njrat | 67307b83cec26a699a7f7247c5fbeafdaab8d41dca976bd0a9af061e08e78744

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b394fcd935ec6c2d143914987a0429a0N.exe
Size

337KB
MD5

b394fcd935ec6c2d143914987a0429a0
SHA1

8f74c1f84a9124159e4cd3d14aa50749b3dbb8bc
SHA256

67307b83cec26a699a7f7247c5fbeafdaab8d41dca976bd0a9af061e08e78744
SHA512

53f10ccf7baa321c9478655324952b2104f0955244e748c9f66fc3621813c42e4a9e68fd1f23e8d96334c89b49e3d69f2a223a9b9dff4b37104aad516ec4cc33
SSDEEP

3072:JNWs+g2l1cIkBgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:Jst1lkB1+fIyG5jZkCwi8r

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibnccmbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbbkaako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipbdmaah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heapdjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Heapdjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomhdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbdgfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jehokgge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbiaapdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hckjacjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipknlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcdmga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibnccmbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffgqqaip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ippggbck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfoiokfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
2148	Fomhdg32.exe
3828	Ffgqqaip.exe
3308	Fhemmlhc.exe
1356	Flqimk32.exe
2172	Fckajehi.exe
2564	Fbnafb32.exe
1348	Gbbkaako.exe
4228	Glhonj32.exe
1608	Gbdgfa32.exe
4828	Ghopckpi.exe
4580	Gbgdlq32.exe
4568	Gmlhii32.exe
4032	Gbiaapdf.exe
4992	Gicinj32.exe
2212	Gomakdcp.exe
1008	Gblngpbd.exe
1496	Hckjacjg.exe
548	Hfifmnij.exe
2052	Hcmgfbhd.exe
4444	Hflcbngh.exe
4996	Hkikkeeo.exe
3088	Heapdjlp.exe
768	Hofdacke.exe
2876	Hecmijim.exe
3080	Hcdmga32.exe
2600	Iiaephpc.exe
3888	Ipknlb32.exe
2236	Ifefimom.exe
4676	Ikbnacmd.exe
4428	Iejcji32.exe
1516	Ippggbck.exe
4248	Ibnccmbo.exe
1596	Ipbdmaah.exe
5056	Ibqpimpl.exe
1504	Ieolehop.exe
4104	Ipdqba32.exe
1640	Jfoiokfb.exe
4728	Jmhale32.exe
2264	Jcbihpel.exe
4352	Jioaqfcc.exe
5084	Jbhfjljd.exe
3028	Jianff32.exe
2268	Jehokgge.exe
1684	Jpnchp32.exe
2056	Jblpek32.exe
1260	Jifhaenk.exe
4020	Jmbdbd32.exe
3896	Jcllonma.exe
3104	Kpbmco32.exe
1980	Klimip32.exe
2248	Kdqejn32.exe
4888	Kimnbd32.exe
3672	Kdcbom32.exe
2164	Kmkfhc32.exe
2080	Kpjcdn32.exe
4208	Kplpjn32.exe
3004	Liddbc32.exe
4496	Llcpoo32.exe
3552	Lbmhlihl.exe
4188	Lfhdlh32.exe
4172	Lpqiemge.exe
3416	Ldleel32.exe
1928	Lenamdem.exe
896	Llgjjnlj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kimnbd32.exe	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Kcdgbkil.dll	Lenamdem.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Ipbdmaah.exe	Ibnccmbo.exe
File opened for modification	C:\Windows\SysWOW64\Ieolehop.exe	Ibqpimpl.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Kpjcdn32.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Ffgqqaip.exe	Fomhdg32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Gbgdlq32.exe	Ghopckpi.exe
File created	C:\Windows\SysWOW64\Gbiaapdf.exe	Gmlhii32.exe
File created	C:\Windows\SysWOW64\Hnmacdaj.dll	Ipknlb32.exe
File created	C:\Windows\SysWOW64\Ieolehop.exe	Ibqpimpl.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Fhemmlhc.exe	Ffgqqaip.exe
File created	C:\Windows\SysWOW64\Mjddiqoc.dll	Jbhfjljd.exe
File opened for modification	C:\Windows\SysWOW64\Mgddhf32.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Jmehcnhg.dll	Ikbnacmd.exe
File opened for modification	C:\Windows\SysWOW64\Ipbdmaah.exe	Ibnccmbo.exe
File opened for modification	C:\Windows\SysWOW64\Lfhdlh32.exe	Lbmhlihl.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Ffgqqaip.exe	Fomhdg32.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Jmnoof32.dll	Gomakdcp.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Ciglpe32.dll	Hfifmnij.exe
File created	C:\Windows\SysWOW64\Klimip32.exe	Kpbmco32.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nljofl32.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Ipdqba32.exe	Ieolehop.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Lepncd32.exe	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6796	6596	WerFault.exe	279

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcbihpel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmlhii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipdqba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gicinj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifefimom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbbkaako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iejcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iiaephpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hckjacjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmhale32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibnccmbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jioaqfcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifhaenk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipbdmaah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b394fcd935ec6c2d143914987a0429a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hckjacjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll"	Jfoiokfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liddbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkebndc.dll"	Hkikkeeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjnop32.dll"	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnmacdaj.dll"	Ipknlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll"	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icfpbq32.dll"	Flqimk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hofdacke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibqpimpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll"	Llcpoo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 2148	1584	b394fcd935ec6c2d143914987a0429a0N.exe	83
PID 1584 wrote to memory of 2148	1584	b394fcd935ec6c2d143914987a0429a0N.exe	83
PID 1584 wrote to memory of 2148	1584	b394fcd935ec6c2d143914987a0429a0N.exe	83
PID 2148 wrote to memory of 3828	2148	Fomhdg32.exe	84
PID 2148 wrote to memory of 3828	2148	Fomhdg32.exe	84
PID 2148 wrote to memory of 3828	2148	Fomhdg32.exe	84
PID 3828 wrote to memory of 3308	3828	Ffgqqaip.exe	85
PID 3828 wrote to memory of 3308	3828	Ffgqqaip.exe	85
PID 3828 wrote to memory of 3308	3828	Ffgqqaip.exe	85
PID 3308 wrote to memory of 1356	3308	Fhemmlhc.exe	86
PID 3308 wrote to memory of 1356	3308	Fhemmlhc.exe	86
PID 3308 wrote to memory of 1356	3308	Fhemmlhc.exe	86
PID 1356 wrote to memory of 2172	1356	Flqimk32.exe	88
PID 1356 wrote to memory of 2172	1356	Flqimk32.exe	88
PID 1356 wrote to memory of 2172	1356	Flqimk32.exe	88
PID 2172 wrote to memory of 2564	2172	Fckajehi.exe	90
PID 2172 wrote to memory of 2564	2172	Fckajehi.exe	90
PID 2172 wrote to memory of 2564	2172	Fckajehi.exe	90
PID 2564 wrote to memory of 1348	2564	Fbnafb32.exe	91
PID 2564 wrote to memory of 1348	2564	Fbnafb32.exe	91
PID 2564 wrote to memory of 1348	2564	Fbnafb32.exe	91
PID 1348 wrote to memory of 4228	1348	Gbbkaako.exe	92
PID 1348 wrote to memory of 4228	1348	Gbbkaako.exe	92
PID 1348 wrote to memory of 4228	1348	Gbbkaako.exe	92
PID 4228 wrote to memory of 1608	4228	Glhonj32.exe	94
PID 4228 wrote to memory of 1608	4228	Glhonj32.exe	94
PID 4228 wrote to memory of 1608	4228	Glhonj32.exe	94
PID 1608 wrote to memory of 4828	1608	Gbdgfa32.exe	95
PID 1608 wrote to memory of 4828	1608	Gbdgfa32.exe	95
PID 1608 wrote to memory of 4828	1608	Gbdgfa32.exe	95
PID 4828 wrote to memory of 4580	4828	Ghopckpi.exe	96
PID 4828 wrote to memory of 4580	4828	Ghopckpi.exe	96
PID 4828 wrote to memory of 4580	4828	Ghopckpi.exe	96
PID 4580 wrote to memory of 4568	4580	Gbgdlq32.exe	97
PID 4580 wrote to memory of 4568	4580	Gbgdlq32.exe	97
PID 4580 wrote to memory of 4568	4580	Gbgdlq32.exe	97
PID 4568 wrote to memory of 4032	4568	Gmlhii32.exe	98
PID 4568 wrote to memory of 4032	4568	Gmlhii32.exe	98
PID 4568 wrote to memory of 4032	4568	Gmlhii32.exe	98
PID 4032 wrote to memory of 4992	4032	Gbiaapdf.exe	99
PID 4032 wrote to memory of 4992	4032	Gbiaapdf.exe	99
PID 4032 wrote to memory of 4992	4032	Gbiaapdf.exe	99
PID 4992 wrote to memory of 2212	4992	Gicinj32.exe	100
PID 4992 wrote to memory of 2212	4992	Gicinj32.exe	100
PID 4992 wrote to memory of 2212	4992	Gicinj32.exe	100
PID 2212 wrote to memory of 1008	2212	Gomakdcp.exe	101
PID 2212 wrote to memory of 1008	2212	Gomakdcp.exe	101
PID 2212 wrote to memory of 1008	2212	Gomakdcp.exe	101
PID 1008 wrote to memory of 1496	1008	Gblngpbd.exe	102
PID 1008 wrote to memory of 1496	1008	Gblngpbd.exe	102
PID 1008 wrote to memory of 1496	1008	Gblngpbd.exe	102
PID 1496 wrote to memory of 548	1496	Hckjacjg.exe	103
PID 1496 wrote to memory of 548	1496	Hckjacjg.exe	103
PID 1496 wrote to memory of 548	1496	Hckjacjg.exe	103
PID 548 wrote to memory of 2052	548	Hfifmnij.exe	104
PID 548 wrote to memory of 2052	548	Hfifmnij.exe	104
PID 548 wrote to memory of 2052	548	Hfifmnij.exe	104
PID 2052 wrote to memory of 4444	2052	Hcmgfbhd.exe	105
PID 2052 wrote to memory of 4444	2052	Hcmgfbhd.exe	105
PID 2052 wrote to memory of 4444	2052	Hcmgfbhd.exe	105
PID 4444 wrote to memory of 4996	4444	Hflcbngh.exe	106
PID 4444 wrote to memory of 4996	4444	Hflcbngh.exe	106
PID 4444 wrote to memory of 4996	4444	Hflcbngh.exe	106
PID 4996 wrote to memory of 3088	4996	Hkikkeeo.exe	107

C:\Users\Admin\AppData\Local\Temp\b394fcd935ec6c2d143914987a0429a0N.exe
"C:\Users\Admin\AppData\Local\Temp\b394fcd935ec6c2d143914987a0429a0N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\SysWOW64\Fomhdg32.exe
  C:\Windows\system32\Fomhdg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\Ffgqqaip.exe
    C:\Windows\system32\Ffgqqaip.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Windows\SysWOW64\Fhemmlhc.exe
      C:\Windows\system32\Fhemmlhc.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3308
    - - C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
      - C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        25⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        43⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        46⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        49⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        51⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        61⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        63⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        70⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4620
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        72⤵
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        74⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4688
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        76⤵
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        77⤵
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        81⤵
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        82⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3728
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1968
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        89⤵
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        94⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        96⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        98⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        100⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        102⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5792
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        106⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        110⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        114⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        118⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        119⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        120⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        122⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        123⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        127⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6072
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        138⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        140⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        141⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        145⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        146⤵
        
        PID:940
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        150⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        151⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6292
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        153⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:6380
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6424
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6468
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:6512
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        158⤵
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        161⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6696
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6768
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        164⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6900
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6944
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6988
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        168⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        169⤵
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        170⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        171⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        172⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        173⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6268
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:6412
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        176⤵
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        177⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:6612
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        179⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6776
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        181⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6912
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        183⤵
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7020
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        185⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        186⤵
        Drops file in System32 directory
        
        PID:6172
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        187⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6388
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6484
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:6596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6596 -s 396
        191⤵
        Program crash
        
        PID:6796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6596 -ip 6596
1⤵
PID:6664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
337KB

MD5
9f973fb4908c44ed7682a8fc45a0a3c2

SHA1
85612dc7402653a250da2dbade8b0ac1539c72bf

SHA256
74935f7a5e2b1f980c72fbf6258282962232c13f72a13ee41dd4c6c984ad9a4d

SHA512
8b6dc891677ec39625ac58beb6a3622116968818050be6e3f60832214d8721b0c26a9698506c633071bddb55f2a292144ddd658e46ade8d560bd91a821b602ba

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
337KB

MD5
6ecc5d5b2cbbb1a27899a688ca61c7af

SHA1
d322886b10a28df778256ef94bd51837361ddbbc

SHA256
8136dd1ca490d29ac4399620a69873abd1e81dcaae6d4d3b766327a21349e72b

SHA512
301a6fc35d5c63e8312e7095c74547ce15b63b5488b90b831701919cef79638dae4c322b5d55ce2f622be76002a5e44fc2bb20e8af7f98aeb8a4ce54cd9b646b

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
337KB

MD5
6a5003c669d45be96c3cda4ca5d505b9

SHA1
1ba36f5014d7ce4f1fbaa16857021319e4ffa05b

SHA256
9f91ed1892381a49cc46b1e24d7682eaf4a5ff3ef3e20e770dd8f33c7dd1901c

SHA512
32c6741740ccf52f75333c69e1ec0694e57a758d099c280baf0b90988ff65bd679556f5a452cb57d2b733a7d6d3fd3d2aba5ad42400451a9db32e7cedffdd9b8

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
337KB

MD5
824ce0d0c131d4835e0fecb3141e2789

SHA1
e0a8db5031364ae0d339e759a319f57981d8e13b

SHA256
cd0dcea7e872de1bb4efc2f4bca9263c1c3e3462c47fa365f304fc2311f57e1d

SHA512
1829470f80ea6507a76025f0e987167db273ccf25feb0d4e5a6b5220ba7a0745a3c5b40c24b74769e7dabc93600cf64db88780657bbe47882d652055fdf1ac8c

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
337KB

MD5
5d09c0b6fe5f0d48e1db8cae0367d013

SHA1
2994f8dbcaf6d2954b0b7d3087b6a73ff42ab353

SHA256
677927ad7117d5a443e3770ece48a4a5c2334c0a79de757241eaadf4b140ba84

SHA512
7c5ec715047dade114d6d3906020539ca82e6e28048a5b1bb09d56e033e0e659ced2530978ee33c464e1af8e3cf149b68d893a03618bf236dcd7e9d4e58be7b7

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
337KB

MD5
bfa87988aae4325b4dbea656196ee8f5

SHA1
950f516d21610b8b1b452cac7c079665d0620cb1

SHA256
b784fd2c94cd84595465329f76b6a083bb45ae00c0d0d3e877a57fe632163fdf

SHA512
818946d202ec1667fe3ae87085b15a117b8ff9aedf764136432d01beb5119ae14d387cae1ee0206b45a0f8a050ace8720889339ee85856d98a17ba4cc3753470

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
337KB

MD5
068cbb23d52bc2197059236d61916e18

SHA1
49695172782b10fa19f0c552615a4a1edbb3d0f8

SHA256
b8ab3e4a43636c568391581e59af40c49a2857479edc8a6f3b28a71cce21d780

SHA512
67d92c4c5b4723f967f9fae28300a85c8a30140af9f76179cc1c9913b7bbae4a1edc748a1e4556f20c395ab658134b0c12d25861d512449b569ef3d2230f8f22

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
337KB

MD5
135b24d72f5fdd67c7e8aa6006b46842

SHA1
bf8e286f15ab7354aeab0f61c827cb693dbae889

SHA256
cba14c79310b9a8422e7cd94e5f04e2cb2479f967e36db2c39886e8c6554c6c7

SHA512
734b59bb85fe1c9bfab3b265ea62c9383e2a09defeb0184cd0a635f1e4047b01d3e6955c289bb99867db153df943868e77668907daa885c388779625a6525a38

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
337KB

MD5
700c1c536d78b45cedb94a1e1df944c2

SHA1
2542e919fffded28539b965f6505a69f58287f22

SHA256
7c9ce926dac9a20c2493a69d8510cc8ecea1b08e31529f1764a16ce16c4caaf0

SHA512
bc32a47c4b7d1113d5140dd615cbed687b1ff668faf0df2abe6cf0d6ccd86e59aa629862ed8424d12193ff16d47f7d90a1491f1c43edc4b93886819aeda28f57

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
337KB

MD5
6b214dc4b72b0aae18dfef76bed45f96

SHA1
da4fb713af6e0a3208f07cffa6711803aa3725b0

SHA256
73dac19b8eb33d26e4d5f107b6e25c7537dd7851a1e4e2cd8c6215fe4922d7ab

SHA512
749537f2a5276e8be3c59aae8e4b2e4832657c74cf4f7c867e2ec6a6282bd2c57c27647cfda4f05e2f7c619a23499845e38bad36860161dde50fd8a420ae826d

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
337KB

MD5
38c22f857d2774471ebbbca7ed3468ac

SHA1
59713044e0dd17df8f0c64220d0c015f66395225

SHA256
b7f8b77e1ddd2b545c693bec5b500de85f74b33e3a9d781bdcf7b401f3ddb4c2

SHA512
378ded929b5cb9d8ec184dfd4572aff2db6d891a12d32b3c085a40d10675ecee845b8bda375d14cc6cb75f561a3ec358f5a8b6634427e9169facaff2d18e8be6

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
337KB

MD5
1ab43b50cbea2f677bdc655a06d17d0d

SHA1
8618b1856d258e302c83dbb3d4fe8086133908f5

SHA256
ab83e367d03a6aa7ebfc48233348266f9176534aabeb226b7b857605d97ccc3f

SHA512
f2c41065d6f21cb9956bbe2223637e947e1defaa4ffa03ee4f3cea21777f1a2fc1a7b3300c126883b79f5450aec2c7f42333c08ac1b05fc9a0d969dd21d47f3c

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
337KB

MD5
82ff84061e88d9b7099a74fef896597f

SHA1
351af4e065c53ed21f1dacfbb2c98c4d2f36a5f8

SHA256
1b1dac5b2d2b650042fb906490ecd8436b19041e9a43a5aef958f848aa5a0230

SHA512
fb1745777b68cd1eaaaa70dc3c292d9ba617beedfdacb6e484b0cee409b746c2bc516325c60915649664eaeda6585f80a63a5d9d4ae0ca57869cf201b0cb9680

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
337KB

MD5
2a6822e29d0bf80c3f90f355d7d7bc8b

SHA1
22fbf2001b4cbc5e52b76dc390083f62c964e50e

SHA256
b93c8ba63c40dd4f8d474b9f6d768a32947f963e13715d7a82a8ec2590bd82bb

SHA512
fc8d6b68f7b5e383fb4d5f4e347415b56f5e575746cf582ad02c01aa5fa2c57a70181858a17f5ccf99a771b2cd0338ec17ff71bd452dcf88c76d97d23c9f8e74

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
337KB

MD5
81b366ec18689826acdd074d9ea7bfdf

SHA1
5752f1158f6c5a45c446692ba2473e95080917ee

SHA256
63ba38b5b85d413bda36a66e0da19ef3f0808cabe7a9ab1b0d1f1b816e10d03c

SHA512
9ca2f08f51e35d211a3b4166aec5d6d75e413c71ff8e5a55f08f66630f91b1aaff38bfd46d7f56393df06f5d93f75f2cfd8f0d664f07c6457c302f30456ca84d

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
337KB

MD5
307785d4192ec936ef17f4cfc36550ea

SHA1
5b576703dabc19de1c46f8f1f0903055714cd31f

SHA256
082f1d4e0a59e4d728ea331df6451325a543d1aa985f11deebfa6e5f64440e64

SHA512
9756e7e0f6b3d6e8092396c7fcbb53dc84079e1a57cf648940ad72eb7a98fc3d04e729a80663c531142c0b628f504f36d8576a3332f2c0cdb555b09ce1e631d2

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
337KB

MD5
a597adbc4bf3d561ec9e7bcdc78af00e

SHA1
9eaa3825459ed0165743dd54cbc12379b81edbb2

SHA256
19c34dbe955aca48f1e6f48698d1b111bd9b3016c71f92d56e65d580b5c69353

SHA512
e770e805710d18868f7b348f33abde105ba2117e597bf076a523e4b8cea1037c3ae62ab4538fb119c50c867fee50083afa7acade38c4a760d481007ec64c68f3

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
337KB

MD5
4917179b20f4c232b0bdf250526172ab

SHA1
77803f45db2f6cc5ee39ae2bcb87b13e83430639

SHA256
9b7b48470f17cbd638d1357db563297444b331f4e5a5e9481c31468e992a8e23

SHA512
82168e14fc63da2375c895303be6003310e23183fe6ac72a1d0822628fbe539c35383a1d63f4cbe487551e1f4ee77240925a8d43bbceacfcd334f3e219dcb854

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
337KB

MD5
4cf366cda4fe251bc5d7fb4d7c30b8c6

SHA1
9d1b75ec2987dc86049c89e3dbbe3e1ded0a87e9

SHA256
74809d3d6d90b8f770e79b52fdc948202c7abff931f81a500f9a35c47660f397

SHA512
92c866ac050e73f318dda274c88abb84f1537a779d9f744032a8df3705338a5730d07b84ecb60da6cdf083cef3e91a42c2f68d7b6eb279d3ce8360333d0efc72

Download Submit
C:\Windows\SysWOW64\Fbnafb32.exe

Filesize
337KB

MD5
506b0c06bad8f9158540d582faa6fd19

SHA1
d3ea4a2f1ddf9b1c001578bf363b2cf11fe4c94d

SHA256
20b554c6f68d53bc70337634b82874f7754cf720425147cce68e2db8f944d645

SHA512
151226e6e57037fafb9eb005ef897521d443f90556b0376926583765e537c96ca602d528d3c66c71e274243f7b346517d32248ee6b734d5618d90f9d9116b510

Download Submit
C:\Windows\SysWOW64\Fbnafb32.exe

Filesize
337KB

MD5
b2ac19aa220f0850f54e8a669fcc889c

SHA1
d8f85255f709037ee7d8d2a7d9b3c46937589f05

SHA256
ccb08f4f03bbb93e8a4d3e03f6a4c9b1935bd829ec7833eee38a7abcb57ce6c2

SHA512
323a22eb5c6c31a035fb2ec6f0a6647f0df3308f6a73ce8b84265a8e961769558b12061f5a6bb6e2e59d4767ef85403482bb486207326aec2d707ba1a7523060

Download Submit
C:\Windows\SysWOW64\Ffgqqaip.exe

Filesize
337KB

MD5
0c4389e76e0aba4c68f077e45a7af471

SHA1
5d67cf3f963a190143f59015fdabb0e06dd74305

SHA256
d88f0c21c4bd5dfcad497b9a9a4e1921ee12571ed6c8a71202cf2f66b8ef27ac

SHA512
cc950ce77810e1a4e714e8d1cf5743c91e0c54a5908475981f2102ad1e74bcaa5a8b6baaa36bc42de00fefef43c531822e72a72ed0bc866c5f11ed281584e2db

Download Submit
C:\Windows\SysWOW64\Fhemmlhc.exe

Filesize
337KB

MD5
c4ab1f52a5f705c4af4980565397bca6

SHA1
062e11f022da53adaf9f51454e91a943ccaee384

SHA256
076e76ee6a8f02590f0307874cef1bd4cc408b9203ac4c5989712b9acf8b29ea

SHA512
4e4f1da1fc042fc31497db7a9ff47fed2e4581816142f8d24a9f863ac5b7f419f90d2ea0054ff2463a0c0a69ef91dededfad811f97b78215a3e2155e9ba3352a

Download Submit
C:\Windows\SysWOW64\Flqimk32.exe

Filesize
337KB

MD5
4b672aa1fea5693ba52bdaa5bcdb6530

SHA1
57e78a49d8a80ead6e76e15edab883a21a810ac0

SHA256
c2693cb22904c21819fa7da4df8a6685acd499d6e7c5f66e2fac8a9685b81522

SHA512
3afa2b3b1264576ef22ccf5a59211a9fac7218a19aadbff97485f76ee8f040feff7bea2c193bbac3f98fe401f425ce5ed5d8f8603d97249db661ed414d7a244b

Download Submit
C:\Windows\SysWOW64\Fomhdg32.exe

Filesize
337KB

MD5
fd6dc38c2579ad26c9f015e8cfaf1162

SHA1
e89f5877e4bfce6fd02959cb28ab17324b7a3d9a

SHA256
c32caa08030a38c29de948825237b2b4b7fe2e41bfd8bb501e34c9bf76bf91fb

SHA512
c5b44d5f4d0d55224790ec7fb01e48bb67314b6a5c9da0fcf91f8be13ce8d1468f69fb7933e5dca242caa64ba25c2a336260dea360d7796dcb0dae9eb9118d0b

Download Submit
C:\Windows\SysWOW64\Gbbkaako.exe

Filesize
337KB

MD5
69725ab9b0891e8bd01015a72bd410b1

SHA1
7340857a38b544af48fdc647b2cd2bc24b964b42

SHA256
ad4cf42c6bd211696b58f3fa333c0566549f9f5e1316d7f997d3e0065f8f7da0

SHA512
23eaaec5e285d5f36133af065d74a52c7d8fb5543309aa55fb0dee5a265305e3aa5a49dddc98efb6a1429fbadbb92af2e65f56d5f99e99cdd5814932e28d32f2

Download Submit
C:\Windows\SysWOW64\Gbdgfa32.exe

Filesize
337KB

MD5
55d5f9fbaac8df570a3f2eebbf5d8f45

SHA1
a0eec95843149ac3a7b2ee9bf4bc0be876f85f42

SHA256
b75e47069605b98f0c78dddf0c9c9960ff377ad23c4799fdd189dd48339afb56

SHA512
5f20d6548afc1b9a48a6fdde92e0dbe0d0cbc1bf2093ebd769c778f571fe92bd236a9817a42536e5c2edd5d11b3cc49cbc2fceea83ff7e19214b6f4027fbdd8c

Download Submit
C:\Windows\SysWOW64\Gbgdlq32.exe

Filesize
337KB

MD5
ff49ea1110d06b4dbe3c49862e6eaa01

SHA1
bd40c888f8f601745b1ac003075b9e25f0417a2e

SHA256
22df832c97e3cec8b4ccdbad7d8f16cf387d04e29eb316d6975d43eb3ee3dddf

SHA512
2f21b19fdabf194aa9194574d0646f352b1162398b681cb86c4875e5c2eb48ba1782ca58d152000d919746fe884e3a18b3b519ed395f5ffee0ca467d3f35ef45

Download Submit
C:\Windows\SysWOW64\Gbiaapdf.exe

Filesize
337KB

MD5
a3d84b739a75527b3da380e1268a8cf2

SHA1
22bb95c4527f368b1bebc78af4513e5dcb8a41e4

SHA256
720b645ac472081727a10f6952c026bbc8aa94e8727282e6b128df9c1f96440b

SHA512
6f7be30a960279de93b0832c102d29dd11660b1aa89a2bded0fe6cb254323cef4ad50da40caff7016b9aa1d17732d669514f717274d23a4cdb77f312a158cec6

Download Submit
C:\Windows\SysWOW64\Gblngpbd.exe

Filesize
337KB

MD5
702fdb9c66298349ce2ad5f854bc0d7e

SHA1
25970ed8d7d358d1c1d3f6e27e43354624d2cd35

SHA256
d4bba8e966a3efc8a14f0121bcfd935bbe90d1241e18bdf7608493488c4ff0e2

SHA512
6ff9af27f704e08f4d3352b773778fcfd83f85ece908b915912d214556ef839d217b782c01d35b25de16b848c2f36334438144b68ef99886b52f5bbb8815f6bd

Download Submit
C:\Windows\SysWOW64\Ghopckpi.exe

Filesize
337KB

MD5
bf57d2889e7d2e7b11d0aea77bca52c9

SHA1
e2efeabac0fc68e720a0d4f4b5dfac73b3d7fb94

SHA256
2c991ee7523410ad96246066b64e2ed5a30c0fcb575cfd7bd58244cbc6e0cea9

SHA512
1bbed47033580113ce7d44acbca2b57a8f2d8eac46173208dc43fd7c89b20286ebea98aa3d22b755cd055f484a2b15bcac9a052ba2424dc02bcefb112571859d

Download Submit
C:\Windows\SysWOW64\Gicinj32.exe

Filesize
337KB

MD5
ab1113641c4d5ac03a012e251a3f8250

SHA1
a9cf5c0173040cf88b9ee03b5b4bff97018c588b

SHA256
2fca7287d167ea74965e1d01329f4ad9c5fd91f72cd2d18926cd6d754affed07

SHA512
38e8209c6356acc3b74faeaf81686c9d396884083aeba9584b47a441f60e26ebdfc88c0a350b134c47b26caca3b03a818662f8e402066fa815b613fd5a955111

Download Submit
C:\Windows\SysWOW64\Glhonj32.exe

Filesize
337KB

MD5
d92318e3b3708a0e1a89ae28b7f7ffe5

SHA1
2135a0009755eda2205ffda0fe09cfefa1764a2f

SHA256
1a01d3325bd6fba21ba260227d5fb2ad6a029391fc041ca5cb3a4ae1ee93892d

SHA512
3b6f5fe30d424053199ce67337e01cb05ca31e3a57da5fb66d6daba083c38568d1c87a6f9c63b86a6535a1dd4bb750a07c37176d7b729a40f4824635926d3edb

Download Submit
C:\Windows\SysWOW64\Gmlhii32.exe

Filesize
337KB

MD5
7f1ad94ab0629ecbc600b8d2fc2dc482

SHA1
df3f3cbb660935a46394743b4be44be06f7c0bd2

SHA256
c80ae9336793318c58907072f5f6797b321a13cd7f81f938c5ec50db846ebe5a

SHA512
944e679b9bfe9679bd1c53be320afa0ba3163c465b80c819602cc7882bd55ca128c9eb10d68f924acdf3db3f5a66232c825700913079e0675bce20c74abad214

Download Submit
C:\Windows\SysWOW64\Gomakdcp.exe

Filesize
337KB

MD5
4064c34db863623da683f8aa47064be0

SHA1
17b5285a6b99db6ccfc4fda52e4c554f4328647c

SHA256
9b3d1f3b9df17f9c18ae0f1a9e857ef1f044d4a28fe18a071a64fac1e9bb9da3

SHA512
0113c86eea3990125d637e2b669d9c57e4431fb93aa0dbbc61ee7a001c6bdeefcf1e45d3be7e90fd748d94022de01e76546dfd2808ef33bbcf214a7d44b3e6d3

Download Submit
C:\Windows\SysWOW64\Hcdmga32.exe

Filesize
337KB

MD5
d74a812b7867d615b1753b741eed2818

SHA1
b45279fc3d0fe962c0cbf78bf56eb6b1d41205ad

SHA256
a2465b13f201d5a8d831a731937eaca8f79a8e76ad6bc0878305f85d5add42fe

SHA512
ab3cbdc7d3c7b038c9315bb5d9f5b2056c9acf07238927310c6b80bf235958b5fe83f63220fa5b2952438a0d048f254c4ddf884be3826060ebdf01d1eb286591

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
337KB

MD5
7e4bc92972027b3cafa974e33eb08fe6

SHA1
9bf087c0342b73b19a328645f30ff9e73fd46599

SHA256
67ed1c493bb447f227242e8cd42ca543a9f3cd3bda33957ebc86792ebbbbb1de

SHA512
d07b0b9346722ac47260a419d0f104d775fec350d180f87fc843f60434fcef2baa1076dd2eda919b763c89f6c9872cdd53a93cb1fb70fea4730bbf27075a3b4f

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
337KB

MD5
f3d9646a3c439b29bdd1753d1e0f23d0

SHA1
621bad013728ca86f85b9c9ff1915e9b046197fd

SHA256
ecd4f481c25946611d610b1b58cc00bc67d480a9cb0aea27373a17b493c13579

SHA512
06694767ecfafbb4f819ba591d021de92c1419289be509247b8cb0fe2c700f1fcbe4837cdb64a3bd8352db7e28de089d856b7f55f03f3443d4fd172f72512301

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
337KB

MD5
22932c5ef0d6d54a41958d789fe14d05

SHA1
02635aa998f93da4e7550e5e456f547a3acdc4bb

SHA256
b089a9d0bb86031eb6d0ae4d8b1bc9e677a99607782b9a6f359b739b587e6849

SHA512
5231439534ff92048e2479bd8a4243e52a625907d4803d47d69a28f7f8089282e46fdedbf7d64911b37985e40416bfd8068286be0f6e5467a30f94716fc2f0ce

Download Submit
C:\Windows\SysWOW64\Hecmijim.exe

Filesize
337KB

MD5
9f51b41feeac88c0bfafdcce9cbba5cc

SHA1
6db9b6aa9582e8909df86dc9c78e34e4dd160552

SHA256
7aeedf84a6e5e764e4dc680eef432d3d489748762b9b20f972fd311080fe7fd9

SHA512
be54cdd0f4ffcc55146c2fb98214e66752f0426bc6e0648bcc932a2b5ca9730f3d8f1371374b482232680ae04e18939fec2b18b0d21a16dc7c87718f9e7e5557

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
337KB

MD5
575053fc7a352df54c04f5e098032516

SHA1
fd5f75849c6132bd7d81cbdad85f810b4ee9b4b6

SHA256
f4054478a0294410af091fd4ddbe8d121a4f3ee88c8cfc14588d7bd3540a6ca1

SHA512
9c8cd2397616c165e583b10ad45203309f6cbf89773b89380f775f33f2768ed0629b1246349bd68504a6545bfdde3a2e4f49b18b14dbb280add44377e736b7c9

Download Submit
C:\Windows\SysWOW64\Hflcbngh.exe

Filesize
337KB

MD5
b41ebd38f2a8c644eaf4e0287fc97907

SHA1
4cb2ecfd69b37e1b2a4d6edcc1a9ed74754561a8

SHA256
4176b590fc6c8cf3256a4b094a73714044966757621891d497d0bc9c80905271

SHA512
5986b1deecc1142638b493fe7441a45a98f61d94d0146613ee52360b02a3219936cfc8102034fa072a8738dde5b5c2eb5ed84952999127053b3b9556b3c0c76e

Download Submit
C:\Windows\SysWOW64\Hkikkeeo.exe

Filesize
337KB

MD5
5365aa75bdf247d6327895aa9f261c5b

SHA1
16eadcef807da2af897bb63853d445cec9953d7a

SHA256
6d33292fc88407176d44589af845f5af308208c1707ccb4f6d52a8839cece521

SHA512
913276abd5031d699a4e1efb15f153bba8b3cc43b79b522da5c2abf5324afd4f946ab9e36173ff0b27fbb50b50f58b5b918473e82fcb29ec83d8644f294fc053

Download Submit
C:\Windows\SysWOW64\Hofdacke.exe

Filesize
337KB

MD5
1ac7dde8f49698d1b70588d2a9bc1684

SHA1
e006dedd590295ff7328644c553aa4a7cc264c29

SHA256
5c1ba311b454533dca8a443696d680277dd517a27b49397529c318ff27a92d30

SHA512
6d8fb756a8e612e7539ea17b2882bef3dc2a38290784b014b485ceeabc12a25fe2ece7c18e363adb538c4abbbee3b70dde1b470e5045c9b71147e125e34487a2

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
337KB

MD5
0c7fbd31c2fdbf6fa51808693ac12687

SHA1
5627a83b833a19f021277ad0633c3506fb70f195

SHA256
d07a1e9abdd62e3c753e2be1bd523acb0b7e5e2b433c7c5c37b0b2f5140afcf7

SHA512
8c6f9df1f264b17ade044b4c1a77ad23c5fa06e144eb7bb895b0277125a0773a11ee4027002cb4af8ba1f447bd3a64df87287177f487222826b642da2b96cc7c

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
337KB

MD5
932e6a11a8f6564353824bd3455876e5

SHA1
f83586f12e73040f2b067eebe29d0bf11bbb70e5

SHA256
3222e5c1393f1c911eeb11b19dd81799e6ba02685048cb27cbb6421b8823fa3e

SHA512
34000cfcd7caea910c46f566174f9ec7c8d389585162a43d0e5d7feaee236ef9bad1351edc0eecf60b6b724080ee0ff8620613814f48f4fc4c3401b5c62d449e

Download Submit
C:\Windows\SysWOW64\Ifefimom.exe

Filesize
337KB

MD5
d1cb732935facca7b4be0d8ec0914422

SHA1
8e5043dc18f1efe651f3c03abf980068524ef5cf

SHA256
e22ebbb28bf17bf1f3905d6e528bb7f0ae8b84eba7ddb0f17f08605f64f83b5b

SHA512
81b612a0a03382b4fc3cca3a504a11b576edcc62e3a63f0c2cc0e11dee967ff2d2ce0c6ab66be0db00e9584ee1ec2090aba6d4d002d1644f7a34892bc9584d98

Download Submit
C:\Windows\SysWOW64\Iiaephpc.exe

Filesize
337KB

MD5
509d78f8cca4e7fc096082ff14e394f4

SHA1
66f22d1c66ea554033718bc9fb75e04905139b9b

SHA256
412f56937527264ea43a9a4d86459a3da6076b96e51a220014380c58334c1aa3

SHA512
5c95720af421eaa1e6e2758afed3e58f843332c1f63ff860ad12bd5b638b889873dbfddcceab778aaa4ed0090342bd5958e08b8f3ace520b6b457bd5f0d1d144

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
337KB

MD5
174ef8de18dbe612fc531a12f293afb3

SHA1
5c6699a498f1b246baa63153132aec30cd906c84

SHA256
dabaebdb66b667b67e3acac5ceaf3ea7316cf3ccae6d41b7ff807cfc33650b12

SHA512
94985a81602578a9bd32ccc78302aebc29d9d0351c60a3b17d9890ae1812cff63611f8bed110a02dc39d80933eb30a06178ab044aa2d27d2985a1d144ff388ca

Download Submit
C:\Windows\SysWOW64\Ipdqba32.exe

Filesize
337KB

MD5
b35c36d31d13b3cf4e10d8f447336cb0

SHA1
eaf027ab9986e30f95d8fb6ba7c07d2b35738568

SHA256
0d66d027729a081aa6bc1c4fcb6723583ed1ee4c7db9b34735f876c825adcdd9

SHA512
c9fbbb08c0d7f316a1eb526d1232ba4f9700d748d787b9f55c14fb3096f3174b11d2d6398c619a2e0cfe95099fbfd1ddafa257d9569e5859062a48f4fc039536

Download Submit
C:\Windows\SysWOW64\Ipknlb32.exe

Filesize
337KB

MD5
cffc81c47f1ecacd1adc52d128acddbf

SHA1
8de2e5e2fdef132c85373b184fe936f1a2544f66

SHA256
0c8eab8bfef1e0cd45e7224729b190a2d9813d1f5b4034046216e6b33b02486b

SHA512
aa0e52d80a6065b934b0c64bd9874cb2db6078895070635533b68c0e22fd6bda1e5950906336714ca1c0fca6551a6ecaa301da455df65d1fe2ab560ed61a7a5d

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
337KB

MD5
5c2d1e3d32935873aa687032f5dfa1cd

SHA1
cbcbdb9b5b0d181f02d433fd8a693e3be55badbc

SHA256
5d13d4c3357574e13dba4bd1ea80b8dcb6a4285761a2a6d0e890016603aff242

SHA512
a127b8cd1d7d0cba4dbea9fb8e048ae69fed7ccdf34860084d04e984cd67e9333fdfe62a32cd9364b44c28ed902195e8a0fedbd25cae072833e25a39a4048d18

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
337KB

MD5
620fa9c45230aa4e0ec45999dcaa3843

SHA1
ffa3649cc56dcd3bb5f3491e7db1cf3d707f8ce5

SHA256
21d9edecd985e25327b49e228feda4458d80d2ce7f00df7200e9d790b57c15c0

SHA512
88817a3f0e44fb2dc1650bda94eaa991e9e1da3f8c9fc96c1aec05c11fd02ce8ea00c7fe7378bed8103ee5d59077811805ccf80755189493fe1fab4f004002e7

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
337KB

MD5
d29f2ad0ed2aec1f6586dc3db6fce8f9

SHA1
eb8968ebf3db9ec9aee80676e7d1375245318261

SHA256
9bdbc036888399a2338bc7a3d27657b321db9a05e08a7772585a266196ff2f98

SHA512
e177a6fb18214197ca8fdec129b3b23cc346cc56e984a7a02dc2e519da0c047e8029804240cc4c485439eb4b2f025f1c4f14b2106f1c7a49eaaf5810af9ad024

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
337KB

MD5
268dbb1e5433d9f877e87275b49b1595

SHA1
1ccc805cef88d27ca309c66e8800d3ad7aa5603b

SHA256
2372484f8a9f94add493898135f15d38f3b0d1b565ed8c95438d510391f3f86f

SHA512
4ea1d3b45bcac3cee89131f7390bd1d53e804e45883015b87e1187b6bec2d7bf2b078bf6b9096e228d91be60aa80e52620dedfa82fe60e5cca05ceefb86669ae

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
337KB

MD5
05bb5704b366fb686e6c197a659ca4fa

SHA1
5b7040780a9ceb2ce630efef667c0fc8e40cd678

SHA256
330a9d24673cbf793cd3a60953ab805daac9b02ca49e54eaa1fb0539da280076

SHA512
d8660869e36bcb47aebb0ec6ff36eb7b8629ed1a6828aaea5b1a239b43ee2334b1f72fab590a8cc3ce6b49bd089cca51318a855d3843914d08b70fdacd1e6210

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
256KB

MD5
f752190e9f4f8a85285e049f25c7d2ba

SHA1
6c1ce57ae71c75c15ad06d3a9614db18ec3326dc

SHA256
59c1714053f1b4f3d7d2f0fc05ec6654c89ccf89ca9217761ff21b34326bb704

SHA512
99e1eb3c8837add69905b301cd155c5c61021889356e25eb4c03d9489af9e512e6f76c9c0ef8a7afd3831821e2fdf673cc3a8169542b39ac2d30f441e7176c89

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
337KB

MD5
ae68b354929c9687a3c563770141eeb5

SHA1
d3b47d3bc2f8193d330ba8fad2781a95cf6a002b

SHA256
c15a936d47159d2728c63efcc96cfd90beab45ac3fe163641b47d5b3521415f3

SHA512
e0ceff5b7060fd1ac6b00c0640729fbfe90ea72d0eb145c15b2e30ee13dca0188a2a931967d659026dbc31c15d9a21a613e0d084b7e0fb363ee4abdd7e338730

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
337KB

MD5
36613888b4a57d206a9fa14bbc459297

SHA1
be5d42c1cf67f024ce73170e105a5e0c29602d61

SHA256
9d6684712c5deb325f85b1558cb3afc9124932eebea9260a9aae2ae6734c3515

SHA512
a477b00228e791d17211eede06e3081b8dea1a49e597da77e6d4632cb255e476d1562f233acb1cb6238a97fb7a34b899a15ecc66a54143774b151257895d8496

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
337KB

MD5
bff6d01b9123fed9b524496621ae8127

SHA1
a76f096225f89cd823d9276424b080437d90113a

SHA256
f14ddf96cfe7d93d77612a8344339df701128d1b1e13f28ed8cd5aedfc0afc6c

SHA512
dbe020a76816e33f3e3e4b362245bbde4629bedb711788d81940cc903fb832d05f04614918a7148e0d00d66a35585f5fb565e3de5e10d27f3ce960e83e7fe4ec

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
337KB

MD5
805d32ec0e057097e148ff8ffafca129

SHA1
741e84f23f1eac7dae61141fdc9ff9f7b0d78c00

SHA256
7392c1cd3a563fd2d8c3b2e8953a08f2fa4550e96cfd688ba46bf1e1cff241a9

SHA512
fdf5ea4edceb5138840edd24f1e84febab8511e4365d472a25d30d93e3b092152b2de84e652e76b021191c1049b69c3c95d53de30315ae6d6f336f26d6793ed2

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
337KB

MD5
9456c67cdb9fd7b6dcd10754fa8d0e63

SHA1
d5f77ed6840372bd2190fce67a5134eaca039924

SHA256
f6ee54683f02215bf33c77f469c8230bbebf8e9638ffbe7920e913bde19ccb77

SHA512
3064356eb98ecdee990271446720e88ce05103e9e4927f83a74a2e14ef2310ad12f664c6f5d25a4e8686d8a92e54e5885553397bef4fda2108cd5e5b291d2ab1

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
337KB

MD5
4e2426d4130691b34ed4dedfeacffc54

SHA1
0a3aaac9b3f911e514d2663d2ae2b919db99daa7

SHA256
22d932549edb79bf91d9b6a5bbda341c5cf70e206e100827a38c99d4385c6829

SHA512
1dc3ccfad7298358dadc4bf79ead14baad74fb0686336d4909cd49418f5941929127076df8a2122b572acc0409eef568e333d2318885e9190128ffae5fa51ddc

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
337KB

MD5
e63428a1eea89a36646472dbc63e162c

SHA1
6f6229aa31dcd6df61e206a0a962c5603cb49249

SHA256
9419a55354b5ab7f5633896ee21984cb9f276c3b18f2c2a45e4505f33e889494

SHA512
cde2eaef21473d8a12e1a14a70319b7d5ddd7219c9e6d8f40d3b337c6f9a501ab82a786aa30b529ff9dca386027266d561ed3350d5e678fbf771563569f4122d

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
337KB

MD5
9d5469eb3d63d81439dd4e964c9b6692

SHA1
0ecd8f109636c648b4464c28b7e140933ba2a8f0

SHA256
6fdcfeba0d98dc5cd044426a5ed5625f71a8bc9e175a6531b62a5986508fd059

SHA512
b29a7fe839c6d17d61d8568248efe47df11d92c77f15d268d1a77c43721293848b2b01f1511dc44c66d0552e3553e9722be0e4697031f23b9f870148b96bcbbb

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
337KB

MD5
a4898bbfd7851de7bcd1337ea927bec0

SHA1
ca253122e620e31fbfbc2eac09509c992e6569fc

SHA256
98192ae98024fad28e8becefb547fc940943b59254361f50f03591f3f6e257ec

SHA512
58df3140efaadedf8c9f1069980449cf7205310b2a1985b49de06895a48cca7156fa4b43f3364178efe930703a229f8d277f78cf1f94e09d3e814232ce53205d

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
337KB

MD5
f4531a20bcca28f90c5962ec6fa2dd04

SHA1
5882ab04c7d195134b99bf30b157f41f67d8f74e

SHA256
41166a8d8e40177cebe75d97f3410870f7dd41de68516d37e3f0887632c2b20b

SHA512
c86af189f292135596d1f3a25f111bb730d64b45061008fe56de87432752baf2323938aa87908c202fdfd481f608900d5bd6bfe3462e1e25b28b1781beddf806

Download Submit
memory/548-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1596-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5756-1398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6192-1337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6556-1363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6688-1323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6696-1358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads