b4193784e11432049b9a9bb1d7976b60e4d4a5d1b91df1a3f3a6ea504c9485b9

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4193784e11432049b9a9bb1d7976b60e4d4a5d1b91df1a3f3a6ea504c9485b9.exe
Size

384KB
MD5

fc4f29e894b52c745f28e2f1219398e0
SHA1

f029500df8f0bd78ca1fd93a5519fbf19c94bbee
SHA256

b4193784e11432049b9a9bb1d7976b60e4d4a5d1b91df1a3f3a6ea504c9485b9
SHA512

1c5d4682060752124a6c757f4c2964016f9f7fd7856023f0c23e2f9239281f9011f9107e807cf535e24c3953a9bc865def4cb31f18ad81e5fe547b5d6b52340c
SSDEEP

6144:PGqbPunQbRspui6yYPaIGckpyWO63t5YNpui6yYPaIGcky0PVd68LwYwI+8mkUra:PGqbGO6pV6yYPI3cpV6yYPZ0PVdvcY9T

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhddgofo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adpogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abflfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bqdlmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgaiffii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odaiodbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okpkgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oalpigkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkgaglpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgaqphgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eejcki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnboma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmdlflki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ohaokbfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkgaglpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajaqjfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaqphgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dlhlleeh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohaokbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pafcofcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pknghk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cigcjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akjgdjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adbkmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agcdnjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odhppclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbiabq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkedbmab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdflaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdgehobe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cejjdlap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deqqek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nipffmmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naqqmieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oileakbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckcbaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Elaobdmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mankaked.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdofpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ahinbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miklkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ophjdehd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pahpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqkigp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dabhomea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkedbmab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgbkgmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qhbhapha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ohobebig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjlnhi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elaobdmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djpfbahm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnnoip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qggebl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnfoac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgaiffii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckmmpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlhlleeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngklppei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdbbfadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qdflaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjoknhbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkqdnkge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dijppjfd.exe

Executes dropped EXE 64 IoCs

pid	Process
3652	Mankaked.exe
2304	Mmdlflki.exe
1748	Miklkm32.exe
4720	Mabdlk32.exe
3744	Mjkiephp.exe
5104	Nipffmmg.exe
828	Ndejcemn.exe
2072	Nkpbpp32.exe
4360	Nalgbi32.exe
3692	Niglfl32.exe
4324	Ngklppei.exe
1068	Naqqmieo.exe
4248	Oileakbj.exe
2728	Oacmchcl.exe
1864	Odaiodbp.exe
4468	Ogpfko32.exe
3140	Oaejhh32.exe
1872	Ophjdehd.exe
3632	Ohobebig.exe
4404	Oknnanhj.exe
2864	Oiqomj32.exe
4044	Oahgnh32.exe
4304	Odfcjc32.exe
1684	Ohaokbfd.exe
1352	Okpkgm32.exe
2688	Onngci32.exe
3460	Odhppclh.exe
3616	Oalpigkb.exe
2640	Pdklebje.exe
1048	Phfhfa32.exe
4008	Pkedbmab.exe
4864	Pjgemi32.exe
1736	Paomog32.exe
1228	Ppamjcpj.exe
1480	Pdmikb32.exe
3736	Pkgaglpp.exe
4588	Pjjaci32.exe
5008	Pnenchoc.exe
3480	Ppdjpcng.exe
3684	Pdofpb32.exe
2716	Pgnblm32.exe
3504	Pjlnhi32.exe
4012	Pacfjfej.exe
4016	Ppffec32.exe
2460	Pdbbfadn.exe
2288	Pgpobmca.exe
4656	Pklkbl32.exe
4892	Pjoknhbe.exe
3780	Pafcofcg.exe
2516	Pddokabk.exe
1848	Phpklp32.exe
4632	Pgbkgmao.exe
1204	Pknghk32.exe
1464	Pnlcdg32.exe
5128	Pahpee32.exe
5160	Qdflaa32.exe
5200	Qhbhapha.exe
5232	Qgehml32.exe
5272	Qkqdnkge.exe
5304	Qnopjfgi.exe
5344	Qajlje32.exe
5380	Qpmmfbfl.exe
5412	Qhddgofo.exe
5452	Qggebl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cbiabq32.exe	Cnmebblf.exe
File created	C:\Windows\SysWOW64\Neknbkci.dll	Djmima32.exe
File created	C:\Windows\SysWOW64\Pkedbmab.exe	Phfhfa32.exe
File created	C:\Windows\SysWOW64\Jcbhjg32.dll	Qgehml32.exe
File created	C:\Windows\SysWOW64\Eaohkjak.dll	Adpogp32.exe
File created	C:\Windows\SysWOW64\Lelncp32.dll	Pafcofcg.exe
File created	C:\Windows\SysWOW64\Ckcbaf32.exe	Ciefek32.exe
File created	C:\Windows\SysWOW64\Ffpfcf32.dll	Mabdlk32.exe
File created	C:\Windows\SysWOW64\Aidjgo32.dll	Nalgbi32.exe
File created	C:\Windows\SysWOW64\Ahpdcn32.exe	Addhbo32.exe
File opened for modification	C:\Windows\SysWOW64\Cgejkh32.exe	Cegnol32.exe
File opened for modification	C:\Windows\SysWOW64\Qnopjfgi.exe	Qkqdnkge.exe
File created	C:\Windows\SysWOW64\Dalkek32.exe	Dnnoip32.exe
File created	C:\Windows\SysWOW64\Okpkgm32.exe	Ohaokbfd.exe
File created	C:\Windows\SysWOW64\Lfloio32.dll	Odhppclh.exe
File created	C:\Windows\SysWOW64\Qnopjfgi.exe	Qkqdnkge.exe
File opened for modification	C:\Windows\SysWOW64\Bbhhlccb.exe	Ajaqjfbp.exe
File opened for modification	C:\Windows\SysWOW64\Ckoifgmb.exe	Ciqmjkno.exe
File created	C:\Windows\SysWOW64\Deqqek32.exe	Dbbdip32.exe
File created	C:\Windows\SysWOW64\Oileakbj.exe	Naqqmieo.exe
File opened for modification	C:\Windows\SysWOW64\Naqqmieo.exe	Ngklppei.exe
File opened for modification	C:\Windows\SysWOW64\Oiqomj32.exe	Oknnanhj.exe
File opened for modification	C:\Windows\SysWOW64\Agqhik32.exe	Ahngmnnd.exe
File created	C:\Windows\SysWOW64\Haapme32.dll	Aklciimh.exe
File created	C:\Windows\SysWOW64\Oaejhh32.exe	Ogpfko32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmikb32.exe	Ppamjcpj.exe
File created	C:\Windows\SysWOW64\Pbfepjng.dll	Pknghk32.exe
File created	C:\Windows\SysWOW64\Odhppclh.exe	Onngci32.exe
File created	C:\Windows\SysWOW64\Qkcackeb.exe	Qggebl32.exe
File created	C:\Windows\SysWOW64\Boepfh32.dll	Aamipe32.exe
File created	C:\Windows\SysWOW64\Ohobebig.exe	Ophjdehd.exe
File created	C:\Windows\SysWOW64\Qjeaog32.exe	Qkcackeb.exe
File opened for modification	C:\Windows\SysWOW64\Addhbo32.exe	Abflfc32.exe
File created	C:\Windows\SysWOW64\Adbkmo32.exe	Abdoqd32.exe
File created	C:\Windows\SysWOW64\Agcdnjcl.exe	Ahpdcn32.exe
File opened for modification	C:\Windows\SysWOW64\Pkgaglpp.exe	Pdmikb32.exe
File opened for modification	C:\Windows\SysWOW64\Qhddgofo.exe	Qpmmfbfl.exe
File created	C:\Windows\SysWOW64\Bjqfnh32.dll	Deqqek32.exe
File opened for modification	C:\Windows\SysWOW64\Aglnnkid.exe	Ahinbo32.exe
File opened for modification	C:\Windows\SysWOW64\Pklkbl32.exe	Pgpobmca.exe
File created	C:\Windows\SysWOW64\Mhmaee32.dll	Miklkm32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmebblf.exe	Ckoifgmb.exe
File created	C:\Windows\SysWOW64\Ljiochji.dll	Capkim32.exe
File created	C:\Windows\SysWOW64\Dmmbbodp.dll	Ajjjjghg.exe
File created	C:\Windows\SysWOW64\Ciefek32.exe	Cejjdlap.exe
File created	C:\Windows\SysWOW64\Miklkm32.exe	Mmdlflki.exe
File opened for modification	C:\Windows\SysWOW64\Ppffec32.exe	Pacfjfej.exe
File created	C:\Windows\SysWOW64\Eneilj32.dll	Oaejhh32.exe
File opened for modification	C:\Windows\SysWOW64\Bdgehobe.exe	Bqkigp32.exe
File created	C:\Windows\SysWOW64\Cakofc32.dll	Pjoknhbe.exe
File opened for modification	C:\Windows\SysWOW64\Abdoqd32.exe	Anhcpeon.exe
File opened for modification	C:\Windows\SysWOW64\Mabdlk32.exe	Miklkm32.exe
File opened for modification	C:\Windows\SysWOW64\Niglfl32.exe	Nalgbi32.exe
File opened for modification	C:\Windows\SysWOW64\Cejjdlap.exe	Cbknhqbl.exe
File opened for modification	C:\Windows\SysWOW64\Ppamjcpj.exe	Paomog32.exe
File created	C:\Windows\SysWOW64\Qkqdnkge.exe	Qgehml32.exe
File opened for modification	C:\Windows\SysWOW64\Adbkmo32.exe	Abdoqd32.exe
File created	C:\Windows\SysWOW64\Odaiodbp.exe	Oacmchcl.exe
File created	C:\Windows\SysWOW64\Jegdoipe.dll	Okpkgm32.exe
File created	C:\Windows\SysWOW64\Pkgaglpp.exe	Pdmikb32.exe
File created	C:\Windows\SysWOW64\Cbiabq32.exe	Cnmebblf.exe
File opened for modification	C:\Windows\SysWOW64\Agcdnjcl.exe	Ahpdcn32.exe
File created	C:\Windows\SysWOW64\Jabajbcd.dll	Bqkigp32.exe
File opened for modification	C:\Windows\SysWOW64\Ababkdij.exe	Anffje32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5608	5768	WerFault.exe	222

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdklebje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjaci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgaiffii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahngmnnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngklppei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkedbmab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgehml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjlnhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdgehobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eldlhckj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cejjdlap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmmpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmima32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlobmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ophjdehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohaokbfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppdjpcng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkgaglpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhddgofo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anffje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abflfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfoac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naqqmieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpfko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oahgnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akjgdjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbbdip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oileakbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oacmchcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdbbfadn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlcdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkqdnkge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahinbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mankaked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phfhfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbkgmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnblm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhbhapha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjgemi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckoifgmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgejkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mabdlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndejcemn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaejhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4193784e11432049b9a9bb1d7976b60e4d4a5d1b91df1a3f3a6ea504c9485b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okpkgm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnnoip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpdcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciefek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pddokabk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pknghk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qajlje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adpogp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahkkhnpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegnol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dijppjfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdofpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpmmfbfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjeaog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmikb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppffec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhhlccb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anjpeelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agcdnjcl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnfmkhcj.dll"	Qdflaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bqdlmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pafcofcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qdflaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donklfgn.dll"	Anjpeelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ohobebig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oahgnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndejcemn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qggebl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djeopjhd.dll"	Ckmmpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dlobmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mabdlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfloio32.dll"	Odhppclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pafcofcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olanmmjm.dll"	Mmdlflki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cigcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbbjg32.dll"	Addhbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgaiffii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djpfbahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbhjg32.dll"	Qgehml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dabhomea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgbkgmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cejjdlap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogpfko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhcjldl.dll"	Qhbhapha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjkiephp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknhkonb.dll"	Cnmebblf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	b4193784e11432049b9a9bb1d7976b60e4d4a5d1b91df1a3f3a6ea504c9485b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Onngci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejqmmlpm.dll"	b4193784e11432049b9a9bb1d7976b60e4d4a5d1b91df1a3f3a6ea504c9485b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oacmchcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbknhqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakofc32.dll"	Pjoknhbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qhbhapha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qkqdnkge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idqogkic.dll"	Ckoifgmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngklppei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Diafqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogpfko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bqdlmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgaiffii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnkbcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	b4193784e11432049b9a9bb1d7976b60e4d4a5d1b91df1a3f3a6ea504c9485b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pklkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Capkim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dijppjfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jegdoipe.dll"	Okpkgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pddokabk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anhcpeon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abdoqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcdcbcl.dll"	Cnboma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdibqp32.dll"	Ogpfko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpfcf32.dll"	Mabdlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Onngci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmdlflki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agcdnjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhgdahgp.dll"	Pacfjfej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knemellp.dll"	Ppffec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjicplp.dll"	Phpklp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qpmmfbfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dlhlleeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djmima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmdlflki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dnnoip32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 3652	4948	b4193784e11432049b9a9bb1d7976b60e4d4a5d1b91df1a3f3a6ea504c9485b9.exe	93
PID 4948 wrote to memory of 3652	4948	b4193784e11432049b9a9bb1d7976b60e4d4a5d1b91df1a3f3a6ea504c9485b9.exe	93
PID 4948 wrote to memory of 3652	4948	b4193784e11432049b9a9bb1d7976b60e4d4a5d1b91df1a3f3a6ea504c9485b9.exe	93
PID 3652 wrote to memory of 2304	3652	Mankaked.exe	94
PID 3652 wrote to memory of 2304	3652	Mankaked.exe	94
PID 3652 wrote to memory of 2304	3652	Mankaked.exe	94
PID 2304 wrote to memory of 1748	2304	Mmdlflki.exe	95
PID 2304 wrote to memory of 1748	2304	Mmdlflki.exe	95
PID 2304 wrote to memory of 1748	2304	Mmdlflki.exe	95
PID 1748 wrote to memory of 4720	1748	Miklkm32.exe	96
PID 1748 wrote to memory of 4720	1748	Miklkm32.exe	96
PID 1748 wrote to memory of 4720	1748	Miklkm32.exe	96
PID 4720 wrote to memory of 3744	4720	Mabdlk32.exe	97
PID 4720 wrote to memory of 3744	4720	Mabdlk32.exe	97
PID 4720 wrote to memory of 3744	4720	Mabdlk32.exe	97
PID 3744 wrote to memory of 5104	3744	Mjkiephp.exe	98
PID 3744 wrote to memory of 5104	3744	Mjkiephp.exe	98
PID 3744 wrote to memory of 5104	3744	Mjkiephp.exe	98
PID 5104 wrote to memory of 828	5104	Nipffmmg.exe	99
PID 5104 wrote to memory of 828	5104	Nipffmmg.exe	99
PID 5104 wrote to memory of 828	5104	Nipffmmg.exe	99
PID 828 wrote to memory of 2072	828	Ndejcemn.exe	100
PID 828 wrote to memory of 2072	828	Ndejcemn.exe	100
PID 828 wrote to memory of 2072	828	Ndejcemn.exe	100
PID 2072 wrote to memory of 4360	2072	Nkpbpp32.exe	101
PID 2072 wrote to memory of 4360	2072	Nkpbpp32.exe	101
PID 2072 wrote to memory of 4360	2072	Nkpbpp32.exe	101
PID 4360 wrote to memory of 3692	4360	Nalgbi32.exe	102
PID 4360 wrote to memory of 3692	4360	Nalgbi32.exe	102
PID 4360 wrote to memory of 3692	4360	Nalgbi32.exe	102
PID 3692 wrote to memory of 4324	3692	Niglfl32.exe	103
PID 3692 wrote to memory of 4324	3692	Niglfl32.exe	103
PID 3692 wrote to memory of 4324	3692	Niglfl32.exe	103
PID 4324 wrote to memory of 1068	4324	Ngklppei.exe	104
PID 4324 wrote to memory of 1068	4324	Ngklppei.exe	104
PID 4324 wrote to memory of 1068	4324	Ngklppei.exe	104
PID 1068 wrote to memory of 4248	1068	Naqqmieo.exe	105
PID 1068 wrote to memory of 4248	1068	Naqqmieo.exe	105
PID 1068 wrote to memory of 4248	1068	Naqqmieo.exe	105
PID 4248 wrote to memory of 2728	4248	Oileakbj.exe	106
PID 4248 wrote to memory of 2728	4248	Oileakbj.exe	106
PID 4248 wrote to memory of 2728	4248	Oileakbj.exe	106
PID 2728 wrote to memory of 1864	2728	Oacmchcl.exe	107
PID 2728 wrote to memory of 1864	2728	Oacmchcl.exe	107
PID 2728 wrote to memory of 1864	2728	Oacmchcl.exe	107
PID 1864 wrote to memory of 4468	1864	Odaiodbp.exe	108
PID 1864 wrote to memory of 4468	1864	Odaiodbp.exe	108
PID 1864 wrote to memory of 4468	1864	Odaiodbp.exe	108
PID 4468 wrote to memory of 3140	4468	Ogpfko32.exe	109
PID 4468 wrote to memory of 3140	4468	Ogpfko32.exe	109
PID 4468 wrote to memory of 3140	4468	Ogpfko32.exe	109
PID 3140 wrote to memory of 1872	3140	Oaejhh32.exe	110
PID 3140 wrote to memory of 1872	3140	Oaejhh32.exe	110
PID 3140 wrote to memory of 1872	3140	Oaejhh32.exe	110
PID 1872 wrote to memory of 3632	1872	Ophjdehd.exe	111
PID 1872 wrote to memory of 3632	1872	Ophjdehd.exe	111
PID 1872 wrote to memory of 3632	1872	Ophjdehd.exe	111
PID 3632 wrote to memory of 4404	3632	Ohobebig.exe	112
PID 3632 wrote to memory of 4404	3632	Ohobebig.exe	112
PID 3632 wrote to memory of 4404	3632	Ohobebig.exe	112
PID 4404 wrote to memory of 2864	4404	Oknnanhj.exe	113
PID 4404 wrote to memory of 2864	4404	Oknnanhj.exe	113
PID 4404 wrote to memory of 2864	4404	Oknnanhj.exe	113
PID 2864 wrote to memory of 4044	2864	Oiqomj32.exe	114

C:\Users\Admin\AppData\Local\Temp\b4193784e11432049b9a9bb1d7976b60e4d4a5d1b91df1a3f3a6ea504c9485b9.exe
"C:\Users\Admin\AppData\Local\Temp\b4193784e11432049b9a9bb1d7976b60e4d4a5d1b91df1a3f3a6ea504c9485b9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\SysWOW64\Mankaked.exe
  C:\Windows\system32\Mankaked.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\SysWOW64\Mmdlflki.exe
    C:\Windows\system32\Mmdlflki.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\Miklkm32.exe
      C:\Windows\system32\Miklkm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\SysWOW64\Mabdlk32.exe
        
        C:\Windows\system32\Mabdlk32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
      - C:\Windows\SysWOW64\Mjkiephp.exe
        
        C:\Windows\system32\Mjkiephp.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Nipffmmg.exe
        
        C:\Windows\system32\Nipffmmg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Ndejcemn.exe
        
        C:\Windows\system32\Ndejcemn.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Nkpbpp32.exe
        
        C:\Windows\system32\Nkpbpp32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Nalgbi32.exe
        
        C:\Windows\system32\Nalgbi32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Niglfl32.exe
        
        C:\Windows\system32\Niglfl32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Ngklppei.exe
        
        C:\Windows\system32\Ngklppei.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Naqqmieo.exe
        
        C:\Windows\system32\Naqqmieo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Oileakbj.exe
        
        C:\Windows\system32\Oileakbj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Oacmchcl.exe
        
        C:\Windows\system32\Oacmchcl.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Odaiodbp.exe
        
        C:\Windows\system32\Odaiodbp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Ogpfko32.exe
        
        C:\Windows\system32\Ogpfko32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Oaejhh32.exe
        
        C:\Windows\system32\Oaejhh32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Ophjdehd.exe
        
        C:\Windows\system32\Ophjdehd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Ohobebig.exe
        
        C:\Windows\system32\Ohobebig.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Oknnanhj.exe
        
        C:\Windows\system32\Oknnanhj.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Oiqomj32.exe
        
        C:\Windows\system32\Oiqomj32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Oahgnh32.exe
        
        C:\Windows\system32\Oahgnh32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Odfcjc32.exe
        
        C:\Windows\system32\Odfcjc32.exe
        24⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Ohaokbfd.exe
        
        C:\Windows\system32\Ohaokbfd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\Okpkgm32.exe
        
        C:\Windows\system32\Okpkgm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Onngci32.exe
        
        C:\Windows\system32\Onngci32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Odhppclh.exe
        
        C:\Windows\system32\Odhppclh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Oalpigkb.exe
        
        C:\Windows\system32\Oalpigkb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Pdklebje.exe
        
        C:\Windows\system32\Pdklebje.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Phfhfa32.exe
        
        C:\Windows\system32\Phfhfa32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Pkedbmab.exe
        
        C:\Windows\system32\Pkedbmab.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Pjgemi32.exe
        
        C:\Windows\system32\Pjgemi32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Paomog32.exe
        
        C:\Windows\system32\Paomog32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\Ppamjcpj.exe
        
        C:\Windows\system32\Ppamjcpj.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1228
        
        C:\Windows\SysWOW64\Pdmikb32.exe
        
        C:\Windows\system32\Pdmikb32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Pkgaglpp.exe
        
        C:\Windows\system32\Pkgaglpp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\Pjjaci32.exe
        
        C:\Windows\system32\Pjjaci32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\Pnenchoc.exe
        
        C:\Windows\system32\Pnenchoc.exe
        39⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Ppdjpcng.exe
        
        C:\Windows\system32\Ppdjpcng.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\Pdofpb32.exe
        
        C:\Windows\system32\Pdofpb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\Pgnblm32.exe
        
        C:\Windows\system32\Pgnblm32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Pjlnhi32.exe
        
        C:\Windows\system32\Pjlnhi32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Pacfjfej.exe
        
        C:\Windows\system32\Pacfjfej.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Ppffec32.exe
        
        C:\Windows\system32\Ppffec32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Pdbbfadn.exe
        
        C:\Windows\system32\Pdbbfadn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\Pgpobmca.exe
        
        C:\Windows\system32\Pgpobmca.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Pklkbl32.exe
        
        C:\Windows\system32\Pklkbl32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Pjoknhbe.exe
        
        C:\Windows\system32\Pjoknhbe.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Pafcofcg.exe
        
        C:\Windows\system32\Pafcofcg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Pddokabk.exe
        
        C:\Windows\system32\Pddokabk.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Phpklp32.exe
        
        C:\Windows\system32\Phpklp32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Pgbkgmao.exe
        
        C:\Windows\system32\Pgbkgmao.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Pknghk32.exe
        
        C:\Windows\system32\Pknghk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\Pnlcdg32.exe
        
        C:\Windows\system32\Pnlcdg32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Pahpee32.exe
        
        C:\Windows\system32\Pahpee32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5128
        
        C:\Windows\SysWOW64\Qdflaa32.exe
        
        C:\Windows\system32\Qdflaa32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Qhbhapha.exe
        
        C:\Windows\system32\Qhbhapha.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Qgehml32.exe
        
        C:\Windows\system32\Qgehml32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Qkqdnkge.exe
        
        C:\Windows\system32\Qkqdnkge.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Qnopjfgi.exe
        
        C:\Windows\system32\Qnopjfgi.exe
        61⤵
        Executes dropped EXE
        
        PID:5304
        
        C:\Windows\SysWOW64\Qajlje32.exe
        
        C:\Windows\system32\Qajlje32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Qpmmfbfl.exe
        
        C:\Windows\system32\Qpmmfbfl.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Qhddgofo.exe
        
        C:\Windows\system32\Qhddgofo.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Qggebl32.exe
        
        C:\Windows\system32\Qggebl32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Qkcackeb.exe
        
        C:\Windows\system32\Qkcackeb.exe
        66⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Qjeaog32.exe
        
        C:\Windows\system32\Qjeaog32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        C:\Windows\SysWOW64\Aamipe32.exe
        
        C:\Windows\system32\Aamipe32.exe
        68⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Aqpika32.exe
        
        C:\Windows\system32\Aqpika32.exe
        69⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Ahinbo32.exe
        
        C:\Windows\system32\Ahinbo32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Aglnnkid.exe
        
        C:\Windows\system32\Aglnnkid.exe
        71⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Ajjjjghg.exe
        
        C:\Windows\system32\Ajjjjghg.exe
        72⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Anffje32.exe
        
        C:\Windows\system32\Anffje32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Ababkdij.exe
        
        C:\Windows\system32\Ababkdij.exe
        74⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Adpogp32.exe
        
        C:\Windows\system32\Adpogp32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Ahkkhnpg.exe
        
        C:\Windows\system32\Ahkkhnpg.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Agnkck32.exe
        
        C:\Windows\system32\Agnkck32.exe
        77⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Akjgdjoj.exe
        
        C:\Windows\system32\Akjgdjoj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\Anhcpeon.exe
        
        C:\Windows\system32\Anhcpeon.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Abdoqd32.exe
        
        C:\Windows\system32\Abdoqd32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Adbkmo32.exe
        
        C:\Windows\system32\Adbkmo32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5048
        
        C:\Windows\SysWOW64\Ahngmnnd.exe
        
        C:\Windows\system32\Ahngmnnd.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\Agqhik32.exe
        
        C:\Windows\system32\Agqhik32.exe
        83⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\Aklciimh.exe
        
        C:\Windows\system32\Aklciimh.exe
        84⤵
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\Anjpeelk.exe
        
        C:\Windows\system32\Anjpeelk.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Abflfc32.exe
        
        C:\Windows\system32\Abflfc32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Addhbo32.exe
        
        C:\Windows\system32\Addhbo32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Ahpdcn32.exe
        
        C:\Windows\system32\Ahpdcn32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Agcdnjcl.exe
        
        C:\Windows\system32\Agcdnjcl.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Akopoi32.exe
        
        C:\Windows\system32\Akopoi32.exe
        90⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Ajaqjfbp.exe
        
        C:\Windows\system32\Ajaqjfbp.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Bbhhlccb.exe
        
        C:\Windows\system32\Bbhhlccb.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Bqkigp32.exe
        
        C:\Windows\system32\Bqkigp32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Bdgehobe.exe
        
        C:\Windows\system32\Bdgehobe.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\SysWOW64\Bgeadjai.exe
        
        C:\Windows\system32\Bgeadjai.exe
        95⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Bnfoac32.exe
        
        C:\Windows\system32\Bnfoac32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Bqdlmo32.exe
        
        C:\Windows\system32\Bqdlmo32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Cqghcn32.exe
        
        C:\Windows\system32\Cqghcn32.exe
        98⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\Cebdcmhh.exe
        
        C:\Windows\system32\Cebdcmhh.exe
        99⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\Cgaqphgl.exe
        
        C:\Windows\system32\Cgaqphgl.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4844
        
        C:\Windows\SysWOW64\Ckmmpg32.exe
        
        C:\Windows\system32\Ckmmpg32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Ciqmjkno.exe
        
        C:\Windows\system32\Ciqmjkno.exe
        102⤵
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\Ckoifgmb.exe
        
        C:\Windows\system32\Ckoifgmb.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Cnmebblf.exe
        
        C:\Windows\system32\Cnmebblf.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Cbiabq32.exe
        
        C:\Windows\system32\Cbiabq32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Cegnol32.exe
        
        C:\Windows\system32\Cegnol32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Cgejkh32.exe
        
        C:\Windows\system32\Cgejkh32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Cbknhqbl.exe
        
        C:\Windows\system32\Cbknhqbl.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Cejjdlap.exe
        
        C:\Windows\system32\Cejjdlap.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Ciefek32.exe
        
        C:\Windows\system32\Ciefek32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Ckcbaf32.exe
        
        C:\Windows\system32\Ckcbaf32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Cnboma32.exe
        
        C:\Windows\system32\Cnboma32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Capkim32.exe
        
        C:\Windows\system32\Capkim32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Cigcjj32.exe
        
        C:\Windows\system32\Cigcjj32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Djipbbne.exe
        
        C:\Windows\system32\Djipbbne.exe
        115⤵
        
        PID:212
        
        C:\Windows\SysWOW64\Dabhomea.exe
        
        C:\Windows\system32\Dabhomea.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Dijppjfd.exe
        
        C:\Windows\system32\Dijppjfd.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Dlhlleeh.exe
        
        C:\Windows\system32\Dlhlleeh.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Dbbdip32.exe
        
        C:\Windows\system32\Dbbdip32.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Deqqek32.exe
        
        C:\Windows\system32\Deqqek32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\Djmima32.exe
        
        C:\Windows\system32\Djmima32.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Dgaiffii.exe
        
        C:\Windows\system32\Dgaiffii.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Djpfbahm.exe
        
        C:\Windows\system32\Djpfbahm.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Dnkbcp32.exe
        
        C:\Windows\system32\Dnkbcp32.exe
        124⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Diafqi32.exe
        
        C:\Windows\system32\Diafqi32.exe
        125⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Dlobmd32.exe
        
        C:\Windows\system32\Dlobmd32.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Dnnoip32.exe
        
        C:\Windows\system32\Dnnoip32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Dalkek32.exe
        
        C:\Windows\system32\Dalkek32.exe
        128⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Elaobdmm.exe
        
        C:\Windows\system32\Elaobdmm.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Eejcki32.exe
        
        C:\Windows\system32\Eejcki32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Eldlhckj.exe
        
        C:\Windows\system32\Eldlhckj.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 416
        132⤵
        Program crash
        
        PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5768 -ip 5768
1⤵
PID:5192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:8
1⤵
PID:5568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cgejkh32.exe

Filesize
384KB

MD5
8b7592d0292d68d91e8af8c4c0dbe993

SHA1
cf7fcad4e96b7428eff141351c26ab8ac89b6e47

SHA256
545abd6b45602acb8960c040758b24a7fe9c982ca4664b7e4acb9066838b199b

SHA512
66244df18f845965858d7fb65e171b28131f93583b7a0193411961f4c6624120bd73a4d0713f6485408bd592ef9c01917026429a526d3bccbd99ffd470083047

Download Submit
C:\Windows\SysWOW64\Ckmmpg32.exe

Filesize
384KB

MD5
db6c7dbe80fb2a7d67055317145570a4

SHA1
9017bca2af9f33f2ae3f896948988adb3ff31e50

SHA256
f82015c7e702c37e83d503ae4a00d87890d6091568f5038be16c6234d4551914

SHA512
26f1846a6c2ec632655c782113d3659734cb096cd8dcf5527153d2508c425e59c9fec82d967adf2f13b75ef1c03160e588543b4420449b313869fb492d558e28

Download Submit
C:\Windows\SysWOW64\Dabhomea.exe

Filesize
384KB

MD5
714dc4652349c1e191766b77f521fb12

SHA1
e3810a6aa422926d31e9151bfc52812c6b12529f

SHA256
48f8659958d0f0ff4a61e0b8395a4957593b7aa3e129363820e56ac7d392f5ae

SHA512
fd912d68b1e36a46c140075995f82e363fc90eaee9db80636c718594e0f5bca9ed0d7795888afbc38148557955f25a93bf0b141e6a11a564ae7e9f61b03b3208

Download Submit
C:\Windows\SysWOW64\Dalkek32.exe

Filesize
384KB

MD5
e6530daf435760e8e68bf7efcd224adf

SHA1
7cde95e3723862f662d6ea1b9c0752c3aeae07c8

SHA256
6b1316a71d3da1e841fc52f7536260ed84cf2db674d9d3d24014e9c53144ba12

SHA512
01dc26c4ddcf58af290004d96323a22661711ae118ffd0636fd51018ad650e1d0c4555005f424d84b5f7e21bb5bc097763be5dd173bfc31da2fb6f72ea59ba59

Download Submit
C:\Windows\SysWOW64\Dbbdip32.exe

Filesize
384KB

MD5
c0f2ed31109090a536a6d6166afe4888

SHA1
c550fa22b59ee0d7f6e4382e223c40eabf99b2c1

SHA256
3ed0ca2a670f6c9947b2173112ddff5e85e09d7e1236d60338102813a55d8325

SHA512
b447a534b97d979dd5eeb1c1a7ad06a94b8ec23146e6706563fa49da92eeebc5198a7e52f361c63e57c6e67d0cddf09e766f94e17915b49209784824614c9381

Download Submit
C:\Windows\SysWOW64\Deqqek32.exe

Filesize
384KB

MD5
ce12da9c709befc7818388a2a6eb381b

SHA1
214e68d8dc405976e7b80af6c48cdf173ae82c36

SHA256
fa2274e6c93b12763530beed42249a0280f6b8aebd0bb823bfffe223959610ee

SHA512
91a9e6eb44a0ab1e27dd9f433544f9afbcac751bbf131beb95bd3933c1530c1c7da83404b4112f224ab1f48692c980a187026835ab3dbccc233ec0101e6fabab

Download Submit
C:\Windows\SysWOW64\Dnkbcp32.exe

Filesize
384KB

MD5
40d58c219e3cf2501bde3028e53b6d73

SHA1
5d0e2b818688fbe3c33821f8b8665d88b1202c79

SHA256
aef66406c3dbd6f059078768ef17da49a63d656303ae4133fc165dcba968bd50

SHA512
43fd75f752ee4c33584bf82fd0595113eac50be473dfe3d89e522463fc41e041b5db2236b7f6753f71f644cde493e52e299ff142681a963a6b1608b8f41bf816

Download Submit
C:\Windows\SysWOW64\Ffpfcf32.dll

Filesize
7KB

MD5
0ad2fec9a15979974902d537e3d93862

SHA1
c695ddbcb098204890127fec38a5dd6ef2eab12c

SHA256
d43ad2ac678fce9823e2c943a5ffa29b64749e2b8a4f7a8b7ba251af31e10fd6

SHA512
00ee27887709f463e05a758a031f1a0773720473596010bad8ed5f332bf932bc42c1e3ca69bcafce295ebf5952e97f9b07ab3c413597d727ebf3d0e5b33dde79

Download Submit
C:\Windows\SysWOW64\Mabdlk32.exe

Filesize
384KB

MD5
e6ff47493c5ce1cac39a80d4db376065

SHA1
1f20eab0dd92399bbb68b51067eec3312ea96cfb

SHA256
5c26a46613d5511453ed6e9d4edfd3344b702c1d624b703a79a3846d8ed2212d

SHA512
05614b3f84c937caa07febd434550db8ebf92c1cec5b81ec5d0129bb9bf34fd65c9903506372d8b540dfe61208ab84a25d88757fc9473908d05fed0774b510f6

Download Submit
C:\Windows\SysWOW64\Mankaked.exe

Filesize
384KB

MD5
bbba64c07c45dc4d34ecf9ba14ef9364

SHA1
11ce1531973972df3455c4f83ba323683c76a17f

SHA256
1f4f0cb812fdcb8e78d28be53ed4479319f44fad9ba14ad2b88415ce0cd9a595

SHA512
6fabfbac3bcdeeb30ef97385270ed66da9bf41399869e9cde798bd16f9f5391bb4c0a75764c81eeee22df8a3f500fdc087aba85d2e789bc15ebf090766843273

Download Submit
C:\Windows\SysWOW64\Miklkm32.exe

Filesize
384KB

MD5
39e737ee62e6518d51541762e412c330

SHA1
7c569a10eb727e99ac87c6f778cf8f345c14e626

SHA256
eb5c6b46abc2928beefd616f8b0704f6ecdc7b3df49462ff063e650bbe822c50

SHA512
ce6cb64b5bd433b6696a8854eab597e4fba519a1f30b1e07c506fefaa23899c6f9fb2c4d66ea5589f1063b210919c51c2994bfd43d889d72f65907283f39ff2c

Download Submit
C:\Windows\SysWOW64\Mjkiephp.exe

Filesize
384KB

MD5
7acae8bb79f6cec0ce9b3db5e49cca77

SHA1
283fe6f952e8526b6d1eb0e304fefe06faf53dfe

SHA256
874d5cc421e3c99c0e845614c5ad19007c88b18234f2bd3ce7e6e7b5846401e9

SHA512
07a29788882301e2eedce119e2135d05a2388966ad04acacefb4e25dc97fce77aa4a899e85b67e01615c43fa589e7d7abde0a70412cd95019bede0ff49335d91

Download Submit
C:\Windows\SysWOW64\Mmdlflki.exe

Filesize
384KB

MD5
b2df929f826fc2471697b77f4c8969da

SHA1
f9e417e18bdd45106f67341564f4586323f9b4e4

SHA256
8a276d7b01380aea5e11ce5e46650bd575c21b0c7328dd87d94d52a62a691110

SHA512
363a6b71fbac8f428f4b883ed3e1fda66ad23b5cf75c0eb7615514406efb2ce586da4d6babc53849178ff0c088d2ba22e42405c1ce6dcc8944379c606b39e87f

Download Submit
C:\Windows\SysWOW64\Nalgbi32.exe

Filesize
384KB

MD5
50708bfcb113c7d1faf3c96d5ea465d9

SHA1
f5a40875cad882a6cc89744d2e66c623f3fbf985

SHA256
d54227e9d29600f3c010588e88af5d93daebda3df2bccdd8b8e989f3d7bd90e8

SHA512
97529418cfe216e6df0acb39cc35a1f82f84ee2d310b22375312701a5a799a43fd846067bcfdd1f840a30d9dbe0431f871e426ca3a9045c19363841885962aef

Download Submit
C:\Windows\SysWOW64\Naqqmieo.exe

Filesize
384KB

MD5
35d674ef81275ecf821ea7315c25279a

SHA1
24dbd6f2fef5915d6ab459b0f00e744651036e67

SHA256
2e14da7306751cf402a22cb0f1bcf2c2fbd494a41269f76ee0a9617672a669a5

SHA512
9f090039ee1e64ae96c7f8c76b78eaca071b046ea7bb14a6f13c4e031fed196399d6786bb9497f8cdc8d1edc66ebec7bac5add9cfe4bff398e1d35f21940ea4c

Download Submit
C:\Windows\SysWOW64\Ndejcemn.exe

Filesize
384KB

MD5
f52e586505c3aebde04931449d1f56ff

SHA1
dd298122d20c230492fe00b4a6ff09335286cc7b

SHA256
375fc28836f06d1dccc67e174618cd79514ec16df11344a00ec4e7bd2e065e29

SHA512
5e341a1fd67345b93aa8be49add8302e73444f93941fc4a0d9b320ab64620944865dc7b10807caa2fa1f8e57e14119b6c0dcb74c7f9531f10ee843258bd46940

Download Submit
C:\Windows\SysWOW64\Ngklppei.exe

Filesize
384KB

MD5
dc1eac1cd9cf24b2d052512498f25802

SHA1
1e7a241162920d19f5578f9d81abc8136ca49a0d

SHA256
42dab76b9863a135f938f9c1a1f1ba0d2f05e3074e9b8f192fa122c8842bf8dd

SHA512
6a860c1642c87cef53eac947ebe0a0c7cb10985e808ff7da59553b54384177a1130c7d4a973e0b3170604a956cd3def2ba18e2e04ad9e2380425870e803d68c6

Download Submit
C:\Windows\SysWOW64\Niglfl32.exe

Filesize
384KB

MD5
156bc2bb3aee13eeaa57eb3150da297c

SHA1
65ba8d5052e4f6815a0179fff6c4a275736ec183

SHA256
182abdbab9ee126721261bc766fb6d54f80a8b3fd5c93cee4f2130f70938a4b7

SHA512
d46ba6992bc621cb79ac98c3129a4d61b26e5b0f8dde28539af498444696647d670cb92f830a09dd64d2cf6e180d36a6b6c8e81b9b32f469799ca123fedfa865

Download Submit
C:\Windows\SysWOW64\Nipffmmg.exe

Filesize
384KB

MD5
969ed103a88a3e50063e8b641170b020

SHA1
ae5244b2dff8f6dd3313dac7f34b5763fb95e169

SHA256
3b89dd38330a296b720dfff93fb4f9847ef7dfe4cbc1a60626d3197ba7a8e857

SHA512
5a91855dbd1e8451f198c5fb1c500937bf6ed219907403c928068a2e7a3ee0b48cc06f10e2bd4d810ca6b6212540bd2290eb9b5e1a972b585d2a0600da850975

Download Submit
C:\Windows\SysWOW64\Nkpbpp32.exe

Filesize
384KB

MD5
0fac375cc21073dcbeb21d57e4fe05ba

SHA1
e2e10d1a2f6bf5aa1954ef73c9c92eedfc72a32f

SHA256
2cfed3beb5b01905557e67f642205af2fb781303df457505e918d259eb4523a1

SHA512
a90c175d11a7c49ec2fe3613af49e012f0508927a9a46f10cf97ff765b95cba7b33c036ba4f4496144c813d8d6d356ade3c9bd2f339509a9d21e607ab37bcb33

Download Submit
C:\Windows\SysWOW64\Nkpbpp32.exe

Filesize
384KB

MD5
da13df72a35d4d911572e775aa34c9ef

SHA1
699a227d7c2de0ad9593f683b4cead297b6553f2

SHA256
3d12ee7d9a8359ee5759b8dab89b59562dac3aa70e2ccc3e82b0f3f2f11fc4c2

SHA512
bf6b0f078a7ac4a1851b9001c24640c655cd606dd9c6ed7d6c84aac3d22b09b389bc381b20f30d008e11a337d0333d1ff502ef2e41b1f1d1a1615f90a6a1a963

Download Submit
C:\Windows\SysWOW64\Oacmchcl.exe

Filesize
384KB

MD5
abd08acfe9235e2ea855665bb6a1f8d7

SHA1
871f2595b16fc9b97cd9b53fa952f6e421f177a7

SHA256
bc2cb09e3a6e2d6b33e38849c4a6a2a6def1787cbb0e9d572fd18833ecac2055

SHA512
81d76035212240c1f2c6fdcaa3bf511d074511ab66c2fe90d8bc04512a6fcbed948a0330a8892f53f970a02308f33a688804be531dbea19adc8753b152c2e28f

Download Submit
C:\Windows\SysWOW64\Oaejhh32.exe

Filesize
384KB

MD5
6c957656f30ab009931ae76886658309

SHA1
0d634a74a5eb7fe67421da09aca7dab6f644eaf7

SHA256
a058674a9157d3e067ed68c1e893edbfe49fba7fe0956d9665a58a9bca814d33

SHA512
e357eb14299d270c8004b3a5b204ebd574bee5d198d64995e9083c503e9120540b525e203c940a0ab23d8d2aa7f991ce50b716a32d370eb6a2a6318fc92e685b

Download Submit
C:\Windows\SysWOW64\Oahgnh32.exe

Filesize
384KB

MD5
08fda8a4f6094de5e81507d03a62e8a5

SHA1
b91973a53a5f4206574fc57d6afd92a21eb27734

SHA256
ba98310a91eb2ee7b030037a3644bdbd5694235a971be1657d26b61436ed4f4a

SHA512
ad5270ac2e9b073fa56a59c9b1d3789895a6dd2bbfbd56d5424a5cb10e36d4fdeea4ba70977d6119fd5dc367e541f0d0f707e1114ede235db5e45aa2b7cd3a54

Download Submit
C:\Windows\SysWOW64\Oalpigkb.exe

Filesize
384KB

MD5
dbb795c187d365da3b16733646d6435b

SHA1
48c83da0132a82b9b4075b7009573ea637e692dc

SHA256
b7de16ce390924a65e49d8101d5d3bd55404b9ea5f903b7ddb744b17a96ae4ff

SHA512
aaadfad9ae031b9a500473e14704b0401792c8fd2c8d9baa38ffadc4a1059b2c02b1c941120be174067d3477cdb4a0b43088c7f3b8e264f13159147b5e3612c8

Download Submit
C:\Windows\SysWOW64\Odaiodbp.exe

Filesize
384KB

MD5
3d52e2fa5706eaef19e90b7528ab6f84

SHA1
c30f36113992b0766cef55488b66f7fdcf7abb8e

SHA256
874bc77bb88db731f42dd2778344e26b6fcf2ae50927f67bc1b52d001a45034e

SHA512
ea0d854878b62e76dea4a9742ae655debd605b025c48e2cc595c8c1238996af3637383fd385c96789f80701e377e18a23512beac1f41f9816b76268d476d42be

Download Submit
C:\Windows\SysWOW64\Odfcjc32.exe

Filesize
384KB

MD5
78e8e3d212f1b0a1270d4fd7a793cc64

SHA1
b2e55e5bc74cc1818624e39256d357fda9153bc3

SHA256
689d73710cb8dacb441abb6ae3de453c879eaaf77e3072d9f50fdc2b9ba5354b

SHA512
5f453d0773f749094ad72bbcf5b609d6a6b6c314c5224fbbd92fb2ca8f77327d839ce3cc2fccc111f74afacb913886e2c59e3cc62285a98286ad7a92157b26d9

Download Submit
C:\Windows\SysWOW64\Odhppclh.exe

Filesize
384KB

MD5
9a8c371e32e01f4f4f592cfefeab744d

SHA1
19723812c897483d0c66383c9f96d2c3afb8c025

SHA256
ffad72a5cac26d23905edf26833d8a4b0efbaae113a76836b9042a84d719cb92

SHA512
942cbc876ab8ff04270853776c4616489d477cfb9a8075cd4875aac0666b3c305817c6e89c8c2b4927c2b8c94231dee312d74ab8760aa41a7fe92d099d4162d8

Download Submit
C:\Windows\SysWOW64\Ogpfko32.exe

Filesize
384KB

MD5
4d8b02b0cc8813c58b32bfaccbcfc2a6

SHA1
22e954263918c8b56a27aceedd8fcc9d243c7bee

SHA256
0c8123764bf9d0e0c4cc1d5b4b232a59d644fb969284af66bdd43011f780ddd4

SHA512
3bb6f7946ec45a21c31ef4b461c10ca280278e26b060835f5c394057bd086b0f367260dcb29a11b9a32700679b6a5e2209bbae1b0b35de0f4ae32fd406333b5e

Download Submit
C:\Windows\SysWOW64\Ohaokbfd.exe

Filesize
384KB

MD5
5bacce0c903681012203cefcad53fdf4

SHA1
727949e59e0bc1ef9b59a3d334baa71e256e7205

SHA256
d739e51bf945754347561ea83588dcd22bf9becf6c33d7206f82a733dba69d6b

SHA512
0eca33b6b7440cfc1c2d409e8fd04b3127916cab44ebda26fbd4792c365bf7e5025a7b21f818108124a68e6abe16f3f9825b9d655057d97f8e06cb36d55af33d

Download Submit
C:\Windows\SysWOW64\Ohobebig.exe

Filesize
384KB

MD5
a6d8f856a35d0ec2ff314dfd04d47c30

SHA1
865c6dc5b2203fa7235c5c40edf2bf5857f541fa

SHA256
cc89377179c92bf0d5ce87d2a17703ee5eef3f4de4d1fe6d9b709ddd0e4b668f

SHA512
829230eae972404c8ad324e42733fdf7c02ba892ec69c5cd4b64598c0d982c44c75279e495f7621103228863c97da85cde7238408a14ab64288063e7e7b2dea1

Download Submit
C:\Windows\SysWOW64\Oileakbj.exe

Filesize
384KB

MD5
e5a56740d752232f04167a454f8f11dc

SHA1
796806b9bc5a1800bbb861cd97d0c870c3228f76

SHA256
11ab150395873b7be3e64e2970cf7000320b4727deadb63a6a63c561250fb22a

SHA512
6ea585044c4c5a4ec9a3c1447595d5500cac4ded202603f13fa53dc024f61cbd84f0a143143370b71b2f3e28b902817caa4c63ea4eeff8ec1d00fe950dcefe2a

Download Submit
C:\Windows\SysWOW64\Oiqomj32.exe

Filesize
384KB

MD5
0b11bd0844436d9e31ed6dee88fe27c1

SHA1
d563a41ebec128ebd8e1fb3e72a6b39d09e54af7

SHA256
c37f966a70f0951cdd2b2b98c6d0aa3a3741ba59bc480905b5ee483508e41f0a

SHA512
66b72131cf216ead9c0e7aa71ceeebcda10dcee78d67ba3d1455e360d8216a9c15d2d6d4e60cecc7e4b05bcd33b3b71a88bc778000e24b4db133762c3e3eb0d9

Download Submit
C:\Windows\SysWOW64\Oknnanhj.exe

Filesize
384KB

MD5
f797f1cf1d54dfb64ebc4c9a0dc07f94

SHA1
d0956e36d90ebe0b353b988fef29ee5ea96c40e9

SHA256
3f7ab627559b1887bef246c13a14741d6fcda109fb2dfc6e3c04d9841a6f1625

SHA512
51855229c6774489996724a9584ec93b59aed6dcbe794e48b949d2b50c548e10296f1480ac2a47118f39b796c12862a06c0d0983e1fd4374aa168f740c809e58

Download Submit
C:\Windows\SysWOW64\Okpkgm32.exe

Filesize
384KB

MD5
fa43162d07e08d7f224dfbedb781ecf1

SHA1
6414a05f681af0a9e1acef2039446dc278f4a04d

SHA256
f4c8a9d602554a07c664ed6b8dfc6e49329968c0df89cc998071851080021772

SHA512
f8e08fcf0e352490f2f5a49980ecb4e8be9426fb1b5766f3ea27651f0bada1994c010f10d74b0f688fc696867ea9bc1021026ac7ce3f3cd5b025431fb25440b1

Download Submit
C:\Windows\SysWOW64\Onngci32.exe

Filesize
384KB

MD5
60f1a19a44e0757749f7fd664ce54471

SHA1
47a5af0af8fb07efb0a1b7df20588c4391993437

SHA256
7fc23dd5f56712848b1f83b277fdf5e086368876bd83b81289e069b3f446f6d0

SHA512
f9dc299fb106d1a2190a91dbc58a8279d5b8cff1c313c83b717dc007d6d38cc1e2c92596208ca82bdd7b46991224db8b7955d3691d26d383372629221beb019d

Download Submit
C:\Windows\SysWOW64\Ophjdehd.exe

Filesize
384KB

MD5
4d1ef7b00cafd7772b048d97322da96a

SHA1
5654e22dbd600d0e8da523ef5edc68d7a04cb8b6

SHA256
9640ba4c99c576727696eb86ec89beca1a352ea0b4ec2afdc821a89ac1eff0c9

SHA512
5ac4e6f6c2284d969fa5efea796774fe21b410c50aeb402ea81c896a78f9ea6ac6da3888efae39e367bc485539ee36c6e3492674ee51e9e1e9bafb2407aabd99

Download Submit
C:\Windows\SysWOW64\Pdklebje.exe

Filesize
384KB

MD5
3a0abc4650cfd66553f5ce66b2dc27a8

SHA1
d982db06264a8e40d426a8b962c40cb044c3d202

SHA256
5840744b154d0dde6ba02021439eebef87ade880593cfc6ca0262351ffd6377c

SHA512
b143d5a123b9b95445956534b323979f2da4cd5bfb9f88c453dda75f28cc31dc3c3b94a938f48b3f317043360d82be3afe49d3b82a715489df434c70085fca5e

Download Submit
C:\Windows\SysWOW64\Phfhfa32.exe

Filesize
384KB

MD5
9392354d6603b09fa4d1fa5921e81603

SHA1
40089cbd110f5c75cfc0c79b6c760853bd5472f4

SHA256
8c927a1e466dbe4a7bfd94c32cde010dad31b538b03789fe1e41ab383790c8d5

SHA512
57cd4b126dbbcf9a4bf4fbdc2e28f45da9bc1b5ca77aa7a43738b5d119fc1075f2c97d2a2bdc45e5c82277f07af4bfc02119c74e0e5c9302d97e4fe9ccc3b4ab

Download Submit
C:\Windows\SysWOW64\Pjgemi32.exe

Filesize
384KB

MD5
30e93bdbd427a2b77e612784316fb030

SHA1
fee1e3245839452403402830a90abcbc816add13

SHA256
9be304eafcde9a74b56923faba031351fcf6aa83c0a910fd4d5e2a6c71cbf1fd

SHA512
f4a90c54b2f6ff4f18f475e445f299da6a0c29c69a6452506ee9c3a44bb4e21bc205e292eb999a9d39a25b46297b2022ba4676b0317694c6a8b32144816d7d6f

Download Submit
C:\Windows\SysWOW64\Pkedbmab.exe

Filesize
384KB

MD5
311c596892a69141ec0614ca78204992

SHA1
e2fbea6662a6c6960701686e9893843b8173b5b7

SHA256
52c16000c57cdbe3550df548836700a7f51b1237918d9bf4c8a2a6c3acf99089

SHA512
bcf2a74d23dbe73442b142ab0a82cfe8e9c99615e4f27d1c27ef037a5a7c551100834ea42dd7331af9887925d165e00e8a42de2155c051fcfaa8ca79983a79f8

Download Submit
memory/828-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/960-618-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-619-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-616-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-612-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-617-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4168-615-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-625-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-613-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5128-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5160-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5168-620-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5200-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5208-621-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5232-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5260-622-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5272-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5304-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5336-623-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5344-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5380-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5396-624-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5412-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5452-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5472-626-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5488-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5516-627-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5520-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5560-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5624-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5796-628-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5800-598-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5836-600-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5868-604-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5908-605-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5940-606-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5980-607-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6016-608-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6024-634-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6048-609-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6088-610-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6120-611-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads