412d00299409d74b

Download Submit
C:\Windows\SysWOW64\Ejjaqk32.exe

Filesize
128KB

MD5
f15cc74e0faa02c370df5d0006cae30e

SHA1
3a5d3b7af58f18a0ef2f1c47c201a27a2dbf8ffa

SHA256
4caa18eafaac369000e74784a83c7a1c0aa192b3a7371a8945a8aed462e6911d

SHA512
3b0dc12b3e68037c452fc6775de9d5f19f52e5c57ef2f34b6aa31a090195d0b0bdb8585254bac055032dda2a0d04971d779bc7cc9eecc608814c2876b62ecd22

Download Submit
C:\Windows\SysWOW64\Ekimjn32.exe

Filesize
128KB

MD5
7578aaba120763fd2d55abe27b90f0b3

SHA1
55223d19dd2d992193a0f9302a93911373cf29f2

SHA256
7faf6641a1a208fa5b81d367b35f293cbcaf849653f6281a243c7fd608e4ed53

SHA512
9c1f9c2a3882ebb91cc157c79736501a27e4df3f592ac4bc40793aafc320baf6f2a8574e3a7cb3088b7963d614febc2502aa415ab312b54d69848f39755bc4e3

Download Submit
C:\Windows\SysWOW64\Ekljpm32.exe

Filesize
128KB

MD5
640f27a9aac5a2c0b1ef092f55f6e3a9

SHA1
491cef849ff846a64a6cb92ddab8621616a71f94

SHA256
d9d7ffce0d5b047b2e10a0857e9051c2644096c46f7233c6286556d17a70fda4

SHA512
94ff363e67b2c675a717529d2487d46f8f420bcb44e1d5d09b81b3bc709b0d29ef5c3f3877f33f74fab681db116a81cc70972356ba2135cb517077a85bfa38f4

Download Submit
C:\Windows\SysWOW64\Enjfli32.exe

Filesize
128KB

MD5
92df3701daef6dca6eed2d04b9582015

SHA1
1aee66ad76a15197e617208b74afbf79150dbc76

SHA256
6c9fa09e35ad39d16b1ae57200c274f674ef3f3a97ff47372f59524c9053ddb9

SHA512
96b3795d8a6fed6abedd07ca1a352668cf87a478358ab8de2b07b15d7ecddf1d7f06a3e7a472b946b05d23efa60a4ad3c424179c59261dae53ba5fb784ea22c2

Download Submit
C:\Windows\SysWOW64\Epdime32.exe

Filesize
128KB

MD5
c1917477d4594e4264249fb2a99d2815

SHA1
0ad7bc45be9c6b39175775a9436613743d81ba2f

SHA256
d93831b2a4c424f7f50eb568b4093cc8b980eaf989414a4991455aa92c9cb015

SHA512
57db1f9087568552050bb93c3fe86560c9de6ad2571dc7dadcde9511a347412e814519ddcbddf9237d0b93266635a65b9ec4c474950133ca7c63054d0f2afdcb

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
128KB

MD5
998c97df3224dbd3dd9fbf132f133e8a

SHA1
15423dba2d2187066260427c75de4932c8d8a668

SHA256
29749296d1cb86678cbe91546eb78a3aaf38b389200b870322abf14b5ea745e6

SHA512
7a54c2f669ddcec1428cc6693190dfa4222fa6cbe957cf8b85ab8c32ac1ed1f29a5cfaa3f12c35fe22e548e6b6f0cedeb1ca0501001c5c2c18ec5b2025a72229

Download Submit
C:\Windows\SysWOW64\Lalceb32.dll

Filesize
7KB

MD5
50e2ed35acf6a14ea50272882b918654

SHA1
401a7df61084d2cd9e5474c1a34957c6dc9322c4

SHA256
425cdeb9f8901b9f143a49fa83358a9c9e71424e59d4658e1ffcf5c385213abf

SHA512
d5ee3399674b1c9245c03ac98bcafcd23a4cc1a258e8f49f51dcb6975128b4f1f86d5ed98476b0490c4e045f01d5c6a8ed143b111a14035e83c814336ed25fa4

Download Submit
memory/64-351-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/64-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/736-337-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/736-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1248-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1248-348-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1272-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1272-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1484-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1484-331-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1508-359-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1508-95-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-253-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1944-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1944-349-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1956-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1956-365-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1968-356-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1968-119-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2128-127-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2128-355-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2164-366-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2164-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2380-357-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2380-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-344-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2696-360-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2696-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2724-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2724-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2784-335-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2784-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2840-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2840-353-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2844-368-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2844-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2880-345-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2880-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2924-338-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2924-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3088-79-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3088-361-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3384-369-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3384-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3408-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3408-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3536-231-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3536-342-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3636-336-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3636-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3644-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3644-367-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3652-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3652-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3664-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3664-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3916-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3916-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3976-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3976-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3988-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3988-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4188-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4188-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4264-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4264-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4340-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4340-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4348-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4348-332-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4388-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4388-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4520-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4520-363-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4540-350-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4540-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4560-343-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4560-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4692-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4692-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4748-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4748-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4840-266-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4940-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4940-362-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads