berbew | f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 05:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe
Size

368KB
MD5

aef9a6c1fdeb12b7d8a97f9d6e698aaf
SHA1

0a0cff465ab2901ab743250594f476e9635679d2
SHA256

f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912
SHA512

0ca36bfb565936c963ccd19735b607191f938f4dae1f2e618a8a6e32f3c0d67e78ca27cbf9ea8931555611ba09b876ab80d75ae59ed13d45bc4776b5d0da612d
SSDEEP

6144:8ujJYuWqANQO+zrWnAdqjeOpKfduBX2QO+zrWnAdqjsqwHlGrh/tOz:8sW/+zrWAI5KFum/+zrWAIAqWiO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 14 IoCs

pid	Process
4612	Chagok32.exe
2448	Cmnpgb32.exe
1016	Cffdpghg.exe
2276	Cmqmma32.exe
4976	Dfiafg32.exe
4028	Danecp32.exe
4400	Ddmaok32.exe
2328	Dobfld32.exe
2688	Dhkjej32.exe
4108	Dmgbnq32.exe
4564	Dkkcge32.exe
3820	Dogogcpo.exe
5052	Deagdn32.exe
1420	Dmllipeg.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Deagdn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2384	1420	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 4612	4036	f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe	84
PID 4036 wrote to memory of 4612	4036	f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe	84
PID 4036 wrote to memory of 4612	4036	f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe	84
PID 4612 wrote to memory of 2448	4612	Chagok32.exe	86
PID 4612 wrote to memory of 2448	4612	Chagok32.exe	86
PID 4612 wrote to memory of 2448	4612	Chagok32.exe	86
PID 2448 wrote to memory of 1016	2448	Cmnpgb32.exe	88
PID 2448 wrote to memory of 1016	2448	Cmnpgb32.exe	88
PID 2448 wrote to memory of 1016	2448	Cmnpgb32.exe	88
PID 1016 wrote to memory of 2276	1016	Cffdpghg.exe	89
PID 1016 wrote to memory of 2276	1016	Cffdpghg.exe	89
PID 1016 wrote to memory of 2276	1016	Cffdpghg.exe	89
PID 2276 wrote to memory of 4976	2276	Cmqmma32.exe	90
PID 2276 wrote to memory of 4976	2276	Cmqmma32.exe	90
PID 2276 wrote to memory of 4976	2276	Cmqmma32.exe	90
PID 4976 wrote to memory of 4028	4976	Dfiafg32.exe	91
PID 4976 wrote to memory of 4028	4976	Dfiafg32.exe	91
PID 4976 wrote to memory of 4028	4976	Dfiafg32.exe	91
PID 4028 wrote to memory of 4400	4028	Danecp32.exe	92
PID 4028 wrote to memory of 4400	4028	Danecp32.exe	92
PID 4028 wrote to memory of 4400	4028	Danecp32.exe	92
PID 4400 wrote to memory of 2328	4400	Ddmaok32.exe	93
PID 4400 wrote to memory of 2328	4400	Ddmaok32.exe	93
PID 4400 wrote to memory of 2328	4400	Ddmaok32.exe	93
PID 2328 wrote to memory of 2688	2328	Dobfld32.exe	94
PID 2328 wrote to memory of 2688	2328	Dobfld32.exe	94
PID 2328 wrote to memory of 2688	2328	Dobfld32.exe	94
PID 2688 wrote to memory of 4108	2688	Dhkjej32.exe	95
PID 2688 wrote to memory of 4108	2688	Dhkjej32.exe	95
PID 2688 wrote to memory of 4108	2688	Dhkjej32.exe	95
PID 4108 wrote to memory of 4564	4108	Dmgbnq32.exe	96
PID 4108 wrote to memory of 4564	4108	Dmgbnq32.exe	96
PID 4108 wrote to memory of 4564	4108	Dmgbnq32.exe	96
PID 4564 wrote to memory of 3820	4564	Dkkcge32.exe	97
PID 4564 wrote to memory of 3820	4564	Dkkcge32.exe	97
PID 4564 wrote to memory of 3820	4564	Dkkcge32.exe	97
PID 3820 wrote to memory of 5052	3820	Dogogcpo.exe	98
PID 3820 wrote to memory of 5052	3820	Dogogcpo.exe	98
PID 3820 wrote to memory of 5052	3820	Dogogcpo.exe	98
PID 5052 wrote to memory of 1420	5052	Deagdn32.exe	99
PID 5052 wrote to memory of 1420	5052	Deagdn32.exe	99
PID 5052 wrote to memory of 1420	5052	Deagdn32.exe	99

C:\Users\Admin\AppData\Local\Temp\f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe
"C:\Users\Admin\AppData\Local\Temp\f8d370710550536ad7ef39b83c4b53c48f63035709935b3d60feffd7b79c1912.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\SysWOW64\Chagok32.exe
  C:\Windows\system32\Chagok32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\SysWOW64\Cmnpgb32.exe
    C:\Windows\system32\Cmnpgb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\SysWOW64\Cffdpghg.exe
      C:\Windows\system32\Cffdpghg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 416
        16⤵
        Program crash
        
        PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1420 -ip 1420
1⤵
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
368KB

MD5
2a6702a60bd8fde766508d665737f352

SHA1
f6b5ea274aa24ac842fe3d36fa8357930dc5f642

SHA256
f089521d33d1cb57f81ad990afd4891ec13cf0c3a69dc65f7576ab969395c467

SHA512
d0c99e497b1120e30a1372c9a809f42b6b1dd9ee5d5716e8daca00d9ae452283a5e7bb5ee7888a11a8a0faaa48f858bd617e0454df04a8cceb990f5b42becc6c

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
368KB

MD5
1404ebc3554e74b0dd28af1e005c129e

SHA1
3c9c30e91b88f93fdcfec7be62a175dc2a5ba37e

SHA256
63dd60bf59273dbc47a6ab16c70e3bfa3a83f04dd9aea903bd0b94f1ce941d5a

SHA512
e08bcfb84e10164631cbc2d5bbf3f394bdc157a8923d300c006898a4905245506673d4e4ece01665c464fe2481d479c0488d8405100681503317b2a345d195ed

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
368KB

MD5
bccc78a03ec470e3e7084d99081f0dd1

SHA1
786d1d784e865c55385dd3ce2dfb6954ec4ae24d

SHA256
c2fd6800a1bdbadb3478b6443888173c93e420920f83867b5a55132885f6e2d2

SHA512
3cb33d4f96f3ad20720bcc1e83e8693bbc15a117a745ef87fac9828ab073b77c42fdf2a56d4986da6e05ee6614ce92f477e0be0c41dd150e92f15c49a360f341

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
368KB

MD5
3f1dbfde614a51dc0e108dd038218598

SHA1
dad5fe361495d58f569cc43d01739022b01a924c

SHA256
e2af633a3610b68a855fd6f41b74ed9e0ff0de2bec3b1d7a3420272057ad0bf8

SHA512
b413295d41b1d5ad4429a265b3f95e0f043b22b0e005d1797ae50927cdc4713fa5927d074ff134b399f3507731bf3ab4bf58d02d22e8271f229af2e93637710e

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
368KB

MD5
94d7e2ebca6b470b29bf175fb97059bc

SHA1
28c9cce2796479270fc3d20e1e811bad7d7802cc

SHA256
28e941eea823a6a678b7729c75abe7ea90e280828fc2f220a9978dba7aadd9ab

SHA512
1a9bd40b6d91a9737e16d49cfc1096f0ab4494a750a5d42260d3456a61c3f8b191589fcf38605ece45eb6b65f6f7eefce336e0910099b81b16aaa9cba8690662

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
368KB

MD5
57b33290ca20330457728d89f084fecc

SHA1
91ed3096e5d81cbeed62d6922ab178ea5c8a8d8c

SHA256
8b6c04859374ab33ff0f5c4a06ed059ee4518f2578a4a66b0a1940b41211244b

SHA512
9a5995a240f8dbe5f89656b530de7a7a3682d69c25bbb4e2a5c770ae5a9ae109c31be9e9ea417d727af9e2491bc16630599c96b7be5fb65789b401352ac3e617

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
368KB

MD5
9b1a994fa54ba2643a28e4aa9d3e4345

SHA1
a9ba57d225971754f93e35eee478d0cebf8cd715

SHA256
5143fe01765cbb8c21960512e65291ff182e1ebfc186efd41ba1b28bd480af7f

SHA512
be877a35fffaac275a2edd3baf254a9155ae823a630d2050c76bb9f110e650ef8feee382669d8b36f877ac609eb0248cec07ad45d7681596f28e343ca6e1db08

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
368KB

MD5
f5ca911510fa1caa103801e82db14635

SHA1
8aa34c67c6a23409d60e1ed024dfaee7b4521b4c

SHA256
c97ca742b1b2597522f3974ba0b84877b81e91b27c1425d958d049d80279519f

SHA512
50faa098eaa1b9c5e7fda05ab9fc7e278e0758177905cc2fb97762e851f84117eef8076bd984243725df570ce5e8d3423cbd93059156eb128fa7aea0f722f58c

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
368KB

MD5
8f97e1daf4a871c06dd29b9d1fadf7a4

SHA1
79c7be06c20306164daabfdc392e19995facaee6

SHA256
16a079ff7ea824c124f1bad606a9c071dfe074954c7a8636e9c64ad3bcf9bbf3

SHA512
3b0a515caec23554bee781696577b9a5220e3dab115d9f3348535dafe9e390a6d49ebfb22e26427f63afdc0230d8329d6e5092717f32cb1a7d8b0aba58e7680c

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
368KB

MD5
9e736a1b18e17a483b26522fa123612b

SHA1
3d8ecc4cf5cfadf0f5607ab57449433d92813101

SHA256
e1ffffb37760c865c163e15cb240201a16504c5c736eaf6bbab02b188306210c

SHA512
14b7ef0ba77b3298dd77ea1790b47201b693f41af1c1b8c5a8af8708ad734a69eea914e92c69f556a88fb26822669e033d11bd66a294117cbeaf0895b5d8dca8

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
368KB

MD5
587af0a1986659afbb3cabac461a1d56

SHA1
4cb038edcca6eaf764b31b4b556fce67f749d74b

SHA256
d81e8700b7eb4318245161a0f52c29776855c2e4ff1d0a4886b801ef49ff9324

SHA512
fe0a4fe0a44b919c7128bddeab6b7a9b9173abeb0d414fc3b274adc62d22f06ab087e0b89f21d0f5bc3cab2b8484ad1f96722edab24eb3d4fcb28f334fc65a30

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
368KB

MD5
256234c34e2048f3dc88598ea1f398ba

SHA1
0bba42c6ae276fb30b35ceb7af1c6c2d5bbd1078

SHA256
b800284539d51d111546d96c68511f826c4c3b2bba3b3f66f82cdbe4d6893bc6

SHA512
5d8997a79c74b6e141cc28a551fea5e9b8cf0aec7ddfaac8efb05f375758dd9dc9b47a064550785d3f128f69b16867cf6536942f77645290de16c49f4ca70fa9

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
368KB

MD5
330d6fe2f1f5d6d43c3d96346ab27fe1

SHA1
87466b5cb307580018d9f062e9ce0e93c28457e5

SHA256
4400ad545f8b8426bc4088295cbdb1b88e08dadea9d6d690b0d03b8a5ad84c3d

SHA512
ccd5b6d13325c8f5d3b3376812981929af05bb59409da89059f4d55e04665918e5153d36f8675e0ac1fbf33c041d58de47b9483349f771716b0ee16030acde25

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
368KB

MD5
863124951fc63659c87eae07550f558c

SHA1
1a76407b5cf30b79faa6b14c51b9a29e13cf23ba

SHA256
e4c6202d9697368aa2e166c55722cd1f5bc51e12f6e077333315e4b966995d67

SHA512
69ecc0beb3ea62f5dcd1dd98372284fcc9ed5f9858a7a50d7cd568c5fcf4c8902ffd9ba18feb158c1b9f281e99a1ac66e32f50fcdc8879666ff56a50941c85a4

Download Submit
C:\Windows\SysWOW64\Kkmjgool.dll

Filesize
7KB

MD5
8b48fb17ffca4a2ba8293213fce07d48

SHA1
dab8c9fa9f6371fd267e02f6d7a9564e5f7a8536

SHA256
f5cc2cb90ed5fa2f0692adbb29c3b13fa2a06f46ee8eb5ffb95737f3bcb015a8

SHA512
cc3525b0341fab55a12142ce23510d0d69c93a367b3929d53dcbf1411efcc6ff5c42fa18837adc4363babb68fb0d54ad27ecaedb4f9c4c20835739304ed3f309

Download Submit
memory/1016-123-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1016-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1420-113-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1420-112-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2276-122-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2276-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2328-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2328-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-124-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-118-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3820-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3820-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4028-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4028-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4036-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4036-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4108-117-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4108-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4400-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4400-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4564-87-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4564-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4612-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4612-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4976-121-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4976-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5052-114-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5052-103-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads