e6ae6e4b41ec6f4d905e2dd8cf7f3211d711ce1e9642d8750d4b1c5790959696

Analysis

max time kernel
115s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f4bd1debed5e92d7837c95d7de91bb0N.exe
Size

96KB
MD5

2f4bd1debed5e92d7837c95d7de91bb0
SHA1

e83d870f82615992db9057a08b9a0167cdd572cc
SHA256

e6ae6e4b41ec6f4d905e2dd8cf7f3211d711ce1e9642d8750d4b1c5790959696
SHA512

580a847b8c8f860d645ad04a122c04a340b4edd9a467f32d07327ae9597cf83da9f2e9d2b2520aa00fd8586a2ddf2de89097d7577d3242d7028f7f27c801b1b7
SSDEEP

1536:JG6mbf2dSm0Y1rVMbVK+Hxh6MTl2Lk1U2PXuhiTMuZXGTIVefVDkryyAyqX:JNmbf2dUgVM574MaaVPXuhuXGQmVDeCv

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbdnne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2f4bd1debed5e92d7837c95d7de91bb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egpnooan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejojljqa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekgqennl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpnooan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgihop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daollh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgdkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcibca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnngpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dckoia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dckoia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dalofi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eahobg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdkdibjp.exe

Executes dropped EXE 45 IoCs

pid	Process
3856	Ccppmc32.exe
4312	Caqpkjcl.exe
3576	Cdolgfbp.exe
1620	Cildom32.exe
4064	Cdaile32.exe
2624	Dgpeha32.exe
3008	Dmjmekgn.exe
4272	Dcffnbee.exe
2716	Dnljkk32.exe
3980	Dpjfgf32.exe
536	Dcibca32.exe
2344	Dnngpj32.exe
4356	Dckoia32.exe
3996	Dalofi32.exe
4956	Dgihop32.exe
2740	Djgdkk32.exe
3344	Daollh32.exe
2828	Ekgqennl.exe
4632	Eaaiahei.exe
1996	Ecbeip32.exe
5076	Ejlnfjbd.exe
2440	Enhifi32.exe
4420	Egpnooan.exe
2352	Ejojljqa.exe
2224	Eddnic32.exe
2008	Ejagaj32.exe
4428	Eahobg32.exe
572	Ecikjoep.exe
5072	Eqmlccdi.exe
1060	Fclhpo32.exe
880	Fnalmh32.exe
2044	Fdkdibjp.exe
3512	Fjhmbihg.exe
4224	Fqbeoc32.exe
3052	Fdmaoahm.exe
3988	Fglnkm32.exe
2572	Fnffhgon.exe
4888	Fbaahf32.exe
4572	Fgnjqm32.exe
2276	Fjmfmh32.exe
2860	Fbdnne32.exe
4504	Fcekfnkb.exe
3584	Fklcgk32.exe
636	Fnjocf32.exe
1520	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Dpjfgf32.exe	Dnljkk32.exe
File opened for modification	C:\Windows\SysWOW64\Egpnooan.exe	Enhifi32.exe
File opened for modification	C:\Windows\SysWOW64\Fgnjqm32.exe	Fbaahf32.exe
File opened for modification	C:\Windows\SysWOW64\Fnjocf32.exe	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Cdolgfbp.exe	Caqpkjcl.exe
File opened for modification	C:\Windows\SysWOW64\Fcekfnkb.exe	Fbdnne32.exe
File created	C:\Windows\SysWOW64\Dgpeha32.exe	Cdaile32.exe
File opened for modification	C:\Windows\SysWOW64\Ecbeip32.exe	Eaaiahei.exe
File created	C:\Windows\SysWOW64\Fjhmbihg.exe	Fdkdibjp.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmbihg.exe	Fdkdibjp.exe
File opened for modification	C:\Windows\SysWOW64\Dpjfgf32.exe	Dnljkk32.exe
File opened for modification	C:\Windows\SysWOW64\Dnngpj32.exe	Dcibca32.exe
File created	C:\Windows\SysWOW64\Enhifi32.exe	Ejlnfjbd.exe
File created	C:\Windows\SysWOW64\Fgnjqm32.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Lncmdghm.dll	Cdolgfbp.exe
File opened for modification	C:\Windows\SysWOW64\Eaaiahei.exe	Ekgqennl.exe
File created	C:\Windows\SysWOW64\Pbfbkfaa.dll	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Jnblgj32.dll	2f4bd1debed5e92d7837c95d7de91bb0N.exe
File created	C:\Windows\SysWOW64\Dpagekkf.dll	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dckoia32.exe	Dnngpj32.exe
File created	C:\Windows\SysWOW64\Lnedgk32.dll	Enhifi32.exe
File created	C:\Windows\SysWOW64\Eaecci32.dll	Egpnooan.exe
File created	C:\Windows\SysWOW64\Gadeee32.dll	Fjhmbihg.exe
File opened for modification	C:\Windows\SysWOW64\Dnljkk32.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Ekgqennl.exe	Daollh32.exe
File created	C:\Windows\SysWOW64\Eddnic32.exe	Ejojljqa.exe
File created	C:\Windows\SysWOW64\Fdkdibjp.exe	Fnalmh32.exe
File created	C:\Windows\SysWOW64\Fachkklb.dll	Fbdnne32.exe
File created	C:\Windows\SysWOW64\Fklcgk32.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Caqpkjcl.exe	Ccppmc32.exe
File created	C:\Windows\SysWOW64\Eemeqinf.dll	Dcibca32.exe
File created	C:\Windows\SysWOW64\Daollh32.exe	Djgdkk32.exe
File created	C:\Windows\SysWOW64\Elfahb32.dll	Daollh32.exe
File opened for modification	C:\Windows\SysWOW64\Enhifi32.exe	Ejlnfjbd.exe
File created	C:\Windows\SysWOW64\Klfhhpnk.dll	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Djgdkk32.exe	Dgihop32.exe
File created	C:\Windows\SysWOW64\Camgolnm.dll	Eaaiahei.exe
File opened for modification	C:\Windows\SysWOW64\Fnalmh32.exe	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Fqbeoc32.exe	Fjhmbihg.exe
File created	C:\Windows\SysWOW64\Fnffhgon.exe	Fglnkm32.exe
File opened for modification	C:\Windows\SysWOW64\Cdaile32.exe	Cildom32.exe
File created	C:\Windows\SysWOW64\Cnidqf32.dll	Fdkdibjp.exe
File opened for modification	C:\Windows\SysWOW64\Fqbeoc32.exe	Fjhmbihg.exe
File created	C:\Windows\SysWOW64\Egpnooan.exe	Enhifi32.exe
File created	C:\Windows\SysWOW64\Ejojljqa.exe	Egpnooan.exe
File created	C:\Windows\SysWOW64\Jodamh32.dll	Ejagaj32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fnjocf32.exe
File opened for modification	C:\Windows\SysWOW64\Cildom32.exe	Cdolgfbp.exe
File opened for modification	C:\Windows\SysWOW64\Ejlnfjbd.exe	Ecbeip32.exe
File opened for modification	C:\Windows\SysWOW64\Eahobg32.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Dnngpj32.exe	Dcibca32.exe
File opened for modification	C:\Windows\SysWOW64\Djgdkk32.exe	Dgihop32.exe
File created	C:\Windows\SysWOW64\Ejlnfjbd.exe	Ecbeip32.exe
File created	C:\Windows\SysWOW64\Fdmaoahm.exe	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Dgihop32.exe	Dalofi32.exe
File opened for modification	C:\Windows\SysWOW64\Ekgqennl.exe	Daollh32.exe
File opened for modification	C:\Windows\SysWOW64\Ejojljqa.exe	Egpnooan.exe
File created	C:\Windows\SysWOW64\Fglnkm32.exe	Fdmaoahm.exe
File opened for modification	C:\Windows\SysWOW64\Fklcgk32.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Gihfoi32.dll	Fbaahf32.exe
File opened for modification	C:\Windows\SysWOW64\Fbdnne32.exe	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Cildom32.exe
File created	C:\Windows\SysWOW64\Dnljkk32.exe	Dcffnbee.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4840	1520	WerFault.exe	137

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caqpkjcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcibca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejagaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnngpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekgqennl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cildom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dckoia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgihop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecbeip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejojljqa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdmaoahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcekfnkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fklcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f4bd1debed5e92d7837c95d7de91bb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjfgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejlnfjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqmlccdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclhpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fglnkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdolgfbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgpeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnljkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpnooan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddnic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjhmbihg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccppmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjmekgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnalmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkdibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjmfmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbdnne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daollh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaaiahei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eahobg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaecci32.dll"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbfbkfaa.dll"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahkdgl32.dll"	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camgolnm.dll"	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnelfnm.dll"	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohogfgd.dll"	Dckoia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dikifc32.dll"	Ekgqennl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokfdpdo.dll"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnimkcjf.dll"	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efehkimj.dll"	Dnngpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejojljqa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egpnooan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icembg32.dll"	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcgahca.dll"	Cdaile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjfgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnedgk32.dll"	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll"	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acajpc32.dll"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnblgj32.dll"	2f4bd1debed5e92d7837c95d7de91bb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnngpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celhnb32.dll"	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnidqf32.dll"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjnmkgom.dll"	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2f4bd1debed5e92d7837c95d7de91bb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fachkklb.dll"	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppkjigdd.dll"	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnalmh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 3856	4536	2f4bd1debed5e92d7837c95d7de91bb0N.exe	90
PID 4536 wrote to memory of 3856	4536	2f4bd1debed5e92d7837c95d7de91bb0N.exe	90
PID 4536 wrote to memory of 3856	4536	2f4bd1debed5e92d7837c95d7de91bb0N.exe	90
PID 3856 wrote to memory of 4312	3856	Ccppmc32.exe	91
PID 3856 wrote to memory of 4312	3856	Ccppmc32.exe	91
PID 3856 wrote to memory of 4312	3856	Ccppmc32.exe	91
PID 4312 wrote to memory of 3576	4312	Caqpkjcl.exe	92
PID 4312 wrote to memory of 3576	4312	Caqpkjcl.exe	92
PID 4312 wrote to memory of 3576	4312	Caqpkjcl.exe	92
PID 3576 wrote to memory of 1620	3576	Cdolgfbp.exe	93
PID 3576 wrote to memory of 1620	3576	Cdolgfbp.exe	93
PID 3576 wrote to memory of 1620	3576	Cdolgfbp.exe	93
PID 1620 wrote to memory of 4064	1620	Cildom32.exe	94
PID 1620 wrote to memory of 4064	1620	Cildom32.exe	94
PID 1620 wrote to memory of 4064	1620	Cildom32.exe	94
PID 4064 wrote to memory of 2624	4064	Cdaile32.exe	95
PID 4064 wrote to memory of 2624	4064	Cdaile32.exe	95
PID 4064 wrote to memory of 2624	4064	Cdaile32.exe	95
PID 2624 wrote to memory of 3008	2624	Dgpeha32.exe	96
PID 2624 wrote to memory of 3008	2624	Dgpeha32.exe	96
PID 2624 wrote to memory of 3008	2624	Dgpeha32.exe	96
PID 3008 wrote to memory of 4272	3008	Dmjmekgn.exe	98
PID 3008 wrote to memory of 4272	3008	Dmjmekgn.exe	98
PID 3008 wrote to memory of 4272	3008	Dmjmekgn.exe	98
PID 4272 wrote to memory of 2716	4272	Dcffnbee.exe	99
PID 4272 wrote to memory of 2716	4272	Dcffnbee.exe	99
PID 4272 wrote to memory of 2716	4272	Dcffnbee.exe	99
PID 2716 wrote to memory of 3980	2716	Dnljkk32.exe	101
PID 2716 wrote to memory of 3980	2716	Dnljkk32.exe	101
PID 2716 wrote to memory of 3980	2716	Dnljkk32.exe	101
PID 3980 wrote to memory of 536	3980	Dpjfgf32.exe	102
PID 3980 wrote to memory of 536	3980	Dpjfgf32.exe	102
PID 3980 wrote to memory of 536	3980	Dpjfgf32.exe	102
PID 536 wrote to memory of 2344	536	Dcibca32.exe	103
PID 536 wrote to memory of 2344	536	Dcibca32.exe	103
PID 536 wrote to memory of 2344	536	Dcibca32.exe	103
PID 2344 wrote to memory of 4356	2344	Dnngpj32.exe	104
PID 2344 wrote to memory of 4356	2344	Dnngpj32.exe	104
PID 2344 wrote to memory of 4356	2344	Dnngpj32.exe	104
PID 4356 wrote to memory of 3996	4356	Dckoia32.exe	105
PID 4356 wrote to memory of 3996	4356	Dckoia32.exe	105
PID 4356 wrote to memory of 3996	4356	Dckoia32.exe	105
PID 3996 wrote to memory of 4956	3996	Dalofi32.exe	106
PID 3996 wrote to memory of 4956	3996	Dalofi32.exe	106
PID 3996 wrote to memory of 4956	3996	Dalofi32.exe	106
PID 4956 wrote to memory of 2740	4956	Dgihop32.exe	108
PID 4956 wrote to memory of 2740	4956	Dgihop32.exe	108
PID 4956 wrote to memory of 2740	4956	Dgihop32.exe	108
PID 2740 wrote to memory of 3344	2740	Djgdkk32.exe	109
PID 2740 wrote to memory of 3344	2740	Djgdkk32.exe	109
PID 2740 wrote to memory of 3344	2740	Djgdkk32.exe	109
PID 3344 wrote to memory of 2828	3344	Daollh32.exe	110
PID 3344 wrote to memory of 2828	3344	Daollh32.exe	110
PID 3344 wrote to memory of 2828	3344	Daollh32.exe	110
PID 2828 wrote to memory of 4632	2828	Ekgqennl.exe	111
PID 2828 wrote to memory of 4632	2828	Ekgqennl.exe	111
PID 2828 wrote to memory of 4632	2828	Ekgqennl.exe	111
PID 4632 wrote to memory of 1996	4632	Eaaiahei.exe	112
PID 4632 wrote to memory of 1996	4632	Eaaiahei.exe	112
PID 4632 wrote to memory of 1996	4632	Eaaiahei.exe	112
PID 1996 wrote to memory of 5076	1996	Ecbeip32.exe	113
PID 1996 wrote to memory of 5076	1996	Ecbeip32.exe	113
PID 1996 wrote to memory of 5076	1996	Ecbeip32.exe	113
PID 5076 wrote to memory of 2440	5076	Ejlnfjbd.exe	114

C:\Users\Admin\AppData\Local\Temp\2f4bd1debed5e92d7837c95d7de91bb0N.exe
"C:\Users\Admin\AppData\Local\Temp\2f4bd1debed5e92d7837c95d7de91bb0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\SysWOW64\Ccppmc32.exe
  C:\Windows\system32\Ccppmc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\SysWOW64\Caqpkjcl.exe
    C:\Windows\system32\Caqpkjcl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\SysWOW64\Cdolgfbp.exe
      C:\Windows\system32\Cdolgfbp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 400
        47⤵
        Program crash
        
        PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1520 -ip 1520
1⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4376,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caqpkjcl.exe

Filesize
96KB

MD5
bb55bfcd255adc5397cd4bf02ad6bebb

SHA1
42bb33f5f2b0554e8dbf2a07e79b64d4f6a220a1

SHA256
41d34f75900214000f441d3aac1ffa786edce6b87ebb2d074c08ace5b85c9b09

SHA512
1bf5f98418ebf32994e80126678ea8bb4e4fcfa79bc68d73d3d06a7b567c674b2fcbae7ec9ebd91a08c40e708284ec675e53c37047616470512aab699c9603cb

Download Submit
C:\Windows\SysWOW64\Ccppmc32.exe

Filesize
96KB

MD5
d0fc0b6ab5c08ead13ab601193773d7d

SHA1
9ef6002f7fee625e7c30b57b12feb7cecf5097cb

SHA256
37082e512f2f918f27636470629327ad4043e0036eff63d6370143b804d50408

SHA512
02be647840544352b87888603069152377f66ee04396e1ae176168b74b2d42c53e389be7554d5e2e35a59c3ed421baae2bd528a545b4936cef4e98e02a64b276

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
96KB

MD5
095b7eaf341a1c3a9c34680a39b2f0b8

SHA1
ec91daccb12b7a1ccf4fff3ed8840f61b1a06352

SHA256
6e9a90f9e2a52fafc9eb755e6d9a3a4f6651670dd77895f6f6f42131563fd07a

SHA512
5169c988d7bcb9eaec435fccea07db21d50506cf24c40ff5952bc1cffcbdc2f19601fd044f050bf318d5a100c0d2290b85398da9c58ffec67538236bcc3c3c9d

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
96KB

MD5
45fb1fc216e281285292c962a968f850

SHA1
a6c0ab7c199779a9b913e1b47ecf8895344a4ce4

SHA256
f31f927ecf9bc7c3bf9827665e663c5955edca335cbcf12215522ea4d453677a

SHA512
bf78764ee2d466a98b667add7dfdf4b6b29e0c731cb3790b5129665fb73c91583a6b795f7eb4f9683ac1a1cfa14b083d781606407c23be27fb1a8e250bc2a2a2

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
96KB

MD5
1ee154e80246d2b6c351a90079454949

SHA1
b5e93ab66282b65df8829aff55738f218d74c5f1

SHA256
7d4abac588df37b24956ce7d20dfb95b8476169cca7411c332a94b3864f919f7

SHA512
aade17a9f7f3ddd6d4a68e8f84ffe1784cccfe571b4dc3b950b47ff8412de1ead7400c988b86003985844d3979cc2bc31cc09ca6afb8746f122477c9bc9d7c8d

Download Submit
C:\Windows\SysWOW64\Dalofi32.exe

Filesize
96KB

MD5
f23edd95c86303184b13fc11d028c23f

SHA1
757037147e3dd345b61b0eeb38d1faca89fd99a2

SHA256
1a3b251068d9e36a9f765388e3709e4db9075a7400645e64ca238497835c19c7

SHA512
d2d25e8deeb62ffa1d7ea7ca561141ec20b5eababf016a0244aebc82f8c9bec3b6a33e78f9d12b59208235ba5aa6e6509f358537348d50e1298e42204b8430d4

Download Submit
C:\Windows\SysWOW64\Daollh32.exe

Filesize
96KB

MD5
797f01aaf55c116ad76e6ac23bdaa87f

SHA1
6d05192702bd644facf90a1d1868fb8587344093

SHA256
e6a1eb22bf0dd43e81d55123859715a2fdd253df91eb45fb21e042306345043c

SHA512
c19ad9b927ebab148b4d7a89ae217c97df8fc4fdbfbe0e1cf1362ee3177d62e9b276a3d9ab36297fdefb8089bc7913a67f732b1bb458f9b1fb9a672cd7fc8ee0

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
96KB

MD5
7ed4f11d636ab31e7e3909cb4a8618a6

SHA1
33c7e721b6af7e08e9bf578a520d42d32ab7274f

SHA256
290ead4611fc150fcc95dd846951125120da69b0474d98b2562bce721d70c2cd

SHA512
08a499a5d8d0763ca1389d91e5c92421fc2b7f65def808152b1152efc191655265c5222fd0126244a7474403d99cd9e25a575906063ee6a610810f355fb61643

Download Submit
C:\Windows\SysWOW64\Dcibca32.exe

Filesize
96KB

MD5
8a3558c5e5bd62e45f9c0df2d4a2f916

SHA1
3e10bea3abd33c024e9d7b96addee38250574876

SHA256
f8400e124ce5211e48ab341cbe41303c8933a68595e4bcd3e8f29f5ff003b3d8

SHA512
47c065e1a44c2a92ac7673096d91fb2ef593ed520e15a76832ceff4220756783a5933a7aa50fb52a187e21689ac7bd8f85521178317f871e48910f0aa392dde1

Download Submit
C:\Windows\SysWOW64\Dckoia32.exe

Filesize
96KB

MD5
e1cb02365ed9ceb416770363e9bfe89f

SHA1
8db5f34e9f7b42c168f4c0e29644137f2b9cb775

SHA256
9ae626991ea2ce5ec3e99c06a626937030468872e3b004524aa653d2aa6d3e2f

SHA512
a0068e76f5a7a2a4769e3d41c4dac6e48a97dae5997d1fcca980a70280ef81c06439340d17c86cbd46d2d9ddb3575bf5d9367ba5d38b4a83491a9e65a8005c69

Download Submit
C:\Windows\SysWOW64\Dgihop32.exe

Filesize
96KB

MD5
99f9b6e22f02c80297db3f9cd9cfbbdc

SHA1
7f20971b5538f7c2e1f1005bd96a800d843e7891

SHA256
c9a722574de4202ed1654171d87be3d65aed37f00c4c1bfbdc896311044a7c1b

SHA512
07bf7e0a68b0b0b520a07712671ecf8bf0cebdc83fb262e4d4b618d526c2b1baf928c34251fb7293604e8051806d2d06f6f3bbf92000b17e1503322ceb8a85c1

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
96KB

MD5
6aa93e72d05aac6529783f71710c5df4

SHA1
1ddc018e17eda8eb710ef5516fd7cbc09e49dbaa

SHA256
3b580efb997dbbdb31b2654fc452dfb0da6cd586a57a3e4f016f48b6504bdfcd

SHA512
4f4161c35902b3203e1a9d923f536bb459c0d77fabf2991dec00d1f73f58e6deff212d77a4ad0f1db4f073d5da7eb4833a8e09c734d5abf34b0e63095563ba88

Download Submit
C:\Windows\SysWOW64\Djgdkk32.exe

Filesize
96KB

MD5
1d89b7cd441146987aed4f53d9205162

SHA1
328d63c1bde3b749cf770703feb4c4316003e1ab

SHA256
3211f8256bbef4550f488200a2a1b06458905f94ef9e2b2277ce0f5f6260027e

SHA512
9ed1b5289db7fdf838f916c047e20ac74f28a827dda2dceca9d64becb34a24aa203a1983646736572eb8352b51e4e0ceeed254b3f3278d104aabd6c2635acbeb

Download Submit
C:\Windows\SysWOW64\Dmjmekgn.exe

Filesize
96KB

MD5
86601be2fd9be00b1b31d26c283a6dca

SHA1
9b1bece64becc3309272fd4f25e3a4df83bcfd00

SHA256
fb677b90bd68a35fda8788eb0d09e9e2d022da6a24f2206590f2ac8105a3b599

SHA512
5e80c550df5e75da9e058c8841e13f7da084bfd69459d7712d10cf2b4a1eb5cb40f82829ea748af9b54a3f5c7fcd1fe775593824c37f764e0ba87acfe347388a

Download Submit
C:\Windows\SysWOW64\Dnljkk32.exe

Filesize
96KB

MD5
1c8723832f0b2041a1ad666c479380d1

SHA1
2bff358ff0b9ce1613c004500fa04e97c348854f

SHA256
dfa761addc9a408f38d791bcbfdf8f1bc444ebcbb18d5f14383f0a31d9518da5

SHA512
d1e0f08a19cfaac430c656ab52deaf53e9ae47e0acabd6f5041940d3e53bc5185d6ca6af1a272249afac9f8e488e5da35ceec0ab1be866fc8e63a2d736de8a4d

Download Submit
C:\Windows\SysWOW64\Dnngpj32.exe

Filesize
96KB

MD5
9bdce0c1991e5bb115b7ca38eac44fc8

SHA1
0abfff8b7fa7af4d044d477fd8dcdc259c237895

SHA256
855f20cc5b2d01f83b7faa0f3930142a94c5aab871d26edcef5866d8303e6dba

SHA512
d1118eb86758ee0525b97590bc327e621912bf808dfb425290adbee55a8657937ff6927051e934c88dc6731cf9ca0a68c74bad28a7069b8f30bfaa8a106d763f

Download Submit
C:\Windows\SysWOW64\Dpjfgf32.exe

Filesize
96KB

MD5
1399e0b5fc87373a1de7724c84d5f6e0

SHA1
bad8f2718d57e2afd4b5c9fa0a62f39c6c83de8c

SHA256
6522a97f94577de625543a87970945b41f0115fa39566c7b847924024a4017bc

SHA512
4578133706ba91f47b82e6b2e521a824789a5496f14be10957015db47ca3e7616724490ac013e2764947bc326ea56c54589db8c4e62c215bc7cb469e2d778149

Download Submit
C:\Windows\SysWOW64\Eaaiahei.exe

Filesize
96KB

MD5
4038e19ebe55092bfe976a09af40faeb

SHA1
6d3674429585899bfba0a014f9c6f910b932c0d3

SHA256
71ec968f962d55e27cd425c01feee67870feeec3da17ad59fc94dcba04c378ca

SHA512
edd645685904ea006e4332bfae9582ba0d0f8b046e7f2833d3dc9fef23232798c8ecfb94f3eab5e86ac14416db91df7333512f1c877ea3716fa774e799ad8d37

Download Submit
C:\Windows\SysWOW64\Eahobg32.exe

Filesize
96KB

MD5
f4bb13c50c8f1e6e09a75bae24670d18

SHA1
4bbdadd9bc7d0311281056250edb4c391ce47c74

SHA256
3990dfc8c868495b5f7cb8adfd335496b5d407bb95c1d8c85bcf5c83fb55682a

SHA512
5deeda856d96fbaf333bead498d23f8c773b879d35c8d40aef8190a1922a6207d4dc6dbcf446c3752b857fd88d4bd68a7eab6c035ee9e23aa9142bb9becb01fb

Download Submit
C:\Windows\SysWOW64\Ecbeip32.exe

Filesize
96KB

MD5
531e536bce99522539d908a2a390221e

SHA1
0159847256d2f950c758073e1e01e1151a63a6d8

SHA256
7ef69322c60b7408640c6e0ff76b5588d02f96da1797d3909eb38294f60d5fd0

SHA512
2163824878cfeb534eee9e70869734807f2199f3aaf9550d8abb4747f3b4ca169ae515664029361357ae9d32089b3f8fe63640c72c1f81ba30e6f60a1122d11e

Download Submit
C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
96KB

MD5
fce844e8ca7b36e9010f6282e6cccdf8

SHA1
00b35a5d92ed28c9d27f9461e1e77467721b1d7b

SHA256
b5bad11f850ca247fcb919f1cf47b919fecbf3c5a446486dd4bde510a611cd7b

SHA512
bf4fc576dce0cd6c6fb059c634d912b8592cf035e6550b17a532b9fce4ccb9f13f3b55d25dbbe8441e4aeaeb70dc1f169f0586e28b6d8bdca828d3f5e442ac7a

Download Submit
C:\Windows\SysWOW64\Eddnic32.exe

Filesize
96KB

MD5
3178a63a2f44950cfc3b542c3c7d3272

SHA1
69fe19312674ea56199e932a4bd0a2fd3c122514

SHA256
793e0a160b813a371093e68885cd8e18a5dc9b08317453f8b7e232c716ecaabf

SHA512
a44a259bbb9b975b32eb7a07a5988cdeda80c8d5a98f4b523bc33da33d2914fb5257e9e30fb4adeb9a420f87f844e0cd5ca6501dc85156393207d5452e4ead31

Download Submit
C:\Windows\SysWOW64\Egpnooan.exe

Filesize
96KB

MD5
216b604740010469a94c27b73ba93389

SHA1
185f649c97b07ce830a59de58fb18b6441f59352

SHA256
93bb2ecd94c300d0fdb214b9e32124f845869b67893d01c564c0b205a98de72a

SHA512
104901efd8b103a1b77d22e77db1797a920fb3c38403894d0276d6ad1dfd91a09fe6e3883ac4661ccf49577b88d679190be5cda621a2433e3653e0ce19d2c037

Download Submit
C:\Windows\SysWOW64\Ejagaj32.exe

Filesize
96KB

MD5
c0f556b2fe7c8e7a201dbb04f0e146d9

SHA1
49a079526d9e6a842e024c114c0cc9afe703c38b

SHA256
0fe89ff06b9a7f077f2eb2bfd88afca3237fa669b077483bb0e08be365110e2a

SHA512
a64cfdd31c1ffa3b74c0f850763ebced6ace617e9697655c1e66b87b5cbc2609e78fc4edfef4787ca53bced3a64b18754ec1a5a4f0d8c10bc144745655b799b3

Download Submit
C:\Windows\SysWOW64\Ejlnfjbd.exe

Filesize
96KB

MD5
67ddfbd825d19c5a7a77ac63dda4bbbd

SHA1
c311a1b179d111dd2602d354ddffabddf694a454

SHA256
c879132608f06ba0b55dc3897b4aa666f72e21ac8fc00ab57be871c79a44d32c

SHA512
0f011404688d56a2c4c3d4a4a24d0d96e1ab89933adeae68043fe63406b66cfc2452dcac7a8efba1f781a3aeb3f996ca0c8653606c0ac7a7c2ce90a1da6732da

Download Submit
C:\Windows\SysWOW64\Ejojljqa.exe

Filesize
96KB

MD5
d27e4984d1edef96d25dbac030e26209

SHA1
d77fd38a72075ffb0528e4ad5305bdd9f8a87c94

SHA256
2084b1a908453e1dac2948eda29b95304a3bb6c08590e8d5251fd446327ff284

SHA512
d79d60e1aa6590f6320f8abb40a4837266a22cb09e98e1851f381f0a5f15fe39969e34354a8d1598fec0fc90408c0ea1483416a92dbcc6133b6a1c0ca736248a

Download Submit
C:\Windows\SysWOW64\Ekgqennl.exe

Filesize
96KB

MD5
7302fb86f3ed4fa61cd0ef9168186099

SHA1
bb432017730f62f34b62c4f8ec9135c919aad75b

SHA256
57d26e04696492aa90ceefc6bd1323eb0472fe50bd4e2469e330663f1d572c0f

SHA512
663d607701dde580a62b892eb51b8cdfe8a7f90c456cfd9d009bd56f010b9690344332edf6c020526b9c613d5a25fc93134150a249f04a5f2c3b9f2c32c1e1e7

Download Submit
C:\Windows\SysWOW64\Enhifi32.exe

Filesize
96KB

MD5
69efe3645391d9db86c2b339ad1cee89

SHA1
ff6bcd4c99d67c399453c218ad0ec256d6d01016

SHA256
cf9939673363fa969e2823fb43905cfc75b85771b142cbece40978b425541369

SHA512
d48a3b89a1ec18c48f084b26cdca8e7531bfb1c4a6eb18dda3cd053c8f979f417891b0b99234e439d090987ebb9f4a70711cdfdebf9b4d36a177f2d9537cabdc

Download Submit
C:\Windows\SysWOW64\Eqmlccdi.exe

Filesize
96KB

MD5
b3398c4903e6aeb1044b3c21ceb3a5f5

SHA1
e3621959c5280f4b1a909159e3e33bc7323edf05

SHA256
456b545f2fdf83bb1a2968c4ed8599213a6ee5375ce7d5d8a9c0903f64f2e1c9

SHA512
a20627314a77c268182a19ca60c922a22587153f4897f21db189ea6673bcdce5b5bedeb8a556cad1dbdaf75d75f9024a7f44145f50a2ff361600824e7643bd34

Download Submit
C:\Windows\SysWOW64\Fcekfnkb.exe

Filesize
96KB

MD5
93572e9d0f22989003841ef5921c13a0

SHA1
d228efa202ce2a8a15784b868faa03ff471cbfa4

SHA256
332d9269696a613fe8bbc1759b159f3626e0b6092c33984188a79df1335b2f9f

SHA512
07704c118558396135c111512851ad2d22ffa91832d8b63825a91c88755e3640ed6fba21cc90bd696468e21379f239707252b06819e4b18432fb3dcb452811bf

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
96KB

MD5
e53b58cda685ea79108cb2a7afa09f9e

SHA1
a27d214f0236ad698bfca82a5de761cd3c060c30

SHA256
a38379ef9a882846f07209fb4988d74dafed94046a7ab2df0ba9ceaaedddaae9

SHA512
370f54e3e1efc45ebaf67c3c6cda582fd9e1fc994c6b77830401027d42b378efe86e2da36fef0438e424f94e64ccedf21a61898372361339bc2d0a05fc8f848d

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe

Filesize
96KB

MD5
620c509e00af128367c729ca3da55749

SHA1
c8f0b714ea8ed9e9fd1dc846173ec3f5dfa85de2

SHA256
025d1d9eddd24e0130f1221d5c624c566dd5de036a4b680a7285b760c59afb22

SHA512
7c51fd0b7da1e502e57bfd060179e76de223dbd0107a99999c3f24f6cc483850282f3c2e062ee38dde960a25cb34d7a2b4a4706196759c2bf0df0c8e5ed04c96

Download Submit
C:\Windows\SysWOW64\Fnalmh32.exe

Filesize
96KB

MD5
343fa6eb307ed90a96616505dfa7abe6

SHA1
072bae4f7ab36ad6f876b7c394b3d66a0bf82976

SHA256
522916c343fe98ee1434c8a13a2a71a4be77a1edc426e216fae3edca4f42a0fc

SHA512
ea5f25b93cefbfcdb6403a8b5be310d1605fb6115a9718c10ce8e11fc9e7920cc16deb81ab302ade835a2243672bb54ae263f129ea17af0552eb759751cc0a64

Download Submit
memory/536-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/572-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/572-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/636-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/636-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/880-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/880-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2008-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2008-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2572-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3344-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3344-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3512-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3512-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3856-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3856-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3988-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3988-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3996-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3996-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4272-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4272-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4536-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-379-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4572-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4572-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads