berbew | 48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2

Analysis

max time kernel
20s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2N.exe
Size

896KB
MD5

c4d82492819bf8ad493148757f089590
SHA1

3f34b569f94c9dd1bc6115d639ae2229d71aa6f6
SHA256

48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2
SHA512

aa49f52434e73f2704b69e089a3eff9030d096b53e9437d5cb0510dac70947453d376cdeca05a6a408b265f5b7a6b925649df7ee290377352cbfe46920f7577b
SSDEEP

3072:I4vBYIUx06jQ6eSdtY9YSaLRFh48/cuxGzt68pXBnPiU14:rvBYIsd+YlFiWFAECXdPih

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pniohk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elpqemll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efmoib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbmoi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkcgapjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biiiempl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhopgkin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfdbcing.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilndfgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oeegnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oojfnakl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpejfjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjihci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfdbcing.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pniohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkbmil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfjjkhhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chblqlcj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dabfjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekhjlioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocihgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbfmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlkcbp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkbmil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnafdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjmnmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjihci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbdbml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnbmoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kngaig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbfmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbeqjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dabfjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdonjf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihdmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chblqlcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlbaljhn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iainddpg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biiiempl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilndfgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phhmeehg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abldccka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioaobjin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjneoeeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpalfabn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgcdlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioaobjin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glomllkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbdbml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elpqemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iainddpg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kngaig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kflcok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqbeel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpejfjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkhch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meeopdhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omeini32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oeegnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdonjf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 59 IoCs

pid	Process
3068	Doijcjde.exe
2152	Ecbfmm32.exe
2940	Fnbmoi32.exe
2192	Gnlpeh32.exe
2788	Hlkcbp32.exe
2644	Hkbmil32.exe
2508	Ihdmld32.exe
2344	Jfjjkhhg.exe
2916	Kflcok32.exe
2832	Kbeqjl32.exe
2700	Mehbpjjk.exe
2084	Nklaipbj.exe
2956	Oojfnakl.exe
1724	Pfoanp32.exe
2012	Qqbeel32.exe
1384	Abldccka.exe
2372	Biiiempl.exe
1308	Camqpnel.exe
2352	Cpejfjha.exe
2424	Chblqlcj.exe
2608	Dlbaljhn.exe
1488	Dabfjp32.exe
1048	Elpqemll.exe
2356	Ekhjlioa.exe
2480	Efmoib32.exe
1556	Fgcdlj32.exe
2216	Fnafdc32.exe
1108	Glomllkd.exe
2532	Gapoob32.exe
2772	Hhopgkin.exe
2600	Ioaobjin.exe
3040	Iockhigl.exe
1296	Iainddpg.exe
432	Jjgonf32.exe
2624	Jjilde32.exe
2848	Jjneoeeh.exe
2996	Kjihci32.exe
1948	Kngaig32.exe
1960	Lfdbcing.exe
1428	Lbkchj32.exe
1692	Lkcgapjl.exe
2156	Lfilnh32.exe
840	Lfkhch32.exe
748	Mjmnmk32.exe
1680	Meeopdhb.exe
1592	Mcjlap32.exe
2276	Mpalfabn.exe
1260	Nilndfgl.exe
1832	Nbdbml32.exe
2360	Nbilhkig.exe
2632	Omeini32.exe
2768	Oacbdg32.exe
2796	Oeegnj32.exe
2536	Ocihgo32.exe
2176	Phhmeehg.exe
1604	Pdonjf32.exe
2836	Pngbcldl.exe
2896	Pniohk32.exe
1160	Bmenijcd.exe

Loads dropped DLL 64 IoCs

pid	Process
2104	48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2N.exe
2104	48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2N.exe
3068	Doijcjde.exe
3068	Doijcjde.exe
2152	Ecbfmm32.exe
2152	Ecbfmm32.exe
2940	Fnbmoi32.exe
2940	Fnbmoi32.exe
2192	Gnlpeh32.exe
2192	Gnlpeh32.exe
2788	Hlkcbp32.exe
2788	Hlkcbp32.exe
2644	Hkbmil32.exe
2644	Hkbmil32.exe
2508	Ihdmld32.exe
2508	Ihdmld32.exe
2344	Jfjjkhhg.exe
2344	Jfjjkhhg.exe
2916	Kflcok32.exe
2916	Kflcok32.exe
2832	Kbeqjl32.exe
2832	Kbeqjl32.exe
2700	Mehbpjjk.exe
2700	Mehbpjjk.exe
2084	Nklaipbj.exe
2084	Nklaipbj.exe
2956	Oojfnakl.exe
2956	Oojfnakl.exe
1724	Pfoanp32.exe
1724	Pfoanp32.exe
2012	Qqbeel32.exe
2012	Qqbeel32.exe
1384	Abldccka.exe
1384	Abldccka.exe
2372	Biiiempl.exe
2372	Biiiempl.exe
1308	Camqpnel.exe
1308	Camqpnel.exe
2352	Cpejfjha.exe
2352	Cpejfjha.exe
2424	Chblqlcj.exe
2424	Chblqlcj.exe
2608	Dlbaljhn.exe
2608	Dlbaljhn.exe
1488	Dabfjp32.exe
1488	Dabfjp32.exe
1048	Elpqemll.exe
1048	Elpqemll.exe
2356	Ekhjlioa.exe
2356	Ekhjlioa.exe
2480	Efmoib32.exe
2480	Efmoib32.exe
1556	Fgcdlj32.exe
1556	Fgcdlj32.exe
2216	Fnafdc32.exe
2216	Fnafdc32.exe
1108	Glomllkd.exe
1108	Glomllkd.exe
2532	Gapoob32.exe
2532	Gapoob32.exe
2772	Hhopgkin.exe
2772	Hhopgkin.exe
2600	Ioaobjin.exe
2600	Ioaobjin.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Chblqlcj.exe	Cpejfjha.exe
File created	C:\Windows\SysWOW64\Lhiqbpqm.dll	Fnafdc32.exe
File opened for modification	C:\Windows\SysWOW64\Gapoob32.exe	Glomllkd.exe
File created	C:\Windows\SysWOW64\Abldccka.exe	Qqbeel32.exe
File created	C:\Windows\SysWOW64\Omeini32.exe	Nbilhkig.exe
File opened for modification	C:\Windows\SysWOW64\Omeini32.exe	Nbilhkig.exe
File opened for modification	C:\Windows\SysWOW64\Kbeqjl32.exe	Kflcok32.exe
File created	C:\Windows\SysWOW64\Ogoicfml.dll	Kflcok32.exe
File created	C:\Windows\SysWOW64\Pfoanp32.exe	Oojfnakl.exe
File created	C:\Windows\SysWOW64\Jjilde32.exe	Jjgonf32.exe
File created	C:\Windows\SysWOW64\Oacbdg32.exe	Omeini32.exe
File opened for modification	C:\Windows\SysWOW64\Ihdmld32.exe	Hkbmil32.exe
File created	C:\Windows\SysWOW64\Kbeqjl32.exe	Kflcok32.exe
File opened for modification	C:\Windows\SysWOW64\Camqpnel.exe	Biiiempl.exe
File opened for modification	C:\Windows\SysWOW64\Lkcgapjl.exe	Lbkchj32.exe
File created	C:\Windows\SysWOW64\Pgaabajd.dll	Mcjlap32.exe
File created	C:\Windows\SysWOW64\Liopnp32.dll	Nbilhkig.exe
File opened for modification	C:\Windows\SysWOW64\Mehbpjjk.exe	Kbeqjl32.exe
File opened for modification	C:\Windows\SysWOW64\Oojfnakl.exe	Nklaipbj.exe
File created	C:\Windows\SysWOW64\Biiiempl.exe	Abldccka.exe
File opened for modification	C:\Windows\SysWOW64\Ioaobjin.exe	Hhopgkin.exe
File created	C:\Windows\SysWOW64\Qlckjo32.dll	Nbdbml32.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Pniohk32.exe
File created	C:\Windows\SysWOW64\Ckkfef32.dll	Iainddpg.exe
File opened for modification	C:\Windows\SysWOW64\Kjihci32.exe	Jjneoeeh.exe
File opened for modification	C:\Windows\SysWOW64\Nilndfgl.exe	Mpalfabn.exe
File created	C:\Windows\SysWOW64\Fafeln32.dll	Oacbdg32.exe
File created	C:\Windows\SysWOW64\Elpqemll.exe	Dabfjp32.exe
File created	C:\Windows\SysWOW64\Qkgjae32.dll	Hhopgkin.exe
File created	C:\Windows\SysWOW64\Jjneoeeh.exe	Jjilde32.exe
File opened for modification	C:\Windows\SysWOW64\Jjneoeeh.exe	Jjilde32.exe
File created	C:\Windows\SysWOW64\Lfkhch32.exe	Lfilnh32.exe
File opened for modification	C:\Windows\SysWOW64\Mpalfabn.exe	Mcjlap32.exe
File opened for modification	C:\Windows\SysWOW64\Nbilhkig.exe	Nbdbml32.exe
File created	C:\Windows\SysWOW64\Bmenijcd.exe	Pniohk32.exe
File created	C:\Windows\SysWOW64\Cpejfjha.exe	Camqpnel.exe
File created	C:\Windows\SysWOW64\Lglbcaph.dll	Cpejfjha.exe
File created	C:\Windows\SysWOW64\Glomllkd.exe	Fnafdc32.exe
File created	C:\Windows\SysWOW64\Gapoob32.exe	Glomllkd.exe
File opened for modification	C:\Windows\SysWOW64\Meeopdhb.exe	Mjmnmk32.exe
File created	C:\Windows\SysWOW64\Oeegnj32.exe	Oacbdg32.exe
File created	C:\Windows\SysWOW64\Ajdnie32.dll	Ocihgo32.exe
File created	C:\Windows\SysWOW64\Ecbfmm32.exe	Doijcjde.exe
File opened for modification	C:\Windows\SysWOW64\Jfjjkhhg.exe	Ihdmld32.exe
File created	C:\Windows\SysWOW64\Iijfeeok.dll	Iockhigl.exe
File created	C:\Windows\SysWOW64\Qqbeel32.exe	Pfoanp32.exe
File opened for modification	C:\Windows\SysWOW64\Lfkhch32.exe	Lfilnh32.exe
File created	C:\Windows\SysWOW64\Pdonjf32.exe	Phhmeehg.exe
File opened for modification	C:\Windows\SysWOW64\Doijcjde.exe	48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2N.exe
File created	C:\Windows\SysWOW64\Lfdbcing.exe	Kngaig32.exe
File created	C:\Windows\SysWOW64\Glfiinip.dll	Mjmnmk32.exe
File created	C:\Windows\SysWOW64\Nilndfgl.exe	Mpalfabn.exe
File created	C:\Windows\SysWOW64\Nbdbml32.exe	Nilndfgl.exe
File created	C:\Windows\SysWOW64\Nbilhkig.exe	Nbdbml32.exe
File opened for modification	C:\Windows\SysWOW64\Phhmeehg.exe	Ocihgo32.exe
File created	C:\Windows\SysWOW64\Nklaipbj.exe	Mehbpjjk.exe
File opened for modification	C:\Windows\SysWOW64\Lfdbcing.exe	Kngaig32.exe
File created	C:\Windows\SysWOW64\Eohhqjab.dll	Lbkchj32.exe
File created	C:\Windows\SysWOW64\Ekhfpeai.dll	Lkcgapjl.exe
File created	C:\Windows\SysWOW64\Mjmnmk32.exe	Lfkhch32.exe
File opened for modification	C:\Windows\SysWOW64\Mjmnmk32.exe	Lfkhch32.exe
File created	C:\Windows\SysWOW64\Mehbpjjk.exe	Kbeqjl32.exe
File opened for modification	C:\Windows\SysWOW64\Dlbaljhn.exe	Chblqlcj.exe
File created	C:\Windows\SysWOW64\Mdmlljbm.dll	Jjgonf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1932	1160	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nklaipbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gapoob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfdbcing.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pniohk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecbfmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeqjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlbaljhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgonf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doijcjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omeini32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpejfjha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdonjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbmil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dabfjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhopgkin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iockhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abldccka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elpqemll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgcdlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnbmoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efmoib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glomllkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oeegnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfjjkhhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjilde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqbeel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Camqpnel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kngaig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbkchj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekhjlioa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkcgapjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chblqlcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ioaobjin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilndfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkhch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbilhkig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mehbpjjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfoanp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnafdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjihci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlkcbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihdmld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjneoeeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfilnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phhmeehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oojfnakl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iainddpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjmnmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meeopdhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdbml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oacbdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngbcldl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnlpeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kflcok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biiiempl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcjlap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpalfabn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqbeel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abldccka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfilnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkcgapjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meeopdhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abjhjbbl.dll"	Hlkcbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gleaik32.dll"	Jfjjkhhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baohnn32.dll"	Kbeqjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbeqjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glomllkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkgjae32.dll"	Hhopgkin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfilnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhdlcl32.dll"	Lfkhch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkbmil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfoanp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlbaljhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalbfa32.dll"	Efmoib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogihnoda.dll"	Fgcdlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnafdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjmnmk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oacbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phhmeehg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijqkpie.dll"	Elpqemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeejokj.dll"	Kjihci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbdbml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdonjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdonjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlkcbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kngaig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mehbpjjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjmnmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pniohk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnlpeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgaabajd.dll"	Mcjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghagcnje.dll"	Nklaipbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lglbcaph.dll"	Cpejfjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjilde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbilhkig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mojkpqcn.dll"	Chblqlcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhopgkin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iockhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjneoeeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnlpeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpejfjha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gapoob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iainddpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjneoeeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilndfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnbmoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdbjl32.dll"	Ihdmld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kflcok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfgbfba.dll"	Nilndfgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pniohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engplgdp.dll"	Ecbfmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biiiempl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgcdlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpalfabn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmpohp.dll"	Pdonjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnklgh32.dll"	Oojfnakl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gegknghg.dll"	Biiiempl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlbaljhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glomllkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbokdb32.dll"	Doijcjde.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 3068	2104	48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2N.exe	30
PID 2104 wrote to memory of 3068	2104	48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2N.exe	30
PID 2104 wrote to memory of 3068	2104	48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2N.exe	30
PID 2104 wrote to memory of 3068	2104	48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2N.exe	30
PID 3068 wrote to memory of 2152	3068	Doijcjde.exe	31
PID 3068 wrote to memory of 2152	3068	Doijcjde.exe	31
PID 3068 wrote to memory of 2152	3068	Doijcjde.exe	31
PID 3068 wrote to memory of 2152	3068	Doijcjde.exe	31
PID 2152 wrote to memory of 2940	2152	Ecbfmm32.exe	32
PID 2152 wrote to memory of 2940	2152	Ecbfmm32.exe	32
PID 2152 wrote to memory of 2940	2152	Ecbfmm32.exe	32
PID 2152 wrote to memory of 2940	2152	Ecbfmm32.exe	32
PID 2940 wrote to memory of 2192	2940	Fnbmoi32.exe	33
PID 2940 wrote to memory of 2192	2940	Fnbmoi32.exe	33
PID 2940 wrote to memory of 2192	2940	Fnbmoi32.exe	33
PID 2940 wrote to memory of 2192	2940	Fnbmoi32.exe	33
PID 2192 wrote to memory of 2788	2192	Gnlpeh32.exe	34
PID 2192 wrote to memory of 2788	2192	Gnlpeh32.exe	34
PID 2192 wrote to memory of 2788	2192	Gnlpeh32.exe	34
PID 2192 wrote to memory of 2788	2192	Gnlpeh32.exe	34
PID 2788 wrote to memory of 2644	2788	Hlkcbp32.exe	35
PID 2788 wrote to memory of 2644	2788	Hlkcbp32.exe	35
PID 2788 wrote to memory of 2644	2788	Hlkcbp32.exe	35
PID 2788 wrote to memory of 2644	2788	Hlkcbp32.exe	35
PID 2644 wrote to memory of 2508	2644	Hkbmil32.exe	36
PID 2644 wrote to memory of 2508	2644	Hkbmil32.exe	36
PID 2644 wrote to memory of 2508	2644	Hkbmil32.exe	36
PID 2644 wrote to memory of 2508	2644	Hkbmil32.exe	36
PID 2508 wrote to memory of 2344	2508	Ihdmld32.exe	37
PID 2508 wrote to memory of 2344	2508	Ihdmld32.exe	37
PID 2508 wrote to memory of 2344	2508	Ihdmld32.exe	37
PID 2508 wrote to memory of 2344	2508	Ihdmld32.exe	37
PID 2344 wrote to memory of 2916	2344	Jfjjkhhg.exe	38
PID 2344 wrote to memory of 2916	2344	Jfjjkhhg.exe	38
PID 2344 wrote to memory of 2916	2344	Jfjjkhhg.exe	38
PID 2344 wrote to memory of 2916	2344	Jfjjkhhg.exe	38
PID 2916 wrote to memory of 2832	2916	Kflcok32.exe	39
PID 2916 wrote to memory of 2832	2916	Kflcok32.exe	39
PID 2916 wrote to memory of 2832	2916	Kflcok32.exe	39
PID 2916 wrote to memory of 2832	2916	Kflcok32.exe	39
PID 2832 wrote to memory of 2700	2832	Kbeqjl32.exe	40
PID 2832 wrote to memory of 2700	2832	Kbeqjl32.exe	40
PID 2832 wrote to memory of 2700	2832	Kbeqjl32.exe	40
PID 2832 wrote to memory of 2700	2832	Kbeqjl32.exe	40
PID 2700 wrote to memory of 2084	2700	Mehbpjjk.exe	41
PID 2700 wrote to memory of 2084	2700	Mehbpjjk.exe	41
PID 2700 wrote to memory of 2084	2700	Mehbpjjk.exe	41
PID 2700 wrote to memory of 2084	2700	Mehbpjjk.exe	41
PID 2084 wrote to memory of 2956	2084	Nklaipbj.exe	42
PID 2084 wrote to memory of 2956	2084	Nklaipbj.exe	42
PID 2084 wrote to memory of 2956	2084	Nklaipbj.exe	42
PID 2084 wrote to memory of 2956	2084	Nklaipbj.exe	42
PID 2956 wrote to memory of 1724	2956	Oojfnakl.exe	43
PID 2956 wrote to memory of 1724	2956	Oojfnakl.exe	43
PID 2956 wrote to memory of 1724	2956	Oojfnakl.exe	43
PID 2956 wrote to memory of 1724	2956	Oojfnakl.exe	43
PID 1724 wrote to memory of 2012	1724	Pfoanp32.exe	44
PID 1724 wrote to memory of 2012	1724	Pfoanp32.exe	44
PID 1724 wrote to memory of 2012	1724	Pfoanp32.exe	44
PID 1724 wrote to memory of 2012	1724	Pfoanp32.exe	44
PID 2012 wrote to memory of 1384	2012	Qqbeel32.exe	45
PID 2012 wrote to memory of 1384	2012	Qqbeel32.exe	45
PID 2012 wrote to memory of 1384	2012	Qqbeel32.exe	45
PID 2012 wrote to memory of 1384	2012	Qqbeel32.exe	45

C:\Users\Admin\AppData\Local\Temp\48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2N.exe
"C:\Users\Admin\AppData\Local\Temp\48685e0251349541862e3267b4b5d77b8a3d9c5f8ca122018ba80a7bbe8551e2N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\Doijcjde.exe
  C:\Windows\system32\Doijcjde.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\Ecbfmm32.exe
    C:\Windows\system32\Ecbfmm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SysWOW64\Fnbmoi32.exe
      C:\Windows\system32\Fnbmoi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\SysWOW64\Gnlpeh32.exe
        
        C:\Windows\system32\Gnlpeh32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\SysWOW64\Hlkcbp32.exe
        
        C:\Windows\system32\Hlkcbp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Hkbmil32.exe
        
        C:\Windows\system32\Hkbmil32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Ihdmld32.exe
        
        C:\Windows\system32\Ihdmld32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Jfjjkhhg.exe
        
        C:\Windows\system32\Jfjjkhhg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Kflcok32.exe
        
        C:\Windows\system32\Kflcok32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Kbeqjl32.exe
        
        C:\Windows\system32\Kbeqjl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Mehbpjjk.exe
        
        C:\Windows\system32\Mehbpjjk.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Nklaipbj.exe
        
        C:\Windows\system32\Nklaipbj.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Oojfnakl.exe
        
        C:\Windows\system32\Oojfnakl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Pfoanp32.exe
        
        C:\Windows\system32\Pfoanp32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Qqbeel32.exe
        
        C:\Windows\system32\Qqbeel32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Abldccka.exe
        
        C:\Windows\system32\Abldccka.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Biiiempl.exe
        
        C:\Windows\system32\Biiiempl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Camqpnel.exe
        
        C:\Windows\system32\Camqpnel.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\Cpejfjha.exe
        
        C:\Windows\system32\Cpejfjha.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Chblqlcj.exe
        
        C:\Windows\system32\Chblqlcj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Dlbaljhn.exe
        
        C:\Windows\system32\Dlbaljhn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Dabfjp32.exe
        
        C:\Windows\system32\Dabfjp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Elpqemll.exe
        
        C:\Windows\system32\Elpqemll.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Ekhjlioa.exe
        
        C:\Windows\system32\Ekhjlioa.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Efmoib32.exe
        
        C:\Windows\system32\Efmoib32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Fgcdlj32.exe
        
        C:\Windows\system32\Fgcdlj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Fnafdc32.exe
        
        C:\Windows\system32\Fnafdc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Glomllkd.exe
        
        C:\Windows\system32\Glomllkd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Gapoob32.exe
        
        C:\Windows\system32\Gapoob32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Hhopgkin.exe
        
        C:\Windows\system32\Hhopgkin.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Ioaobjin.exe
        
        C:\Windows\system32\Ioaobjin.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\Iockhigl.exe
        
        C:\Windows\system32\Iockhigl.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Iainddpg.exe
        
        C:\Windows\system32\Iainddpg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Jjgonf32.exe
        
        C:\Windows\system32\Jjgonf32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\Jjilde32.exe
        
        C:\Windows\system32\Jjilde32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Jjneoeeh.exe
        
        C:\Windows\system32\Jjneoeeh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Kjihci32.exe
        
        C:\Windows\system32\Kjihci32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Kngaig32.exe
        
        C:\Windows\system32\Kngaig32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Lfdbcing.exe
        
        C:\Windows\system32\Lfdbcing.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Lbkchj32.exe
        
        C:\Windows\system32\Lbkchj32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Lkcgapjl.exe
        
        C:\Windows\system32\Lkcgapjl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Lfilnh32.exe
        
        C:\Windows\system32\Lfilnh32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Lfkhch32.exe
        
        C:\Windows\system32\Lfkhch32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Mjmnmk32.exe
        
        C:\Windows\system32\Mjmnmk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Meeopdhb.exe
        
        C:\Windows\system32\Meeopdhb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Mcjlap32.exe
        
        C:\Windows\system32\Mcjlap32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Mpalfabn.exe
        
        C:\Windows\system32\Mpalfabn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Nilndfgl.exe
        
        C:\Windows\system32\Nilndfgl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Nbdbml32.exe
        
        C:\Windows\system32\Nbdbml32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Nbilhkig.exe
        
        C:\Windows\system32\Nbilhkig.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Omeini32.exe
        
        C:\Windows\system32\Omeini32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Oacbdg32.exe
        
        C:\Windows\system32\Oacbdg32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Oeegnj32.exe
        
        C:\Windows\system32\Oeegnj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Ocihgo32.exe
        
        C:\Windows\system32\Ocihgo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Phhmeehg.exe
        
        C:\Windows\system32\Phhmeehg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Pdonjf32.exe
        
        C:\Windows\system32\Pdonjf32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Pngbcldl.exe
        
        C:\Windows\system32\Pngbcldl.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Pniohk32.exe
        
        C:\Windows\system32\Pniohk32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 140
        61⤵
        Program crash
        
        PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Biiiempl.exe

Filesize
896KB

MD5
39466144f78315000410efcb266a1cd1

SHA1
85975a6d5fc86252ba77ea87c1544633d87050ea

SHA256
326c595e301f50086d249a1afaf356ebb7045cb96bfd47756b6cc058dc385bfc

SHA512
fe06bc2e1dfcc295543292da10badf708047f69abee8f6cbf78c3334bd42233463d4fe2ee229581d6b60ec2a7424151e894e2d60cdc95d90e20c90035b857c83

Download Submit
C:\Windows\SysWOW64\Bmenijcd.exe

Filesize
896KB

MD5
6b6bcb5b9d5c30851508c5c598468823

SHA1
336acc2a00d076b19d2b15b4bad7d1800a9b8ae9

SHA256
1d5e923936e77f307ed4b74e816178389a4a845f0d9f9e5a48239d1cf7cb4237

SHA512
0a1a3030d4c71de12089fb733be64e82eeb13c8ebe1461c8956895a4def2d2b26c4ea559b5621cb32690c9d4aa21c24dd6a2adaff6b1382ebd47c387c04a5977

Download Submit
C:\Windows\SysWOW64\Camqpnel.exe

Filesize
896KB

MD5
54596b68bfe5cfa027e72dc00a66d4fb

SHA1
0264122dc669b1ed340156f60e801fd9b2f9c69a

SHA256
27322ddc7aeb5efc7a0ebe8be7b789d3f6a7d96aabf7364c5b5556ff8559f017

SHA512
3adc9c13388b34ba0bf74ad126c866760d87e17a164706ded51fc84090388d08e10670f6c6ce75d6ad73a8cfb9ef6447d62a378d6b6aa594b1a405e84661b257

Download Submit
C:\Windows\SysWOW64\Chblqlcj.exe

Filesize
896KB

MD5
c41ac86eb187da07790dde98da59b771

SHA1
372e569ee99f7f9c3b98e14fe7ca82298da5e012

SHA256
2cfb7d1d1dc1e391a1ed7d18da3c7e0f4fb55e6f7d56f61f8a92d80a039d8338

SHA512
953efbadcd0ec2b8033747f572b81ce9d5b472f9d277364448a6d9458c906d8f435d6ca07ce655a62fd4166d75e339520571e34b8e14a4c171c9a8226578b39b

Download Submit
C:\Windows\SysWOW64\Cpejfjha.exe

Filesize
896KB

MD5
00f83129b4a9da7cbf13c33946b2d6be

SHA1
db30f68aadf104e4eae72c45b4bfdee0bfc24447

SHA256
e56f1038308444bd11d32fc9ca3b8a1749960b7112b3a5c76cf2212588e88f14

SHA512
c209d88f0e11462cc30c437d85e75c063b7de97e10e8e9d9b4863ff538d4a5b79f4692fdb39d443a4bf6e250f608639b518517ae61f139d2ffaac046429ce043

Download Submit
C:\Windows\SysWOW64\Dabfjp32.exe

Filesize
896KB

MD5
ddeafb17a82dd38686b2e193db9eebaa

SHA1
7849d15de2e64a05b0afe6cd7766af5bb4ffc106

SHA256
3d6e39ef0ceb04dded1c28181f714a713b6e7c57ca901bafe76dabbea314c858

SHA512
acc58ad248cc4cd65c5820145fc8a94be31b291143a345b4c850f9a648b3aa1953096f881cf50033b25e8ca6e57b8474a17f923d80eb0e7adaf7acf7d84cedeb

Download Submit
C:\Windows\SysWOW64\Dlbaljhn.exe

Filesize
896KB

MD5
fa2a7a5f0f9f3fb6e00fa79b4b59728f

SHA1
d48ea1a74b474426f77a99e84ec8b1b5a4d6f38c

SHA256
16af71f4f8c3c98c191911a820832022041e7d65c5d2a4950d18f99bbffb11b2

SHA512
2f63a6f0ed6efc300477bc9becc51e9eb0c91dd5e08af22345ce7e8e91c9d20b218640a1560508be7abf399cef179e32c61fc464914f963513c7ac8d0141e443

Download Submit
C:\Windows\SysWOW64\Efmoib32.exe

Filesize
896KB

MD5
dd8babdd7a95e5a624ad7d6f8cab6bc9

SHA1
90cb0a123e79253e1440aba6d5d97de62cc190a1

SHA256
3690ce081fd1faba1a0b2fe31819566800f5f6b715f373f2d44ec855ea78ccdc

SHA512
44d8e1d6defd7541ae8f394cd709b37a9bbe64c6f4447a1602606444d3bc4528b96f5b4f7174a95f6c05bb03b4219ae29fe94fc685687ea076651d650401eda9

Download Submit
C:\Windows\SysWOW64\Ekhjlioa.exe

Filesize
896KB

MD5
598c6cb8df4e5d5e4f11f8aa3e5d382a

SHA1
e0932d354058709170d31eda0129b1f8dfb2ba36

SHA256
455c67e07f0aa6c4131f7aa61111b8131ec934a044b238eadc160a4190e0bb18

SHA512
f4a7fc65e98c766769ce4fa06fad7e6c144bf5beb053766501b1f7711a953300525334f22529bf5798ab77f100f71e28c869ab6e70ddcc20185ab04ea5baf0fd

Download Submit
C:\Windows\SysWOW64\Elpqemll.exe

Filesize
896KB

MD5
62dbc82d5ad7a2082eef9803ff915a10

SHA1
6ab18bc2236cc58ec43925f37e3d9adc75487988

SHA256
ddad49819dbdc79481c61b4e2c6e354c982876e6d7f6b87eb821e8817b59ae3a

SHA512
626a77e57a6b8925ba53c268743e18b8d4d6a748e4efd3c31c489c90e89e081b64fcbc36b3bff90c2a2147f26c23a3d8987c086e54a3e696c6685a0ddf740cf0

Download Submit
C:\Windows\SysWOW64\Fgcdlj32.exe

Filesize
896KB

MD5
c7f6924f7860cb4ef98c35eadc67e807

SHA1
a4f4fdcdf6215ea157fe68b44bbab91ed745a526

SHA256
f9a2e6ab4260561d5504401b7ad6f87c33bec4efd37cf2c0c606d090d9501e51

SHA512
23a609dbf82b6422a17a372cfb6b3f9b30d3a72ec99ade92c3a94069c13b28c44bd5130f96e988df78313f39dcffdb7cdcd399397cf95f7a5151660f2dbe3169

Download Submit
C:\Windows\SysWOW64\Fnafdc32.exe

Filesize
896KB

MD5
622df74828cc2a7c1dd2dd878fb9faa0

SHA1
105858223bb4ed4a9a65432d76e370936d03dd61

SHA256
e3863c0b1b6be349135d75b0937cd7f0f59f20bbfbb224bd2f8bd59d75bd7bb2

SHA512
33cb6d1a4ec6df1d117145f05c86ecb8efeed664fa26bad64866bbaa857096c9f3ffeff6c386b23eb9d94d213b251c7e4c42fe2cfc0b95bfe23616f38eda1812

Download Submit
C:\Windows\SysWOW64\Gapoob32.exe

Filesize
896KB

MD5
3efaa531834da0cce917348f4fb388df

SHA1
9573ff429e77577b947e8e91043af1c86e92c827

SHA256
01d941868b223e0cee05fa86f3a81ef034d199c456f7f9c2ceb027cf049d1f46

SHA512
dd9d0cd9703634acd3b48c27d852e5896615454e4cc84fd2f30f7fe017012622b24e9b9f44877f86bf10cb993f3322cb484803bfe309566cc3ae0ef7e252dbd1

Download Submit
C:\Windows\SysWOW64\Glomllkd.exe

Filesize
896KB

MD5
31139aa60108fed8c572c3de44f0e1a6

SHA1
a9dd796c250992d4e91f84ec616e8efeb6e47045

SHA256
614861fb5bbb925ee7164cd1fd09c21cb916977aa105eff53dc351e405d90ef2

SHA512
2b77066126b0f24c9c182953cbd0c5fc6bfc043f5c6016cb0e1c1883ae2faced276366748c717271a1fe5d786af66690eb50dccb9ac8af755b9b308ba0997c87

Download Submit
C:\Windows\SysWOW64\Hhopgkin.exe

Filesize
896KB

MD5
6eb03294729f276b508b4f4340b5ea6e

SHA1
02a94b5082d83c58eda1ec566a71deb9944199b7

SHA256
21ba880bf0ae469ba817edfa2aae7be8faacf99ae2012ce033e7b39aa1fd3dd3

SHA512
99696a0efdfe69d13b0cbd8e6a247972a5b40c71bf54973b7780c52b109fa99b0806438b27107a077d60f8d5ccaa83fc69e13ea29f6bdb4da07c08de36514125

Download Submit
C:\Windows\SysWOW64\Iainddpg.exe

Filesize
896KB

MD5
3633fcd1f0bd3e5f5d3331c969badfc8

SHA1
507845ab244ce66b0d60cb367e1928b57af8be44

SHA256
7935114a550bfd55b7e37c3436c2a20b4f7a6ea215b31ca6321bc4a2822ad3ba

SHA512
46f982b3dc3659d5b3a91512881791e2d0c3e3fc8d3b6cac75696e4e09bd0d0bad97442a7b25171e64b8de242e563ccf9723221fec3263a29883eed69ebf2b33

Download Submit
C:\Windows\SysWOW64\Ioaobjin.exe

Filesize
896KB

MD5
2e222fabac52217ba86b0eb66ccdde0f

SHA1
2d67992ccb271c0ac7e42b88727f7ea3600aa964

SHA256
4b77db0cf602cdf8967c7c275667a92d9bc3ffc9daf20b59bcefadfcf3084415

SHA512
46268f0b5ce0ffff70e7c2518b4384dc8dc52e6e4bed728899851ec2a53f2bd6db43f37564b08487cb9399c0c7b054059cdb94defd156a095a8b50c10600f222

Download Submit
C:\Windows\SysWOW64\Iockhigl.exe

Filesize
896KB

MD5
78e9867960b7051777150b98aa250afd

SHA1
f51b897e817452d67cc5d631d5325dc3227573a7

SHA256
0845c2332b9dc3b7681bc66835ba7ba597c9a665bf5e32b6e3e58d691ad0d59c

SHA512
c2e68aa1dfaa9f2e24c991ab610d43bd94d683fed4e2a7cd2b28b7e2a77a4ed9bd1c7cd44102a75a6f75d7371f4c59056bd5a3d504062309e8262140e01e11bb

Download Submit
C:\Windows\SysWOW64\Jjgonf32.exe

Filesize
896KB

MD5
6b4f12ae974c8af91257c0644cb2e9c4

SHA1
0ce28c867aeb4d13f8965eb290cff315e43648e5

SHA256
42f64e92eda7f1d0d501d85593ec9dd55c07dbd6299b17702352b1c2baa3e943

SHA512
bb537829e14b88cdca8025caad11800597e6f39640e4992335f36b31ab5c1c2d5dea1258f2dfdc94662b8d5c0963d23765b055c54a4f006989ee0414d60100db

Download Submit
C:\Windows\SysWOW64\Jjilde32.exe

Filesize
896KB

MD5
1714407bfd2f440fe1daae3a8eb17102

SHA1
e46f42101e5c98357795bd8f1c84c1ccc6730ab6

SHA256
7fdf7a0adf783012c898ca6d8b297930062e3b2f499806774220f37d0c19287d

SHA512
56592b42ce8c618526d7bbf71e116ba62df00cdd66997754b8421e5617e244b99b4e4ebddea08b127e47df061fc39de87137ccac08635170062c9aca1a0a4f71

Download Submit
C:\Windows\SysWOW64\Jjneoeeh.exe

Filesize
896KB

MD5
388dc15bcfef2a0d1436d960b342f925

SHA1
3cc62997b85dcf7417e419f5138ed81c45e9244e

SHA256
fa8f4d6694c086a8ddb4d83593ec6289fa851d9ee407c12b93e5ddf32f2f80e2

SHA512
a0d66fac318c0c7b473cfd794dd247cc290246a38df73f45a6702ea10398cdf31d144c6334dcc9843269b1f946d914a4c7c1062ed0b66fc28336adb5d7f7e072

Download Submit
C:\Windows\SysWOW64\Kjihci32.exe

Filesize
896KB

MD5
195d06c095255ae1e388dd6bdd60af61

SHA1
00ac9536658e2999cb9b30b810a4e244aa8d82af

SHA256
4f2db20a753d187d027578924e730956dcc059b7463ad9b35de619b6c6471994

SHA512
93d1637045991831111fff9a8ac04380bc84d50e27d6a27802729d72e02767cf049b8562661154e3b3b146c6d2dd95de71b51a077b068d68f6b8205af87ae244

Download Submit
C:\Windows\SysWOW64\Kngaig32.exe

Filesize
896KB

MD5
2ce810d1512845e4a98e7d3c1c0bb0ec

SHA1
d06490ae2ed60b6e9c06acf16cba7573a609ceca

SHA256
c296beb79ab29d8813fb45dc9a7aa8ff945319380da5cc5102535fefc3cc2019

SHA512
11f1343cd60c70bed72ba8c384b1292a2ccd044b663d3a3a5ec9a57a76595210a90e2e9020cd087222b379aa8e999a32bce15b65814d5bf5c2d8380e5ad02568

Download Submit
C:\Windows\SysWOW64\Lbkchj32.exe

Filesize
896KB

MD5
0e970a06fe9a380930531074f70d1c2c

SHA1
4dec0aff3592222930cbbc21200adea4f6e29f12

SHA256
3cf96acd727e537008b3f93c2e7c1f7ed687b332ff6d152e3c6ba32a3cf3aa48

SHA512
dd1001aa863c4747b108c7bc045a0114cc092e6b0ca982543f1607fc8d8fa2867206a4016e4bb7c3b6d71cc2645d927a955cba94f6c768147dc03cb9e592054b

Download Submit
C:\Windows\SysWOW64\Lfdbcing.exe

Filesize
896KB

MD5
4a45991323bbde9981eb65ab77160074

SHA1
fc6b5a52a0423eda88718f6cb34c53e0d7bd1e1c

SHA256
163ecee92aba82b80810a1765df3e58e69b0016fa64d096375183e2441fcb8f8

SHA512
08d230123717913e54282ba6cf6ca5714d60ea709bf95df28f49c5bee7bdf907f8b8be3016aa11f4f09d906ed27b58db8025097ac799c7674047e14f2b66836c

Download Submit
C:\Windows\SysWOW64\Lfilnh32.exe

Filesize
896KB

MD5
d063ede2a18f7c9dd7f547ab937c68ce

SHA1
a46dc8c0897139461f4f4452c992eb3ec8811c75

SHA256
a320a34e73f886006031fc4e37ed31f9f58af5444184c9e63c8e81f222d5eee7

SHA512
2bc9156afd3573589605b1bb224f32641c995a73e56b17e9469a417792c3a7de5a0a3a23243f75f74f898c5e8e7ee12a1193b054ebb9d98ac11093fe55a5eac1

Download Submit
C:\Windows\SysWOW64\Lfkhch32.exe

Filesize
896KB

MD5
559e8dc8f9cdb0fdcf44f7884064102a

SHA1
0f8b4075f847ac06edd0f817b7cfd5305a0efb0d

SHA256
344fb3f5fcf60701c993a1933739bae6f23f9cff19915d427c2144755512cf58

SHA512
101efb0a4388896b0409967ac0e4833333b0c4312afbc4bf81a7c5b84cc770f0610666b3e800013dc13bff51ed3e1ed73d1bb5bdaa97286638a3cab7606cfad4

Download Submit
C:\Windows\SysWOW64\Lkcgapjl.exe

Filesize
896KB

MD5
1efa0c79a5ca441586ca73fbe2c2a938

SHA1
808f3addea8f4deb7745178c4373ac24f3d83400

SHA256
845b5bb919adbf402acb335988664464bbbed82f0b0b833b783661377d7580cc

SHA512
c00c299a3a73481415d21d688f2cf5c31409f952f64a30b9de415b2a113d92876b4fe5c5e66fe36aa2422e632d9b0a75137e50d2cc68e1b350a33a5fc69cabbf

Download Submit
C:\Windows\SysWOW64\Mcjlap32.exe

Filesize
896KB

MD5
4776f7a23c189d031f995bbe3b881384

SHA1
af4e1f9116207042499dcc8cfae680c13e8b27d7

SHA256
083bfe02c30495c2deae8c4335ee92621a44ca0e82293b20fd898ad5930132e4

SHA512
300f0ddb0da229ee38f44b1bf4e1c09810ae000e8bc24e88d6ea678a3cbc0de53b2dc96c740f4716c09aab4f8281dde96eff8015b122c4328b1117be2b1310ad

Download Submit
C:\Windows\SysWOW64\Meeopdhb.exe

Filesize
896KB

MD5
76829d36fdf2e1daa8210b1c7815ec13

SHA1
2d9b6cfb91018c8df9912135686869816291ddf9

SHA256
f2719892c5cc063164dcd97857bbfe36c132269110404beb694fee09cc8bc084

SHA512
40286ef1c5f5844699d72116df237ab09725b66e93f7f11990d429749d43e16ea999f275ffca85fec3551df3e609a9ce9245535abb17ee286b3892304f5dc69e

Download Submit
C:\Windows\SysWOW64\Mjmnmk32.exe

Filesize
896KB

MD5
6da294e6f87dfc624f479ae5aa6c48ac

SHA1
a09335867b308645b4a520051d79f3d2ae2c3845

SHA256
0769b2ba6134a7be223187ae5bc7b720432884ff4ea2712f920822d8a9fec318

SHA512
081294847047e1faf3ef57ee83b86d1e31d72d883f68c360d225d7218eda4ec6be9190736ced1e6458b65568f22a009777ac0b30f2389e17c307a61c025f9033

Download Submit
C:\Windows\SysWOW64\Mpalfabn.exe

Filesize
896KB

MD5
6f7b51a2bcf309b6eb5903f970d1ce9e

SHA1
498a63de537829a7606cd76c8139524616d99d70

SHA256
32655183c0df852c1a12d6f34b1eda8bf926b73c74ce94365099028d8ff30f6c

SHA512
a8db8337558b9153b182731ab1511232e294bc586cebbab441eebe43ac0f032a2f1f78c21ae175eabcc39095abd7f07f274df2fb476793e9e8fff311fab9ad07

Download Submit
C:\Windows\SysWOW64\Nbdbml32.exe

Filesize
896KB

MD5
94cf6a31e8a115acfdbe3e70f614ba5a

SHA1
706d59bee8ce523274238c7f2d50eb0c2bddf0b6

SHA256
5a2b0236028ce4a5074fa7c5b3ab99557b1b4bdeab74079f4a495db83307f383

SHA512
c1b88fd8702dd59a885a46dd758f377761b280e8fcf9b2977fdd061d1e99ad5265aa44f69a8b549d77803e04bae31b8e15f0afd1ab3e65f4f178b4a31a1f8dcd

Download Submit
C:\Windows\SysWOW64\Nbilhkig.exe

Filesize
896KB

MD5
a0465d036bb6059b31500946a3730fcc

SHA1
d011405f2ff622ed94f58e612584aced9e528d10

SHA256
98342eb0e95e8c517cb0ff956e485fcb8b13cbfba5e97496b5fb523d4f712c8d

SHA512
9ffaaacb136a137a2a2c315cba5207c517d61db088f6ad2c81fe3b2112eb86041cb28bbae3b125ede4b2217ab7725218920705e03fafb88eba1137817099dfc3

Download Submit
C:\Windows\SysWOW64\Nilndfgl.exe

Filesize
896KB

MD5
7408cce9f0f0ac862c4c7a2bacf16090

SHA1
4ce571e73099b088964f9a72dd0e6d3e9faf0186

SHA256
575fcbf6bc680912a455a9ef24871cbd924b8ea7d9bdfda7fcf5cd8f25fafead

SHA512
0f07d0b5f6457898a62e9232c55fa62889ae4a097158b02745dd08e003a953661e65b24f9936185bcc6c072eec7832b8daed7291b249d8f824521f89ff143dac

Download Submit
C:\Windows\SysWOW64\Oacbdg32.exe

Filesize
896KB

MD5
257b654ecd09e5935f0c9d5bd4cfabed

SHA1
245281c0ed4f36825594f9a366062f0f43b1b2a3

SHA256
3f8ec5d8e19acde978d5db320930c93a74ae1b767c483835683c26f07cfa5af8

SHA512
6f1cf80e931662b2da076a778b6eeab9cab7a4f749934cc76cbaa08509fb4ae4d7c38654b6b7593bc6add8d547403b3e4891e0cf4471ba4c579245f6b18aadc2

Download Submit
C:\Windows\SysWOW64\Ocihgo32.exe

Filesize
896KB

MD5
479c9718a13e4a4ad4932c0c6e98042a

SHA1
e95ad4d91401ba395ac2fe78942189d2028dcd05

SHA256
b851d07be33b5c119bab45197886d956ce83e65f6995e80480f3c7c00f718360

SHA512
007f4566714214983fb620ccf08e6fe4ace8b3ca6980612e42f7e115eb37a0d537b9923a8047eaa6252c1b1e14fb160e83f6fb7ad113d920ffa3f8b81a9a446c

Download Submit
C:\Windows\SysWOW64\Oeegnj32.exe

Filesize
896KB

MD5
094af57d5589c193adfdde536b9181a0

SHA1
579cb73f276d741376cc0244bc0243cc80fedb06

SHA256
852ea15335cd1d55032e8d410c9924320f3f2dfb03e266b6d3c3dae532e5478a

SHA512
9a709600a732947e2d35db79ba02f1f5ba41f6a1d4b422084cb240700d86644d9841eb1d1b2aa31da438072aa9b5c71b7e3c6722a3ed07795f65a8b3e3de755a

Download Submit
C:\Windows\SysWOW64\Omeini32.exe

Filesize
896KB

MD5
57a42ec5ad31a75206b4cb0504257b6c

SHA1
1f4af4b4b2333815b0cbd46a38528e75f25a1580

SHA256
ac4f0b2bbaeac782bba05ddfe22c0e702a3f7bc1d0ffed3f123e4c9d1aca69e6

SHA512
b968f32ca618f39862ee2c623ccc1cf0d3fec6f5c5c0429ba8b4dc405640598bc121b44170b82cc0012cb42728dac89e06853def1345976e9ea58dea82ab05d8

Download Submit
C:\Windows\SysWOW64\Pdonjf32.exe

Filesize
896KB

MD5
b9d42d43fb580fc067abd1cc26de32f7

SHA1
6ac82740554b41c3ac7da2e1aacdbde6262b4cc8

SHA256
8b225e245fe6f7d885cce75de82f69502ec800259979098fc117a6a58db4167d

SHA512
3db21e96d5923668539822577c22f59d10255c08602d32d086a59d65e4f72c6c3a27a2de2e2d23cdd31f96e991e9014fd527294751959538865991d586858ca9

Download Submit
C:\Windows\SysWOW64\Pfoanp32.exe

Filesize
896KB

MD5
46e286addf59d412da9bddb2401329de

SHA1
17efa1f94440f2043a9db5df11fa821dff14d840

SHA256
e2ec9b790f8275a5a5074c545af9aabb33bb3d37c5146614dd926560628c4055

SHA512
82f8bdddf094c0ea286c01b4a9b99c6450c8cfb2ecb40dc0930d82d015363515984165473bf2839607ba4812ac7d7b38630b5fa79bfda37416154e3ad2951470

Download Submit
C:\Windows\SysWOW64\Phhmeehg.exe

Filesize
896KB

MD5
42bd8938f5e596c31bcc810d3c02bc59

SHA1
d32331031736e1d03ef5d33b0119c7211c7a1dd5

SHA256
9e9626d3664f0839f36f236f060e2a69a0688e74cca3f099c0e4bfbc39cf3d81

SHA512
6fe9e50826e994999c939277de788baa153cd0a7616d8b669927772f590cadbbd782b1c9537708ea3fe1d47713e13ee1176372c64b3808207c0af3f218880548

Download Submit
C:\Windows\SysWOW64\Pngbcldl.exe

Filesize
896KB

MD5
9fb32e373ea8ba88fe7327ad8cfc1fcb

SHA1
f2174ef2bfc7080e2ef57d05faa2be75755298df

SHA256
cf529b78e307d1d882addce87074933276db67c856d49a79c120ed4d28ab1e40

SHA512
cf27c02ef1f138122d21e832c837f468923211e6450fe8ce96cf5a15138758b75d1f093cfde91737690340760ccdb335b29d62f68f8338db2a15b8f4fbcf944b

Download Submit
C:\Windows\SysWOW64\Pniohk32.exe

Filesize
896KB

MD5
51d8bee7c924d0d6a07c1f4f5b7b98ff

SHA1
928c8e18569e9db88e89992233fe246b4e7dd981

SHA256
c2ba41b05fe0ec6f9b7aa30d523a60810bbd16646bbec1206508a3b6e3c55588

SHA512
7badb27b435d80d39ff25ec7b345aeaab00cbf9a1305b41aaba3b69a0e516c991fb0848d4b0886461b7e304428d82056ad9cb9e19af613539fee7a863986442d

Download Submit
\Windows\SysWOW64\Abldccka.exe

Filesize
896KB

MD5
2a36654f0dcbafb7190fbd05abbe6728

SHA1
bd588e5ede3e480c2c806344f837b75d7d07e218

SHA256
d8f9283af5ad8c124734e4b0619cb4d1214dfeab599139a925c2809068699641

SHA512
4958ef45c1e1e4542abb1fa7a58bd99c83b23715a570eb81f2e912b6db6840b5f9e738b972aae5f5260fecfca92e01a4e02bb355dc984de8db9559016233b037

Download Submit
\Windows\SysWOW64\Doijcjde.exe

Filesize
896KB

MD5
863148ab7c8d186fe66564c2f48a582a

SHA1
667811e1388e0c35e71528ec71d34beb0a70a819

SHA256
b7b749e98a7b04d7a1469a104a917cc6aab97cd1f47bb078598f561bd077047e

SHA512
2f94e3cd43f1185f829cfafca9fcc0ca961824948146e922f1424251fec9c749fa92b0df49a110d6a2fa95c27edae271b03a0b44eb3cba733df22850bc242d69

Download Submit
\Windows\SysWOW64\Ecbfmm32.exe

Filesize
896KB

MD5
144f706dbbaa53dd8a96a00073b126d8

SHA1
1c5fefd5f3e3f2f099470b20dca34860cac06cf5

SHA256
3c3a230d2111c6c39d552f46ceb6f1f35d7bc29a31ba24a44e6bcd0b699bf4e4

SHA512
32ae97cf08953426902be91f50c9e075ab6ad11cbb3b74c0f066f95c6716f15b3bf1edf91040958ba4adf79afa923a48d0181c29421a32759f7ab66348cc33b7

Download Submit
\Windows\SysWOW64\Fnbmoi32.exe

Filesize
896KB

MD5
4c45cbc51035ebfd724710688d280a30

SHA1
f6311909f9f0b796ef7c323a2a1e13e926c320a6

SHA256
9380d1b2c587136fed5c1b9f4970d208b625d59fa160583a75409a681574b1a0

SHA512
69b162ca440d3f737bfcd8c277fc3a68e3d9ea6e134101af1c855f6c28bf9bebd1b731137ba545bf8486b112ca127e14854246b2e5bde470f79eabb2edc94fec

Download Submit
\Windows\SysWOW64\Gnlpeh32.exe

Filesize
896KB

MD5
75eb4b256894fbd9a9bc64df92c1ed78

SHA1
9bc439dc0f68890245cb505ebe05ffa25fe177ff

SHA256
53e90790fe0f96b665e201c9317f10cd74732805e481676ad9cfc6d7853b3f5d

SHA512
b7d0dd56370c1bfc0a571bf9fd8e4cee094bc2375b5e0f986c72ab6ab69373f71b2cb37b6382f1e3f3337e0ca8b02deed7e675df3720bab24961199b94930097

Download Submit
\Windows\SysWOW64\Hkbmil32.exe

Filesize
896KB

MD5
0b9a9ae931aa0e2b0645b8c74cea7207

SHA1
a69c85103cb896484351bdffeea08175a8e5d928

SHA256
03ea442de8f093cc6b3caac029058ae23c3937a3caf12770a3699e6609c1b5ba

SHA512
14cfc826c680f404c18db5fe3cb4a07da116b0aa6ae06d63ddd665b07f82a005664a955be954259116b89df0773747bb8cf397a10179015cce5c77661f24deb7

Download Submit
\Windows\SysWOW64\Hlkcbp32.exe

Filesize
896KB

MD5
8612c8f567176ca529e62531d2805b2c

SHA1
7b4f5ecbfd05be90572228806586cb873d4c7b87

SHA256
6546e8e30f2b80b59cc8cc04d8bc16ea59c9f39149ac2be3d83a8e88a160143c

SHA512
faddb1ee189fdf8975d5bd6640e7e495b90ea429dda32b30b6db59ba9acaec5e90c74232464de73009c2db60fd766ba1ac2cab5319e66cbce2b5cea7c4620281

Download Submit
\Windows\SysWOW64\Ihdmld32.exe

Filesize
896KB

MD5
a1eb18950c5ec2f064ab16450c34d3df

SHA1
6accb84b17e6866a2e0f92654a6976ea0a6ba459

SHA256
ba971d3f9c8bae857d741af211c8852d71ca96c89219118ed92b2eb443077dd3

SHA512
785c20a072e65bafe843194b13ec5ba1ac03f05ac7856511bc297282ffda82ff305760866590c95d28e8c31545515bb128f7caebd49180eb37de0a550c478938

Download Submit
\Windows\SysWOW64\Jfjjkhhg.exe

Filesize
896KB

MD5
c918e7b351257f91d18b42eae6ae441b

SHA1
1589ce1a864a208800f173219bca1919eee9b6ee

SHA256
78111647244a576830b25a2548189ece149b3c025e96f0e16291c78c571f8767

SHA512
d1009e45c2ed2aaede40cb842de480b17ae75b1a91d259eaf1ea9ff1839343ba81eccb8ced30414a6e621f656e523e0afb727e7e3397f57ed16240d28911d552

Download Submit
\Windows\SysWOW64\Kbeqjl32.exe

Filesize
896KB

MD5
b02f586ba1348e4740953ec54ebec7b4

SHA1
cb16e8620cafa4b6877820009dfab10d6734b63c

SHA256
d9efdb40e0a36345249012418a3155bba04715074efc7e86a1bec18da303a02f

SHA512
040cae440c07435ea947b0b4630012ba58cdce1519624bfa05b2deb4bd8e315990b68601ce511b2666d24421409ee4a9a543639b380f16f3969da1df8f8b8f32

Download Submit
\Windows\SysWOW64\Kflcok32.exe

Filesize
896KB

MD5
bb47817eaafa723f1bed033933dd236a

SHA1
95e0ee4364514a97da674a353f8de5f846789d72

SHA256
03c71ff7526de2f86b8a8a5d6ef69503def33888508c52055a66bce97aafbf01

SHA512
71c4f4604b392d8f9fbd4b39fd82f173d14a305c9f38f923026929f482758959685362fa437ea6a670c150b94e2dff5566699c62d9c4a9a8b7a0612bc67d1dab

Download Submit
\Windows\SysWOW64\Mehbpjjk.exe

Filesize
896KB

MD5
1319f9d8797997729aca2aae7be376a0

SHA1
cca2ab08ada96624fbfbd10e277ebebd14ddf4da

SHA256
0f3813b56eedc7941a940c57c416e50520f1b1950d5672c2510213cb6df5b201

SHA512
5dc857f9f071a6567ad8101df6309ceb55c19e5573d32de5ca9c45ceb2e6e8a052a3aa88030b448c6ed6615ad0c4a5046d252cb5c0a1702cec8a2e8e07d3c629

Download Submit
\Windows\SysWOW64\Nklaipbj.exe

Filesize
896KB

MD5
720b15bccf93a639c08d9a54ca489edc

SHA1
f061000d46a70db04dfd0e1d549a99a3e27e70ce

SHA256
4745209e6db722e174925611fa6c2ea12f631bba068b872d9c7b6233ea73b93b

SHA512
57fe29d0cf55d84304a34bab248c023858516f5fda8e4a00349eb35373767f63c301c16a71a57d14bdf93de07dab13a68ace2c53dffa560155000a237e019a8b

Download Submit
\Windows\SysWOW64\Oojfnakl.exe

Filesize
896KB

MD5
b0e13cdd5308527f2be6bbe11128351b

SHA1
50a94d492f9105e54f1c414db1bba1f30de812b9

SHA256
1e2f81f9ccab9764e195406d1a7c17a6840da422f0105b7e255d0cf0ceaded82

SHA512
67fcb222f18a1996bf9d015835b8af755a27a366f99593275da33034ca0357558b2e2c7a24c3c51491b8c5606bbe2abdf3551b55b14065baa72d6b685b9e5acd

Download Submit
\Windows\SysWOW64\Qqbeel32.exe

Filesize
896KB

MD5
62bd8df6c5aaf0016bb10cbc60da206a

SHA1
be6e3ada04bf80a032170f6b02fb70e54a23e90d

SHA256
9b77f642738c53779fad431a9bd2b0c7fe1fb665cdd1650e88a0d919ebbd0fcc

SHA512
906f8c0c101ec5107f2f044e49eddcbbc69305562a44580dbe42209a991173c36d3615489bb7b88998bc7deea85e1becee7b9e5051aca07478a9964b13b46703

Download Submit
memory/432-429-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/432-420-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1048-294-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1048-304-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1048-303-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1108-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1296-418-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/1296-409-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1308-247-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/1384-221-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1384-227-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1488-292-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1488-293-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1488-283-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1556-336-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/1556-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1556-338-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/1724-205-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/1724-193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2012-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2012-219-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2084-166-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2084-175-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2104-11-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2104-337-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2104-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2104-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2104-12-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2152-361-0x00000000001B0000-0x00000000001F2000-memory.dmp

Filesize
264KB

Download
memory/2152-372-0x00000000001B0000-0x00000000001F2000-memory.dmp

Filesize
264KB

Download
memory/2152-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2152-40-0x00000000001B0000-0x00000000001F2000-memory.dmp

Filesize
264KB

Download
memory/2152-360-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2152-41-0x00000000001B0000-0x00000000001F2000-memory.dmp

Filesize
264KB

Download
memory/2192-64-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2192-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2192-385-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2216-342-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2216-348-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2344-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2344-123-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2344-440-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2352-259-0x00000000003A0000-0x00000000003E2000-memory.dmp

Filesize
264KB

Download
memory/2352-260-0x00000000003A0000-0x00000000003E2000-memory.dmp

Filesize
264KB

Download
memory/2356-315-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2356-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-314-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2372-236-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2372-238-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/2424-271-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2424-270-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2424-261-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2480-319-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2480-325-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2508-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2508-106-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2532-371-0x00000000001B0000-0x00000000001F2000-memory.dmp

Filesize
264KB

Download
memory/2532-362-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2600-395-0x0000000001BA0000-0x0000000001BE2000-memory.dmp

Filesize
264KB

Download
memory/2600-390-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2608-272-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2608-278-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2608-282-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2624-442-0x0000000001B70000-0x0000000001BB2000-memory.dmp

Filesize
264KB

Download
memory/2624-434-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2624-441-0x0000000001B70000-0x0000000001BB2000-memory.dmp

Filesize
264KB

Download
memory/2644-419-0x0000000001B70000-0x0000000001BB2000-memory.dmp

Filesize
264KB

Download
memory/2644-84-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2644-92-0x0000000001B70000-0x0000000001BB2000-memory.dmp

Filesize
264KB

Download
memory/2644-408-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2700-153-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2700-160-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/2772-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-380-0x00000000003A0000-0x00000000003E2000-memory.dmp

Filesize
264KB

Download
memory/2788-74-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-407-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2788-78-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2788-396-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2832-150-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2832-459-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2832-138-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2848-444-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2848-451-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2916-443-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2916-132-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/2916-454-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/2940-54-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/2940-382-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/2940-373-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2956-180-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3040-397-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3040-403-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/3068-349-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3068-350-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/3068-26-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/3068-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads