berbew | e1751127cadb55ac72ec21891285d736912835d1583ae71f3363b4e3e54daf85

Analysis

max time kernel
94s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 03:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e1751127cadb55ac72ec21891285d736912835d1583ae71f3363b4e3e54daf85.exe
Size

82KB
MD5

390dc80f95c385fee419227e52d09b97
SHA1

832f2fa6a9b7160039d0fa8f79d7f4e517b67a8f
SHA256

e1751127cadb55ac72ec21891285d736912835d1583ae71f3363b4e3e54daf85
SHA512

e5c5b076b685d88685efd9cbc9ddf5d02fae815fc60b04c28b3bbd49e2662fc1982d614e1ea22bc25c6ad3c9c3475acf5478be646c797275685eafba2f15a18d
SSDEEP

1536:bBaEwdUJMvXZuDO+jkVrpQQvQSv8WSJ5+2L7npm6+wDSmQFN6TiN1sJtvQu:bIdUOfZCO+jgrv8WEDTpm6tm7N6TO1Sx

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e1751127cadb55ac72ec21891285d736912835d1583ae71f3363b4e3e54daf85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 49 IoCs

pid	Process
2912	Bnpppgdj.exe
2700	Bclhhnca.exe
2148	Bfkedibe.exe
2308	Bjfaeh32.exe
1228	Bmemac32.exe
1184	Bapiabak.exe
4664	Cjinkg32.exe
4484	Cabfga32.exe
1548	Cenahpha.exe
3548	Chmndlge.exe
1656	Cnffqf32.exe
3912	Cmiflbel.exe
2036	Chokikeb.exe
2272	Cfbkeh32.exe
5020	Cagobalc.exe
4172	Cfdhkhjj.exe
3200	Cnkplejl.exe
452	Chcddk32.exe
3228	Cmqmma32.exe
636	Dhfajjoj.exe
640	Dmcibama.exe
4288	Dejacond.exe
3776	Ddmaok32.exe
768	Dfknkg32.exe
868	Djgjlelk.exe
2332	Dobfld32.exe
2004	Dmefhako.exe
2776	Daqbip32.exe
2628	Delnin32.exe
2044	Ddonekbl.exe
3640	Dhkjej32.exe
4768	Dfnjafap.exe
1816	Dkifae32.exe
1472	Dmgbnq32.exe
996	Daconoae.exe
4952	Deokon32.exe
2916	Ddakjkqi.exe
1964	Dhmgki32.exe
516	Dfpgffpm.exe
2680	Dkkcge32.exe
4516	Dogogcpo.exe
232	Dmjocp32.exe
4880	Daekdooc.exe
3028	Deagdn32.exe
2920	Dddhpjof.exe
4556	Dhocqigp.exe
680	Dgbdlf32.exe
3636	Doilmc32.exe
3288	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	e1751127cadb55ac72ec21891285d736912835d1583ae71f3363b4e3e54daf85.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe

Program crash 1 IoCs

pid	pid_target	Process
4672	3288	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1751127cadb55ac72ec21891285d736912835d1583ae71f3363b4e3e54daf85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e1751127cadb55ac72ec21891285d736912835d1583ae71f3363b4e3e54daf85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e1751127cadb55ac72ec21891285d736912835d1583ae71f3363b4e3e54daf85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e1751127cadb55ac72ec21891285d736912835d1583ae71f3363b4e3e54daf85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 2912	3652	e1751127cadb55ac72ec21891285d736912835d1583ae71f3363b4e3e54daf85.exe	83
PID 3652 wrote to memory of 2912	3652	e1751127cadb55ac72ec21891285d736912835d1583ae71f3363b4e3e54daf85.exe	83
PID 3652 wrote to memory of 2912	3652	e1751127cadb55ac72ec21891285d736912835d1583ae71f3363b4e3e54daf85.exe	83
PID 2912 wrote to memory of 2700	2912	Bnpppgdj.exe	84
PID 2912 wrote to memory of 2700	2912	Bnpppgdj.exe	84
PID 2912 wrote to memory of 2700	2912	Bnpppgdj.exe	84
PID 2700 wrote to memory of 2148	2700	Bclhhnca.exe	85
PID 2700 wrote to memory of 2148	2700	Bclhhnca.exe	85
PID 2700 wrote to memory of 2148	2700	Bclhhnca.exe	85
PID 2148 wrote to memory of 2308	2148	Bfkedibe.exe	86
PID 2148 wrote to memory of 2308	2148	Bfkedibe.exe	86
PID 2148 wrote to memory of 2308	2148	Bfkedibe.exe	86
PID 2308 wrote to memory of 1228	2308	Bjfaeh32.exe	87
PID 2308 wrote to memory of 1228	2308	Bjfaeh32.exe	87
PID 2308 wrote to memory of 1228	2308	Bjfaeh32.exe	87
PID 1228 wrote to memory of 1184	1228	Bmemac32.exe	88
PID 1228 wrote to memory of 1184	1228	Bmemac32.exe	88
PID 1228 wrote to memory of 1184	1228	Bmemac32.exe	88
PID 1184 wrote to memory of 4664	1184	Bapiabak.exe	89
PID 1184 wrote to memory of 4664	1184	Bapiabak.exe	89
PID 1184 wrote to memory of 4664	1184	Bapiabak.exe	89
PID 4664 wrote to memory of 4484	4664	Cjinkg32.exe	90
PID 4664 wrote to memory of 4484	4664	Cjinkg32.exe	90
PID 4664 wrote to memory of 4484	4664	Cjinkg32.exe	90
PID 4484 wrote to memory of 1548	4484	Cabfga32.exe	91
PID 4484 wrote to memory of 1548	4484	Cabfga32.exe	91
PID 4484 wrote to memory of 1548	4484	Cabfga32.exe	91
PID 1548 wrote to memory of 3548	1548	Cenahpha.exe	92
PID 1548 wrote to memory of 3548	1548	Cenahpha.exe	92
PID 1548 wrote to memory of 3548	1548	Cenahpha.exe	92
PID 3548 wrote to memory of 1656	3548	Chmndlge.exe	93
PID 3548 wrote to memory of 1656	3548	Chmndlge.exe	93
PID 3548 wrote to memory of 1656	3548	Chmndlge.exe	93
PID 1656 wrote to memory of 3912	1656	Cnffqf32.exe	94
PID 1656 wrote to memory of 3912	1656	Cnffqf32.exe	94
PID 1656 wrote to memory of 3912	1656	Cnffqf32.exe	94
PID 3912 wrote to memory of 2036	3912	Cmiflbel.exe	95
PID 3912 wrote to memory of 2036	3912	Cmiflbel.exe	95
PID 3912 wrote to memory of 2036	3912	Cmiflbel.exe	95
PID 2036 wrote to memory of 2272	2036	Chokikeb.exe	96
PID 2036 wrote to memory of 2272	2036	Chokikeb.exe	96
PID 2036 wrote to memory of 2272	2036	Chokikeb.exe	96
PID 2272 wrote to memory of 5020	2272	Cfbkeh32.exe	97
PID 2272 wrote to memory of 5020	2272	Cfbkeh32.exe	97
PID 2272 wrote to memory of 5020	2272	Cfbkeh32.exe	97
PID 5020 wrote to memory of 4172	5020	Cagobalc.exe	98
PID 5020 wrote to memory of 4172	5020	Cagobalc.exe	98
PID 5020 wrote to memory of 4172	5020	Cagobalc.exe	98
PID 4172 wrote to memory of 3200	4172	Cfdhkhjj.exe	99
PID 4172 wrote to memory of 3200	4172	Cfdhkhjj.exe	99
PID 4172 wrote to memory of 3200	4172	Cfdhkhjj.exe	99
PID 3200 wrote to memory of 452	3200	Cnkplejl.exe	100
PID 3200 wrote to memory of 452	3200	Cnkplejl.exe	100
PID 3200 wrote to memory of 452	3200	Cnkplejl.exe	100
PID 452 wrote to memory of 3228	452	Chcddk32.exe	101
PID 452 wrote to memory of 3228	452	Chcddk32.exe	101
PID 452 wrote to memory of 3228	452	Chcddk32.exe	101
PID 3228 wrote to memory of 636	3228	Cmqmma32.exe	102
PID 3228 wrote to memory of 636	3228	Cmqmma32.exe	102
PID 3228 wrote to memory of 636	3228	Cmqmma32.exe	102
PID 636 wrote to memory of 640	636	Dhfajjoj.exe	103
PID 636 wrote to memory of 640	636	Dhfajjoj.exe	103
PID 636 wrote to memory of 640	636	Dhfajjoj.exe	103
PID 640 wrote to memory of 4288	640	Dmcibama.exe	104

C:\Users\Admin\AppData\Local\Temp\e1751127cadb55ac72ec21891285d736912835d1583ae71f3363b4e3e54daf85.exe
"C:\Users\Admin\AppData\Local\Temp\e1751127cadb55ac72ec21891285d736912835d1583ae71f3363b4e3e54daf85.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SysWOW64\Bnpppgdj.exe
  C:\Windows\system32\Bnpppgdj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\Bclhhnca.exe
    C:\Windows\system32\Bclhhnca.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\Bfkedibe.exe
      C:\Windows\system32\Bfkedibe.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
      - C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 396
        51⤵
        Program crash
        
        PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3288 -ip 3288
1⤵
PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
82KB

MD5
202e7dba07b3a0bac705c96c8fb62d0f

SHA1
aec6836d4c3f35534e3e98b04862d69fba174cb3

SHA256
002362c4e2961b9ffaf73be2e78506c8f89b6e4b21605b1731002a03616bf8ac

SHA512
e1c0eae4b113248790ea52612c2d75e61ce98cef710ab895be7210fd4b8b01ed7b9868e8e719604a19a1227b4f16bd9574fbf038676f1c1a751506f84411378d

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
82KB

MD5
dc5655dc2250d7a25f5bf77dfcc21ba4

SHA1
a9215de782cadbfb66c7421ee55371cce3514a19

SHA256
82a4f2331e2c61f8f6e89c6a54deb53bb1475b5aa4985d715c71805b4369cc27

SHA512
b68b939345c48617d702c34ffb42e4ec54f5679daa96918ec50b7634537c4eb2a0dd4a6318b1537959c92078f2ba6c62764873189687fb9b757b5ed8aa902b7e

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
82KB

MD5
47f64ff41020509fb508e45f79df50c0

SHA1
270018477cf315144d01e251d75f19ecfef9dc55

SHA256
7eb94543e3d1202755719a459713c8cecd47ca712e821010ad570bf5c3e7663a

SHA512
c2b08393a688bfd86b54438dcbb9e6d6e05fcb0e9afa5c2aab641431b817962a3655a8a2e96184bf63811feecf65e3bad3b486572862a81792a12c759afade97

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
82KB

MD5
0486b39d673ab04aeb1a26464aa94f7b

SHA1
e0d426e21f39e6ae6d55ef5f3056ec0f8cfd6615

SHA256
3ea9375852efdcd34badc04ee2ab06662dd34160bd5469c6c3649f52d1a2217f

SHA512
9db3f2d398e4285eb938bcfc9cdb081f46b1b4260e0f574ab84a7c54cad44f55ae42ec2af6288acdab9b60a0f870a76b74138a2e895ddb6c0bbbebcfa0b96f03

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
82KB

MD5
b8391a8a8786353700612d602c45b5b6

SHA1
5aa2ea5fb5dda6082f77ac25e97de9a234bad6cb

SHA256
059608537d856e6569048617b7562521c5619089b21606f2641287a395834ec9

SHA512
18ffa90fdf505908a9ea5f54283135baadc490f9e3b599aae96b601402c98db1053beba3e4915e5145825828ee7de4f6bda1a79463cc793fe9d52f2ac78bee5b

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
82KB

MD5
fcdf8ccf442277edcba361a0ba7308fa

SHA1
004cb80a5f29633fa986a2aa113d81fa194de376

SHA256
6aef71534ed23fd9d10fc0d0a1652b5968ee2146d0986854b7817ddc97d87015

SHA512
4df854c03f6441fe813813dca20a97f065d1ca4ab836ff5bfb4e8178415670c62967d5a5d69303ed933ab8ba670497d38ec18bc87f7b29ac14d5f5461ad66547

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
82KB

MD5
95540bf992ba0a9456329bb8c4e5c1c9

SHA1
29bfaa2e5c87154f7d1ac14c6ed4e8e5b2905f09

SHA256
d1c1ad3b479a16934343f98a014f660dc8699de1a56f4e0dbe2b07212da07f09

SHA512
d6b576846484b3287173e79abfc4d5ebe67f548be1a251256f4ffe3edfc080ff7eeed8e7597e687435999411b63166e359ccf80b9cdcdf0ece782ccdf32d5a3a

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
82KB

MD5
60dd989412170cce7b5197a140078a61

SHA1
2122a6fe44b4a2a962234f8d4e4744b1e4555d4a

SHA256
9fb7f78c01f00dfd9618e16e0fb2139bdf9600cfd215dd286659e62abf03a61e

SHA512
fabc5da9d2bcd8e5b008bf25b106b703bb4d45ddd52dc47e9ee734f76f47394b073f2ca0e8433a8e551f2df864daac314c4ca0a37e6eefae3af04a49e4bb8653

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
82KB

MD5
fd5bfabc23111e0acbeec0f0335a7a7e

SHA1
353e51168a041b1e87109729f420a60ca66453b0

SHA256
d9eeb924324d8ab4e9458899e1d66242f81c447fb96f97aa1209300b79eda5a4

SHA512
69c6cb68145f6414685d1a4892fa7e8d5bc4cce1210526cd6e413ed79ac0d79f8495d4c67e3743f8f5393b769af54c6083a454339f78cbfc3fe957e03a9c3cf4

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
82KB

MD5
3c39599cb1c0e91997a6e5e7237c104d

SHA1
d00307b5eb087ed88a42a1a1e7c3b9e44879e18d

SHA256
e6fe06a42e6eaa641e1774e5e4c09985d71ee9f73eef787548b8171da2e8b463

SHA512
73029c661c1c4cf7c955ff0699717514eef8d1daeeee46215a2cc66506a552246b6d982700f1eee069c91b0c7e2cc72210895935a43571cfdef5b80b4b3e3b26

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
82KB

MD5
9516075b7cd0cc234be1134216f3b494

SHA1
903dbf63660e12470d577124a480fb3b362699a8

SHA256
78bee3078de6a912148346337e0563668ef26d679fba4c14e76c481c83ced9c9

SHA512
8f6b561007b022fa33b2c5d7bd3bd3103a6cf6b2c846d021c6f9a3d78d02475811012b861f9acf5e072dabb1912e9c6bcc353d229fcac563d43c84421e1a766d

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
82KB

MD5
b5c5a87e884a0d1d135bb2944efd120a

SHA1
d6764b554bcdcf9b8ec753175c67c0b2a0404d2f

SHA256
9c7f002e48d523961849f95c35408c0593d3b2f32677ca40766534d4f9354d92

SHA512
bc27d4edf895ab0a21342664aa3fd1d4f92965ed4fde090fce0630d16df5310b9478a136b566fca7ca7d73451d20df8bdaa0cfa01aaf9e047660bb2b9c619520

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
82KB

MD5
33f4dca30863b37cba23d8451fe98ca7

SHA1
486dd4a1d88f0b0909968e4224e234325b791e5d

SHA256
b51ee78683094f9d7fad12c891b0783446651d2a21ee69af06acf5b982b68b7b

SHA512
9a9d8d3afd07af38cfd8ab9f5a728433afce16502fb9be737c19b6ae3ac3b4cf0426311570ca5b1bb05c2c62d487ffc12cb293aeff14baaa89520a7528064393

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
82KB

MD5
a96b209b2a77f3aa25118b23fa23eebf

SHA1
ff3ef9c7dae1dd498ab6cfa7dc23ddf5ff048595

SHA256
9d8687aa553516b0180d47d39e776d8b942629824da0217745c8412a95d8a4c3

SHA512
46bb83f8365be09d90dc645c7b3709df626b4ff87bb3d86e918cb417ab353081331eb44126e8bb17ee959b32d15755106b826348fbfa343f06c1e912623e955a

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
82KB

MD5
9fc0f19a14a5479475faba577b2f9768

SHA1
657c00c92d1e07f9eed84c572ed9b84588e19385

SHA256
7da48fe866e817c9bde4bd1d4760ed7b8ee1077caa7d970ffd3f9df3ff5ec341

SHA512
d71c04e12552f8bfc2e765431a0894a11e86afec7b9835e3dd0017f145d7ec8676b41fd1db9384f3fed6035e7ea0f858598b041369aa0c6e3316ef6e05dbc87f

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
82KB

MD5
8bc312bb700f2b25c5262b9daff7d1c0

SHA1
960df79edd7adad20ee736a1d959ea330ea2739c

SHA256
460535b5a7797e67c37f13c985db87c3e6dac1d4be76cb960e631dceb3a5dbd8

SHA512
26fabcd1019e946ee4dba5e118118b8bf52a0882b057462364ec434ea934fc67069a78c68b9b5781f8780996e0631e8f1e7db285b0a5de2691e98c5561692040

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
82KB

MD5
f72baec35c584bed21cec4e1e738aeba

SHA1
23913f2fcb6652bf5d641bbe42c33e1e5e22b449

SHA256
57a9eaa85e8c912c4756d07f0b5f17ceb56866e4527b85ab8e24beaaf5b4a002

SHA512
ac9c383a6f533a260334c58fcf98369b3ad75014e0ac7100b24438a68f76276f8284b920e1badffc8f59d19aba2ae5c676d685ca81b18343f7cca34105b024fe

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
82KB

MD5
5a210b9bb1a1da93b01c1309e1cf3de7

SHA1
c983bbe656d067c20b7b74421f197f9861d4b29d

SHA256
85405b6df58da7cb9c57929a8f93fecfc489716e3c80a5f907c1831fd7c74901

SHA512
672a49831d16f1f43c9228bd0932a4e62f8d67b516e51468dbb669da3c24ec6c93d2c3557a01e0d107bf936ea5536591ed064cf05c51a4999906b96307e05dee

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
82KB

MD5
10446f43c359d6e968773dabb34fc6d8

SHA1
4804e18e0e9540815ccd5b27122e7da1139746f6

SHA256
aec62d090eac7c56ee784aec65a205fe4d0a9050677b887a7ee7b8b0a37b0387

SHA512
6502fb417bcc99e3ab86226c2dc1dc13912935b2e99edbb9ca4561c4cc9c1ab42ce81e9eb81d8964ab7db445dcf5f9a03f0e4a222ddd278f6d8acbfee6f83c7a

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
82KB

MD5
86c2b99b5e55b8d369320228568843ed

SHA1
ebfbaf84882de46a26cbbbba1b35c9d614bfa756

SHA256
d3538e951f6adb26cfaa8121a70053735face97bee29ad8b16e2e82b344f6b35

SHA512
ecec60d5bbd3e531f90b8c13f0e15cb98351c404725a149670bc5ac2095c96b8ed389fa5eb64068fc5eb4d77fb7667b97b68d3dd5069c88a5b6d878d6c862abe

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
82KB

MD5
b6ff4a676d4d8ccdbb1808bcd22bdce2

SHA1
b4614215f6463ab4fcc38e5fed65a65fd8340922

SHA256
2082ce693248eabceff52b0e8ad159ec85b7b046e2f7f1f89036b319f2be15e1

SHA512
f5f3df90461784db954b576525b5fec898d937c56a43b0db14b2ee265cc8491034fd0ad73063e4096676e01bff33ea054a040b57ea041582caf85d38490322b3

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
82KB

MD5
7705840e4f32d3c10fd4f4128e8644b6

SHA1
9d44dff1673e8f7c9f9a1ab8a9b44622a4c66772

SHA256
158da743f18f20d4e53615db7133e39241a6f439af625b7d93777b15f7e5ea50

SHA512
c70c787565e4988ed68eec2a7c56679fb6a52f98a63d1390c60630ddd83eb518c09d05b98afbeb54307bdb5a8f48c1de9f1e18a5191dca7c8c942d4c911caaab

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
82KB

MD5
c34d065ba4dc996038e621ca5694999a

SHA1
08db61b7c201d296cb6444993499f2fc3787e098

SHA256
872111bc4e1c744342dd6c8504d436b3ae1fc719633a196b949c6941510ebf43

SHA512
1513611427eab83e461a5879b39a9188317225c4eac625b5924582679a864655fd80c41253dbe292c42a9439b7c65b01c7fbf3fc00d0b9d9c8c8f0168c989e9b

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
82KB

MD5
57a7c32e7118ca3273d28749e46096a6

SHA1
420c4471425eb0498f25256502fcc74af364f7a0

SHA256
4d8b8e6a06ccf1f5eab10ae69e7570c52582ac8d5eef697a56f9ac26ba354a6b

SHA512
a4d43dfb5abf051c0accb7a88ad36fa45a5e88a85bcdc9b354c80e3f5ef8ffd453da0ff06da42badc2317c7456914cfb543783f4a6be6c3850eb982db472c877

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
82KB

MD5
b30281e3c18052ed6068bb4c5dcbc3cd

SHA1
6f93b46afba286e367877b61a61a2f754cf4bc21

SHA256
3e0eb036e85fea9602d9420bd17da79fc32aa8a21935b705513668b4289d7b8e

SHA512
15292a6cae36c297e284005c11d50681d154bb48c43698a7b1641618e99aa356cedb320a14f11dc82fe46316071fead5ca836c36ce18b3ce4c64534dfa43626d

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
82KB

MD5
aa9079f7cdf46cacc67f451aa6624f32

SHA1
12575cd478b56a3c6792d81425dbc2d74a9a957c

SHA256
b1c8c53e271256712179235ebdf22aed671cfc91b0647586c2892fd34c76cf14

SHA512
a81998e6498959b3dac743281b95afaec91aad45d361d31d7ce9f892b19b3a0bf519437e3154fe2d2f0ce1277fa421c865e60a61fef2f145c56b73ce63562dda

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
82KB

MD5
74dc803c89ac03b13345ea6a3979ee7c

SHA1
238e8f4c963f71a482ecceed10417feadc4eabe6

SHA256
022d859d11e4461caa016263cfe94ac433fb916250fe269d4a20c63b5c355bd2

SHA512
ae09cd26865623ea5994329f9fbc894ef94e87729e3920e04b11b608f5c9f9180e0593ca7a3a87db4365d6ceb6bb09bc6dea04c42add779315e171d2fd281e93

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
82KB

MD5
60a579d195781d201f6cc9533ef45d28

SHA1
d3c70d1f552f50b97d6dc20e96f3145f6d6f3418

SHA256
3056d7417d5265521abc6d7ed87f08df57439bb19a8d621ccb381812df2918d7

SHA512
c1c801b1df4a8b3776316160bc54aea1fae11efb3e7a9f6ac6806fa8a6669874c7d3a88a950cb2cf3f3d8aeb0771b6e7582251a82f7c5be2daae2752bc8261b6

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
82KB

MD5
1ff969a402a4539f67490b8d01840ee2

SHA1
9483757159291d76430726cf45eaf46ca74fde7f

SHA256
08b382373e0f9a31e3feffda83e84e9eebdc7d89cd699dc4df97809cae0c4dff

SHA512
69453d9af6e1b5ffab7cfac3603c70a6e3fe1969fbc03f4681fec32dcd6ccb56d945e3a18133c4594844730f0791b4075418a0f841583de18011298dd96072ba

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
82KB

MD5
bcbef4845640dd817832bf75bff7854a

SHA1
b53889ea5ce6148e8fff3ea232685f1caffc7019

SHA256
618381e54780823beea5e21605f07464e65b4fd92b354353102e3ec05ec70e15

SHA512
282587f57824b85cfbea20d4794f92f32cb54ec8557db84aca24e5afc757e2b8d05a0470baaee4edbed99f305daf9c4c2632577a1759eb50f44f931332f715b9

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
82KB

MD5
572f42d142b95dfcc833f796594d3b9d

SHA1
a2b6c76e6c5d57eb9473e189500bc3de342551c8

SHA256
3c852af3554dde5a850582c75a7140bc6a17e409ca360fcb06314aec3490befe

SHA512
0a2b3458198984196e34f903250be314213c589def7b13eda98aaa38d37332db8d3793c272c7b44b97e7f3290bb2fb06a45a556a60cf8bb1bdacb72ff6e4b762

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
82KB

MD5
5580f6d5f0883655d118fe1c7e3ae034

SHA1
3dd069d7452327d59162e3277f485c67d3751564

SHA256
c91572ec64ad344c6dd38e5cb42218d01373da3ae00da2aca1c2159e057bf312

SHA512
4d021a8c3f280c66875f47240d0918698ddb3d58c0cb74b6a5e919a0196e85a9b0bcbdfd81aa6bc94d01ce1df15bc8fe4a916b3357d0ceb9d600b499b27e2cf9

Download Submit
memory/232-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/452-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/452-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/516-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/636-264-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/636-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/640-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/680-372-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/768-211-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/868-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/996-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1184-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1184-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1228-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1228-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1472-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1548-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1548-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1816-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1964-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2036-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2036-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2044-265-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2148-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2148-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2272-210-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2272-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2308-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2332-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2628-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2700-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2700-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2916-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-360-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3028-354-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3200-237-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3200-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3288-380-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3548-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3548-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3636-378-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3640-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3652-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3652-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3652-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3776-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3776-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3912-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3912-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4172-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4172-228-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4288-194-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4484-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4484-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4556-366-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4664-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4664-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5020-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5020-219-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads