berbew | 6bdc3c9e2baa680184dbfd354202eef1c701ccaa4541f980729c1da546ab8428

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bdc3c9e2baa680184dbfd354202eef1c701ccaa4541f980729c1da546ab8428.exe
Size

85KB
MD5

28956ec7425a5d85e159f579728da68a
SHA1

e9eb5369e88409d54de6ed13136cd639fc4d9fa5
SHA256

6bdc3c9e2baa680184dbfd354202eef1c701ccaa4541f980729c1da546ab8428
SHA512

c9371769f3037336e03981f72518aeadd66d4313b6bab7b6d63634c44e4d0d99579851ad82f4a61c842441cc8f700a0efcb630ffca8c0f1ddab5cab9857b8580
SSDEEP

1536:SjPZXML5jL30O0zPK5e36f7Gg/AqlO7uXcNvvm5yw/Lb0OUrrQ35wNBZ:wu5jL30O0zPStG+47usluTXp6Z

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6bdc3c9e2baa680184dbfd354202eef1c701ccaa4541f980729c1da546ab8428.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgbco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3096	Jcefno32.exe
4020	Jianff32.exe
1120	Jcgbco32.exe
4492	Jidklf32.exe
1636	Jpnchp32.exe
2424	Jblpek32.exe
708	Jeklag32.exe
3116	Jpppnp32.exe
892	Kboljk32.exe
1096	Kemhff32.exe
628	Kpbmco32.exe
1092	Kfmepi32.exe
2112	Kpeiioac.exe
1016	Kebbafoj.exe
1252	Kdcbom32.exe
4440	Kipkhdeq.exe
4448	Kdeoemeg.exe
4204	Kmncnb32.exe
1968	Kdgljmcd.exe
4560	Llcpoo32.exe
4172	Lbmhlihl.exe
1036	Ligqhc32.exe
2572	Lboeaifi.exe
3380	Lmdina32.exe
1684	Lbabgh32.exe
2088	Lpebpm32.exe
4300	Lgokmgjm.exe
4672	Lphoelqn.exe
3192	Medgncoe.exe
1156	Mpjlklok.exe
4788	Mibpda32.exe
1348	Mplhql32.exe
2388	Mlcifmbl.exe
4600	Mgimcebb.exe
3040	Mmbfpp32.exe
1744	Mdmnlj32.exe
1144	Miifeq32.exe
2532	Npcoakfp.exe
4016	Nilcjp32.exe
1588	Ncdgcf32.exe
1956	Njnpppkn.exe
1992	Nphhmj32.exe
4496	Ncfdie32.exe
1768	Njqmepik.exe
1516	Nloiakho.exe
4772	Ndfqbhia.exe
2704	Ncianepl.exe
2596	Nnneknob.exe
3888	Ndhmhh32.exe
4780	Nggjdc32.exe
1708	Nnqbanmo.exe
4536	Oponmilc.exe
216	Ogifjcdp.exe
1940	Oflgep32.exe
396	Oncofm32.exe
2272	Opakbi32.exe
4656	Ocpgod32.exe
3652	Ofnckp32.exe
3180	Opdghh32.exe
1528	Ocbddc32.exe
3500	Ojllan32.exe
5040	Ocdqjceo.exe
2380	Ojoign32.exe
2280	Ocgmpccl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Medgncoe.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Aceghl32.dll	Kfmepi32.exe
File opened for modification	C:\Windows\SysWOW64\Kebbafoj.exe	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Olcjhi32.dll	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Kboljk32.exe	Jpppnp32.exe
File created	C:\Windows\SysWOW64\Lbmhlihl.exe	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Kboljk32.exe	Jpppnp32.exe
File opened for modification	C:\Windows\SysWOW64\Mibpda32.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Bbjiol32.dll	Mibpda32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Ndfqbhia.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Mhkngh32.dll	Kmncnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lbabgh32.exe	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mlcifmbl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5804	5572	WerFault.exe	201

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bdc3c9e2baa680184dbfd354202eef1c701ccaa4541f980729c1da546ab8428.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnchp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeklag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcefno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benlnbhb.dll"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjddiqoc.dll"	Jcefno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpphah32.dll"	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgpfak.dll"	6bdc3c9e2baa680184dbfd354202eef1c701ccaa4541f980729c1da546ab8428.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mibpda32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 3096	5096	6bdc3c9e2baa680184dbfd354202eef1c701ccaa4541f980729c1da546ab8428.exe	83
PID 5096 wrote to memory of 3096	5096	6bdc3c9e2baa680184dbfd354202eef1c701ccaa4541f980729c1da546ab8428.exe	83
PID 5096 wrote to memory of 3096	5096	6bdc3c9e2baa680184dbfd354202eef1c701ccaa4541f980729c1da546ab8428.exe	83
PID 3096 wrote to memory of 4020	3096	Jcefno32.exe	84
PID 3096 wrote to memory of 4020	3096	Jcefno32.exe	84
PID 3096 wrote to memory of 4020	3096	Jcefno32.exe	84
PID 4020 wrote to memory of 1120	4020	Jianff32.exe	85
PID 4020 wrote to memory of 1120	4020	Jianff32.exe	85
PID 4020 wrote to memory of 1120	4020	Jianff32.exe	85
PID 1120 wrote to memory of 4492	1120	Jcgbco32.exe	86
PID 1120 wrote to memory of 4492	1120	Jcgbco32.exe	86
PID 1120 wrote to memory of 4492	1120	Jcgbco32.exe	86
PID 4492 wrote to memory of 1636	4492	Jidklf32.exe	87
PID 4492 wrote to memory of 1636	4492	Jidklf32.exe	87
PID 4492 wrote to memory of 1636	4492	Jidklf32.exe	87
PID 1636 wrote to memory of 2424	1636	Jpnchp32.exe	88
PID 1636 wrote to memory of 2424	1636	Jpnchp32.exe	88
PID 1636 wrote to memory of 2424	1636	Jpnchp32.exe	88
PID 2424 wrote to memory of 708	2424	Jblpek32.exe	89
PID 2424 wrote to memory of 708	2424	Jblpek32.exe	89
PID 2424 wrote to memory of 708	2424	Jblpek32.exe	89
PID 708 wrote to memory of 3116	708	Jeklag32.exe	90
PID 708 wrote to memory of 3116	708	Jeklag32.exe	90
PID 708 wrote to memory of 3116	708	Jeklag32.exe	90
PID 3116 wrote to memory of 892	3116	Jpppnp32.exe	91
PID 3116 wrote to memory of 892	3116	Jpppnp32.exe	91
PID 3116 wrote to memory of 892	3116	Jpppnp32.exe	91
PID 892 wrote to memory of 1096	892	Kboljk32.exe	92
PID 892 wrote to memory of 1096	892	Kboljk32.exe	92
PID 892 wrote to memory of 1096	892	Kboljk32.exe	92
PID 1096 wrote to memory of 628	1096	Kemhff32.exe	93
PID 1096 wrote to memory of 628	1096	Kemhff32.exe	93
PID 1096 wrote to memory of 628	1096	Kemhff32.exe	93
PID 628 wrote to memory of 1092	628	Kpbmco32.exe	94
PID 628 wrote to memory of 1092	628	Kpbmco32.exe	94
PID 628 wrote to memory of 1092	628	Kpbmco32.exe	94
PID 1092 wrote to memory of 2112	1092	Kfmepi32.exe	95
PID 1092 wrote to memory of 2112	1092	Kfmepi32.exe	95
PID 1092 wrote to memory of 2112	1092	Kfmepi32.exe	95
PID 2112 wrote to memory of 1016	2112	Kpeiioac.exe	96
PID 2112 wrote to memory of 1016	2112	Kpeiioac.exe	96
PID 2112 wrote to memory of 1016	2112	Kpeiioac.exe	96
PID 1016 wrote to memory of 1252	1016	Kebbafoj.exe	97
PID 1016 wrote to memory of 1252	1016	Kebbafoj.exe	97
PID 1016 wrote to memory of 1252	1016	Kebbafoj.exe	97
PID 1252 wrote to memory of 4440	1252	Kdcbom32.exe	98
PID 1252 wrote to memory of 4440	1252	Kdcbom32.exe	98
PID 1252 wrote to memory of 4440	1252	Kdcbom32.exe	98
PID 4440 wrote to memory of 4448	4440	Kipkhdeq.exe	99
PID 4440 wrote to memory of 4448	4440	Kipkhdeq.exe	99
PID 4440 wrote to memory of 4448	4440	Kipkhdeq.exe	99
PID 4448 wrote to memory of 4204	4448	Kdeoemeg.exe	100
PID 4448 wrote to memory of 4204	4448	Kdeoemeg.exe	100
PID 4448 wrote to memory of 4204	4448	Kdeoemeg.exe	100
PID 4204 wrote to memory of 1968	4204	Kmncnb32.exe	101
PID 4204 wrote to memory of 1968	4204	Kmncnb32.exe	101
PID 4204 wrote to memory of 1968	4204	Kmncnb32.exe	101
PID 1968 wrote to memory of 4560	1968	Kdgljmcd.exe	102
PID 1968 wrote to memory of 4560	1968	Kdgljmcd.exe	102
PID 1968 wrote to memory of 4560	1968	Kdgljmcd.exe	102
PID 4560 wrote to memory of 4172	4560	Llcpoo32.exe	103
PID 4560 wrote to memory of 4172	4560	Llcpoo32.exe	103
PID 4560 wrote to memory of 4172	4560	Llcpoo32.exe	103
PID 4172 wrote to memory of 1036	4172	Lbmhlihl.exe	104

C:\Users\Admin\AppData\Local\Temp\6bdc3c9e2baa680184dbfd354202eef1c701ccaa4541f980729c1da546ab8428.exe
"C:\Users\Admin\AppData\Local\Temp\6bdc3c9e2baa680184dbfd354202eef1c701ccaa4541f980729c1da546ab8428.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\Jcefno32.exe
  C:\Windows\system32\Jcefno32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\SysWOW64\Jianff32.exe
    C:\Windows\system32\Jianff32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Windows\SysWOW64\Jcgbco32.exe
      C:\Windows\system32\Jcgbco32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4492
      - C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        26⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        30⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        46⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        49⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        51⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        59⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        67⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4480
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        70⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        80⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        81⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        82⤵
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        84⤵
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        93⤵
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        95⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        104⤵
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        108⤵
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        111⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        113⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        118⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 400
        119⤵
        Program crash
        
        PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5572 -ip 5572
1⤵
PID:5680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
85KB

MD5
c30c12d02a67bf5d9fb6ed9e1b38f495

SHA1
74ce74a80eeb743e71ee746dfb8a4b0d31796a4b

SHA256
8e5d2e3f5de56848c97b79b1e3fce6a999f9be84eec13f898d6f15acc683e857

SHA512
4ec3e0fc393269eb59955374ac1f352444d9ccf0a3b5c896cff249d82c5d4ec883b15804a30dcf80f70b12e431a2c1f5d8bcc5028995655ecaf4c9f52a51634a

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
85KB

MD5
223544e9ba61d85e1e8d7f5e30c10107

SHA1
235094924c50758a11c0e0107f9b49c0714eeb6a

SHA256
c64ba326d4feef1b8bdc5154ece149e92350fc7ad1aec556f0b9c0164e4b4b57

SHA512
65fe09877790a1532479c4045cab4e6618ad828c48eee9e25e558e675dd27e4021f745cbcd2f2b19a9e8c723b20f06e9365c4dad1c84dd31ea1993d178d5c664

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
85KB

MD5
46b2241e4f2cd1059caeff2f3b106939

SHA1
3ac18a6e0bd2d36494ccb61da4b85fcef36528f4

SHA256
2aa3e62edc2ba95c56369a05c546ea74d171dd8dfdf9d23ce31ff4f38fcf50f1

SHA512
ee8b1e81b2586812e78428482648edaa900dd55d067e35b9782fe3ce0733ada7eac03e7ec2f669c26432bfd17f9c7135abdf96830c86b50ca90784c634d9c3c6

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
85KB

MD5
15b761a8f126f179e43cb8dd56c135e9

SHA1
1e915ddd7e02168b0d5687a9d47c837903830a31

SHA256
da12f9f9282c93853a906a2b2ce4d5e7bec94355695e39ca8a680b941f2eff72

SHA512
ccf6410c5b93903ca9280d84d51e67703c8e65bc1147d118d460092b787986a3ebfbbe892c5853e4280f7ac4ce3b34d00ed6367c389e15afa119a7b1078b8080

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
85KB

MD5
1cbf70560df5200a2152c2f398d07c4d

SHA1
16b061bb02842f35a9fa8293fd43c4f45dc58a68

SHA256
75cdd47018101dece6e837da501c68fe2bc39c4d2ca507109b12faa621b0513c

SHA512
9c3751a7bc39a829d698b5700c5e5fef09f04f4f81b1572547121e8c406b73ff7ce175c77b4ca4cfb776ce35fce6a90b7c76bc472e9e4f416fb4908dfd4a7547

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
85KB

MD5
d4a92abf96a64f587c9145f8475fe65e

SHA1
caf0ae2ace0abcb1bb9f805dbf1004e26f8606da

SHA256
2e89c4ecaedebe2db33d780e87d15c34b484cd2e1746c16098bc6684195aeb52

SHA512
7458ef87365fcc3b82e2a87bc54e92c0d99e0410d45ff0b9378bc1255946196d530c18b19825364877a831f98bd7b4d6e36d04e84d7a98bdbee98dedec3bf182

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
85KB

MD5
a2449aeebe77c524d4e3551f9801a4b4

SHA1
2eb632ce9e72e96678ead063c82609d086141860

SHA256
82eee9f8410fc5f30c33d863a12e5a3465283656876b0b69749c48a3b20bfa69

SHA512
b5dad7d8d273278471d1f5558e11d13d408815dcaa1d29ac8f4a09158ed80431a717dc138c760e46878ece3b884ca98c98082f10a2155207dff7b9316d0b84ca

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
85KB

MD5
1226dda56d59e358a483c0b288fd8758

SHA1
19d01412caa983cea81d1dcd82eeeaee28377e6b

SHA256
96f04f0d8360a8a99fad39c1164679eb69cb1fbfbdb87ba1bbd8d30a87e4ef01

SHA512
32a77dbd443c44359325f5348b0ce4fab3e314233a3dfe7eb04187623d693ed371fe4bc6335559118a5ffac3ff1710c9f1ed09e8067370729bc31967e21821f8

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
85KB

MD5
d857072c182fc4e9bc086ac580f470b0

SHA1
3e65dc02642233a2133293bac9e480e55902c82a

SHA256
50e8bf6b91f3d096f23880b0725a2419ade85047d5d79c20fec7ffeada5b6090

SHA512
b348615caac64cc892b45bb1bebd954a8e38efbb64a88dd8acbc06daccc20bab2518621aefac4b903f9662305f1bc43b10eea8a6ca5309c6f5436baf42271b03

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
85KB

MD5
a8e860ac2b24c521b9dc11548a3984e5

SHA1
4eaa9fc05a1385d2355c469475a92d0f33b4f1e0

SHA256
025d00e27bbd75112e3ee4bdfa055fc4704386853cac8a0bfee08998833f59fe

SHA512
7334acd41797611edf7f6c5c53b661a586ff113dd38c2253a9fef6ec871e2c5e10bcffb3de8b72dedb3bbb40ba328e65af8f6817f0fc8aac1fce019caff8d6d1

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
85KB

MD5
f426968a63fec431137138cdd0f54aa8

SHA1
5aaa888dc29934ad992e15bd070fe02c7689abd1

SHA256
f745021a62b481f4ce68b39f3ed82cf54f5a978a8fbd110a5036abead3e7ec17

SHA512
34ec89373cd29401cc6f8f227cd202720273e91244a3aa952e6b150155a4f9ad8368c441e82e51aa8a5e3c64c30b5d8495895adc8e6fd2b9fa3287b22d457b62

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
85KB

MD5
61ff4a7f1b65a09113eff9872d2ab404

SHA1
0f65ed97a9f2c59b3e6e1fa4154749e0b7d059a4

SHA256
cc2cc48aa508a490405c944e1e52aa3ae230dd2edf4b1946cb9b8568a687f2ef

SHA512
48fab42e5d2a77ca3e7abfad3f921b248507566182edec2f252f58bec20ab38bf298069e49f2f42c58609503d992d2a0d6921d70a37d4cba3daa67de26743fe5

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
85KB

MD5
f53ebd9536c4120ab66b0a5d30b7baba

SHA1
de67873282e83413d690f5752a14afbc3b0641e5

SHA256
bc804b4b3b328a91a905b3c405cb0247699da892ea7ba405c52eb606d4af6dab

SHA512
554afb3507e7a237564f07ebd769b84e469609e67411178341dc988d9a1e1aa102c29702ebfd129efc4db0a84c25607e09b1f870ead2dba6b69d3ba6bceecf0a

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
85KB

MD5
301cdca6395b7086e644729fe9e65eb5

SHA1
6a5f262fb1f7213631852988c994c4bcc07d2546

SHA256
e13a09a72588f3560c3449f89fe85033b7a8ba9ac6009e4ccd530a42bd0e0e6f

SHA512
a819517c6ca64c1889039b354f9e8d79a687e2125eed5e3eaf0e1b0f099e8aeb23f29ae8512c956e279016f742fc83b027617fdf7243819319ba394a05733eb9

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
85KB

MD5
baa0f73c2c09490fdef14b094ce332e6

SHA1
4b28a063ab36dce26872b15ba0e73865e8d04c31

SHA256
e55f025b86a49840750e2ed2e70d51335ca0f7a6e4923ee1ef66bf42c2b96087

SHA512
7176e5f24f2145a337a60a78eaad5af65b7a4f3d5733d177149888871d006935f235a0ae0a9dbb267c59661b77c29ecc1b8967554d3eff65ae931d180345f003

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
85KB

MD5
9f6739d7e39d51c56fa64072d587f535

SHA1
19866e2fa8cef9ed1b73581aa6035fef1484bdbb

SHA256
78a04f8ffa11306f84998cb11c78e00a3fb9c44fd5e33bc4ab6e4058cfff2dd1

SHA512
633c8e00acafadad7c9cd0e946733056fd934aa6bf63761f446f9a9f2a663490cc52e15ffee766a9d93b56a724126f7d5bf0c27b5fef0c1e56e18f63bcac534d

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
85KB

MD5
8bc2f6e1fd753e7c8d32ced3eaf2fd92

SHA1
f0dd1a60ef68d8da2a0844b3abd8d5f375e01284

SHA256
eb77fa15f7c1a001e26ee6a3bbd60ca0c2c03673f0146f29a8c5c0d7e6abcbb4

SHA512
dd01f2a952cc39e29c0f11e144ac1d67370c8030630ed8d5d3473ed7d14f53e754afd5102b5e1e4a8fae6527584f8499f00f2d27d100b278924be3ba67b5805f

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
85KB

MD5
978d108d06660ac1e09d70cd30afb018

SHA1
f03a8684d18b5bf2278193510a8a90f6dddeaade

SHA256
eda360ff47b7a30c2b0f156bbdae4ba863486729d761feea6020b77aa031aca7

SHA512
5df80b60445ad1895c04f79026e1407a7c023dc9591659e713c54f5d6578e0ecbe9861bee74305e38f03c36417ba9bd5d916f01f5d076211689e084a5cd2b893

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
85KB

MD5
f5f86ade5a6f4b70967b21c964e2b4f4

SHA1
f1d246f7f283aea0a2ce96e4d4abca7fa6f6bf4f

SHA256
6db0125b1516237ec1bc0d69a676107cd33cdd6140086541e7e2cc3e16d23b22

SHA512
b64ffecb119d8104e6401112a6023a7035304aa8e5136b777201a887f70adc3ee099b0cf6739cb75659fa1361d37a22c6a41f8b6ffbc8db26a3efea4892439da

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
85KB

MD5
fc8109ddeb4dffebdc09e6e46b02ea93

SHA1
ca91ec16e7d56a299b85e5daf0828cc0ad98f6ce

SHA256
22dfbb8d0f91c6f7930304aaa480ab61664cfc319e22a0d62f26ca55f958bc58

SHA512
b00e4e00e53b0bb75c828eba71c0f6cf60b4c499defdc6b04e0f0816b752778c05fc83fbac4833521dd023b0e9675d2284445c84ee2aa0f582e18c02c087d638

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
85KB

MD5
ebe4dbaa1bbc3b0c0d78a10bb45e8725

SHA1
f06e896891064ae0dbde14ba2def232cf32da47c

SHA256
244fe878f39d8f90dadd6ce402da23cf01921a72bfa3f03f65fa6828a195fe70

SHA512
8a22c2045b3c39bfc346700cfe4ed8bf698d595ee544db4fd2c5a4919604c4344098944b4dc84478323afb13e7153d6061b834d66f0ef3820727fb575ff0cbcb

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
85KB

MD5
92ae375863eabe3fda394e9fb12268da

SHA1
8c90b2f96dbda823b4118abb6bea060d705cf6f5

SHA256
a3194cc9a1fe6e8413ef870ecf2c0af270afd69a41e0e0619bb2039d5d253648

SHA512
31c4829e3a3703522ba7e1a523026dfa9f1abbea954ce491a8177e9f6eb64761e5d3aaf753acaf4ce685b5b22243fe3712cb8f5b8eca472f724e9d2ca6e6e590

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
85KB

MD5
a356ef71032d544e5b4279b699efee73

SHA1
89c87fc8855fc137ffc7eebbb247264af763ff22

SHA256
cdd65fcd0af9d20ad4ffdd7fc783581564351fac300fd8ccb617a14bc29a0936

SHA512
90171848f352160b332f188670b7d3d2f883f5ff210b64b92616b137e7d8eaef27d6f248a52537d4d0c4b9d04106c550612041dd5d1f1a08d6925235752323ce

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
85KB

MD5
86d2156bec6b946a208d5e65b9c4238c

SHA1
5693456c9746e14ec83512fecee1b330f8ad9eec

SHA256
0174f65f00ffed909461122bbca4097d5457a8270ed2c4be7690d8da2aad0bb5

SHA512
7c7b4ca39e11233b0e704b367dbc0c8c27f81e50aa93cb9cebce0fcaaeaff145c80dba81d235854a75124ad8db1ec7793b283912a80e1e0b0e9c41f4db2d92eb

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
85KB

MD5
bd9a2486d283baca2fa9b598a606cad4

SHA1
3411300e6d7819b98d962d2b49a20ffe220f6e39

SHA256
0645bb4c1d3295818833a3d642529a6f1bb6665495d7fa3ed3d4a83056a4e3c8

SHA512
85e38d6575ba321c95ed9548a8abc290dbe8f0266567caa343f76f595f4e3cde021dede00461a99ab3973a86eeefa1615f3892617b52f1502e7b7b7a198f45fc

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
85KB

MD5
d52d7ba1ce33e4b5a3761a32c1443be1

SHA1
d52ce17900d3a30bcae62283076aa57a3a7d12d9

SHA256
53caf1731dd07026ed8e732f8aadca8789c809072951c9cfae99e918eea1b2e9

SHA512
d3b369f93a9d0907638aa381d1fc33a51c53d520c5a10fa1d7f499cae19eaf89c7ccff5705fbea29a1df8cb1bf6f2df71442b21aa1d5fdeebd082dec2dd55ff1

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
85KB

MD5
1972135969835085e314f78128f0f56e

SHA1
6276a4cdd2d04ade42662ddcf5c26f7ca98ce6c5

SHA256
b867aa2e58c7ba97981e2db0a99d5678780039c97e8769401f0ab36b03d15048

SHA512
67251cb3386e0e978f91570d2693c85c35f7e693a1a72594de22e8faede8529bb7abd2c9c9db3f535ba51a6a0ef50dd8d63b55829899b2f4647afefe12fee96a

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
85KB

MD5
9f4713c12202b507e8490ff3a09221be

SHA1
a39b0f28e93deddad9d1b79b71df9b1e9b482fbf

SHA256
9b784c85eff8a7d01a072be98ef56a75a2bd0781a99e75dbe6287a7e121f0c7f

SHA512
0c91f2061bfc8fa714415c59741c1c60c27f4e74499c4b3a8f91a7aae57860826018f5669fb7a6291bac217ecc67a3aaf22dae6c7855f94a6066c8b0f5511653

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
85KB

MD5
49f4169f418cf8caaeba2bebab1e6be3

SHA1
079de0c2e3802c4c51bd9863177644cb1456fb6a

SHA256
1d7498928bec58e7c2a71b2e430c05d2e8fc9f0ca7b516a449e28d456b82596c

SHA512
c1ff944a3a70a6c062678498283a7ff674e50ad82e1e7be3fcaa6ad7f72abafa12a77c0ac095fdf6e23ec0bcc5a35afef9b7c58f51be7d2775b0437cd94f07f7

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
85KB

MD5
636e96e4155d71bfe4d3becc1fb6b5d2

SHA1
302c7836ca41af1daa84124f7b6320314c44971e

SHA256
330d7eb0b4f1f82bf8b77e776b4566b051fb77771fda87c15e725ecc56f39de2

SHA512
689429c89b6fc72bed3b7fd9e244173397015c71828a7b87c926ea6425702c7018737f561bef4933522f817007e589673a2c76ef417926f11d000914d6c70110

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
85KB

MD5
c840497b46ce3115389843490aa4f1c2

SHA1
fb14f8fd33193226a506487ad251db94a3f08845

SHA256
d591860e707d7496f24145dbb9c0afec288b42a68135ddf9f0aee6f351db62e0

SHA512
f169babf84a55f68f7c1e0a79de342e18cb91b6d09b839b21163338f9dbf85818eed96ec56ef1730f2222a1743e2e4287c8ec63cc3abc9dae2c75c2da2048f48

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
85KB

MD5
8721d62d6cfcf566f2443b49d607259c

SHA1
639848def36edd3c509957fe4d8f01233f5127e1

SHA256
0cdda8ed72b786b4400f28045c3c1fcb8011498da758d312ba258970ddb3c3a3

SHA512
f1860d3027066e4ec28e5eb0f1ca273fe9745112a6fdbb6965729540c45edbc65b4eb9585f65fe126d7093a2a8b60f93c84d8aa9e4b05810ed47c8a12ee8b3ee

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
85KB

MD5
fe24347a3e838b901f56507b044cb8e6

SHA1
1c6595f68a37fc607aca9c338ec0c13c398449c2

SHA256
3daaa9e144dd8111fe15148f10e76de270afc1bde08e3638b83c99721941f8ba

SHA512
c4150877a9e034fe7023bcab47e15678196d7e4e7c33a2bab397ae782b192e83fef78736594126d6781e1db84ba28838fb35e508871cb62e0eda03f3536a20db

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
85KB

MD5
1a741aad17e661411a0e423e1de2ab6c

SHA1
e3eca6187b84bdf3d4eb763f6638d1319a3990ec

SHA256
b0d47d4ea96e0c224fdb58430911324020d6dddfe30e8212766808a456fa329a

SHA512
6fc727ced80548bb21f847f74d116b60337a109fcc57efb4038ca25c358af9e9a9e2ad415222e12280fb48dbfb2ce50353a484cc177d1b7bae5e7fd096ba2aee

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
85KB

MD5
faddbc3365805fc068c1458d777800eb

SHA1
ba313421d96cb042beadbfc43059488d0f468c29

SHA256
96b0fc0524a60553017047f01135d9d2c49439fc2ad6e3664f98118ccfacf979

SHA512
efa9b8a2047868f9073637dd206b7e5145ede40f92ec13da931194a2c329623f2f50c141c0a9b44d338e79647601753b378b0edc0daa871cebb5e02ef766ed64

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
85KB

MD5
90199f8bd40faf2b56a6e8850a31f678

SHA1
1a03b695a33923ba5c56c8f6721cf45e6e867795

SHA256
90c35ad2c80a6e1e616502d84982a9d61093591da41afe00c2e4aad0470a38ba

SHA512
c72999b3c2029f224621c008c82df91ff1bd8a9f1a7c33a459dfce88617525cade78b5cc55f4cea334d3b84f39e97807539139ca03637568c60e767bbf348082

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
85KB

MD5
2ecc0ca4f1e751392c369512cdab9cf7

SHA1
2e4bb6854b73734943155007a3c8aa6056955f62

SHA256
827eeac53553f056f37f34a1acfafde698f786c67fc2d947d7d8404d9346f7e8

SHA512
bbc5f2008cb2f2b37f2fd3b5c33b6b7101eae20ef0793e06ddddc9b6c1a51d6b2837cbe8a9d27999b2f79d3f0ae6ed1ebb52b5e8e793bee4fa4bb9e1e6191a03

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
85KB

MD5
d1622cba810553776abe2c5874ea56a3

SHA1
fb108fee1f9c6efb9d453b350e165f15fead7213

SHA256
3ea4f3801230d6ef7bc97fe490084a42378c6f5b8a96788f1c6dce49174936a0

SHA512
c1b2d1233da5b9cdebc1ccd2990425eab5f4cedf3a3ac763cf00954cf9d97b1a0969373f53348bbdfe7cce41918ae4c4ba3118c293d54bf928ac43aaa1f28dae

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
85KB

MD5
65046d1811279b963cc23fce3b57314d

SHA1
d18c7788745ae9e191a61666bd0ccae08df25ab9

SHA256
86c9fbbfda7a13a84718e178bad5d554a1d5625bebbd23f41702b1fe73f3f210

SHA512
6f9d92ea716acf80be79ca4f22455e68e350264e8cef63ec0d87e2981edd87e4ac4dc3f3e25a1349ce8637942b4cd07e6459040686da9513ff85e4c64a9d18e2

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
85KB

MD5
81746f339290c6853ef1bd68b3ef7ab2

SHA1
8eeb60a142c3d3d58890dc3c29fdacfa51973fbe

SHA256
8df8976e845431f266c81238667d3193f2d25cbdc6ca168845254aff2b22b57f

SHA512
2811b7d01747bfb971045cb2c7400715622934d3d0a24602db0fdccac544f9a78697f9254fd3dc4a491c128e2b5e5b65e468f6ec6293771a2abfcd26b9f7f34e

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
85KB

MD5
77a3d29d483770afc97e8a97825eba2b

SHA1
69f3343e623f9bb777d696e9e4829560a1f83855

SHA256
3262de66e72bd6b7717b0d90abdb165a6187751cc6f71d2ccb013b5cd41d4f2f

SHA512
0335ef977862c24c17a82acff41fd05b3294829bcb443ce3bbdca5cfb08cc518140fe18ec285318af274e4ac6aa5c3133005c4aab0631e5da0b90c27ccb4d5e0

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
85KB

MD5
afc6d45448e7af9d378a09b83b49fe5a

SHA1
70e09ea8bb6943f9bfd9df156b63ce3a44dcbcd3

SHA256
adcd9c56f24dbb5eb983a1569488f53d54d3a6d12f8f85c4df02a32f4100bf38

SHA512
867f42899ca41975806b126367363ab61c76d647dc9b5d33bb27c64ddd0d84d92281c4d3a88cd36d328d2fe89d2db74eeb8bda0fa1eabfe40337630ae38c09ac

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
85KB

MD5
ccc7a1e70b1415272132ab25894e84e3

SHA1
629696ab8353af697715ba7c0a90d65e76a6c19c

SHA256
0ff34ca03c0b82695b29c1db0cfff519766418de1d98505c93cb21c00c019865

SHA512
385b590c876c7ac77cdc0b2ef121afdb3004b8f2bc3435df4c2e625240549dfa4cb943824113c9add8571474c2126385564bb9b2ffcbfa9701982d506e290c9d

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
85KB

MD5
fb3e45b1c283475525a80ad11643ee1d

SHA1
c5f2bf22eec460d9c07f627d407cc595ccfedefc

SHA256
a0271fa5fe6c40a317d1ead09df294faa9b3e873524437f91b151cd701c24b61

SHA512
4df33945ec1a842c8e77bb4a4e7c42d0645ce28f87096c18a8622c9c302794df04e6da9a664e021dda2d3c43a0c6d3282b55e4e84cfbccfebe08ed3a1a76df19

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
85KB

MD5
160100657c85927a42c6ef1bc00c60f1

SHA1
86ff5479376779915ba3aa642d51ac16204027a3

SHA256
3043a9b6a6fc7f858f59561edab1dd083d36baf0bf63a6cb8ecbbda136fa7921

SHA512
96e35d9a3a8acc462c280700976a99156098a4c2bde147f03c31a173bc6b90a77202d6fab023789160e5b84e89f2f5c9b4a3be36cf78f4a366a5e95dfc337fc6

Download Submit
memory/216-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/396-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/628-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/708-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/708-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/892-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1016-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1092-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1156-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1228-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1428-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1588-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1636-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1636-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1684-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1744-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1852-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1868-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1956-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2068-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2088-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2112-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2640-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3040-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3192-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3212-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3380-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3460-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3468-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3500-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3888-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4300-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4448-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4480-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4560-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4656-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4672-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4772-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5060-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads