berbew | f19321c33da179b71c6bcdb2ffe4dcdea4c9904d3f5d968689be4f8014d53087

Analysis

max time kernel
143s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f19321c33da179b71c6bcdb2ffe4dcdea4c9904d3f5d968689be4f8014d53087.exe
Size

63KB
MD5

4e83b878347b9efe795377b02ed24a8d
SHA1

90f80c25d7b42878bd7b5a410e5d5adce29eb5ab
SHA256

f19321c33da179b71c6bcdb2ffe4dcdea4c9904d3f5d968689be4f8014d53087
SHA512

fe099ed4be0a250857409bd35c9feda701e8e979438fd46deaee4583b883437774765279bb5b676183d0a9efd1a1ef94d565928c382958d230622a9c9995da16
SSDEEP

768:X3NZHUqbGg0a44sMWTVLdjOnCT/ibPRUL8i11a2Ovl4xj3ij5k5xHdSHgjt/1H58:Xdwa4dQDN4SQbjnnH1juIZo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdmaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okdkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oalfhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oalfhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohendqhd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f19321c33da179b71c6bcdb2ffe4dcdea4c9904d3f5d968689be4f8014d53087.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnimnfpc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oancnfoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohcaoajg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poapfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcibkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odeiibdq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okdkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odeiibdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2936	Nadpgggp.exe
2892	Nilhhdga.exe
2576	Nhohda32.exe
2616	Ocdmaj32.exe
344	Odeiibdq.exe
2672	Ocfigjlp.exe
1260	Oeeecekc.exe
2552	Ohcaoajg.exe
308	Oomjlk32.exe
836	Oalfhf32.exe
2184	Ohendqhd.exe
1420	Okdkal32.exe
1768	Oancnfoe.exe
1792	Odlojanh.exe
2328	Ogkkfmml.exe
1808	Onecbg32.exe
908	Oqcpob32.exe
2532	Ocalkn32.exe
992	Ogmhkmki.exe
1960	Pngphgbf.exe
1552	Pqemdbaj.exe
2356	Pdaheq32.exe
2512	Pcdipnqn.exe
2096	Pnimnfpc.exe
3056	Pmlmic32.exe
2572	Pcfefmnk.exe
2788	Pmojocel.exe
3020	Pqjfoa32.exe
772	Pcibkm32.exe
1040	Pjbjhgde.exe
1852	Pbnoliap.exe
2120	Pfikmh32.exe
2908	Poapfn32.exe
1248	Qbplbi32.exe
2856	Qeohnd32.exe
2904	Qkhpkoen.exe
1240	Qodlkm32.exe
1144	Qqeicede.exe
2148	Qgoapp32.exe
2368	Qjnmlk32.exe
1488	Abeemhkh.exe
904	Acfaeq32.exe
2504	Ajpjakhc.exe
1616	Amnfnfgg.exe
1780	Aeenochi.exe
796	Agdjkogm.exe
1244	Afgkfl32.exe
2360	Aaloddnn.exe
2840	Apoooa32.exe
2448	Agfgqo32.exe
2636	Ajecmj32.exe
2024	Aigchgkh.exe
2772	Amcpie32.exe
828	Apalea32.exe
1708	Abphal32.exe
2116	Afkdakjb.exe
2924	Aijpnfif.exe
2000	Alhmjbhj.exe
2060	Apdhjq32.exe
2392	Abbeflpf.exe
1812	Aeqabgoj.exe
2376	Bilmcf32.exe
1540	Blkioa32.exe
1932	Bnielm32.exe

Loads dropped DLL 64 IoCs

pid	Process
2728	f19321c33da179b71c6bcdb2ffe4dcdea4c9904d3f5d968689be4f8014d53087.exe
2728	f19321c33da179b71c6bcdb2ffe4dcdea4c9904d3f5d968689be4f8014d53087.exe
2936	Nadpgggp.exe
2936	Nadpgggp.exe
2892	Nilhhdga.exe
2892	Nilhhdga.exe
2576	Nhohda32.exe
2576	Nhohda32.exe
2616	Ocdmaj32.exe
2616	Ocdmaj32.exe
344	Odeiibdq.exe
344	Odeiibdq.exe
2672	Ocfigjlp.exe
2672	Ocfigjlp.exe
1260	Oeeecekc.exe
1260	Oeeecekc.exe
2552	Ohcaoajg.exe
2552	Ohcaoajg.exe
308	Oomjlk32.exe
308	Oomjlk32.exe
836	Oalfhf32.exe
836	Oalfhf32.exe
2184	Ohendqhd.exe
2184	Ohendqhd.exe
1420	Okdkal32.exe
1420	Okdkal32.exe
1768	Oancnfoe.exe
1768	Oancnfoe.exe
1792	Odlojanh.exe
1792	Odlojanh.exe
2328	Ogkkfmml.exe
2328	Ogkkfmml.exe
1808	Onecbg32.exe
1808	Onecbg32.exe
908	Oqcpob32.exe
908	Oqcpob32.exe
2532	Ocalkn32.exe
2532	Ocalkn32.exe
992	Ogmhkmki.exe
992	Ogmhkmki.exe
1960	Pngphgbf.exe
1960	Pngphgbf.exe
1552	Pqemdbaj.exe
1552	Pqemdbaj.exe
2356	Pdaheq32.exe
2356	Pdaheq32.exe
2512	Pcdipnqn.exe
2512	Pcdipnqn.exe
2096	Pnimnfpc.exe
2096	Pnimnfpc.exe
3056	Pmlmic32.exe
3056	Pmlmic32.exe
2572	Pcfefmnk.exe
2572	Pcfefmnk.exe
2788	Pmojocel.exe
2788	Pmojocel.exe
3020	Pqjfoa32.exe
3020	Pqjfoa32.exe
772	Pcibkm32.exe
772	Pcibkm32.exe
1040	Pjbjhgde.exe
1040	Pjbjhgde.exe
1852	Pbnoliap.exe
1852	Pbnoliap.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kedakjgc.dll	Odlojanh.exe
File created	C:\Windows\SysWOW64\Ljhcccai.dll	Abeemhkh.exe
File opened for modification	C:\Windows\SysWOW64\Agfgqo32.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Blmfea32.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	Bonoflae.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Napoohch.dll	Aeenochi.exe
File opened for modification	C:\Windows\SysWOW64\Aigchgkh.exe	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Odlojanh.exe	Oancnfoe.exe
File created	C:\Windows\SysWOW64\Qbplbi32.exe	Poapfn32.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Bnielm32.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Oalfhf32.exe	Oomjlk32.exe
File created	C:\Windows\SysWOW64\Pmlmic32.exe	Pnimnfpc.exe
File created	C:\Windows\SysWOW64\Ilfila32.dll	Pbnoliap.exe
File opened for modification	C:\Windows\SysWOW64\Qkhpkoen.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Ocdmaj32.exe	Nhohda32.exe
File created	C:\Windows\SysWOW64\Pngphgbf.exe	Ogmhkmki.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Jbbpnl32.dll	Onecbg32.exe
File created	C:\Windows\SysWOW64\Hjphijco.dll	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cilibi32.exe
File created	C:\Windows\SysWOW64\Nhohda32.exe	Nilhhdga.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Pnimnfpc.exe	Pcdipnqn.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	Bnkbam32.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Blkepk32.dll	Nhohda32.exe
File created	C:\Windows\SysWOW64\Edobgb32.dll	Ohendqhd.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Ocfigjlp.exe	Odeiibdq.exe
File created	C:\Windows\SysWOW64\Amnfnfgg.exe	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Nadpgggp.exe	f19321c33da179b71c6bcdb2ffe4dcdea4c9904d3f5d968689be4f8014d53087.exe
File created	C:\Windows\SysWOW64\Qeohnd32.exe	Qbplbi32.exe
File opened for modification	C:\Windows\SysWOW64\Apalea32.exe	Amcpie32.exe
File opened for modification	C:\Windows\SysWOW64\Onecbg32.exe	Ogkkfmml.exe
File created	C:\Windows\SysWOW64\Acfaeq32.exe	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Ihlfga32.dll	Ocalkn32.exe
File created	C:\Windows\SysWOW64\Kganqf32.dll	Qgoapp32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Pcfefmnk.exe	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Icmqhn32.dll	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Aeenochi.exe	Amnfnfgg.exe
File opened for modification	C:\Windows\SysWOW64\Agdjkogm.exe	Aeenochi.exe
File opened for modification	C:\Windows\SysWOW64\Afgkfl32.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	Afgkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Amcpie32.exe	Aigchgkh.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Nilhhdga.exe	Nadpgggp.exe
File opened for modification	C:\Windows\SysWOW64\Ogmhkmki.exe	Ocalkn32.exe
File opened for modification	C:\Windows\SysWOW64\Qgoapp32.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Pfikmh32.exe	Pbnoliap.exe
File opened for modification	C:\Windows\SysWOW64\Oqcpob32.exe	Onecbg32.exe
File opened for modification	C:\Windows\SysWOW64\Pmojocel.exe	Pcfefmnk.exe
File opened for modification	C:\Windows\SysWOW64\Qbplbi32.exe	Poapfn32.exe
File created	C:\Windows\SysWOW64\Abphal32.exe	Apalea32.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1032	840	WerFault.exe	120

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhohda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odlojanh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onecbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poapfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdmaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okdkal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkkfmml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odeiibdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdipnqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomjlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlmic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocalkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngphgbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oalfhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnimnfpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfigjlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f19321c33da179b71c6bcdb2ffe4dcdea4c9904d3f5d968689be4f8014d53087.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nadpgggp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcaoajg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdaheq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnfnfgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilhhdga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohendqhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcibkm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okdkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odeiibdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjfjb32.dll"	Oomjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenhpdh.dll"	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blmfea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koldhi32.dll"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apalea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceobl32.dll"	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qniedg32.dll"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmihnd32.dll"	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmqhn32.dll"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfkbpc32.dll"	Oeeecekc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhfgj32.dll"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdnehnn.dll"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poapfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfga32.dll"	Ocalkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmojocel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oomjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogmhkmki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f19321c33da179b71c6bcdb2ffe4dcdea4c9904d3f5d968689be4f8014d53087.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll"	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeenochi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpjcomh.dll"	Bilmcf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2936	2728	f19321c33da179b71c6bcdb2ffe4dcdea4c9904d3f5d968689be4f8014d53087.exe	30
PID 2728 wrote to memory of 2936	2728	f19321c33da179b71c6bcdb2ffe4dcdea4c9904d3f5d968689be4f8014d53087.exe	30
PID 2728 wrote to memory of 2936	2728	f19321c33da179b71c6bcdb2ffe4dcdea4c9904d3f5d968689be4f8014d53087.exe	30
PID 2728 wrote to memory of 2936	2728	f19321c33da179b71c6bcdb2ffe4dcdea4c9904d3f5d968689be4f8014d53087.exe	30
PID 2936 wrote to memory of 2892	2936	Nadpgggp.exe	31
PID 2936 wrote to memory of 2892	2936	Nadpgggp.exe	31
PID 2936 wrote to memory of 2892	2936	Nadpgggp.exe	31
PID 2936 wrote to memory of 2892	2936	Nadpgggp.exe	31
PID 2892 wrote to memory of 2576	2892	Nilhhdga.exe	32
PID 2892 wrote to memory of 2576	2892	Nilhhdga.exe	32
PID 2892 wrote to memory of 2576	2892	Nilhhdga.exe	32
PID 2892 wrote to memory of 2576	2892	Nilhhdga.exe	32
PID 2576 wrote to memory of 2616	2576	Nhohda32.exe	33
PID 2576 wrote to memory of 2616	2576	Nhohda32.exe	33
PID 2576 wrote to memory of 2616	2576	Nhohda32.exe	33
PID 2576 wrote to memory of 2616	2576	Nhohda32.exe	33
PID 2616 wrote to memory of 344	2616	Ocdmaj32.exe	34
PID 2616 wrote to memory of 344	2616	Ocdmaj32.exe	34
PID 2616 wrote to memory of 344	2616	Ocdmaj32.exe	34
PID 2616 wrote to memory of 344	2616	Ocdmaj32.exe	34
PID 344 wrote to memory of 2672	344	Odeiibdq.exe	35
PID 344 wrote to memory of 2672	344	Odeiibdq.exe	35
PID 344 wrote to memory of 2672	344	Odeiibdq.exe	35
PID 344 wrote to memory of 2672	344	Odeiibdq.exe	35
PID 2672 wrote to memory of 1260	2672	Ocfigjlp.exe	36
PID 2672 wrote to memory of 1260	2672	Ocfigjlp.exe	36
PID 2672 wrote to memory of 1260	2672	Ocfigjlp.exe	36
PID 2672 wrote to memory of 1260	2672	Ocfigjlp.exe	36
PID 1260 wrote to memory of 2552	1260	Oeeecekc.exe	37
PID 1260 wrote to memory of 2552	1260	Oeeecekc.exe	37
PID 1260 wrote to memory of 2552	1260	Oeeecekc.exe	37
PID 1260 wrote to memory of 2552	1260	Oeeecekc.exe	37
PID 2552 wrote to memory of 308	2552	Ohcaoajg.exe	38
PID 2552 wrote to memory of 308	2552	Ohcaoajg.exe	38
PID 2552 wrote to memory of 308	2552	Ohcaoajg.exe	38
PID 2552 wrote to memory of 308	2552	Ohcaoajg.exe	38
PID 308 wrote to memory of 836	308	Oomjlk32.exe	39
PID 308 wrote to memory of 836	308	Oomjlk32.exe	39
PID 308 wrote to memory of 836	308	Oomjlk32.exe	39
PID 308 wrote to memory of 836	308	Oomjlk32.exe	39
PID 836 wrote to memory of 2184	836	Oalfhf32.exe	40
PID 836 wrote to memory of 2184	836	Oalfhf32.exe	40
PID 836 wrote to memory of 2184	836	Oalfhf32.exe	40
PID 836 wrote to memory of 2184	836	Oalfhf32.exe	40
PID 2184 wrote to memory of 1420	2184	Ohendqhd.exe	41
PID 2184 wrote to memory of 1420	2184	Ohendqhd.exe	41
PID 2184 wrote to memory of 1420	2184	Ohendqhd.exe	41
PID 2184 wrote to memory of 1420	2184	Ohendqhd.exe	41
PID 1420 wrote to memory of 1768	1420	Okdkal32.exe	42
PID 1420 wrote to memory of 1768	1420	Okdkal32.exe	42
PID 1420 wrote to memory of 1768	1420	Okdkal32.exe	42
PID 1420 wrote to memory of 1768	1420	Okdkal32.exe	42
PID 1768 wrote to memory of 1792	1768	Oancnfoe.exe	43
PID 1768 wrote to memory of 1792	1768	Oancnfoe.exe	43
PID 1768 wrote to memory of 1792	1768	Oancnfoe.exe	43
PID 1768 wrote to memory of 1792	1768	Oancnfoe.exe	43
PID 1792 wrote to memory of 2328	1792	Odlojanh.exe	44
PID 1792 wrote to memory of 2328	1792	Odlojanh.exe	44
PID 1792 wrote to memory of 2328	1792	Odlojanh.exe	44
PID 1792 wrote to memory of 2328	1792	Odlojanh.exe	44
PID 2328 wrote to memory of 1808	2328	Ogkkfmml.exe	45
PID 2328 wrote to memory of 1808	2328	Ogkkfmml.exe	45
PID 2328 wrote to memory of 1808	2328	Ogkkfmml.exe	45
PID 2328 wrote to memory of 1808	2328	Ogkkfmml.exe	45

C:\Users\Admin\AppData\Local\Temp\f19321c33da179b71c6bcdb2ffe4dcdea4c9904d3f5d968689be4f8014d53087.exe
"C:\Users\Admin\AppData\Local\Temp\f19321c33da179b71c6bcdb2ffe4dcdea4c9904d3f5d968689be4f8014d53087.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\Nadpgggp.exe
  C:\Windows\system32\Nadpgggp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\Nilhhdga.exe
    C:\Windows\system32\Nilhhdga.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\Nhohda32.exe
      C:\Windows\system32\Nhohda32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\Ocdmaj32.exe
        
        C:\Windows\system32\Ocdmaj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\Odeiibdq.exe
        
        C:\Windows\system32\Odeiibdq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\Ocfigjlp.exe
        
        C:\Windows\system32\Ocfigjlp.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Oeeecekc.exe
        
        C:\Windows\system32\Oeeecekc.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Ohcaoajg.exe
        
        C:\Windows\system32\Ohcaoajg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Oomjlk32.exe
        
        C:\Windows\system32\Oomjlk32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\Oalfhf32.exe
        
        C:\Windows\system32\Oalfhf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Ohendqhd.exe
        
        C:\Windows\system32\Ohendqhd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Okdkal32.exe
        
        C:\Windows\system32\Okdkal32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Oancnfoe.exe
        
        C:\Windows\system32\Oancnfoe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Odlojanh.exe
        
        C:\Windows\system32\Odlojanh.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Ogkkfmml.exe
        
        C:\Windows\system32\Ogkkfmml.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Onecbg32.exe
        
        C:\Windows\system32\Onecbg32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:908
        
        C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Ogmhkmki.exe
        
        C:\Windows\system32\Ogmhkmki.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1552
        
        C:\Windows\SysWOW64\Pdaheq32.exe
        
        C:\Windows\system32\Pdaheq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Pcdipnqn.exe
        
        C:\Windows\system32\Pcdipnqn.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\Pnimnfpc.exe
        
        C:\Windows\system32\Pnimnfpc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\Pmlmic32.exe
        
        C:\Windows\system32\Pmlmic32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Pcfefmnk.exe
        
        C:\Windows\system32\Pcfefmnk.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Pmojocel.exe
        
        C:\Windows\system32\Pmojocel.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\Poapfn32.exe
        
        C:\Windows\system32\Poapfn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1244
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        69⤵
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1704
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        78⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        85⤵
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        92⤵
        
        PID:840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 148
        93⤵
        Program crash
        
        PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
63KB

MD5
f227de50c1344ce16a080b840a45a197

SHA1
1dabc67913e1d0a8d66645211743438382190c63

SHA256
094e4ff60207f2e50a0e190d96f5cae2633600b3705a462d4ff848e7b28e9d0c

SHA512
fa45aff32aff11294a291f34923aefb3bac178d041d44d8db6880eb7ea27f550dbb4a3f4227c386114ad2d8e87a9bd99410cad48fda428283de86652bf60abfe

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
63KB

MD5
3aa9845c02c239c6f2de29df5ac2e055

SHA1
e701d51ef6be1c0351b3fea965b13aa44d2ddabb

SHA256
d90513bd7f81afecfbbba3eccb9318773a14db167c39d18e2699b4d3c23046b9

SHA512
cd8c89dde924fbe503f00ebc6e1e919e9d288008cf97278c7c6ab18dc30d2b0df469f8c1847a9f0fbf301320de736c58bb9d71a544a464dc992206cf3dbe432f

Download Submit
C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
63KB

MD5
cd44f487dc05082ab950a0bd793be745

SHA1
6f22f9ae28788ed62540f34687d5ff898e66f7d9

SHA256
383d15da31161a19f4a0b52b2749794d89a105f577e931a82b564ceec2ea9483

SHA512
1e255a9f9a84264b5f5bff1f429823ccac80a916f863892208acd830ce807e747ccf00e2eaaa54591f1962d3a28a148b661ff7588346906e359dc272107998d5

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
63KB

MD5
4f9f08dd92d7394b1bd2ff66ef984de0

SHA1
f4942cb0568e901137c0f6526538ae6ccc508146

SHA256
1683f7d785daf3effee18fbe2284b957fb58d3fcffbae742e59e17d3f783ef31

SHA512
49c88e3a381207d183a7c2f18ff3435abd44b9e67cd533d592cb9595a547f07f161aeb2bb19d175542ce79e091a9de6afe00c94ade449804a8f0796c1d3c8cf9

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
63KB

MD5
d1539d9a57baf0821bba4eeaef9c14f6

SHA1
135902075cea2e91a5c521781cc86654475df43a

SHA256
d13ffaba42bb1bbae71eb89e9291c3eaa98efa2f7a1cab79622632c866118535

SHA512
22bbdf0e788b4be8bbcaaf34dc0c15fc8001ce88af75400c17903930e4573276970ca77a86ded838d252b91dabcf4fc537f7b7bdd4ba69375c97d326103da48f

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
63KB

MD5
4f46e4238ad7a103414b12b891d8cf23

SHA1
2bcfbfeb4f12d47eb62dc060e703f94cb111001a

SHA256
67bc8f84901573bdb7a12341d9e943c2cc341b1bdc93c223c462462f6237f0d3

SHA512
0047b6cde767312e87bd1df15f4aa357c7eb7de90229ab41b806d982873f714a8a1442f81c64a3c6f7c79bad3afda453dcae87532119c6bd024e8b6df9b57f69

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
63KB

MD5
0a004ad6225325b1b63efa7e4b87364c

SHA1
22f4f4ce854351950352f4de2a5631065ca7c13b

SHA256
18722dd499685203ee001170f8a2600d1bccde0b5ca088f0eb30f96508fde089

SHA512
a6203c40035c0d7b677cc0809ad76bea935e1c2d4dfd5c2b9be1c83a2cc88e6594a787b12c80a8228bf5584f20deca7fdefec47e2246bb7cec98ded968c39a36

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
63KB

MD5
6c5b2b018f0afd5443a644d4e7ac8669

SHA1
631f12ab85e67d45b2f303d5b9d3a1845bb7f305

SHA256
c003dd1607349a06c02de1e4b5b2c01b655a10b6ae874a35d78d822a429ec205

SHA512
e02ee77b75663b6a384dcab1a40ea76d62ecb43ac7b17d9bf593779489827b694012a1f8163911a1f196919494bcb036e0402819d1c446e85273f3a60cca5679

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
63KB

MD5
ee1fa3d33d2f6beb9180aea0713df532

SHA1
849553108400f4b2ac8a98733bf0ff40f7d2e3a5

SHA256
554ce05d933669881cb0bffaad236cb549c9c2da08388e8b0a965a08047abdd2

SHA512
a9d3694d73240a389a41c740b27d49671bf8a33a9e3c6116fef2783d874c4dbfc109293334e464b143b90f9afc15a8451bb39a681b4b08970c863bd285dd7c9a

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
63KB

MD5
2291906ea6f92b2cd37a077e958af5a4

SHA1
4e9738bc9272fa65a2140ee4df28939a31aa4f57

SHA256
6e4f93680ed3f428e66268a4dfacf876b34c55fd6d23fe1c59934794f632fa9a

SHA512
9078d4cf93807a998f038d8c8cdb728238f55f14edf633eaf9a191a3aa79087ef5510d9762b8d881e290c9b5e3d45758a420cc275d635d3d35d74452c9125570

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
63KB

MD5
d81a7057bdc5beb8200f2a85889a09ab

SHA1
b5751da9faf31f5d43fc0e85b9abb8445c4976ce

SHA256
cbdd5f1cb1b9295d469208104fe88cc638f8742b174273946c1631b46058fffd

SHA512
6d998a35b78025235319dfe9538de3fcd5dd7aeb2e744cf3abb939f892b6947f8a7998f8b5a3fe71d2bf34f5f0bb16ce1d82cce6fbc2216bc2c5daf24ae58d4d

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
63KB

MD5
c5278805f59406cf0fb08f26ddf0348d

SHA1
e6eea568cd5137353044957c5f87ee1eac3844fd

SHA256
63dc2ccf16de24320a927058d171d020f3a9e44f11c36f96428b277d90e02858

SHA512
7f4558b5083dd3879f2ce1e5d241cab42aaa1b344020e64b34bce8ccaa436bcb890bbb995c30718b737c1f05643fc54fa1a016690ef992838fd4f309b6e95511

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
63KB

MD5
3b3069b1e543a5e4bc06a0a0ba4d4921

SHA1
15b199cdd3a224d3669170822295ce3d401aeae8

SHA256
534fd9134e640a4a173df61654fde36fe842bc9dbd61aed90e867535d8c749f0

SHA512
16ed609afb919edc780179466fd7d5e0d9b38b409cc92ff9d72b6dafecb50e7608b0c4aed46634381d766de99e3881797734b23147729cf82cc4fa5d7b9ae3da

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
63KB

MD5
606c27b63f2991d82c384564f1c71995

SHA1
ae0b34d704a15f8e27958da75fe073a9b1bdd7d2

SHA256
2611bfdcd32c32abb8843c97eefb62b699d464d93492080767cb979c7fc8e894

SHA512
d386b1d6d649a5ff8f1ec88a918f8c89ef0f51c79e13928e12e2e1343f556fb769f017e2deb156757c51798a5f0f5a67d00e36c12dba466d562f108f555feb90

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
63KB

MD5
713426c984a5df5651b4369df60184a3

SHA1
72429c2868639dbeae9d48099dd0b3ee4d16e350

SHA256
e339fa5fc49da9b7221a8baca24198b6e357a2faca3a6adf9b477ecea5a2f79d

SHA512
a9655d8d3b9ae3b5ae0069bea314ba47239e8f4b5d86520adab2a0a8dacb2a101d761688c168e7a229fd2d4d0f9a3284fe139b2aa19f1c5d12edb1ca40fe1ffa

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
63KB

MD5
d6e29facd77481ef6f12b5a5677e1a5e

SHA1
740bf8325d049c2aa4a0c47787002d637665188d

SHA256
9c3653c810137c824fc1d6b1197ad8b5870c0b953be03de83d329d0cc8091921

SHA512
41f40333be7e6e7028b0957f214c0903c86d8d7ff140d03674d0d07a552799390393ea926435fcd287c746e9d1840f13d294ce4008211239b046475804238d3e

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
63KB

MD5
26cb52a61cddedc48097015da419e7c6

SHA1
5e8f313d814eda0fe2c25d030359c74533b270d3

SHA256
186b89669aa9796d02d38aa9735476a5d66d47120e4580e65c75b3886cd01e0f

SHA512
a94aeb9df793e88ad8ed1465d9c59b0cd83da22f0bba95647dd1b04e08a5d738dc730ef3989883eb253bb10cb02087696e1766ae8d2f59394b7a6c613c629228

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
63KB

MD5
d76bb5d0321d2b870c64c445f59759ad

SHA1
ca9385ceb8982c399b2447007fb9de382e1af3aa

SHA256
3f9b6ea5c11925b020e94a40f9fd93e1dd652b0a9da035708df9f3714f200f63

SHA512
190397fcd1cb98c0a3ebf1c466442920c970b3e0af9d6eec00824c1b7f6af8bf50211e09379cfa588c4c97cfa12954eb1048ef8938395d72b8d31e2150cff844

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
63KB

MD5
05363900d7733151912b6aeadc12255e

SHA1
447a0a6d03bf4e36895d7627f1c46bc2bbddd34c

SHA256
699cbcc558c0413c83e97974e6ff163f59ba91a877b8c32802255c9d2a7f15b4

SHA512
f97ac4b5c7c51e5ffc8147cefea85287f81844c805eee3922fb79cc4b8229f9c7c0d351b05f10e09eec5af81c445c08f8cdc54353d666aca775f571c9f0a3c31

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
63KB

MD5
c7f47ba92927c5f509b21de12c3844fa

SHA1
87a5f83bc83686aa674743bb82371417659682ed

SHA256
117f116c5b81b97999654b53a5eeaa5a60e54729ff402b4dc93e1cd1457abb53

SHA512
77516d2a0bf2c331e4dd0222a75f7622f4a31eb183d27496b9e9ab453ac7e76df1c588132e97f0c1b960ff2e8c0cbada86ac518f13166df2d640b80b347286cf

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
63KB

MD5
91aca5705a4204871030a77bf7bdc494

SHA1
09f7278d51979cf3a7db887efb978608e1145bee

SHA256
bb90e4af9d519584e31b6afce4a5ee3d6b2143612d2acf69a7d9a7f59a4e71e0

SHA512
61db2fb151a28272ab1f1a4b2f58fc4c3f8b90c3a5dbf7b9ea129a45125e253f67c460f4e1fb135e16634b421e4b2749de30945a06225567315f7f2a6efbfba3

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
63KB

MD5
b26e2c0ba82765babcf014fe80f57ecc

SHA1
86cb23ba2d9e52e46cd5134e2cefbc03d1944c93

SHA256
59543474acb861cf81227642f019546ebfc2910f5e396d3ae1fa0efc4e890764

SHA512
46082425da5283286cfc605c8659df1978a0dd8a0c8ae0975d5f490d3675630ab72ea91632394ec4e51247c99646166f8753df770e117f76addb0d5cf3a7803b

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
63KB

MD5
9170dea001ef572399e7909da95cedae

SHA1
4ad3b91a806742e62a567873d589aeb14b102a85

SHA256
4afe27cd4cd8c3441a0407c08f16ee564f5a1de8e49293ee7b53d7432c378d98

SHA512
58cb5ed9d3cc1677dc804b63a862dc36928bb6cbdd6cef6207faf9cf8c9fba1e4b98f2c4659e239ef4ec84ab84faa149aa793fa9471c2cab2a51f449f2b16604

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
63KB

MD5
951d9aae8ca572340e550bd236c8b00b

SHA1
a53fd0446e3467046f410a67712fe641129d9198

SHA256
017bebaffa4ebd3f31e5548a1e36f054f4416a09af84d2e4c89bd782194a44a2

SHA512
cc426b227ccd9aa8322764d6fe9b90e5137e23400197691e9bbb3c8a230a318a4c7d76a18f098fdee0503efc9d9c2da12f19c42f92afd660fb05e38521fae98c

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
63KB

MD5
913fc15f8851a744ab22c67ea3ae8054

SHA1
06941662074d72ba6135447723781b851a896852

SHA256
f742f1fd4d9e5207785c56ef224bed3e61f8f045372ba275d2e4b65042d90450

SHA512
3fa0cff86321ab68cc47f75bea32945c78a0c34e6d3afa053ee4dd210294f9ab6df0632b56af4370050d6c19a2c463fe80a5e717f171b9985cc60830880ae049

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
63KB

MD5
616323b7cc209297455669381b82624b

SHA1
b4cdf2e75bec22e9b2f32c97dc0b67f3b6592f47

SHA256
82e0c6a2b6e9cd8755f7e796f35068983fcf93c50c8ad18cd9474d936d5570c9

SHA512
9dc77d4ddb87cd1f7a0c3b02e5c48178924a5bb16f8231ebb0ba800d391ba76e87e7d305df0ee6a6f206302810f11e1c9a277e391a3ece29eb5437585327b726

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
63KB

MD5
2c2b2484b9807a3b528ad6c3b1180b2e

SHA1
6a0fcd7ff12f2234b6dca0a9d3727b0686119e28

SHA256
e2463dfbde34857f33d4c7b34f377fe3964b9cd65b9a4e22e3b01446f5864574

SHA512
4f341ee5f6caf4320e8d83ea41542c5ac21af0b58a3e9d765e5ef1dcc9f8e414d5eaa4ef46ad2317047aeb0c5adb390ac639e623ce5b337f31e3456ce16df9ed

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
63KB

MD5
846712f91c6fb3ae13965444def05ea4

SHA1
25edc0b341024a6c8abcc8afab24988945dcc931

SHA256
e46c7b2690a3252a0f64a0d1782e0689bb22419f8ffe88b3184f616b9aa1959d

SHA512
1fd4c1b79cbcb26419c00a2526147015d14873e519b19f8b20edbdd0043ded34b3047c62eefe4d815399e231395a031e47c72198d9693e3d5f253417a099b995

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
63KB

MD5
5b940a443233693f85547fec2154c1a7

SHA1
d3ee9227f8fc3fff4ec143e32d6780978e88f732

SHA256
f5560c4ecd43c7d376f97b216c6525880e6ead3295cec2bb312efb776aad22c4

SHA512
335402cbef985059cac59d3714a5fea6003d93b096f7baa9f1826166d9b4db002232cba125d1924c2a2dd92e2c49d0aaaa5e077d148bd661f0b02ce174f09e24

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
63KB

MD5
1ae8f42b8884c6cf4cdec0919eb1cec3

SHA1
d96bedd3cf0a547443729e8c78c5f36cb061bd54

SHA256
8059aeb7ff577f772a8c898657c9afab875435355efff6fedecc5bdef546f9e7

SHA512
6aa7aa9cd3944e1634dafcc63f44272d5753013a5a47e80337791e0dcb0680ac6a1d0aac8c17f8601e4ecf4d382e75e0cc31194649aaad602b35e735be073917

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
63KB

MD5
47e6b46823b7a2d3c7c4dfaa8a33fd8b

SHA1
dbe3855ef957c0f9b4016ea66fdd21adf56e97a5

SHA256
bc3b3cd25a264f3070005f63e022ccef57bb131b16f4feef46393231db5ccf0e

SHA512
1350d02087a63a59cd7aa7fad6c8cd81f13a80d484df13a6c83051d9492d5b5ded9ab4c8765f1f80ab45b35c19eaa509928bb42d93097e4593e9b61e92ab2286

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
63KB

MD5
35bb801f78bf1ce9c5e1d3294d92d07a

SHA1
0e78ca110ede6f13384097c29fc5c73da39b0fa4

SHA256
e3ce1c89532aad761439abc74ecdb00006fa237250906eca48513ca6df951980

SHA512
4aeff040e48fecdc96fe7a4fc5d62f4b425ab80528e2353e2721a6824e96d60e299ffe9a9ec3e5a0f0d36dc41e8a108db4db1711b2d7783f142bb83156eb3cd5

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
63KB

MD5
8b833477a36ae0dbf8c0773b3f05ed45

SHA1
fe9e37547fb4d838361aa21ffbbe9b5bd9d11b2b

SHA256
2402661b8e0d4a0b9c86aa40c74b19c0ca3e0a85954d657049eb30a380760df5

SHA512
74035075dd2f5002fee2b82600999659cd9e0b1fb42d5936f1cc486c6ad610057260675b5be7f4b5910e7559ee6874226af367ff1f9d19f55747f70725d3a117

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
63KB

MD5
25e347227132dd6e2ce0519cb4b7c723

SHA1
1281e2d40782bd0b3900001f6e1060f52939b603

SHA256
5610e198bf1dbb25288f3e99a335d8d8aa11f12e0150967318dbccceddf5fca4

SHA512
41821dd576e13f51e4b6de00f521c6a2efd50cf77bb4d925202163893ca05755be63b0e2c835aa0b4551df514b06686dc442916710b0ac511895319ca2d67e8b

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
63KB

MD5
f52f6b5aefa3a6b88e47be96305d2165

SHA1
9523ac7f8780d09b979ace601cd473bd54feb7dd

SHA256
301e879b40a61ee1fc2abdf90215090040a77b5b8431ea9e5b28703f973ea293

SHA512
eb8833675503e61a910fe2b9564db187b3c3f3ff41d5121b1f04f0f6ae4ad1e32136b19483783d32e6ae03e668a6c57e850bacd1eb7ab26cb7dc5239d79d64b4

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
63KB

MD5
ad871674d9f8980cb6e53785b6690afa

SHA1
787814228ea12d748ebbd156d4e68fd12be7b28e

SHA256
bb0044d2e57034fb7dd57ba78b1e9b9b7c111276388e52acfb18686a461915e6

SHA512
7943154cdf65c6b9fee5f3215d48b24ca355a68f6448d7bfe2697eb9f2e224dbc47c2a6ab6cf543740160bcf210dcc561ea306e9491196631a8762200bddaf7b

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
63KB

MD5
c0bb8dad50a31b23732fe11f0b062a3a

SHA1
335afbe3cb69cddf0f8990afea07eb3ee646ce55

SHA256
94bfdf973e7dbe793729c70f2b79114f9352e785e94eedb7e7bad86b4b1b21b6

SHA512
e95ff6e7989ca1c314b04070e8953c431a56e4dd9e2f35efffc3df30443b2fabd3b2cb2dccdb37691bc6c3573bdc8593818ec351e6e0e0c3b9a088daa9683aaf

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
63KB

MD5
44d7a77fc81a2d9d46740d924c3373e7

SHA1
217f82e06153fee98c594e1c86f1f659528d06c5

SHA256
8bc0d93a7139abdaa4a006dac179e02f2d113865e2fa6035e79977ef532c26ec

SHA512
078590e161f2bb33683fa337b72de93f494d39a25896bbd2a2ad77bb38c7a927f89ce6fecf9e106f948ff478213f8d267fe92f3359c85f8a8f97f404179f3ec1

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
63KB

MD5
a76177ddc39e28fd306b9ba0f4596f57

SHA1
7d4b87491a45bab5f01bc419541fbe00e84823f5

SHA256
36794905fd1736ed8326337b4cfd6d7d008c9553ca01a0562860b34c10eebf0c

SHA512
2df0379c99e74284a481b195883915ac64f9d76938ad948858702ca55181aa4792357c3970ff12b6fa3b6ceed2ef0ea9aeb65eb10a6be9a0ebf22be17006f3ef

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
63KB

MD5
fe9b49dbcde575e2612130b949094486

SHA1
8a16dd58bc388f2fd729c87536ca42146f7f392c

SHA256
b6291d9e8de2b937ac4870c6353f642a00f00e5c339508eb361f0c4088f79417

SHA512
925f7335414363b4a2413c326e4d058a4dbf375aa71a4b4bbb30a886446633ad13154dbc39d89fcfed9a4cf32f7f7eaedec1b6ada94443657268e1238856d468

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
63KB

MD5
e6edc3972ccab628b1797688e461c319

SHA1
27dfd47467e4591dd522c972783769af14d4a4bb

SHA256
70e67f1a4d22492972dbde4b583bb0c01c8221583ddfe9ee836990a2b556f1f2

SHA512
1064cd7c0904347662d8d8035e77ec5c8d0d04b4af071d34c17cd2e56ea6e9f19e12fa6005f1cfc2dd431f0e81a40d9bc8bfa8341e129a37e3b1d1b1aeaeafce

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
63KB

MD5
f12241ee11c7769b682fc09fb21fa0a5

SHA1
ab14bff5560ae29406afaa7a4fffad2d3270a99f

SHA256
798391d359521a4fea23afeac3113b29ac3b0c83ad61c9213f60c692b68f6b51

SHA512
75adbcdb5f8036d09aba7f9039779e7e62e9257353c4cfd5b8cd2cb1584356de18e580d800a1ea97598bfa83e3e4ae2dae46936cf8ea3c23256f27e480735a35

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
63KB

MD5
8355d8b2d6fd73eac6d81bce8851e240

SHA1
78c75785768c5c7c61622ebe87acad6416809dcc

SHA256
854a5a0b985ef246f399f6abdd8c84806c9c7271527b321ccf28818d4ff18f8b

SHA512
88adf149bda6d76cb6bb0212ee73d01144fceb54147eccf7980d6dbcaf76e993e902969dc131e3b98e5a49fd3e48cee4d878e0a12946c62ae122d538326c6d6f

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
63KB

MD5
d5e480e47b1a2d110da7bb9e21fb78af

SHA1
0aff3009207bf900cfcdde3cac27bec8173bbf4c

SHA256
c2d5ae1fe48ce5f80f9da242e85a7bf40d09b3101a87ccf0f36b08225ba2e37e

SHA512
608684c8c0ca3e7ba0caac712eb33c368235c1e5ab4a2fa215d07c5c66dab836f9e6f36432d69ce49a96ef54d056b4f2ce15d60619768c4773d2314048f1d533

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
63KB

MD5
8a8a7535677e6fbbc793799db8ca2d6a

SHA1
405417b63fee95a8dae5072a0728a150ba384b77

SHA256
5550919a61eff6921d8289d11965598688d25d24ea48417a55bf213fca3e9d05

SHA512
728ff152930ab5747848ec946e6295643030dfdc5ee880faf53e19d4c93c13bee12321b1f811ca02ef7ae7e9480cc167958bd433a388f6e233680605a2b1007b

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
63KB

MD5
85fed48013e167e2a44bae11aca456a6

SHA1
ba086d23358ed64b117e6aa722ca1f2037e1df1e

SHA256
650aceaeb10e1f04db01b57537b887d9f395e72e734ab670aa77cb533af9e74b

SHA512
592a4b7637056ba2abb2773cc0b31dbda96f1ffe1cba5ba47a4de60490b72118ff923b0850345ed468704bdb614a7021cbd087c14fe185c05df1121384d39a90

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
63KB

MD5
8aa8ec074985a088d0ad051c3764c3eb

SHA1
81f78e134173f3ed40cf6056d00cf4f251274476

SHA256
eb608bdda3d5aa05fb8fe12c4f4e9afa809a82b38db709ada752e5e7095fabb7

SHA512
40d3d94033475b22ca21071b1b073c37b6733ad61e9c70bdf8bccdf768b0349dbe0a87c08d64a68d1bd9096ad9b14bd41434e95444a568b78061476a81b77d64

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
63KB

MD5
6cc31a43b3360030138cfde49966b1e3

SHA1
05c677bdb4436cd75be0894bc6e462ff12e665b1

SHA256
72be7522ea9f6d3c4cc332e5bae278afec97b93d561298ec198b51205515d7df

SHA512
f0f5ef7573aef0016807d442f499a71451bbb19f7d4bf41a36266df1c2deefec4258e5cb3b7f6726f9106d31d215340e0fef9b5d309b89f8ef0f8ab177497426

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
63KB

MD5
5b9456ac733e192cafee9c8e1b314f57

SHA1
e8d147b96e8f555673ed224e7fb5e8dc5482b63f

SHA256
e40639785dfbcd7084fc43a818b3a652ca48a7f1191df786bff6f60fb8e9c5c9

SHA512
dfb6b410f6d61e53fc738edcd7275e3f610698b51f396b688ef05583e22bc73d3c1795184000e7d437eb54aea52f6d29a095ec71fb960c64cd06a16fd735fbc8

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
63KB

MD5
fd1f03101d4fda34f3192b8beb1969ec

SHA1
41ed5083ad1f55f479357099972340ba08b0c723

SHA256
c4e618616f5723d80964e909606dca9d1b640dc5c1c0068739a2fe94846f4f24

SHA512
da0bd3cb312ba2853dc02e5476925828e6e50140fde5abe0b573ee329862c1b393f16d671ba360bfa47671c8bcd033ba7122dd16cfe4b91982470dbe52f03993

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
63KB

MD5
e6e42523b50e422e73f483b9f1e15099

SHA1
151a841c549cf0bd02a66b767e64c6228c817224

SHA256
f657fae7fc3f6f3c45c0446e389df378925df75bc05affc89e62b8a2f87feaf3

SHA512
1191ebdf0598063f0d0a8f9816eee55f154eab1cc2c19779762e6adb5f618f8032ce536658d7b1e2604fd45e87f64395469c8fb0c5979ad6c33b98450c6fddef

Download Submit
C:\Windows\SysWOW64\Nilhhdga.exe

Filesize
63KB

MD5
4687b6e1f2f42e1672e1d6b1ffccc189

SHA1
c76d278f28a5c4906855c2d73837a42578fb8454

SHA256
97598cbaa12f652c0e724add6b7f6a726dfd6d8a7293dd87b93124043807249f

SHA512
09532f2284b7b535b609e2c19b9c2fb48ef71eff34570ca5d478ebc7858bd24b835a18921e97a89efd4fe74bce71218e06d7db9a848d72a9ac608871282ed935

Download Submit
C:\Windows\SysWOW64\Oalfhf32.exe

Filesize
63KB

MD5
bf71404d3886b3d1acd4eb26c3bca842

SHA1
832b408559ec0a1fd75dc10543c211abe65dbe98

SHA256
2c7fca85da72399b9dd40913b88920afb141e307e1705154a8296c5db533eaed

SHA512
f959f30a059fef4a3b9fc4bc296be65c32e75cd87bb441052bb6ad18b4575bb4a397c9dc9614f0cd10d726b063fcef3be89d8f3eec061c391c8acc8873059e63

Download Submit
C:\Windows\SysWOW64\Ocalkn32.exe

Filesize
63KB

MD5
a7796d92e309753abe27f880fdbcde36

SHA1
2f4e6d8a3e094a891cd04b0369881181c0b9fa62

SHA256
decad99451f14997022c7500f47a78b79ae806f9a0778176553835efdd11fe8f

SHA512
a8057e6317d54329565b9db3e6c5138447bd8ff868c6bb6abf9e797c5f95fdbcfd344337602878ae9701fd6e1544e4a974899287bf8ebf937b76063dd46d298b

Download Submit
C:\Windows\SysWOW64\Ocdmaj32.exe

Filesize
63KB

MD5
db1b7f4a7b9fe2411e1501b1366ece15

SHA1
9ba5517e76caf56422589a5308745263726f0da0

SHA256
52b73c28254af5d2c0a049648c47f9dc1d8ca314bb75396ad4b00a18679e2550

SHA512
89f0ae74cedde9eb188977f125158e66dc8d8a29edc8004de2b7c22a2d310d0a25872ac7aefba1d4690b12b81127bccaac930812c1dc9ad31a5443e6a62ef7d1

Download Submit
C:\Windows\SysWOW64\Odlojanh.exe

Filesize
63KB

MD5
775ad05b8d2254841668dc4b117746e6

SHA1
8cafa5030a103b4a7e4dff7645cf2a83590607d5

SHA256
f523357e765ebc965d53d2cdf97a127e67f19b23486ed0a7639067ceb0677aac

SHA512
1a916036ffca309ef2a122a008eda12c81a0b120f21595b143a98b7269cb8c6d85ff254bf0e84fe6bbc202805ccc2e2a379117cf989bd8c61fafae301e099d59

Download Submit
C:\Windows\SysWOW64\Ogmhkmki.exe

Filesize
63KB

MD5
49d8605ccdf69936e09a398fbe4fa44a

SHA1
ab4ab02429ee752c9a4db93f7cd3120952cd1b30

SHA256
79fe7c6394933533605fa8914e967f634cbea017653b2c25aee9296a32827dae

SHA512
2aae9b1ed43683f72d36e5e1318e5db73da4f9e3320c7dd0b245ecc132b855b957b2cd9a12ee9499652409ab4aed054142e38a972e91e693810e9dd1983fb4c5

Download Submit
C:\Windows\SysWOW64\Okdkal32.exe

Filesize
63KB

MD5
556799d97234432158e08e32e6efde3e

SHA1
8e4bc387655b03ec4db7fe7a7a5df6d85ea4daa4

SHA256
8f21939a4b2588a14a7db8370acad0ff77bc412f0050799719ddb17482e8a0be

SHA512
e3591bef98712cc14a798357a827cf4943514f58e1b5572ead62f1600917e83a434747c93a21f59bf3bbed5cff2f9a1b3caea25d96472d6c541005a11b194bce

Download Submit
C:\Windows\SysWOW64\Onecbg32.exe

Filesize
63KB

MD5
836fb8d7addf1bf5d7c8dbd95c858113

SHA1
47dc901fc1684031653482282806504a52ce5d0f

SHA256
a885b32acb2eda6ce6bb46e108a02c1cb66844d9736061dc5232e06196f0a0f5

SHA512
88deba11e3961907a604550010cd1d43ab381898910d796a9a94d8a11c3ce471c9a0eaeeffee0a3b43bc689d1b4e687d2c650bee04de1706a7608f51b5e76e4f

Download Submit
C:\Windows\SysWOW64\Oqcpob32.exe

Filesize
63KB

MD5
d9e31499518fee763244af1b76cc0a28

SHA1
f0bf3618c28bd22520069e72a48be7e07e587110

SHA256
dd805e2252d3236deeee04335b8299ca285e26f92d4477bbdb8d6901f5a02832

SHA512
651a93dfc3667bdb8de38f6a5e309900604c75b8396bd476c68f431dd75cd9ed43f6e5d40f3948206bfe797f847698383bac250832b5da54ad9d22947217bc72

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
63KB

MD5
f8f6516216ac8b19c5a06364c802a0aa

SHA1
5550b7bb91d139135fd3bd3cbc6418585a7638ee

SHA256
d7f9ceddbbaf7cc22ebf1a16630e16f01ae2583258060fe883eb07b527640533

SHA512
baa34e756c88117919bf95a16a261cb496c5024b54a23fedcafd5a68d4ea15b596310b1d33bffbcd9ef8ee8bc1348b2dc10ef29a3b0a417d190d87190e674e60

Download Submit
C:\Windows\SysWOW64\Pcdipnqn.exe

Filesize
63KB

MD5
8424e0e7c0ef91a8425c8809d0140fd3

SHA1
fb11b1f1c22d67ff76f3332c62379124ddd8308d

SHA256
865637b9f5a4f8d3db5a427414943aa4ec792a311f79566ad7f15be2eba9ee61

SHA512
6892614a203237c01cbc46ceed7087b10ead7fd48f408ff9620c652e5d5290712bdb81ffdbe2f44bf665550a07047b1aa168d87d158835ed845c2b3b750ebaf2

Download Submit
C:\Windows\SysWOW64\Pcfefmnk.exe

Filesize
63KB

MD5
6677c7c95a8711193c76055f889ed6fb

SHA1
ef1259134e78c4ebaa05690203465b9d8dc4de63

SHA256
db1d33b680e62a7e4413ac3f5497399d2e188be7aa8d0144a6d5bb4f306220a9

SHA512
e69598dc58ca590952a5de149f9f57d65e411b458080d5e0e23d6f7b3b9b9d9c44b15e611d4aa3e5931d8a967ef4147f53b2dafbc6895acbaf3b107e5f6589c4

Download Submit
C:\Windows\SysWOW64\Pcibkm32.exe

Filesize
63KB

MD5
326b7df25ad44701fd854b46a005e57a

SHA1
0d26859b9599bd73954fa489363437cff2e28171

SHA256
d3ba59fb31b0bdb6c9005bb485d6f08b969dc6f663f445009decbe76f97fa84e

SHA512
ec0fe3722011911215c066db9dae5bf8274e965361402560bfa85be29d939e8975e166c7737734499403c0671bddca226cef6f064249553a749b995f180a7e8b

Download Submit
C:\Windows\SysWOW64\Pdaheq32.exe

Filesize
63KB

MD5
d9c718a2692e08ba72c04c615382721e

SHA1
c6a53ebb52bc040c34b19bd5289a4cf9f4f3891a

SHA256
90f396a4a4121abb2a6a6fe896e0ca6dee65d3a90477cac6d9dde8312d03cd25

SHA512
9e01e4a6dd9119009614cb26d876fba7e516ac063e388218e58d19ddd1d3428cfe7f64a8f58d1dbfb050f07c6b0d974e19321984a8c5578b162332b34042aed5

Download Submit
C:\Windows\SysWOW64\Pfikmh32.exe

Filesize
63KB

MD5
581f0a032595252c72a2371f460a602f

SHA1
758cc09fbcc6fffd655ba77f9b2b1130a9ffefbe

SHA256
87ed4c63c30754080c351cc0dea3152182dd4c243f51c49df8430948caf512a0

SHA512
caf5cf0a82f5c52fa66bd7acc398642d98fd91359ab814ca4f0ac8c7851f4c1a015f890b2a82e1f4bd48fb00b484f09774eb17c7a1828648020e51a118be19a6

Download Submit
C:\Windows\SysWOW64\Pjbjhgde.exe

Filesize
63KB

MD5
27f90e687277869c69f87ab49b42bd10

SHA1
f1fc6bf4eec1f1e5af313e2f5579723c2b4f1626

SHA256
256596d9c89e51f3d316b62011e734ca998ec146b5002eb93891d5225a70bf7e

SHA512
42ee207206dddd2bc5f8e2f9ad2ca18c6367d6c0d0f684e19922ab11b7adb390d6a7246a78a5a12f1c6bb0d837b390611a08b87840ed024f28b6e49cc20a23af

Download Submit
C:\Windows\SysWOW64\Pmlmic32.exe

Filesize
63KB

MD5
5906ee7fef3244389e0e900fa10dd76a

SHA1
53671616a31d1d792f1e59ba5aafea15a98d1333

SHA256
07740c11d3deba3ac46f5f02138969cb9f3b4041adc12f394e5b1ca1b5b8e431

SHA512
4ddf7be464b2647cf951d8537a108e81753cefa30efca893b3d9af0d7c49a933123cb4b1e7a82ff57b3ac48b577e368c0db4a2c850ce7468713c70dee7085822

Download Submit
C:\Windows\SysWOW64\Pmojocel.exe

Filesize
63KB

MD5
2a3035d68706cac0b2fdd2d415622989

SHA1
fbaeefcc5781690093d51626526dc37591d81c86

SHA256
fdc48c49f636b1b27d2d40aaf56c1864139837003e44b694f6aca483aafe882b

SHA512
3b1a9de664887fdee3c30322e0c944cb82b3b0173529fefe805454e1c1d808feee908382657af7cdcf856eb9e26d6790d31acb69ca2334b8591592f992e899a0

Download Submit
C:\Windows\SysWOW64\Pngphgbf.exe

Filesize
63KB

MD5
46f80f0315e976d9ab61b8e5720ff286

SHA1
fae02bff63ff9760a05a560998e616dcdcf8cd4d

SHA256
71323cb4fa05ee7f965aa48709b6f288972d26165080274a36966a301c044e7c

SHA512
1205599727a483c696e9bd637e6fe5413d62132c71db4b78d0e43047e7c3b63e02985755e2774ba7f52fd2e5cd7217ac273419273ab0aab4f13f139e88af7de8

Download Submit
C:\Windows\SysWOW64\Pnimnfpc.exe

Filesize
63KB

MD5
c0795dd97ae15404a07ddb008f195e9c

SHA1
6bdeded0d6b8020b18cdfdea0ddf38860288438c

SHA256
03ae0f2efddf15c2f8874d8d2a6b14e98ea2b3ef2fddb802da91e12f453d7faf

SHA512
61d301b7d30b67752e24c47094ad5821c3be5def61bd25e8aa451921be2c5e44511fa9a8a3ae5144015364af7a7643d1dac061017d4cba6a5c98bd134f95f8cd

Download Submit
C:\Windows\SysWOW64\Poapfn32.exe

Filesize
63KB

MD5
1320b722e931eaf73556203ccb7490eb

SHA1
ed44d92ea34d78b6f88a9b189d9e81a2a212a0b4

SHA256
4d7c2a13a5279954e7deac3f45e7fe8551be7e1711c6fd2e940b83582f06c3b1

SHA512
c92036aa2c770f55e67f650deaf3f16ebc60543bd09f10779f3a6a4382a2a2b601097f5c0480b751a534faa8dee313b6c1f4d723b615e71c74414a5bcd54561a

Download Submit
C:\Windows\SysWOW64\Pqemdbaj.exe

Filesize
63KB

MD5
f9c46ccd93cee516abaf09e9db133c8d

SHA1
b8ba073caaebb84c704e903033ea30efb6f39952

SHA256
a5d003fad597ee49acae9796238c398fba637ee1036d4df0a0a992ab2e6e5070

SHA512
efd0d53e4145a770e615301c966c5e39c1e3f6345c5d95dbb4c948fa1f57411a9fef642fdbc7fc35ca1ed68c59cc87fb64597ca03b90cc07eac77289a1021529

Download Submit
C:\Windows\SysWOW64\Pqjfoa32.exe

Filesize
63KB

MD5
e039b06ef02ca9f8f69c5ae610a098fa

SHA1
5ce8acf77a318aa359afb8d506ab4bec37061e12

SHA256
9bb19672b0f123ea6e783168982417eecc518baeee22243ed81322c305799291

SHA512
5dc2a4bc002cadabdefa4232d51372c1f59852981224f8cec71b001a873795b12d9caebc88e2a7c52d583e898d3484a743aa0ed6a5021d9e1957aa619305c3ce

Download Submit
C:\Windows\SysWOW64\Qbplbi32.exe

Filesize
63KB

MD5
4f7116d9bf6cfe0bcd3e8a4107dcaf85

SHA1
c4c137e622f6f885398a345923dd0deede7945ce

SHA256
efed34d13ba7c11dcd217c34681cc6e1d308ae46e5c7785ee46b1fb16975f20f

SHA512
1174326c9d2c135b60c10e0f42f01cf8dbc42688bb6adb3e4864b9be1c2c4203df49f80f088e579a8ab5528e9791e299f603c1bea596c2c9b6b2ffd4f2855c1d

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
63KB

MD5
0400f121cd27612a9ddef2fbf97ca1f7

SHA1
66c4be4c02093db42f8f8e8d735e4f33258cf070

SHA256
fec50fb0e81bc7d54b92f8de4c5a384a2d6d6ef8fc0308dc367f8afa87fdebc7

SHA512
9558405fd312c0ba1e08226c34f9ae167541a83c855094dc53c43afa85325508c745844bbfe8fab6e539dc9e110b2170cc70f7e5d16b0dc91aef811f0fb10545

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
63KB

MD5
9f594a713d6c70f7595a7b984f8659f8

SHA1
7c3c010b31bdbf57d71d791f67ef8bd876de169b

SHA256
4ac89dc041489710f1ce2745c19661eae9059c8e5cbbf4cbd7fbefea75997e57

SHA512
c415d6434bedb67e29d036d0faef510b330e699b17d9d977be088ba8e267dc734eca1aa0bf572cd5373d63c103eab63d28ec139e7c84d26b2a5d5b268e4cbf16

Download Submit
C:\Windows\SysWOW64\Qjnmlk32.exe

Filesize
63KB

MD5
ee3cf4a3b8ef8cd1a7b7e62b6415e055

SHA1
ed826a1b40e86004b6e3fa6f6566f7c3521ec4a4

SHA256
e89cdc323a26987ba7d70dd1208328386d82578d08dece221260a5109d7e2290

SHA512
604ae838d6d8371b256265ea50af02deca6a9dc08949b85d0348214792f8a4a656a6acb0eb8203a2d9308fa71e78ab0a542084ce277863719e8aa44286249017

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
63KB

MD5
4612c147861423951e0348b33f7f89c9

SHA1
1a6b73cb27fbc3e1af2ef4b052a24587c4d34d78

SHA256
94290603a7b5cd119cb3b4b7aa94da8be30b3d13dc57978911ecf6a324cb3a96

SHA512
da19a539b564296e00d4f78d6d8b9a2ffc24847070f456c5ae8c062fc5dd6ec3dbf067efd19232bae41101f027b3d385bb31acf18f73b3d19595c43a5192702b

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
63KB

MD5
0531299f88ed7ffc2ff642c17801bfb7

SHA1
baf6f287f4e872572a307ac8edb99dfaea6f80ec

SHA256
f182a4b4e9caa07c20b22249467a4c8bd128a321826b7af0cc3111f45068c72b

SHA512
36345bdbf185c82354741312eec6340bcc2a3fb7343944baa1b214909ffd2cb08d7ae064f930e193fd2c72a02b93639d521715fa39046af796eaec7b7f9d71f0

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
63KB

MD5
e4734ad801b7f1e1c8081298ade5938d

SHA1
eb85dfa3658b12fe3679112a911aa8c8dbba440c

SHA256
1a0ab37725577d1ee12b0e9d3ac42d10825079075904da85fc49fdd9abb3fece

SHA512
bfba5057f2edbcd44c1e7c8448448d27f0e6d00d58c8c01badc0d403b36cf7b6503fb114a531a9e32b50f8965e8b26193d470b6a1ab67f0c37f82b9ac5d73b42

Download Submit
\Windows\SysWOW64\Nadpgggp.exe

Filesize
63KB

MD5
4f1908f50b6bb5f888143f08de04698f

SHA1
5c8f85935b19dcee624a19045cc72676fe66093f

SHA256
eb4687ca234afa616bff5c4419249a587d9acf24d1af8378bf36e3c1e3ca7751

SHA512
27a1a59fd7822b63eb1715acad108a272958fa74721c8164b507ea74b08ed59125cab44842b4c74d2ef8b1397612155956a8cb5e367873de317f2309baaa8815

Download Submit
\Windows\SysWOW64\Nhohda32.exe

Filesize
63KB

MD5
ea2468a838cf2073f2c6aad80ca16773

SHA1
88ad1dc03d6f08813b40c500ec40d69300ba898c

SHA256
cd92dece90fdbc215594f070c410a143beced35c943b0d06f26d898f85003c0d

SHA512
6b33ab8ee0d470364d64fd5a4a4073aac9be2468b0268e5dd68d0829160561adc1ed018a82fefae51d13f841f786908709d910fee0d19ab1f697083a2636055d

Download Submit
\Windows\SysWOW64\Oancnfoe.exe

Filesize
63KB

MD5
b8c6a2023fdd10c2bcb431a5dcfd3152

SHA1
572db51e90fc8ad6b497dec717f1f01c6037b806

SHA256
77c5e5e7142a4c1b2512dcaff660c598338dca85308548cc2fafb7f4cf7cf629

SHA512
fe587ea8f57628acaa2149bcca2bd184dacec2c4955421dccb5f7f944da6a5aa125842368cd26a7ca08ddaaae02e1445524e7714a53d1f023f2ac31d34914062

Download Submit
\Windows\SysWOW64\Ocfigjlp.exe

Filesize
63KB

MD5
e93f8603510055a4064c9a398cae9285

SHA1
cdc1a5a2e685c88ae7059565d7b838eb7274d1d7

SHA256
58d32790639309f2174fa4e94f001f2038b547ac954a4f9d179374ec7439a86b

SHA512
3095ddf9e84d157fee5eccb4e40c06303268b88ea765eb85ae794d63612759b824b66d1c1845aa25d6240c32500d483aa566f219ff85856cd3d2da3b31638f34

Download Submit
\Windows\SysWOW64\Odeiibdq.exe

Filesize
63KB

MD5
d74a58575d7ac5f6771d807854d4a6e0

SHA1
c70bea3dabe0bf700d82c0b43b3dab8faaa4ce93

SHA256
069eca7a59afe645d565c4a0aa28c6fd8557dae8f3f1548eea93b8884fb8e4eb

SHA512
e1a90d7b7b6d7cd772c7ae069a188346db5dc5af6ccfaca3144362088301f5f9597afdb1297a342120e53567e2fd9496a2d1ba363b411b4ea7071b07b0afa184

Download Submit
\Windows\SysWOW64\Oeeecekc.exe

Filesize
63KB

MD5
230929fb0141f9d0ac94011e97847fd0

SHA1
fdf326e598ee97189eb5cfaaa771527e24f07a95

SHA256
cdf98b35b98cd92eba16deec9d87b1ad16420b82d5b05f738204f9b06ceecd66

SHA512
8badca33135346aaf0031b10c156b3b884d507a22b4eecf57befb3805827a314a781d00af2b5e0fafa33d3957fbfb85a82a7895ab0691be93babad251b07f085

Download Submit
\Windows\SysWOW64\Ogkkfmml.exe

Filesize
63KB

MD5
64dcc7b31026abbb6b802538f1dfbbba

SHA1
b75bf58cdd00fdba349df80dc9a97ccfd3a95c49

SHA256
9701e4149597eba5836fec3d9da705daaa44315848ecd6fb0affd61c26a64ad1

SHA512
24078aa2287ed8f85c9c2c0c3e345da55036305e011d6778ec8811b5ef2598adb46600381f67ad886d5cfa8faeeefdfdf19128b6a0bd4fe535ab8f65f7ae9637

Download Submit
\Windows\SysWOW64\Ohcaoajg.exe

Filesize
63KB

MD5
73af293cf4109c78696166d3c751be8c

SHA1
267322b7af2627de6f197d7cf6e6824569106320

SHA256
2df59e4ec104b77a573d39ce7e42cfbab3808c453b8b0bc0abb9862b7f1c51a0

SHA512
ea9f1a8499ebde147b69283e1bfd55ee6630f0f09033fb803b8e9c00695428a5093b4ff6b3e0547ea53da3bef9db7ac5467bad03fe0620c0384b5e943a34694a

Download Submit
\Windows\SysWOW64\Ohendqhd.exe

Filesize
63KB

MD5
e5fed9d6549263856b7c0ac69e863d85

SHA1
5d055a80525fcb8adca198a9e803efed416a1bc5

SHA256
0a58421c63d2254fdd1644b73f45263e75c70f45766b6381f782e17577d05794

SHA512
f88a37287227373c6403e4c62431df0f16896bcaa70d83c88b63551df728b1539ae65dbfcd1834683c4486fe91625a7c70ee90886d994152918759fb681b1c4f

Download Submit
\Windows\SysWOW64\Oomjlk32.exe

Filesize
63KB

MD5
eb3fb0f68ae2b2437542b0002b0a77a1

SHA1
28910563aeda045d67c2887a65f6fa1e3aa14b20

SHA256
68b9798c375af2116563208817d093c6529e563e6281bdad8af499bc60fb44a2

SHA512
e2e8a6bf450e9b153c7549e578a4d302280a9291045b02fb4128f43dcfba6f1cd5d56729bd4e326cab5c4193582b3c6c2dfff387a4b6a422418b1abacbaa2fb8

Download Submit
memory/308-132-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/308-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/308-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/344-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/772-354-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/772-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/772-353-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/796-524-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/796-533-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/836-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/836-473-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/836-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/836-142-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/904-483-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/908-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1040-367-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1040-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1040-366-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1144-440-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1240-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1244-534-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1248-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1248-409-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1260-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1420-168-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/1420-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1420-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1488-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-506-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1768-507-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-522-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/1780-517-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1792-186-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1792-512-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1792-193-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/1808-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1808-543-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1808-219-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1852-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1852-377-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1960-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1960-256-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2096-299-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2096-300-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2096-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-388-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2148-456-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2148-461-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2148-450-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2184-482-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2328-523-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2356-278-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2356-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2356-274-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2368-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2504-497-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2512-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2512-289-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2512-288-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2532-238-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2532-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-113-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2552-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2572-320-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/2572-321-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/2576-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2576-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2616-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2616-62-0x00000000003B0000-0x00000000003E5000-memory.dmp

Filesize
212KB

Download
memory/2616-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2672-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2672-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2672-88-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2672-430-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2728-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-11-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2728-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2788-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2788-331-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2788-332-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2856-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-39-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2892-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-38-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2892-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-342-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/3056-301-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3056-311-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/3056-306-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads