berbew | 36dbb51828b8065b45bc6b539a225c1668ab1e6d100033ecbcdc6f31bbb0a2cc

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36dbb51828b8065b45bc6b539a225c1668ab1e6d100033ecbcdc6f31bbb0a2cc.exe
Size

163KB
MD5

157079230568d6b4fcfa29b797e332a6
SHA1

c73dc6dfb4dde7c8e3f431203ebc994e16020d54
SHA256

36dbb51828b8065b45bc6b539a225c1668ab1e6d100033ecbcdc6f31bbb0a2cc
SHA512

fdde72ead4f6250910ab43598b999276bdc86c5f2a0afcebb9643b80d583af2114fa5872290a42bc44afe1e3b5393ec38be6c525694d8060568caa9efd7bd30f
SSDEEP

1536:P70EoF0S5GUNMJtziDvC2sHvgRPnwfcNzOBP1s2SlProNVU4qNVUrk/9QbfBr+7/:wEoF0UsPgSfG6B+bltOrWKDBr+yJbw

Score

10^/10

berbew bruteratel gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	36dbb51828b8065b45bc6b539a225c1668ab1e6d100033ecbcdc6f31bbb0a2cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	36dbb51828b8065b45bc6b539a225c1668ab1e6d100033ecbcdc6f31bbb0a2cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cc8-224.dat	family_bruteratel

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 42 IoCs

pid	Process
3832	Cfmajipb.exe
4300	Cmgjgcgo.exe
2700	Chmndlge.exe
4924	Cfpnph32.exe
1932	Cnffqf32.exe
2804	Caebma32.exe
4228	Cdcoim32.exe
3936	Cfbkeh32.exe
3408	Cmlcbbcj.exe
1676	Ceckcp32.exe
1468	Cfdhkhjj.exe
2400	Cjpckf32.exe
3976	Cajlhqjp.exe
3204	Ceehho32.exe
4612	Chcddk32.exe
1600	Cjbpaf32.exe
1544	Cnnlaehj.exe
4148	Calhnpgn.exe
4740	Ddjejl32.exe
408	Dfiafg32.exe
3432	Dopigd32.exe
3596	Dmcibama.exe
4556	Dejacond.exe
4660	Ddmaok32.exe
3084	Dobfld32.exe
1076	Daqbip32.exe
380	Delnin32.exe
3844	Ddonekbl.exe
2616	Dfnjafap.exe
1816	Dodbbdbb.exe
4724	Daconoae.exe
4432	Deokon32.exe
4044	Ddakjkqi.exe
3636	Dfpgffpm.exe
4684	Dogogcpo.exe
4896	Dmjocp32.exe
4020	Deagdn32.exe
3684	Deagdn32.exe
468	Dddhpjof.exe
3124	Dgbdlf32.exe
1056	Dknpmdfc.exe
3968	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	36dbb51828b8065b45bc6b539a225c1668ab1e6d100033ecbcdc6f31bbb0a2cc.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	36dbb51828b8065b45bc6b539a225c1668ab1e6d100033ecbcdc6f31bbb0a2cc.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4676	3968	WerFault.exe	124

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36dbb51828b8065b45bc6b539a225c1668ab1e6d100033ecbcdc6f31bbb0a2cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	36dbb51828b8065b45bc6b539a225c1668ab1e6d100033ecbcdc6f31bbb0a2cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	36dbb51828b8065b45bc6b539a225c1668ab1e6d100033ecbcdc6f31bbb0a2cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3832	4308	36dbb51828b8065b45bc6b539a225c1668ab1e6d100033ecbcdc6f31bbb0a2cc.exe	83
PID 4308 wrote to memory of 3832	4308	36dbb51828b8065b45bc6b539a225c1668ab1e6d100033ecbcdc6f31bbb0a2cc.exe	83
PID 4308 wrote to memory of 3832	4308	36dbb51828b8065b45bc6b539a225c1668ab1e6d100033ecbcdc6f31bbb0a2cc.exe	83
PID 3832 wrote to memory of 4300	3832	Cfmajipb.exe	84
PID 3832 wrote to memory of 4300	3832	Cfmajipb.exe	84
PID 3832 wrote to memory of 4300	3832	Cfmajipb.exe	84
PID 4300 wrote to memory of 2700	4300	Cmgjgcgo.exe	85
PID 4300 wrote to memory of 2700	4300	Cmgjgcgo.exe	85
PID 4300 wrote to memory of 2700	4300	Cmgjgcgo.exe	85
PID 2700 wrote to memory of 4924	2700	Chmndlge.exe	86
PID 2700 wrote to memory of 4924	2700	Chmndlge.exe	86
PID 2700 wrote to memory of 4924	2700	Chmndlge.exe	86
PID 4924 wrote to memory of 1932	4924	Cfpnph32.exe	87
PID 4924 wrote to memory of 1932	4924	Cfpnph32.exe	87
PID 4924 wrote to memory of 1932	4924	Cfpnph32.exe	87
PID 1932 wrote to memory of 2804	1932	Cnffqf32.exe	88
PID 1932 wrote to memory of 2804	1932	Cnffqf32.exe	88
PID 1932 wrote to memory of 2804	1932	Cnffqf32.exe	88
PID 2804 wrote to memory of 4228	2804	Caebma32.exe	89
PID 2804 wrote to memory of 4228	2804	Caebma32.exe	89
PID 2804 wrote to memory of 4228	2804	Caebma32.exe	89
PID 4228 wrote to memory of 3936	4228	Cdcoim32.exe	90
PID 4228 wrote to memory of 3936	4228	Cdcoim32.exe	90
PID 4228 wrote to memory of 3936	4228	Cdcoim32.exe	90
PID 3936 wrote to memory of 3408	3936	Cfbkeh32.exe	91
PID 3936 wrote to memory of 3408	3936	Cfbkeh32.exe	91
PID 3936 wrote to memory of 3408	3936	Cfbkeh32.exe	91
PID 3408 wrote to memory of 1676	3408	Cmlcbbcj.exe	92
PID 3408 wrote to memory of 1676	3408	Cmlcbbcj.exe	92
PID 3408 wrote to memory of 1676	3408	Cmlcbbcj.exe	92
PID 1676 wrote to memory of 1468	1676	Ceckcp32.exe	93
PID 1676 wrote to memory of 1468	1676	Ceckcp32.exe	93
PID 1676 wrote to memory of 1468	1676	Ceckcp32.exe	93
PID 1468 wrote to memory of 2400	1468	Cfdhkhjj.exe	94
PID 1468 wrote to memory of 2400	1468	Cfdhkhjj.exe	94
PID 1468 wrote to memory of 2400	1468	Cfdhkhjj.exe	94
PID 2400 wrote to memory of 3976	2400	Cjpckf32.exe	95
PID 2400 wrote to memory of 3976	2400	Cjpckf32.exe	95
PID 2400 wrote to memory of 3976	2400	Cjpckf32.exe	95
PID 3976 wrote to memory of 3204	3976	Cajlhqjp.exe	96
PID 3976 wrote to memory of 3204	3976	Cajlhqjp.exe	96
PID 3976 wrote to memory of 3204	3976	Cajlhqjp.exe	96
PID 3204 wrote to memory of 4612	3204	Ceehho32.exe	97
PID 3204 wrote to memory of 4612	3204	Ceehho32.exe	97
PID 3204 wrote to memory of 4612	3204	Ceehho32.exe	97
PID 4612 wrote to memory of 1600	4612	Chcddk32.exe	98
PID 4612 wrote to memory of 1600	4612	Chcddk32.exe	98
PID 4612 wrote to memory of 1600	4612	Chcddk32.exe	98
PID 1600 wrote to memory of 1544	1600	Cjbpaf32.exe	99
PID 1600 wrote to memory of 1544	1600	Cjbpaf32.exe	99
PID 1600 wrote to memory of 1544	1600	Cjbpaf32.exe	99
PID 1544 wrote to memory of 4148	1544	Cnnlaehj.exe	100
PID 1544 wrote to memory of 4148	1544	Cnnlaehj.exe	100
PID 1544 wrote to memory of 4148	1544	Cnnlaehj.exe	100
PID 4148 wrote to memory of 4740	4148	Calhnpgn.exe	101
PID 4148 wrote to memory of 4740	4148	Calhnpgn.exe	101
PID 4148 wrote to memory of 4740	4148	Calhnpgn.exe	101
PID 4740 wrote to memory of 408	4740	Ddjejl32.exe	102
PID 4740 wrote to memory of 408	4740	Ddjejl32.exe	102
PID 4740 wrote to memory of 408	4740	Ddjejl32.exe	102
PID 408 wrote to memory of 3432	408	Dfiafg32.exe	103
PID 408 wrote to memory of 3432	408	Dfiafg32.exe	103
PID 408 wrote to memory of 3432	408	Dfiafg32.exe	103
PID 3432 wrote to memory of 3596	3432	Dopigd32.exe	104

C:\Users\Admin\AppData\Local\Temp\36dbb51828b8065b45bc6b539a225c1668ab1e6d100033ecbcdc6f31bbb0a2cc.exe
"C:\Users\Admin\AppData\Local\Temp\36dbb51828b8065b45bc6b539a225c1668ab1e6d100033ecbcdc6f31bbb0a2cc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\Cfmajipb.exe
  C:\Windows\system32\Cfmajipb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\SysWOW64\Cmgjgcgo.exe
    C:\Windows\system32\Cmgjgcgo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\SysWOW64\Chmndlge.exe
      C:\Windows\system32\Chmndlge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 396
        44⤵
        Program crash
        
        PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3968 -ip 3968
1⤵
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caebma32.exe

Filesize
163KB

MD5
5738dbc5760c241c2a2a79ecaf0f6b1e

SHA1
ed919ee6495678c056f7c566b461966f01490a24

SHA256
b6b360dcdd2fad3ed1928436a3dcc6f5100d4cf6b6a96d20141f5fa8df3fb337

SHA512
828c451e5e2c492abc24a7c487688e231264b8edda1f4e0e9cf5d0e4b264deb19979b6fb457789fed1a5e1fa62984e950289b0e1890ae4cfc0262116386b58d9

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
163KB

MD5
50f245a1f652ee09860c288f2c2e9cc4

SHA1
3efa1a25037cc6d9712b292cab6c09c1fa27e88e

SHA256
ba1645c3217750f020f1efee14b1ba9b74d28fef761c9385792e288ab43b7525

SHA512
49f679a98ca7593cea5ff8cc7b3aab2b28d042fc4620666f3819f3d028fcf84243ad409cce88ba67949fd9651e69aa4e0a94fbdb436000bf1893387881a1867e

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
163KB

MD5
bc5e06f4fa9ea64788318d0051b863af

SHA1
1f6ae76d4a3774ab75d3a99306cc969f428cd381

SHA256
44acd45d8343da2868538e7319eaf0bac759bf98d1a4068b6e0147518d7fa89a

SHA512
0a783a2a3e5d6bb979970951833286ba102751269e5d8e47e0fd9668ef06a2bef831f60971be9f04aa3bcdede8566c802ff33da7fcf1470106eb11f31ea9d497

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
163KB

MD5
1b58c0e9919e50f68d9a93030658cea0

SHA1
238de745b029be7a4eefb2194de5b54972ebd3c7

SHA256
ec752ed51bef007cca5caef524d27718cefaf4a73b78d9ff56c1dea121426952

SHA512
1259e8240d4c06112e3231c31aefffee2dfc97e7a2f9223d8c42520558e6ff8e6e47bdf9b2b07f11cf44acfb150b4cb22b532e07588a98109c817b0cc97e7d7d

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
163KB

MD5
6c259b4107fec230e9c8b7949db69985

SHA1
7b419bc129e3667123c4518874f5c1491b2d55dc

SHA256
de439d452ef1f700bf8f76c92b4056014af13c73b788b93a06484c7427c1eaac

SHA512
a7188f4a70a781fafa87882249db5e696fbe109dde23b6674c2303a82aae34c58405c76c195c8d993224c776adf168f47aee75cd22b764c0dc5c883513013d9c

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
163KB

MD5
d53d99c36245e06df0821a2dfbee44d9

SHA1
af43343f913df1c4d3a909c95ebbd630c34629ae

SHA256
4186c592ffb1f61b0027020c3ffdaf9cc8e1eb9cdcc95f122684532443caa1f9

SHA512
055da1f92de54569204bd1084e95176da124e2071ecd03b7a6c937be9be38682a01e12d0196f1f1de66a5ab28daa9e308fd97de2ade29a80ab0f014b64d05287

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
163KB

MD5
7e4dd9e68873960b44745f4564129b71

SHA1
49328b947e0fa138de0f3bf0d45141b769e818a0

SHA256
ef921a9d1084aad8c9394169f705e3160851648067c4c7c1ee3da73b115bebe6

SHA512
643e68ab3dd83b020b63e1605643934cc2ecf70002b4beda20d910f1aede1f206f252fe033977275b93100f1b467fed7282afff50d95c4a823c61e475b80d826

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
163KB

MD5
ee5eb8cf000bcb9156c5a914c158656c

SHA1
1910daebab93c0155008ba188c5ed576497a8cfb

SHA256
e058988dcd67bf53ed54624c6a18bafb5b61b4d4381627d5f912c7ff1534d2d4

SHA512
ea3d74fef772bfbd1d189d440021f16f52f72063656566c9a2f115f864186737d7ed579ba954977881922ed62b458480f968167ae071f99d42064f20c36dde0e

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
163KB

MD5
d5d1e06b1f8bca5ec3d455d59ed8cff4

SHA1
e31b572d9fe22218e1ad22e8a58b531de42e72b5

SHA256
ad8897db29094f072aaa52a6dad5641bf5ace844faf053f31170629186504049

SHA512
a4aa1e34f2be0449128763fc3bfaa3d6822684ce6cc5703b7580f29d3d5f37c37807a8d3a3c9d9aa32786d59ed54fc723aa039e66553036ba7c246919d5d80f4

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
163KB

MD5
db81687983fe3df62161337ca1b0bf64

SHA1
b869e8cc075e9175d675a9d8d9d48bc989d31d40

SHA256
d7dd018bdcb011511703a06daf45477e161dfc4c0363724549939602a0b45d75

SHA512
bf59e0b9c4b0c618b8ec98d5f5a0bb9b4ce5c52a20d244f0ca8ba33d6dff7e6137c8d71d2be84a22b801d19805b28b0d852553fd7597d004ff6bbd97917eaaee

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
163KB

MD5
edb5aa5bb9c75ca801627c9bc3428cf8

SHA1
20965719d3313d6956c6453c1017b82b4469bc3c

SHA256
80a85adbdc40aa9a3a3bf709c0c749ac1c53661fc2f3fced0b7581fda11e34fa

SHA512
c23b9d2115e31b0121c87093916328c704e39be218f9c8cd3eaad387941a4ddd628892e5573f045220203e63d03afb71addeb2c00fa625046bcfb363d14aff24

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
163KB

MD5
5f5c7c61ac811c38a9f9d57090edec10

SHA1
2528218290bbe56591d0088ff895c139998e417b

SHA256
67fbeef1fce79ff113af913948aeadb46818052ed4e3e9a482f8870f1f4c9efe

SHA512
17e4ca4cc51fb9e51fc91f4a73171160c9bec8a24053cc7b7d81075d9d394930e30d2477f255913fecf38041dbc429960a071269ee76d36d7af140f0280d2216

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
163KB

MD5
d3b1c84a81390c38bd0bc6bb186b1260

SHA1
78b5bf298aaab70164e282b4567fa8d2f79507cb

SHA256
ef3ffc6d582f00026d0f8fe3a1e7621b699e25a5f8cd8189c566bc61657df174

SHA512
2e619452586e132470c9bab1056d9c8fb8d7cbc68e367b5a50d055eea9e0310a747a400519ac1d2127c0ac0a849c31786117269654eda842ad75c06167dceaae

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
163KB

MD5
9df7f67f01bc73137b2b35453a7123c9

SHA1
716e31e161cd920517173a40c9a2ab8df2f4edec

SHA256
8db3d954cfc9ba86f7bce0cc6d39dd7ce8359033cbc10ed223b801de83def400

SHA512
60ae8b43756147faed2c0cd97fd46a6d4fb343167fb395c2e5345de4e618a2fdec2755fcc1c64cda175edbd6fbc599afe4c4483076d22ba278148df1d6d49ba2

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
163KB

MD5
490d825a36e53645c303fd559a7c2722

SHA1
fdc1a893b813550c637d35817c8de349bbbbb906

SHA256
b44b1f1ebeb8cd1ae95538ded4f6462a42b6ec0a1191667d3d61aeb06fb0d8e6

SHA512
587ee39aabf43e48107168966f7497314b2fba37481522bb6da880b1bc20fb5824f59bad275c67d9427c407435bf33f84a3e6cb2453b97d5aa195e4ae7f5b733

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
163KB

MD5
604c548296a805a39fe34f9888b2c1a3

SHA1
8e916e3026a72c83472251dad21ea924efe553fe

SHA256
28d01c9067363c9bb2d0a14f195823eae4ec4463ac9d60f79f9bb224215dad05

SHA512
89a932cc574ec714e29b4e457a2c5fdd136910a4f7e230a93b3471ce1b21e508c4b54bcaf19d2a427ee70466acbd94d502ba063d2dcc8b6c3293458a1baed8b6

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
163KB

MD5
3756315509f34b6da3caf41793dd3d4e

SHA1
a3797473c0b66d225995f8206a4bf6ffd7f8bd21

SHA256
e279498e1fc34b2e41935c3632e22c26fa7a84d8822fa0619c14bd0824cd5227

SHA512
652cfd3b8eb5861017afda78240d8f0b509828efff49b82d9a136f91dff5bc60ec93241f4dea7ae2fca01d168a0467c276921e9db6834dc30b3d91c171461c31

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
163KB

MD5
eddd1841022e9335a4679729b73d63be

SHA1
3b250281967321d68c587067313ada9591847ad1

SHA256
2c52240c0db3aa949e1ea5422a71e5fce916309320506e257c9cdf3af019b9ed

SHA512
7460030b9fa1b1601250450de107a0eaabfd6b15f4bdaa2d750ab5e1e85379934e1a30675682c301535de9e36a9a4ace2e3d044043159f5ade87dabc91fd2b8c

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
163KB

MD5
86b395138074a0d5d30f048a670c17c8

SHA1
92789535692ef79ef7c8b532897623ee12ebbc4c

SHA256
0502c2251e1c5a8b8ab74bd8024d75c851ccbcfd13ef7a69b75589857ba002d1

SHA512
0604a7eee5aed9048b8cd5ccea5c20a83c218e5e07717cca4fdb764d96558cda7bb3cf892a782da1130b9786b44a421676b66467b745ee58c4f2827d798fc844

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
163KB

MD5
a7fbef19b6648debef3477c136745f45

SHA1
f5ae67c41f242e4eab7a4e97fd0fa8b7047ab3b6

SHA256
849f42f348cae1882c43fa088f7f563ed91deb85bf1d41bedfceda45a7a99f1e

SHA512
a781e70ec0f243f115c134329fcaa3e54e6216021300eb714ba7decacb961bc06546ea9ffc329e0f39d53fb8686e7d3a6180bad92b57d022e6761e9915bab68d

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
163KB

MD5
cd8806230d54f329e65f2d43556a24dc

SHA1
573239239b4bbc5bacf58fd72bdde2cedcd490b0

SHA256
ad334f7309684dd1b543a77d9fdd8cc6c9e6ac886a606efcbdaeaeb4721ac49b

SHA512
6ecad3efefef03aa0439a6f3fac023845aed60232cccc13d8af23b5c36e9365fb002a929d62ee8d8ef028114ee3f6bdc99aa005b2d6c3ab0a8cbc33e95fb64a7

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
163KB

MD5
1033f6e6af745d74c6824b9cca90b163

SHA1
e2b9119f55a81bb480737c722b34f5b895f07872

SHA256
fb4b2405763a14d796499fe1e09129c8c57f19ebb616a615a3d472abeaa58007

SHA512
d5f67d005c053e079adbabbd617a28696e45cb5150eb8f7f705c949c24ec0152a0c5f0ed443019669c757d111ad7399e2ef4387f37c3fa6eaac62549ecd26e85

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
163KB

MD5
542d30cae8e5679352366adbbba5f231

SHA1
94e08041e57a38dce6ec74e95a1cd86ba2fac74b

SHA256
08faee59f574debf94bd7f7d1ba38e971a9009f6daa8770ddc350f6bc47d51ff

SHA512
afa2f896471b613ae95ef97d69798b31f2d535320712106295bc3c6548fa1d94270618bd20d274250961f7339effbe8e006c7005f803c46fc7ca5771524fdae4

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
163KB

MD5
dbd8747f0f41475c6f01bce3aa47d42d

SHA1
e978fc54547ac83a485f2da5ea161ac9c81236b1

SHA256
836dc06787112fcfc2fba1473d28a2b2ebb648faa208dfad732421dda3ea6f9d

SHA512
ffd80a2db919b02c9be2012c28e439d9efad200a019e893fcbe7a098a2b6e39c1875f2b3da283ebe913e9278de947027da924736a2d5892a196d12e2d34600dd

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
163KB

MD5
444f142ee861eafef5926921cdcbe837

SHA1
eec4de6187d7a84b11a6bc3eed56183b98c31c87

SHA256
4f347ef4341e3a7d5544a976c55dabc41cf28f1c748625f45b8a21bf91f4c54c

SHA512
f1ceff234fba23383aac505002bef00443f8d03c18e127c902c3c90174e7783bc4dc9df76fe586ae301f5ccc06d45300986044ba2e04e86634f5ad4f264b8de2

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
163KB

MD5
41f0818954a730de69cb7e29ab16a970

SHA1
6f2d028fe883b372905b141730d24fff75eb180a

SHA256
9d5e6f95a6f84ec57f386d02f1422345e698e98bb633c27a27f6ec3bd8baec6a

SHA512
2955264e68f18955cdc702c478582dd16cfd6032762fdda763057404af3720904a580c120f743c6ee69546bd5840ce029daf5b2eb43ac0573ec1d10a1b59cf8d

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
163KB

MD5
3163383009754a26b4952c01968a44ce

SHA1
facdc462ed1100401baad3bc0b3f9dbfdcf27d64

SHA256
154a9f0e1f0b0040f32dfa57426dd0ba48db9010b0a0846b9dab54a1494bbb41

SHA512
fa4c06a2143f3ae2f5ecd1b01ea54531e73870de8ed8b50bb56d0760e25c524f3eafbd745f753025a533a4791fcbca7dbe8f78e6de9cda9300137436c53b96d9

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
163KB

MD5
6f1dd620eaa46b75b4244476a2d337e7

SHA1
d2e50245d8a36dbdb58eb872ca50ecd6013716a7

SHA256
0152064f154991a14950b84e997a7c85258f81a9d05fb2b02da0ef2f6d525d1d

SHA512
faf34a05b9be4cd2abca17c3869d2a0fd4dee883c0cd33c58889a550086d792011c216d7a5f52fcc5f2231af5fcf6af98bc37036f2a099e20b6cb349576150a0

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
163KB

MD5
0153b9c51033035de616f8caf92f0c77

SHA1
49437aa67e9cedda81048822f73f2d1295675d5b

SHA256
967df4a72f512d3bee38c14c1c1eb4eb67fb58221ff559bf36a3a13f27f7adfd

SHA512
a66e54eaf1a39529574bfbe1094c5a8b851c889bc182b0c2386c9a5336f36a9b36cf4580c0de5178f4fd614a4cb58ac3a097dca8cfc6099ed3e794bb99a34e49

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
163KB

MD5
0f8d0497f605bcc5b6705857262f07d0

SHA1
f78e31f1f6f29a8c201eead7c5c61ed9a3e7f22e

SHA256
42924730c96f4f8245d8318361bdd6218f4c7e472103797019295d8681bbabe7

SHA512
cc3f3845dd92b8ac9ba63bf1f1ef8d6426e24286b33dafa913fea57f4e7c90c092e89cfc11f24f1a24a738911e52b963196e7116448852fcdfaee55cf2d19e8c

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
163KB

MD5
de353c8270d2773457406b3da8f7874b

SHA1
41b957fe2154a56a6484d098eaf59e033a170955

SHA256
a496acccba7cb299e046a7f956378fa298bd81b05363e57b2dceb5b0fcc476ef

SHA512
948948adf039dbac0716eb63949b258a2acf3664bf1999f75fe3449165623c9d93d81c4fe6776533f764958069f948aac72e4c57588d5b632c7ae8a99a60da7d

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
163KB

MD5
c209e506ad7f3e3017ce8884f9e1e809

SHA1
2565396596cbb8886bb3466be87cce9a8fcdae7e

SHA256
461124c5603dec99f32f5e8f2df536ac330e01a9fd0077f6ec0c798c6f51e1d2

SHA512
e26386de31459bd95622550e67b72b5243e5dc0d7c0f90c7a89c1c1ecb2bf34db528e7128c366de02baaea79ee05933f163ac5cbfdd76fc548ce441286dd6cde

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
163KB

MD5
30f45897c8c501c7c23b5dd979d1bbd5

SHA1
fad4269447b550716d76d662e027dc0d6778849a

SHA256
001f3898b3164fca695c08f27ed8bb6d8e8912db55b58779238346c40d5b04a1

SHA512
e1e392868378442ea51f1a72c4b96e30d62c91a76fe1d949fd3b382ede55bc26be33af72277c3e66b4acd12115974653548a22b861ca84c48d586c52804ce0e2

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
163KB

MD5
0d46ddcda72045b7312a31481ce295ee

SHA1
d353ebb1f96e77f05045f1ff80e8686e86e25d87

SHA256
addf9a72de9bdd3a0a4a5868c6cbd21da461650f10e332abd8af364ec13e8d22

SHA512
dba2128804ebd3de483233dfe87d8ced7bd3c34b80f3173e943223df5bd243533169c369104f1c808167272a1c6ac756b0cc13716250a62b15a37f0da343b76f

Download Submit
memory/380-345-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/380-221-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/408-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/408-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/468-295-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/468-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1056-307-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1056-318-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1076-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1076-213-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1468-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1468-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1544-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1544-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1600-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1600-367-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1676-379-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1676-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1816-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1816-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1932-389-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1932-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2400-375-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2400-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2616-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2616-237-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2700-393-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2700-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2804-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2804-387-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3084-349-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3084-205-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3124-301-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3124-319-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3204-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3204-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3408-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3408-381-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3432-357-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3432-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3596-355-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3596-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3636-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3636-330-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3684-289-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3684-322-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3832-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3832-397-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3844-229-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3844-343-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3936-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3936-383-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3968-313-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3968-315-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3976-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3976-373-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4020-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4020-334-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4044-332-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4044-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4044-331-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4148-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4148-363-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4228-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4228-385-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4300-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4300-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4308-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4308-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4308-399-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4432-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4432-261-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4556-189-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4556-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4612-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4612-369-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4660-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4660-351-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4684-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4684-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4724-253-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4724-337-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4740-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4740-361-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4896-326-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4896-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4924-391-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4924-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads