8d3b7fb5534e52abd6c63a979473c3f14439f543c6377af57dd18a47ae239d94

Analysis

max time kernel
166s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 06:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dd23d47effc55a92b4fb5a6e030a18d0_JC.exe
Size

59KB
MD5

dd23d47effc55a92b4fb5a6e030a18d0
SHA1

f17885a2d387feb4ac61ab80244ade45fe0f7549
SHA256

8d3b7fb5534e52abd6c63a979473c3f14439f543c6377af57dd18a47ae239d94
SHA512

25e89c17c14d69f2643621bbbf627e95461ab573d3727e75d31d37c6c968ad87124673d817617f624e475182c73e7dcdd2a62f0be65d47e2a1994a2c1f9cbc4e
SSDEEP

768:Cn1jmeyXFAxoXfD+RKtYOW62WpNB3K+my+bT0ddM5DvISq3v2p/1H5sXdnhfXaX3:C1ieyGxoX7+RK26zpLmy00dSmSw2LsO

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nopfpgip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbpajgmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnnjmbpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoeieolb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcdjbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eeelnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcaknbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jngbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjeiodek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cleegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoideh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iliinc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dokgdkeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgnbdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmgelf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkhnjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoideh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeelnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dafppp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dd23d47effc55a92b4fb5a6e030a18d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cleegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkfadkgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkfadkgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbpajgmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ickglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fealin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpbpbecj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoobdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mokmdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jngbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfglfdkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmeede32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqafhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mogcihaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmkqpkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiaael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goglcahb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoclopne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gldglf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iojbpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Offnhpfo.exe

Executes dropped EXE 64 IoCs

pid	Process
3708	Chglab32.exe
2336	Cbpajgmf.exe
3124	Cleegp32.exe
3736	Cbbnpg32.exe
2608	Ckjbhmad.exe
1776	Dokgdkeh.exe
2376	Domdjj32.exe
5024	Dfglfdkb.exe
5092	Dooaoj32.exe
1164	Dfiildio.exe
1020	Dkfadkgf.exe
4104	Dflfac32.exe
4856	Dkhnjk32.exe
772	Eiloco32.exe
1156	Enigke32.exe
4232	Eiokinbk.exe
2612	Eoideh32.exe
4920	Eeelnp32.exe
3216	Epmmqheb.exe
3752	Eifaim32.exe
1896	Eppjfgcp.exe
816	Ebnfbcbc.exe
1036	Fmcjpl32.exe
2600	Fneggdhg.exe
4160	Feoodn32.exe
3272	Fealin32.exe
1928	Flkdfh32.exe
3776	Fmkqpkla.exe
1932	Fiaael32.exe
2660	Fnnjmbpm.exe
3328	Gidnkkpc.exe
4928	Gpnfge32.exe
4952	Gejopl32.exe
3620	Gldglf32.exe
2160	Gpbpbecj.exe
4488	Gikdkj32.exe
2056	Goglcahb.exe
1616	Glkmmefl.exe
2716	Gbeejp32.exe
2980	Hmkigh32.exe
3060	Hoobdp32.exe
1916	Hidgai32.exe
1816	Hpnoncim.exe
60	Hekgfj32.exe
632	Hoclopne.exe
4720	Hiipmhmk.exe
1500	Hoeieolb.exe
4248	Iliinc32.exe
4808	Ibcaknbi.exe
4900	Iojbpo32.exe
2964	Ilqoobdd.exe
3908	Ickglm32.exe
3268	Impliekg.exe
5116	Jghpbk32.exe
4376	Jiglnf32.exe
2256	Jgkmgk32.exe
3872	Jmeede32.exe
312	Jofalmmp.exe
3136	Jngbjd32.exe
1048	Jcdjbk32.exe
1604	Kjeiodek.exe
4948	Klhnfo32.exe
4824	Kgnbdh32.exe
2464	Lfgipd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jeeobqbq.dll	Dfiildio.exe
File created	C:\Windows\SysWOW64\Npdpachh.dll	Dkhnjk32.exe
File opened for modification	C:\Windows\SysWOW64\Eoideh32.exe	Eiokinbk.exe
File created	C:\Windows\SysWOW64\Fkccgodj.dll	Flkdfh32.exe
File created	C:\Windows\SysWOW64\Gejopl32.exe	Gpnfge32.exe
File created	C:\Windows\SysWOW64\Hlgdjg32.dll	Impliekg.exe
File opened for modification	C:\Windows\SysWOW64\Pfiddm32.exe	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Ppahmb32.exe	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Coegoe32.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Pjpbba32.dll	Eeelnp32.exe
File created	C:\Windows\SysWOW64\Fealin32.exe	Feoodn32.exe
File created	C:\Windows\SysWOW64\Akcoajfm.dll	Hmkigh32.exe
File opened for modification	C:\Windows\SysWOW64\Mokmdh32.exe	Mnjqmpgg.exe
File created	C:\Windows\SysWOW64\Mgeakekd.exe	Mnmmboed.exe
File created	C:\Windows\SysWOW64\Ahdpjn32.exe	Aogbfi32.exe
File created	C:\Windows\SysWOW64\Dpkmal32.exe	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Hoclopne.exe	Hekgfj32.exe
File created	C:\Windows\SysWOW64\Ibcaknbi.exe	Iliinc32.exe
File created	C:\Windows\SysWOW64\Mgphpe32.exe	Mogcihaj.exe
File created	C:\Windows\SysWOW64\Fmcjpl32.exe	Ebnfbcbc.exe
File created	C:\Windows\SysWOW64\Aknhkd32.dll	Fnnjmbpm.exe
File created	C:\Windows\SysWOW64\Ppihoe32.dll	Glkmmefl.exe
File created	C:\Windows\SysWOW64\Iliinc32.exe	Hoeieolb.exe
File opened for modification	C:\Windows\SysWOW64\Iojbpo32.exe	Ibcaknbi.exe
File created	C:\Windows\SysWOW64\Nbgqin32.dll	Nfjola32.exe
File created	C:\Windows\SysWOW64\Aaldccip.exe	Akblfj32.exe
File created	C:\Windows\SysWOW64\Hbobhb32.dll	Aaldccip.exe
File created	C:\Windows\SysWOW64\Gepgfb32.dll	Fealin32.exe
File created	C:\Windows\SysWOW64\Aopemh32.exe	Ahfmpnql.exe
File created	C:\Windows\SysWOW64\Hiipmhmk.exe	Hoclopne.exe
File created	C:\Windows\SysWOW64\Jngbjd32.exe	Jofalmmp.exe
File opened for modification	C:\Windows\SysWOW64\Mogcihaj.exe	Mqdcnl32.exe
File created	C:\Windows\SysWOW64\Gdmpga32.dll	Opnbae32.exe
File created	C:\Windows\SysWOW64\Bacjdbch.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Konidd32.dll	Fmkqpkla.exe
File created	C:\Windows\SysWOW64\Gpnfge32.exe	Gidnkkpc.exe
File created	C:\Windows\SysWOW64\Glkmmefl.exe	Goglcahb.exe
File created	C:\Windows\SysWOW64\Mqafhl32.exe	Lobjni32.exe
File opened for modification	C:\Windows\SysWOW64\Mqdcnl32.exe	Mqafhl32.exe
File created	C:\Windows\SysWOW64\Dapgni32.dll	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Dfglfdkb.exe	Domdjj32.exe
File opened for modification	C:\Windows\SysWOW64\Gidnkkpc.exe	Fnnjmbpm.exe
File created	C:\Windows\SysWOW64\Impliekg.exe	Ickglm32.exe
File created	C:\Windows\SysWOW64\Jcdjbk32.exe	Jngbjd32.exe
File opened for modification	C:\Windows\SysWOW64\Bgnffj32.exe	Baannc32.exe
File created	C:\Windows\SysWOW64\Hekgfj32.exe	Hpnoncim.exe
File created	C:\Windows\SysWOW64\Nkbjmj32.dll	Jcdjbk32.exe
File created	C:\Windows\SysWOW64\Bdmmeo32.exe	Aopemh32.exe
File created	C:\Windows\SysWOW64\Cgqlcg32.exe	Coegoe32.exe
File opened for modification	C:\Windows\SysWOW64\Dhbebj32.exe	Dpkmal32.exe
File created	C:\Windows\SysWOW64\Npdopj32.dll	Ilqoobdd.exe
File created	C:\Windows\SysWOW64\Nqpcjj32.exe	Nfjola32.exe
File created	C:\Windows\SysWOW64\Pdenmbkk.exe	Pjmjdm32.exe
File created	C:\Windows\SysWOW64\Mmjmhg32.dll	dd23d47effc55a92b4fb5a6e030a18d0_JC.exe
File created	C:\Windows\SysWOW64\Cleegp32.exe	Cbpajgmf.exe
File created	C:\Windows\SysWOW64\Gikdkj32.exe	Gpbpbecj.exe
File opened for modification	C:\Windows\SysWOW64\Hekgfj32.exe	Hpnoncim.exe
File created	C:\Windows\SysWOW64\Klhnfo32.exe	Kjeiodek.exe
File created	C:\Windows\SysWOW64\Mnmmboed.exe	Mfeeabda.exe
File created	C:\Windows\SysWOW64\Kllfakij.dll	Mgeakekd.exe
File opened for modification	C:\Windows\SysWOW64\Pnkbkk32.exe	Pdenmbkk.exe
File opened for modification	C:\Windows\SysWOW64\Qfkqjmdg.exe	Ppahmb32.exe
File created	C:\Windows\SysWOW64\Bghgmioe.dll	Cgqlcg32.exe
File opened for modification	C:\Windows\SysWOW64\Eppjfgcp.exe	Eifaim32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6064	1280	WerFault.exe	212

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lckiihok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occmjg32.dll"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dd23d47effc55a92b4fb5a6e030a18d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigbqakg.dll"	Eifaim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjafgpmo.dll"	Fmcjpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hoclopne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpefcn32.dll"	Jghpbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfgipd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ickglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klhnfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgphpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epmmqheb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eppjfgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqafhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobhb32.dll"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmeede32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chglab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Domdjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjamhbn.dll"	Dflfac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpnfge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibcaknbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgkmgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glkmmefl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnmmboed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opnbae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhblffgn.dll"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbenoa32.dll"	Cbbnpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eifaim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gidnkkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdaia32.dll"	Gikdkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkpophj.dll"	Hiipmhmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhejhfp.dll"	Jmeede32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbbnpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Feoodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfiji32.dll"	Nopfpgip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmgelf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gldglf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iliinc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klhnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gldglf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjmj32.dll"	Jcdjbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfgipd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnbme32.dll"	Gldglf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gikdkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiildio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjeiodek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllfakij.dll"	Mgeakekd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 3708	2248	dd23d47effc55a92b4fb5a6e030a18d0_JC.exe	86
PID 2248 wrote to memory of 3708	2248	dd23d47effc55a92b4fb5a6e030a18d0_JC.exe	86
PID 2248 wrote to memory of 3708	2248	dd23d47effc55a92b4fb5a6e030a18d0_JC.exe	86
PID 3708 wrote to memory of 2336	3708	Chglab32.exe	87
PID 3708 wrote to memory of 2336	3708	Chglab32.exe	87
PID 3708 wrote to memory of 2336	3708	Chglab32.exe	87
PID 2336 wrote to memory of 3124	2336	Cbpajgmf.exe	88
PID 2336 wrote to memory of 3124	2336	Cbpajgmf.exe	88
PID 2336 wrote to memory of 3124	2336	Cbpajgmf.exe	88
PID 3124 wrote to memory of 3736	3124	Cleegp32.exe	89
PID 3124 wrote to memory of 3736	3124	Cleegp32.exe	89
PID 3124 wrote to memory of 3736	3124	Cleegp32.exe	89
PID 3736 wrote to memory of 2608	3736	Cbbnpg32.exe	90
PID 3736 wrote to memory of 2608	3736	Cbbnpg32.exe	90
PID 3736 wrote to memory of 2608	3736	Cbbnpg32.exe	90
PID 2608 wrote to memory of 1776	2608	Ckjbhmad.exe	91
PID 2608 wrote to memory of 1776	2608	Ckjbhmad.exe	91
PID 2608 wrote to memory of 1776	2608	Ckjbhmad.exe	91
PID 1776 wrote to memory of 2376	1776	Dokgdkeh.exe	92
PID 1776 wrote to memory of 2376	1776	Dokgdkeh.exe	92
PID 1776 wrote to memory of 2376	1776	Dokgdkeh.exe	92
PID 2376 wrote to memory of 5024	2376	Domdjj32.exe	93
PID 2376 wrote to memory of 5024	2376	Domdjj32.exe	93
PID 2376 wrote to memory of 5024	2376	Domdjj32.exe	93
PID 5024 wrote to memory of 5092	5024	Dfglfdkb.exe	94
PID 5024 wrote to memory of 5092	5024	Dfglfdkb.exe	94
PID 5024 wrote to memory of 5092	5024	Dfglfdkb.exe	94
PID 5092 wrote to memory of 1164	5092	Dooaoj32.exe	95
PID 5092 wrote to memory of 1164	5092	Dooaoj32.exe	95
PID 5092 wrote to memory of 1164	5092	Dooaoj32.exe	95
PID 1164 wrote to memory of 1020	1164	Dfiildio.exe	96
PID 1164 wrote to memory of 1020	1164	Dfiildio.exe	96
PID 1164 wrote to memory of 1020	1164	Dfiildio.exe	96
PID 1020 wrote to memory of 4104	1020	Dkfadkgf.exe	97
PID 1020 wrote to memory of 4104	1020	Dkfadkgf.exe	97
PID 1020 wrote to memory of 4104	1020	Dkfadkgf.exe	97
PID 4104 wrote to memory of 4856	4104	Dflfac32.exe	98
PID 4104 wrote to memory of 4856	4104	Dflfac32.exe	98
PID 4104 wrote to memory of 4856	4104	Dflfac32.exe	98
PID 4856 wrote to memory of 772	4856	Dkhnjk32.exe	99
PID 4856 wrote to memory of 772	4856	Dkhnjk32.exe	99
PID 4856 wrote to memory of 772	4856	Dkhnjk32.exe	99
PID 772 wrote to memory of 1156	772	Eiloco32.exe	100
PID 772 wrote to memory of 1156	772	Eiloco32.exe	100
PID 772 wrote to memory of 1156	772	Eiloco32.exe	100
PID 1156 wrote to memory of 4232	1156	Enigke32.exe	101
PID 1156 wrote to memory of 4232	1156	Enigke32.exe	101
PID 1156 wrote to memory of 4232	1156	Enigke32.exe	101
PID 4232 wrote to memory of 2612	4232	Eiokinbk.exe	102
PID 4232 wrote to memory of 2612	4232	Eiokinbk.exe	102
PID 4232 wrote to memory of 2612	4232	Eiokinbk.exe	102
PID 2612 wrote to memory of 4920	2612	Eoideh32.exe	103
PID 2612 wrote to memory of 4920	2612	Eoideh32.exe	103
PID 2612 wrote to memory of 4920	2612	Eoideh32.exe	103
PID 4920 wrote to memory of 3216	4920	Eeelnp32.exe	104
PID 4920 wrote to memory of 3216	4920	Eeelnp32.exe	104
PID 4920 wrote to memory of 3216	4920	Eeelnp32.exe	104
PID 3216 wrote to memory of 3752	3216	Epmmqheb.exe	105
PID 3216 wrote to memory of 3752	3216	Epmmqheb.exe	105
PID 3216 wrote to memory of 3752	3216	Epmmqheb.exe	105
PID 3752 wrote to memory of 1896	3752	Eifaim32.exe	106
PID 3752 wrote to memory of 1896	3752	Eifaim32.exe	106
PID 3752 wrote to memory of 1896	3752	Eifaim32.exe	106
PID 1896 wrote to memory of 816	1896	Eppjfgcp.exe	107

C:\Users\Admin\AppData\Local\Temp\dd23d47effc55a92b4fb5a6e030a18d0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\dd23d47effc55a92b4fb5a6e030a18d0_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\Chglab32.exe
  C:\Windows\system32\Chglab32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\Cbpajgmf.exe
    C:\Windows\system32\Cbpajgmf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\Cleegp32.exe
      C:\Windows\system32\Cleegp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
      - C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Eifaim32.exe
        
        C:\Windows\system32\Eifaim32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:816
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        25⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3272
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        34⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        40⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        43⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        56⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:312
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Jcdjbk32.exe
        
        C:\Windows\system32\Jcdjbk32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        66⤵
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        69⤵
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        71⤵
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3636
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        78⤵
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        79⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        80⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        81⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        84⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        85⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        88⤵
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        90⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        94⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        95⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        99⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        101⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        107⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        108⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        110⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        119⤵
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        120⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 408
        121⤵
        Program crash
        
        PID:6064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1280 -ip 1280
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cbbnpg32.exe

Filesize
59KB

MD5
6be9e242d4d925be247ba38d661950bf

SHA1
d516379e0032992b6b39327d10e9d5e91d15b92c

SHA256
3c3876b91c228e968cd1b2fa73635e494fe6fe3ad8bcf10a4aa674487cc9e10a

SHA512
84fcc52797789eb414c2aa403adad911af34b6a126347de31b21aa6f91538474b1ab72ea6a057fcef9354554297c79aa5a3a9f93c8bda90dfb9cf81d4a18f5fd

Download Submit
C:\Windows\SysWOW64\Cbbnpg32.exe

Filesize
59KB

MD5
6be9e242d4d925be247ba38d661950bf

SHA1
d516379e0032992b6b39327d10e9d5e91d15b92c

SHA256
3c3876b91c228e968cd1b2fa73635e494fe6fe3ad8bcf10a4aa674487cc9e10a

SHA512
84fcc52797789eb414c2aa403adad911af34b6a126347de31b21aa6f91538474b1ab72ea6a057fcef9354554297c79aa5a3a9f93c8bda90dfb9cf81d4a18f5fd

Download Submit
C:\Windows\SysWOW64\Cbpajgmf.exe

Filesize
59KB

MD5
e9695c6bd680df209f89edd6137cd736

SHA1
567a4bdcfd70d4f0cfbf03140e77aee3532202b0

SHA256
eca34332cda3a678fd060ca6b44c1c02ad88c909c00ebe50f0437daf3f303000

SHA512
e10e0bf7364b45c9568889a8c488e97647abba83ff60238135be1432011d4560567a8d5c37df65bfb6415fd9ebdbf863b91dd9dcbf5a55dbb882a68b828273b2

Download Submit
C:\Windows\SysWOW64\Cbpajgmf.exe

Filesize
59KB

MD5
e9695c6bd680df209f89edd6137cd736

SHA1
567a4bdcfd70d4f0cfbf03140e77aee3532202b0

SHA256
eca34332cda3a678fd060ca6b44c1c02ad88c909c00ebe50f0437daf3f303000

SHA512
e10e0bf7364b45c9568889a8c488e97647abba83ff60238135be1432011d4560567a8d5c37df65bfb6415fd9ebdbf863b91dd9dcbf5a55dbb882a68b828273b2

Download Submit
C:\Windows\SysWOW64\Chglab32.exe

Filesize
59KB

MD5
54e5072c93a560a4a268d22619c2330e

SHA1
76671315f0de8ef921748bf60b47a7bc9ec1994e

SHA256
1542a6503ab27f7e394c1e14173e1fd5ae3f81bc494fba1024f6d08b825cf12c

SHA512
a7cd4099d69730a60e5d811f777920e3bede22e453b18b00f6fd8224d3b33a644e691455876fda590f42c3b8c930b5d61390c657705b1993283b62ad130d7a79

Download Submit
C:\Windows\SysWOW64\Chglab32.exe

Filesize
59KB

MD5
54e5072c93a560a4a268d22619c2330e

SHA1
76671315f0de8ef921748bf60b47a7bc9ec1994e

SHA256
1542a6503ab27f7e394c1e14173e1fd5ae3f81bc494fba1024f6d08b825cf12c

SHA512
a7cd4099d69730a60e5d811f777920e3bede22e453b18b00f6fd8224d3b33a644e691455876fda590f42c3b8c930b5d61390c657705b1993283b62ad130d7a79

Download Submit
C:\Windows\SysWOW64\Ckjbhmad.exe

Filesize
59KB

MD5
fa0f99df58e81eaa2e9569af10bcfeef

SHA1
72791607338aad5c137226a120b56888bacc7452

SHA256
e85de014dbe652d19b8d4b4978d2974ba4f8d5a9329a5e5c17b95fee753ef969

SHA512
35919314da9075ce462b74b465923f4e3fbfb81862ba9fbaf0658a90ffdb5ce2838efb22c213d8d92c2e83fecb108e4ea56c88a7f3abf09d6185afab168c9b68

Download Submit
C:\Windows\SysWOW64\Ckjbhmad.exe

Filesize
59KB

MD5
fa0f99df58e81eaa2e9569af10bcfeef

SHA1
72791607338aad5c137226a120b56888bacc7452

SHA256
e85de014dbe652d19b8d4b4978d2974ba4f8d5a9329a5e5c17b95fee753ef969

SHA512
35919314da9075ce462b74b465923f4e3fbfb81862ba9fbaf0658a90ffdb5ce2838efb22c213d8d92c2e83fecb108e4ea56c88a7f3abf09d6185afab168c9b68

Download Submit
C:\Windows\SysWOW64\Cleegp32.exe

Filesize
59KB

MD5
79d8ffb1d95229d83bfda57a55741eba

SHA1
9e3279bff722fd516fa7357c0d9a9312d6c598c7

SHA256
2ceb7a506969197948760b0f3aab1d038ff7311aac25533c3346a67917a24d5f

SHA512
7343e2fa36033919cc897b6572944425f9053adfa918e423fa731dad49dfdd2c516a411bb5511fa5974b54244d353696b9894fa8931bc99629d58aa675c2d00c

Download Submit
C:\Windows\SysWOW64\Cleegp32.exe

Filesize
59KB

MD5
79d8ffb1d95229d83bfda57a55741eba

SHA1
9e3279bff722fd516fa7357c0d9a9312d6c598c7

SHA256
2ceb7a506969197948760b0f3aab1d038ff7311aac25533c3346a67917a24d5f

SHA512
7343e2fa36033919cc897b6572944425f9053adfa918e423fa731dad49dfdd2c516a411bb5511fa5974b54244d353696b9894fa8931bc99629d58aa675c2d00c

Download Submit
C:\Windows\SysWOW64\Dfglfdkb.exe

Filesize
59KB

MD5
9bbcdb6ac9c8a8a3b546d2b46c7a5685

SHA1
6071406c487f554022dcf6dfbf88313f7ea7e5f2

SHA256
3fbe06c765c913fe9ab550aa1b4c791e5a2cf94c57e033348256d6c17870579b

SHA512
c53fdeb8da8f6fe473254c198c4916c5508fb3d7ba8b7a1dfe3786333e70fb8ce6c0835ed26e97ea0189dc2b5c36f79f6b547b3173d9ddf1eda265bb98595cbc

Download Submit
C:\Windows\SysWOW64\Dfglfdkb.exe

Filesize
59KB

MD5
9bbcdb6ac9c8a8a3b546d2b46c7a5685

SHA1
6071406c487f554022dcf6dfbf88313f7ea7e5f2

SHA256
3fbe06c765c913fe9ab550aa1b4c791e5a2cf94c57e033348256d6c17870579b

SHA512
c53fdeb8da8f6fe473254c198c4916c5508fb3d7ba8b7a1dfe3786333e70fb8ce6c0835ed26e97ea0189dc2b5c36f79f6b547b3173d9ddf1eda265bb98595cbc

Download Submit
C:\Windows\SysWOW64\Dfiildio.exe

Filesize
59KB

MD5
4f945852b45684a3e895c3b172d3d059

SHA1
fa43b572f40d8fc6c0b332b8ca1b50d9bc222557

SHA256
2c3878664c2bcede86c6fdd4f7bc70707fa3fca5f088a830c89db33d4403c4c6

SHA512
37aef55a7d6ab3ab935472aba62d80590eb8d822d84275762766c6bd5887c8f450d7f0744e0703998fbed8d8cbc5fa5144ebad5c5ca86273c9dbdf078b2b02cb

Download Submit
C:\Windows\SysWOW64\Dfiildio.exe

Filesize
59KB

MD5
4f945852b45684a3e895c3b172d3d059

SHA1
fa43b572f40d8fc6c0b332b8ca1b50d9bc222557

SHA256
2c3878664c2bcede86c6fdd4f7bc70707fa3fca5f088a830c89db33d4403c4c6

SHA512
37aef55a7d6ab3ab935472aba62d80590eb8d822d84275762766c6bd5887c8f450d7f0744e0703998fbed8d8cbc5fa5144ebad5c5ca86273c9dbdf078b2b02cb

Download Submit
C:\Windows\SysWOW64\Dflfac32.exe

Filesize
59KB

MD5
d3dc7dd413a71c293deb766d56401675

SHA1
d9c1934d6c20a56a823ad54a5a457f13253cbc17

SHA256
ca540e77ab7d04b80216f77216b64cfe9d99b9699d201d6fb16d6ae7bbda146e

SHA512
b6791dd6a496d46370b4df5308c1382f1f9e9269079bdd9ebac3844adbe02023462760972db68676a8bdec13f7150a22ac3931162967233a04fafe38f8e334bb

Download Submit
C:\Windows\SysWOW64\Dflfac32.exe

Filesize
59KB

MD5
d3dc7dd413a71c293deb766d56401675

SHA1
d9c1934d6c20a56a823ad54a5a457f13253cbc17

SHA256
ca540e77ab7d04b80216f77216b64cfe9d99b9699d201d6fb16d6ae7bbda146e

SHA512
b6791dd6a496d46370b4df5308c1382f1f9e9269079bdd9ebac3844adbe02023462760972db68676a8bdec13f7150a22ac3931162967233a04fafe38f8e334bb

Download Submit
C:\Windows\SysWOW64\Dkfadkgf.exe

Filesize
59KB

MD5
e3dac8e896f10b777c053480513a6d94

SHA1
cc8bab215dfe80db20f40d52e041c006742ccde8

SHA256
0db596ed244c6f32124a91584deaa8448f52c4876f33f8f6892052c094e33a3c

SHA512
446e4ccbc94bfcc7d17d22ec510381def2a140e679f2bbe777e44947b2a5ba0b2345af53a8c02e7060f96f28def67ece05bc7686331673e4645c332164f26a0d

Download Submit
C:\Windows\SysWOW64\Dkfadkgf.exe

Filesize
59KB

MD5
e3dac8e896f10b777c053480513a6d94

SHA1
cc8bab215dfe80db20f40d52e041c006742ccde8

SHA256
0db596ed244c6f32124a91584deaa8448f52c4876f33f8f6892052c094e33a3c

SHA512
446e4ccbc94bfcc7d17d22ec510381def2a140e679f2bbe777e44947b2a5ba0b2345af53a8c02e7060f96f28def67ece05bc7686331673e4645c332164f26a0d

Download Submit
C:\Windows\SysWOW64\Dkhnjk32.exe

Filesize
59KB

MD5
2ae6f7a9f035b4089a4fbdae81d773c9

SHA1
30808a2444f31de42f3b125cb650b1ef712c01fe

SHA256
c539b911980fbe089cadde196131ad6de50dae5197b4a03def68295374ea053c

SHA512
cb1abdc3b47dc6cd888a2ed7cf8de0c77d38801a1686f74c7b18e1ff2b7d11ac6eecd93bbb01026d5618160cea4f0fa230f42244c9d41e4ff78d45481621d8e1

Download Submit
C:\Windows\SysWOW64\Dkhnjk32.exe

Filesize
59KB

MD5
2ae6f7a9f035b4089a4fbdae81d773c9

SHA1
30808a2444f31de42f3b125cb650b1ef712c01fe

SHA256
c539b911980fbe089cadde196131ad6de50dae5197b4a03def68295374ea053c

SHA512
cb1abdc3b47dc6cd888a2ed7cf8de0c77d38801a1686f74c7b18e1ff2b7d11ac6eecd93bbb01026d5618160cea4f0fa230f42244c9d41e4ff78d45481621d8e1

Download Submit
C:\Windows\SysWOW64\Dokgdkeh.exe

Filesize
59KB

MD5
cb0e39d746ad45665b3ee60a78b0493f

SHA1
f740fec79ca68cc04a1a06abf5ab93ba35ce41b5

SHA256
c63f4c2f9a6a54763d03463c0051554e082195b501999988b5435e5c89a0cb53

SHA512
c4376b72f78bc4e0bfcf14f13a8b350be2137e27f66ba1add8f1435797d9e41259bc6e136df45cdaf5289012e76ad11ced174c3b05a9d55ab1dc3042eeb663c1

Download Submit
C:\Windows\SysWOW64\Dokgdkeh.exe

Filesize
59KB

MD5
cb0e39d746ad45665b3ee60a78b0493f

SHA1
f740fec79ca68cc04a1a06abf5ab93ba35ce41b5

SHA256
c63f4c2f9a6a54763d03463c0051554e082195b501999988b5435e5c89a0cb53

SHA512
c4376b72f78bc4e0bfcf14f13a8b350be2137e27f66ba1add8f1435797d9e41259bc6e136df45cdaf5289012e76ad11ced174c3b05a9d55ab1dc3042eeb663c1

Download Submit
C:\Windows\SysWOW64\Domdjj32.exe

Filesize
59KB

MD5
0d6a7ea7a849c23e38c3c1aa32be312a

SHA1
4590464f4f46f2614d9da96941f3d6eadeb491e4

SHA256
1145b74c62fdcb4890fcde15fbc349b0ae53a31b03569d73c31c98f2e808d947

SHA512
23098313892f57963e923d4dc4b8a3a66487a20a837ef7bd94a1563c1f26a8b7c2f60fdc585a5ee4c6070ffbc3281a4e6b5f52efb91d808b0888950fd609ea46

Download Submit
C:\Windows\SysWOW64\Domdjj32.exe

Filesize
59KB

MD5
0d6a7ea7a849c23e38c3c1aa32be312a

SHA1
4590464f4f46f2614d9da96941f3d6eadeb491e4

SHA256
1145b74c62fdcb4890fcde15fbc349b0ae53a31b03569d73c31c98f2e808d947

SHA512
23098313892f57963e923d4dc4b8a3a66487a20a837ef7bd94a1563c1f26a8b7c2f60fdc585a5ee4c6070ffbc3281a4e6b5f52efb91d808b0888950fd609ea46

Download Submit
C:\Windows\SysWOW64\Dooaoj32.exe

Filesize
59KB

MD5
3b0d1af76860d8c20c0ac0357db38932

SHA1
dbdbb5883e6625e10c1c4f40e4fd503fc39ed36b

SHA256
5e0263c9574ecb18753743dc4bc9dc691e3c2b2f8c981353f1a1c83b3038eecb

SHA512
e9dbf8a3ccd4f338fcbf34ff3c054edd7834b9ada86f74f3ffc8c722ac279026bdd023e14414394060dbf43def25172bac6effda9b9dac4ed569a410927fa5f1

Download Submit
C:\Windows\SysWOW64\Dooaoj32.exe

Filesize
59KB

MD5
3b0d1af76860d8c20c0ac0357db38932

SHA1
dbdbb5883e6625e10c1c4f40e4fd503fc39ed36b

SHA256
5e0263c9574ecb18753743dc4bc9dc691e3c2b2f8c981353f1a1c83b3038eecb

SHA512
e9dbf8a3ccd4f338fcbf34ff3c054edd7834b9ada86f74f3ffc8c722ac279026bdd023e14414394060dbf43def25172bac6effda9b9dac4ed569a410927fa5f1

Download Submit
C:\Windows\SysWOW64\Ebnfbcbc.exe

Filesize
59KB

MD5
a14bb4bc2ae536bb898fbd18d314ae31

SHA1
7d9e7d442470fddc9bb9803fb7f53583b7fbb605

SHA256
f77505ef08ede439d00f293a154f336a36c59f06732f513a0a9664ce9c4e7dc0

SHA512
3e9cc98e2077370b8dcfbf8c5e0420019f88179c192970f37f3c05998bf6ecef34050a516e08d95dcf6917a1c612a8e16a0ff9b44b7d189ec21aa0c7dbdec54c

Download Submit
C:\Windows\SysWOW64\Ebnfbcbc.exe

Filesize
59KB

MD5
a14bb4bc2ae536bb898fbd18d314ae31

SHA1
7d9e7d442470fddc9bb9803fb7f53583b7fbb605

SHA256
f77505ef08ede439d00f293a154f336a36c59f06732f513a0a9664ce9c4e7dc0

SHA512
3e9cc98e2077370b8dcfbf8c5e0420019f88179c192970f37f3c05998bf6ecef34050a516e08d95dcf6917a1c612a8e16a0ff9b44b7d189ec21aa0c7dbdec54c

Download Submit
C:\Windows\SysWOW64\Eeelnp32.exe

Filesize
59KB

MD5
147b302066f713e6c71f61333e590976

SHA1
cb22cd3d7ab78b50a6b538e1a43be187fd86d8b3

SHA256
3263a3adf9c4df74cc4a9709e55665cbfb24fc267c0a35262677fbae5da85446

SHA512
e7e329e09bbbb7eb739e57c1635ca44036b0d77e60bbc946cdf3471abf98a9868e51098aa29b0f8643aedf1f86e52ca7b74030d1f93c08d83d4faf6c68603fbf

Download Submit
C:\Windows\SysWOW64\Eeelnp32.exe

Filesize
59KB

MD5
147b302066f713e6c71f61333e590976

SHA1
cb22cd3d7ab78b50a6b538e1a43be187fd86d8b3

SHA256
3263a3adf9c4df74cc4a9709e55665cbfb24fc267c0a35262677fbae5da85446

SHA512
e7e329e09bbbb7eb739e57c1635ca44036b0d77e60bbc946cdf3471abf98a9868e51098aa29b0f8643aedf1f86e52ca7b74030d1f93c08d83d4faf6c68603fbf

Download Submit
C:\Windows\SysWOW64\Eeelnp32.exe

Filesize
59KB

MD5
147b302066f713e6c71f61333e590976

SHA1
cb22cd3d7ab78b50a6b538e1a43be187fd86d8b3

SHA256
3263a3adf9c4df74cc4a9709e55665cbfb24fc267c0a35262677fbae5da85446

SHA512
e7e329e09bbbb7eb739e57c1635ca44036b0d77e60bbc946cdf3471abf98a9868e51098aa29b0f8643aedf1f86e52ca7b74030d1f93c08d83d4faf6c68603fbf

Download Submit
C:\Windows\SysWOW64\Eifaim32.exe

Filesize
59KB

MD5
da08072569acbba2ec42bded8a8afa61

SHA1
c1052f48cf7e1268ca0ada512f5071b369108a03

SHA256
853ce8bb302ea4ab3f3b4502a6b75afe5cd9505046e93fb30a1efd2a7206bdcc

SHA512
9ed991a2fc3dabd77e85f4c62b627c6e7f56614f7da9f1034d2df4e2bd83babdead80bb4fb4f0f5abeade22aca9f20aac0c9417128a18a5c6473bfddb6ce8dbd

Download Submit
C:\Windows\SysWOW64\Eifaim32.exe

Filesize
59KB

MD5
da08072569acbba2ec42bded8a8afa61

SHA1
c1052f48cf7e1268ca0ada512f5071b369108a03

SHA256
853ce8bb302ea4ab3f3b4502a6b75afe5cd9505046e93fb30a1efd2a7206bdcc

SHA512
9ed991a2fc3dabd77e85f4c62b627c6e7f56614f7da9f1034d2df4e2bd83babdead80bb4fb4f0f5abeade22aca9f20aac0c9417128a18a5c6473bfddb6ce8dbd

Download Submit
C:\Windows\SysWOW64\Eiloco32.exe

Filesize
59KB

MD5
dd48af26acce4aed3630c5e22a6a3b21

SHA1
6874395a6dcc74fa7d002513cc637bfb2bd54479

SHA256
e3b310740dfdf73974e76699952113d9cbf1dabd9d70d1ad1141fa6f3c1e7a56

SHA512
ecc01c41f6a85c01f3c31941cffad62a8a3b9c8ac80af4575f5b0857a2bd0b5f93e30495de32e43394b4ef1a26e1e65be98305e1e117eeb5e97315b0cf175d85

Download Submit
C:\Windows\SysWOW64\Eiloco32.exe

Filesize
59KB

MD5
dd48af26acce4aed3630c5e22a6a3b21

SHA1
6874395a6dcc74fa7d002513cc637bfb2bd54479

SHA256
e3b310740dfdf73974e76699952113d9cbf1dabd9d70d1ad1141fa6f3c1e7a56

SHA512
ecc01c41f6a85c01f3c31941cffad62a8a3b9c8ac80af4575f5b0857a2bd0b5f93e30495de32e43394b4ef1a26e1e65be98305e1e117eeb5e97315b0cf175d85

Download Submit
C:\Windows\SysWOW64\Eiokinbk.exe

Filesize
59KB

MD5
a1006aeb7de767c46224cfcafd987236

SHA1
63981432e389e8bdfe7479a3d3133539287d8278

SHA256
3ce2f1bbecd253d86a48802dcd8ebf10a623557829b0927d170632953d547879

SHA512
2ad1ff926061e6b6ea8002c39ea517e740488ad25f228b7b8c45c455aff4574631f7c36f2d72cb90e481f8ac4e5a42a6a605085f8fea9e1577c63009c450114d

Download Submit
C:\Windows\SysWOW64\Eiokinbk.exe

Filesize
59KB

MD5
a1006aeb7de767c46224cfcafd987236

SHA1
63981432e389e8bdfe7479a3d3133539287d8278

SHA256
3ce2f1bbecd253d86a48802dcd8ebf10a623557829b0927d170632953d547879

SHA512
2ad1ff926061e6b6ea8002c39ea517e740488ad25f228b7b8c45c455aff4574631f7c36f2d72cb90e481f8ac4e5a42a6a605085f8fea9e1577c63009c450114d

Download Submit
C:\Windows\SysWOW64\Enigke32.exe

Filesize
59KB

MD5
2455f35fa6ab28b75f922461369fdb3e

SHA1
7062b36e2d58bcdd9c3dcd8be721d0036d1cc7b1

SHA256
f9b4d614e73c50a528f7433ac0bc1ec7835d4a3c8269fac78e41cc92990e5316

SHA512
08422d9c55cb19ad41b3392db08b24a91306eba5e42c854958aadbde8d1c5b9a6f426da4b13f79107888deed0577bfbfc55605577adc302681f87636b593c1e9

Download Submit
C:\Windows\SysWOW64\Enigke32.exe

Filesize
59KB

MD5
2455f35fa6ab28b75f922461369fdb3e

SHA1
7062b36e2d58bcdd9c3dcd8be721d0036d1cc7b1

SHA256
f9b4d614e73c50a528f7433ac0bc1ec7835d4a3c8269fac78e41cc92990e5316

SHA512
08422d9c55cb19ad41b3392db08b24a91306eba5e42c854958aadbde8d1c5b9a6f426da4b13f79107888deed0577bfbfc55605577adc302681f87636b593c1e9

Download Submit
C:\Windows\SysWOW64\Eoideh32.exe

Filesize
59KB

MD5
74a81ca0473496dfb3ed8f3147bf25ec

SHA1
ce07c4ed7133375cb0a0ab228c465ba50260075f

SHA256
5d255d1e9b42e5c065527a66fca2a651e047500c43298b96a7e8967e351ac8fc

SHA512
cf37abd57ab3f8b6ce1960e01ec464a9cbbb8cf279e0a12dc2217d1a9ea381a00f01d11a277ca584406b94e739aa89fb3c7dc798326e0fb7de806e65a4fe3d2e

Download Submit
C:\Windows\SysWOW64\Eoideh32.exe

Filesize
59KB

MD5
74a81ca0473496dfb3ed8f3147bf25ec

SHA1
ce07c4ed7133375cb0a0ab228c465ba50260075f

SHA256
5d255d1e9b42e5c065527a66fca2a651e047500c43298b96a7e8967e351ac8fc

SHA512
cf37abd57ab3f8b6ce1960e01ec464a9cbbb8cf279e0a12dc2217d1a9ea381a00f01d11a277ca584406b94e739aa89fb3c7dc798326e0fb7de806e65a4fe3d2e

Download Submit
C:\Windows\SysWOW64\Epmmqheb.exe

Filesize
59KB

MD5
0cfc5b23af4412eea6269c003925b18b

SHA1
5f0291b333c6ceceeb201d868994c8b693fba2c8

SHA256
6bbbad16a6a911582abaaf5445570f4157107c2994060d97d4dd996dd2b1d3b2

SHA512
1eccbd9570fc5568fd5689074bc5a097dcf95346d80e376ef7644c79bffc2e7dcbfd1cf6369de5985c8aa9f12372a295b6a9efa8cdb885bc98e29dcd42c35bfd

Download Submit
C:\Windows\SysWOW64\Epmmqheb.exe

Filesize
59KB

MD5
0cfc5b23af4412eea6269c003925b18b

SHA1
5f0291b333c6ceceeb201d868994c8b693fba2c8

SHA256
6bbbad16a6a911582abaaf5445570f4157107c2994060d97d4dd996dd2b1d3b2

SHA512
1eccbd9570fc5568fd5689074bc5a097dcf95346d80e376ef7644c79bffc2e7dcbfd1cf6369de5985c8aa9f12372a295b6a9efa8cdb885bc98e29dcd42c35bfd

Download Submit
C:\Windows\SysWOW64\Eppjfgcp.exe

Filesize
59KB

MD5
8896e3fe59096c1129c4aba9f0e47902

SHA1
11be38200ec3b8dbb3e51d00f2d1175e4e279afc

SHA256
b0ce4f83e2427ca012e3e10ff2ce4d0343e1b9e067f7f011288ea00f02a2e226

SHA512
fcbced92117f6f85acdd125717b4d01c2073f31e9f2f324eec2f49608f2c7b3ab2fb0ca06912f7a16d54c550dfbc063a31473b1df0329e165ffd8a2c23f0ba85

Download Submit
C:\Windows\SysWOW64\Eppjfgcp.exe

Filesize
59KB

MD5
8896e3fe59096c1129c4aba9f0e47902

SHA1
11be38200ec3b8dbb3e51d00f2d1175e4e279afc

SHA256
b0ce4f83e2427ca012e3e10ff2ce4d0343e1b9e067f7f011288ea00f02a2e226

SHA512
fcbced92117f6f85acdd125717b4d01c2073f31e9f2f324eec2f49608f2c7b3ab2fb0ca06912f7a16d54c550dfbc063a31473b1df0329e165ffd8a2c23f0ba85

Download Submit
C:\Windows\SysWOW64\Fealin32.exe

Filesize
59KB

MD5
df4a150d2acd218373c5478000b62d9c

SHA1
230ddeba1be7d222bac9da155a3b764c9586f0e3

SHA256
cb4ffbd56f55c171d7832d3fa708f11bc8a073851f6fe1733480160b60d473bc

SHA512
48d56fac8e4d256017b653167efa35639197a30a2739aa203a3a642fa4ecb9d17929aac403b3b44e4d373d6d9fde4e92ab699040beaf4e262e567f5b987e67c6

Download Submit
C:\Windows\SysWOW64\Fealin32.exe

Filesize
59KB

MD5
df4a150d2acd218373c5478000b62d9c

SHA1
230ddeba1be7d222bac9da155a3b764c9586f0e3

SHA256
cb4ffbd56f55c171d7832d3fa708f11bc8a073851f6fe1733480160b60d473bc

SHA512
48d56fac8e4d256017b653167efa35639197a30a2739aa203a3a642fa4ecb9d17929aac403b3b44e4d373d6d9fde4e92ab699040beaf4e262e567f5b987e67c6

Download Submit
C:\Windows\SysWOW64\Feoodn32.exe

Filesize
59KB

MD5
0a14ec64ae758ec010ab3ceb5e4e3cfa

SHA1
c28744015720f70fdcee948dd9b577f9b735fa97

SHA256
ddfc55decbe3868235be5c2743e3adef7041d85a2647c169e7eea6122cff1635

SHA512
158361f748ae8d531918b3cd0c4a7c7536095887f48ccc9811e215939d3115695cc00ecfac6402273f223807b0be0900fc9c2a83b5c39e5f70d9ff3ea412bb82

Download Submit
C:\Windows\SysWOW64\Feoodn32.exe

Filesize
59KB

MD5
0a14ec64ae758ec010ab3ceb5e4e3cfa

SHA1
c28744015720f70fdcee948dd9b577f9b735fa97

SHA256
ddfc55decbe3868235be5c2743e3adef7041d85a2647c169e7eea6122cff1635

SHA512
158361f748ae8d531918b3cd0c4a7c7536095887f48ccc9811e215939d3115695cc00ecfac6402273f223807b0be0900fc9c2a83b5c39e5f70d9ff3ea412bb82

Download Submit
C:\Windows\SysWOW64\Fiaael32.exe

Filesize
59KB

MD5
72f40277c40e036d102cf3fc7232d268

SHA1
9ece2fd4635e511ea63a968766426e1fa4993703

SHA256
7df733a0892f7541eac274e08c165d5b39d76c3ca5e05b0a855e090ea06595d5

SHA512
93279ba1925435206fa5e05dca881876a49c50349e02ad09e27083c173a63891787a0c574e60c2d1865e0692c79c2b6ac4ae4ebd51b412d659a0037d83e92e7e

Download Submit
C:\Windows\SysWOW64\Fiaael32.exe

Filesize
59KB

MD5
72f40277c40e036d102cf3fc7232d268

SHA1
9ece2fd4635e511ea63a968766426e1fa4993703

SHA256
7df733a0892f7541eac274e08c165d5b39d76c3ca5e05b0a855e090ea06595d5

SHA512
93279ba1925435206fa5e05dca881876a49c50349e02ad09e27083c173a63891787a0c574e60c2d1865e0692c79c2b6ac4ae4ebd51b412d659a0037d83e92e7e

Download Submit
C:\Windows\SysWOW64\Flkdfh32.exe

Filesize
59KB

MD5
30772ae89c40ea8453fd601f654b43f8

SHA1
0a7f72e4100a6422cdf44009aee27cad2a8a5847

SHA256
56bd8ad640613f7adba1c4f9a9aa428f6921ddbefd5dfada4ae4d1fdc3e8887a

SHA512
0e83153202ea7e0656a1e1071b3857ed5974f3b7b622a38cbaddfb601866bb2bf6a37ffd03df1744fc4ed248d8d6505b90918ff5f3feb375413e00a53c866d96

Download Submit
C:\Windows\SysWOW64\Flkdfh32.exe

Filesize
59KB

MD5
30772ae89c40ea8453fd601f654b43f8

SHA1
0a7f72e4100a6422cdf44009aee27cad2a8a5847

SHA256
56bd8ad640613f7adba1c4f9a9aa428f6921ddbefd5dfada4ae4d1fdc3e8887a

SHA512
0e83153202ea7e0656a1e1071b3857ed5974f3b7b622a38cbaddfb601866bb2bf6a37ffd03df1744fc4ed248d8d6505b90918ff5f3feb375413e00a53c866d96

Download Submit
C:\Windows\SysWOW64\Fmcjpl32.exe

Filesize
59KB

MD5
84b8231beaf2ce749623426f88fe6601

SHA1
c3cc6666bbd89b88bb430aca044263449d6ed76d

SHA256
74eda520acaad1e1cbcffe28388f8eca35583861e86375ae4692fac82ae00964

SHA512
b65c8d5ffbcbbaac6c98c2ed6fa6d4915201de72e60bec37b7b75b50f54c7fc38e39901dc6f553877f6d81a87112fef5dade35098be2adcb96f94d76556cd3d4

Download Submit
C:\Windows\SysWOW64\Fmcjpl32.exe

Filesize
59KB

MD5
84b8231beaf2ce749623426f88fe6601

SHA1
c3cc6666bbd89b88bb430aca044263449d6ed76d

SHA256
74eda520acaad1e1cbcffe28388f8eca35583861e86375ae4692fac82ae00964

SHA512
b65c8d5ffbcbbaac6c98c2ed6fa6d4915201de72e60bec37b7b75b50f54c7fc38e39901dc6f553877f6d81a87112fef5dade35098be2adcb96f94d76556cd3d4

Download Submit
C:\Windows\SysWOW64\Fmkqpkla.exe

Filesize
59KB

MD5
dc9416fff1cb79d6ec223adf37b33883

SHA1
a8897ac96f7404d1920dca52e3062b206199f749

SHA256
13bc733c309760dfc8e22bd80bfad1c18165980338e495c07ed669a6c6a3d0f7

SHA512
a0b9fc74505b39aae96cc65558fc0ab16744ed8dac044d6ca55422cfcd3ec9f9490927f233a94302aa15aeecea3f74a26039313ceb57978cfcc6008d5364ace2

Download Submit
C:\Windows\SysWOW64\Fmkqpkla.exe

Filesize
59KB

MD5
dc9416fff1cb79d6ec223adf37b33883

SHA1
a8897ac96f7404d1920dca52e3062b206199f749

SHA256
13bc733c309760dfc8e22bd80bfad1c18165980338e495c07ed669a6c6a3d0f7

SHA512
a0b9fc74505b39aae96cc65558fc0ab16744ed8dac044d6ca55422cfcd3ec9f9490927f233a94302aa15aeecea3f74a26039313ceb57978cfcc6008d5364ace2

Download Submit
C:\Windows\SysWOW64\Fneggdhg.exe

Filesize
59KB

MD5
58d3c4f9e1b1c02d00180c24fe3e46f5

SHA1
0da9a1ec3bae0d4ad19d9f647296ed5d9139483f

SHA256
d5229da4ee7d5cd0591fd45be376d222b2dc815a88732375d0ff907c230003ed

SHA512
957beab0f2ca16f42b56cff344188e64de97697aa005d4c8466387f844ff307c92469d4a5a0498375495fb2cc7b888290f346d1679c9b46f6e932b5bad295e4d

Download Submit
C:\Windows\SysWOW64\Fneggdhg.exe

Filesize
59KB

MD5
58d3c4f9e1b1c02d00180c24fe3e46f5

SHA1
0da9a1ec3bae0d4ad19d9f647296ed5d9139483f

SHA256
d5229da4ee7d5cd0591fd45be376d222b2dc815a88732375d0ff907c230003ed

SHA512
957beab0f2ca16f42b56cff344188e64de97697aa005d4c8466387f844ff307c92469d4a5a0498375495fb2cc7b888290f346d1679c9b46f6e932b5bad295e4d

Download Submit
C:\Windows\SysWOW64\Fnnjmbpm.exe

Filesize
59KB

MD5
4e8ec346bdd1f1b498d16ae4890bf0fa

SHA1
32609c8cc268abad849bcea70ccaa359ee565307

SHA256
33cdd8ea2489a459c71431b92313eeb68d86c264d6818abfb24fb84ac720da87

SHA512
5eeb655ae7e2b706eff8ab2bbef93daaaa6222c0d6f4a9a7a6c316a460aba2db7ae90c1473f4093cef546630616e1a32c21037aac7e0348e5ef25fae84027b34

Download Submit
C:\Windows\SysWOW64\Fnnjmbpm.exe

Filesize
59KB

MD5
4e8ec346bdd1f1b498d16ae4890bf0fa

SHA1
32609c8cc268abad849bcea70ccaa359ee565307

SHA256
33cdd8ea2489a459c71431b92313eeb68d86c264d6818abfb24fb84ac720da87

SHA512
5eeb655ae7e2b706eff8ab2bbef93daaaa6222c0d6f4a9a7a6c316a460aba2db7ae90c1473f4093cef546630616e1a32c21037aac7e0348e5ef25fae84027b34

Download Submit
C:\Windows\SysWOW64\Gidnkkpc.exe

Filesize
59KB

MD5
e046311d695c6fbb63e0837a92119a47

SHA1
01adaf20644705d9a2a64fa932f3ff79e4c0eb61

SHA256
7ab840a9baf6bcaea5313d7d671736e6c3a2b6b875c9641e6b4a137d14cc36bd

SHA512
19946402ec39e5f72cc623c6c33199e0fa1e7e8f3ecf3becee6196ac5ba3ad867b11206093badd21289b8130c4a77470d71054df4953a5ed013387ad7030afd0

Download Submit
C:\Windows\SysWOW64\Gidnkkpc.exe

Filesize
59KB

MD5
e046311d695c6fbb63e0837a92119a47

SHA1
01adaf20644705d9a2a64fa932f3ff79e4c0eb61

SHA256
7ab840a9baf6bcaea5313d7d671736e6c3a2b6b875c9641e6b4a137d14cc36bd

SHA512
19946402ec39e5f72cc623c6c33199e0fa1e7e8f3ecf3becee6196ac5ba3ad867b11206093badd21289b8130c4a77470d71054df4953a5ed013387ad7030afd0

Download Submit
C:\Windows\SysWOW64\Gpnfge32.exe

Filesize
59KB

MD5
36c0713860c4c9233c087a3972bf38ff

SHA1
34a146d4d1ca4ea475e7ab74c90c545218ed80c9

SHA256
7c46662b411bfbfae675ae6eb1f6b94c343fe85be98c95cca35aa34a8bb0444d

SHA512
d1fae8a3e44f4f4361ca7139ba83634862c005ba3bce336b5705ea29eb6639604cedf6e3c6dff0f52333b727cf0b56143ac3c51d5e2035a56349c1ff1f68f138

Download Submit
C:\Windows\SysWOW64\Gpnfge32.exe

Filesize
59KB

MD5
36c0713860c4c9233c087a3972bf38ff

SHA1
34a146d4d1ca4ea475e7ab74c90c545218ed80c9

SHA256
7c46662b411bfbfae675ae6eb1f6b94c343fe85be98c95cca35aa34a8bb0444d

SHA512
d1fae8a3e44f4f4361ca7139ba83634862c005ba3bce336b5705ea29eb6639604cedf6e3c6dff0f52333b727cf0b56143ac3c51d5e2035a56349c1ff1f68f138

Download Submit
C:\Windows\SysWOW64\Jgkmgk32.exe

Filesize
59KB

MD5
777352bc66c5996b110dc9bda079a7ad

SHA1
1a5956d6e0677c78b6261602953cc69a1efe3099

SHA256
27d8d00d6cc672de155bbc00b5e85cc13277aa779c282617c9b513dbda45a22d

SHA512
067ead87fd14306529bb37c3a006c592666fc08d1904cdddbab029a8697f4401aa3272b3e9a039dca1f62c6bf242c28e9082e74d5582fa77664c972743fc5371

Download Submit
C:\Windows\SysWOW64\Kgnbdh32.exe

Filesize
59KB

MD5
ef4ab4036dac1b8f4c9ea82c8832b884

SHA1
387a8710a0e7fa245e449961b6fcd73a38cc2b96

SHA256
657895f633fc3be03b9b36807219016e437cb8c8e66642532ab5d1500b2a3ff2

SHA512
b615092e3685f4a585946fabb5091a3badbcbc640e31496a7fb17bcc8624b1afc45b670c842402916b4b0a705327a7c304e36d0b1d53baf30e5872ea462f625a

Download Submit
C:\Windows\SysWOW64\Nopfpgip.exe

Filesize
59KB

MD5
ac3f02199bcc19c7d50893c38cf59cdd

SHA1
729a4ba8917163e43013d0fd9c4f55c899718a92

SHA256
59e4115ef2b0a8b1a732264dd4ccc4148bf30e17cbd5bd60a4a718939957eac4

SHA512
12745507c582061826c86d04020ecba65070e608870e3d9b418b8f4d57ebe80be59686fa2010ff0cbf288f590dfac8cc877aa7ff8194cb978b7fcbd0681e7ad4

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
59KB

MD5
b1751c05386648e0aecc59b7c4c1a622

SHA1
1922e764c2f930094d42ffd5d63ca20e0adde38e

SHA256
13acef0329b907c6c2d7b6634e4948ee5b198f05990ce6647dd869cb7db2815a

SHA512
97c5096df2641f376ee2cb7454dde705d714939055d3a55e56968167ba6864f7ab31e29752995438af7f557fbfaf12a93ce4f5085ef09e411e2e322f0d51af8f

Download Submit
C:\Windows\SysWOW64\Pnfiplog.exe

Filesize
59KB

MD5
2d7fd3bc629ac67238ca2f25d90e8165

SHA1
a65ae57b4eaafe9265a1082434bcd0febe39691b

SHA256
169d269c10d73742629723c3a7f0536a28586a892b1aa15f7468736d333b01de

SHA512
5fdaececbc3a080b5adc375ca36399c11353282509ead2cdc29eab2d060483dbfff7cda82ae1f59c7a099728a0141ffe0c15b7a09fc5f929cee6f86aa9ac28cf

Download Submit
C:\Windows\SysWOW64\Qmgelf32.exe

Filesize
59KB

MD5
f1b567bf9248fe7ac26627f437a0e9c8

SHA1
806b19fd6d1237d875ec7cfc4f065ea803c33df0

SHA256
3285741aafb935719fdd218a7035cc4a1f370cbdd7893e3e04249916605c22e1

SHA512
415b0a3ce892d0b109bffb5732b5b18487de6ddb1bd580d84c3e7cdd9ccbe05b0e9a109e4567192e9ae99dd5a06932cb71a4399e4c277afa4610e7a26cdf276b

Download Submit
memory/60-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/312-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3216-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3776-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads