berbew | bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe
Size

192KB
MD5

c9987d3ae89900b422a30b3f9b521bd9
SHA1

4880a8376e1f598f0f07b7f80449b69ed6b6d760
SHA256

bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671
SHA512

2635dafcf54172bf52bb74f82ec01dac1c494395dccff891bb480337413604d7578060aa632f190238b57b51ab54e33571aa5e186e057276d03e937c81437ada
SSDEEP

3072:t+7l7q/qhy0QQ5BbFsR8teZr4MKy3G7UEqMM6T9pui6yYPaI7DehizrVtNe8ohrw:tS7q/yy075BfwSndpui6yYPaIGckfruN

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 23 IoCs

pid	Process
2412	Baicac32.exe
2264	Bffkij32.exe
704	Bmpcfdmg.exe
4816	Bjddphlq.exe
4428	Bmbplc32.exe
2964	Bhhdil32.exe
3896	Bapiabak.exe
2520	Bcoenmao.exe
708	Chjaol32.exe
4472	Cenahpha.exe
3088	Cjkjpgfi.exe
2244	Cdcoim32.exe
3944	Cmlcbbcj.exe
512	Cdfkolkf.exe
3820	Cmnpgb32.exe
4820	Cdhhdlid.exe
888	Calhnpgn.exe
4116	Djdmffnn.exe
1220	Dhhnpjmh.exe
2260	Daqbip32.exe
3664	Ddakjkqi.exe
1748	Dddhpjof.exe
4792	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cdhhdlid.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4572	4792	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2412	1684	bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe	84
PID 1684 wrote to memory of 2412	1684	bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe	84
PID 1684 wrote to memory of 2412	1684	bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe	84
PID 2412 wrote to memory of 2264	2412	Baicac32.exe	85
PID 2412 wrote to memory of 2264	2412	Baicac32.exe	85
PID 2412 wrote to memory of 2264	2412	Baicac32.exe	85
PID 2264 wrote to memory of 704	2264	Bffkij32.exe	87
PID 2264 wrote to memory of 704	2264	Bffkij32.exe	87
PID 2264 wrote to memory of 704	2264	Bffkij32.exe	87
PID 704 wrote to memory of 4816	704	Bmpcfdmg.exe	88
PID 704 wrote to memory of 4816	704	Bmpcfdmg.exe	88
PID 704 wrote to memory of 4816	704	Bmpcfdmg.exe	88
PID 4816 wrote to memory of 4428	4816	Bjddphlq.exe	89
PID 4816 wrote to memory of 4428	4816	Bjddphlq.exe	89
PID 4816 wrote to memory of 4428	4816	Bjddphlq.exe	89
PID 4428 wrote to memory of 2964	4428	Bmbplc32.exe	91
PID 4428 wrote to memory of 2964	4428	Bmbplc32.exe	91
PID 4428 wrote to memory of 2964	4428	Bmbplc32.exe	91
PID 2964 wrote to memory of 3896	2964	Bhhdil32.exe	92
PID 2964 wrote to memory of 3896	2964	Bhhdil32.exe	92
PID 2964 wrote to memory of 3896	2964	Bhhdil32.exe	92
PID 3896 wrote to memory of 2520	3896	Bapiabak.exe	93
PID 3896 wrote to memory of 2520	3896	Bapiabak.exe	93
PID 3896 wrote to memory of 2520	3896	Bapiabak.exe	93
PID 2520 wrote to memory of 708	2520	Bcoenmao.exe	94
PID 2520 wrote to memory of 708	2520	Bcoenmao.exe	94
PID 2520 wrote to memory of 708	2520	Bcoenmao.exe	94
PID 708 wrote to memory of 4472	708	Chjaol32.exe	95
PID 708 wrote to memory of 4472	708	Chjaol32.exe	95
PID 708 wrote to memory of 4472	708	Chjaol32.exe	95
PID 4472 wrote to memory of 3088	4472	Cenahpha.exe	96
PID 4472 wrote to memory of 3088	4472	Cenahpha.exe	96
PID 4472 wrote to memory of 3088	4472	Cenahpha.exe	96
PID 3088 wrote to memory of 2244	3088	Cjkjpgfi.exe	97
PID 3088 wrote to memory of 2244	3088	Cjkjpgfi.exe	97
PID 3088 wrote to memory of 2244	3088	Cjkjpgfi.exe	97
PID 2244 wrote to memory of 3944	2244	Cdcoim32.exe	98
PID 2244 wrote to memory of 3944	2244	Cdcoim32.exe	98
PID 2244 wrote to memory of 3944	2244	Cdcoim32.exe	98
PID 3944 wrote to memory of 512	3944	Cmlcbbcj.exe	99
PID 3944 wrote to memory of 512	3944	Cmlcbbcj.exe	99
PID 3944 wrote to memory of 512	3944	Cmlcbbcj.exe	99
PID 512 wrote to memory of 3820	512	Cdfkolkf.exe	100
PID 512 wrote to memory of 3820	512	Cdfkolkf.exe	100
PID 512 wrote to memory of 3820	512	Cdfkolkf.exe	100
PID 3820 wrote to memory of 4820	3820	Cmnpgb32.exe	101
PID 3820 wrote to memory of 4820	3820	Cmnpgb32.exe	101
PID 3820 wrote to memory of 4820	3820	Cmnpgb32.exe	101
PID 4820 wrote to memory of 888	4820	Cdhhdlid.exe	102
PID 4820 wrote to memory of 888	4820	Cdhhdlid.exe	102
PID 4820 wrote to memory of 888	4820	Cdhhdlid.exe	102
PID 888 wrote to memory of 4116	888	Calhnpgn.exe	103
PID 888 wrote to memory of 4116	888	Calhnpgn.exe	103
PID 888 wrote to memory of 4116	888	Calhnpgn.exe	103
PID 4116 wrote to memory of 1220	4116	Djdmffnn.exe	104
PID 4116 wrote to memory of 1220	4116	Djdmffnn.exe	104
PID 4116 wrote to memory of 1220	4116	Djdmffnn.exe	104
PID 1220 wrote to memory of 2260	1220	Dhhnpjmh.exe	105
PID 1220 wrote to memory of 2260	1220	Dhhnpjmh.exe	105
PID 1220 wrote to memory of 2260	1220	Dhhnpjmh.exe	105
PID 2260 wrote to memory of 3664	2260	Daqbip32.exe	106
PID 2260 wrote to memory of 3664	2260	Daqbip32.exe	106
PID 2260 wrote to memory of 3664	2260	Daqbip32.exe	106
PID 3664 wrote to memory of 1748	3664	Ddakjkqi.exe	107

C:\Users\Admin\AppData\Local\Temp\bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe
"C:\Users\Admin\AppData\Local\Temp\bb45bbaf0ab5093092f82c36193c1b7320edae588ce45192303056a64cf84671.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\Baicac32.exe
  C:\Windows\system32\Baicac32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\Bffkij32.exe
    C:\Windows\system32\Bffkij32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\Bmpcfdmg.exe
      C:\Windows\system32\Bmpcfdmg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:704
    - - C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
      - C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 408
        25⤵
        Program crash
        
        PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4792 -ip 4792
1⤵
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baicac32.exe

Filesize
192KB

MD5
561e2ff4629e84832beeba5da58268a1

SHA1
b51dcb3d1ced3bdfae2a84db8c7100c2d87f9fff

SHA256
6b3f04ea19b3b52b1468426507a8487e436ca0f9d30fa3a714c5ec711fb11ea3

SHA512
f8689f0e6639436ae46f661dab46ab81203b5f0f49356676407f944f970b10dc0563332c82f0b0bf34d6b06b0a91759f8e559e56705c5351c07f601f8ceec22f

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
192KB

MD5
8bc6af9ede8a7ab42a3b6c704a1a97d9

SHA1
0c13d0e6808806a1f9a607cfbec031732abbeb2e

SHA256
7f3c0fc795324022f4aa496967b1aa2e842d0d72c8c89379ef908c58eac6eeb1

SHA512
64b316aa9abd02697589715c7499031e79d70038706ea3fc1006d66b75d70040bfc6384e833cce5e396b75a8a244bd0d58ae6a925129387ef4fe1da8d1a5de0f

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
192KB

MD5
58997ec56e63da025e9b71b7d5f5aede

SHA1
cd1b64bf22e3f8185672df026b6a03cbd868ef94

SHA256
9f97fd12ed010c868aad2853c54852cb6b08982eba96d759c932ef06c2c1df64

SHA512
1d345e67f8d53c501d9725f585c1d5882cee47153820fde618019da81f960a5fe5e7c60ad9d26c8fc9bd8213afc7ac2a92095c75d5c04cc295af3320c981d7ee

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
192KB

MD5
7b50567a86b4ad2a5b905c93d6363f4d

SHA1
c121f139118154823794cd9b226ba6396d0f7cd6

SHA256
d646baffbcdc5dbc1b68ce05d8d0a4cf935db7dff36d1af3f573418d123013c7

SHA512
09faf388ca8f3e8b86c0538fe8e7ebce11b2cd5cd3fc0b614000b6da9384eff15932d78da4faa12e0bbb2b24406fe4461064dfa994bc73a10068b8182b4fcf67

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
192KB

MD5
5f602d0e93beaed3ecd13d56faf55076

SHA1
8e43c02526a97759ae391aeb097b61c4e5814938

SHA256
ba462fa66039b06768510bc484c5be8a5e9da307bf010b2d85cac5d5e8d60288

SHA512
960d8a68117a5fec5811b1603a87a61079c272fae85b9261eaa1c740f702341b21b817f436bc4875e272b596381920e80334eb7a3e0b769e61ac910163c4fd67

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
192KB

MD5
5ac58a6747abdf2458ce03798a876f91

SHA1
23d05d4149f185a119c62836bb20ee05c6717bba

SHA256
6f23b2d00006435eb2391f3ae91ebac3eb5a6edd57f3b977340826655a4a5cd8

SHA512
7ce549a7f4fb45b6670b58a280f234745f0cf859f31f271b0b3b2153a8e51501a75955a06fc9f295bc93cd55945943f6e85709dfcbe3ee19d051de19f0626324

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
192KB

MD5
96b3f1547ad4e40664b7e9fc754223d4

SHA1
8e7bd7ba3828462e8d6c8ac14b1ce345ff9a8c5b

SHA256
dc4a38abc5f55c21140f34c0a9028ae70ddc02ed8b0acda7cb14510a05cb02b2

SHA512
13bc71430f6a5e58c224a83d54192c82c5e1eef1f0a54a5046503929553d6cb66880043a6e1f89f056a8dacdef78b6ad6c0caa0036493e5d78715a58d33c50ac

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
192KB

MD5
6379b7a3ca01fdda851344752a06ed57

SHA1
0b89989b1798f6c42c426b1385e8d7f991622053

SHA256
e076be6556757d4e0b4f118c6c9d9c67cfb4ef7fd6bdcf65956c17fff51890c9

SHA512
2a2ba638a0c68b0c9d28968a1c66c65c38a1a2a1a2833e0af3bb35ce3061d7e785dc6e3540280c32d01cc0756758438e564a3003d4af8ecbab59b2d97e6c708b

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
192KB

MD5
26e0049e6151a314880321e6f82a0137

SHA1
262e1c0be23e7202444d257dcb0a1b19e5cb9aab

SHA256
44a4607e98ec4f81d94c3e42e44e8729ff718de9cc024f89bc1bb8b0589abf26

SHA512
f71e89658fb4efb041804ee240f5052d73b28b76aa71ab3189d62087a18009f7206daed01fbacb376c9adc2a593f32f54fdffd3893390cdd23927c14abf3f693

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
192KB

MD5
435dc6328cbf3e28588da4148f647766

SHA1
7c058e2b118142a08cab8ff8b7268b5542376316

SHA256
b78d51a858b814cdeb316d87ec68e10a24418245c4612d41740a516b8f227b46

SHA512
b7dce4fe16fb999a2aaa2c0b76ef56fb24af5df625876f71dd90627dd7772d0e1e76b71f33648ad917fbcfbaf14ee40d516f7b16715fa04e6f1b83dd6e2b1eb4

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
192KB

MD5
bc9fb2432778fa72683d192b91064d69

SHA1
e75975bb8f4886c5937b61e0fd0a7f0b62bc9894

SHA256
d422439a17ca5d8464f6e472a6c4493b2eb4cb474febb63a70f057f34be27c27

SHA512
f098a5b554dcb0270f9926b7bfa718affae955cebd220b857b15bbd32f3c236d3ddac89ecde9e34957af2aa6c137160b827c07c06eb4cdfe107cd9600a8efe4e

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
192KB

MD5
3fe79bad52983c01bfadd33bc7c4fd8e

SHA1
61d4f013e36641ebf3ce2abe59b6487afd420388

SHA256
2a63c5b90d2deab918ab791ed5d38208b8990e192887c2f84e72e69fa4563877

SHA512
22c3014b1d63694628dee23510dec6108e54d44ca1f338d2d19f463a170dfd05d09642d3e5e617ac8599f091dabaf1d9c5b394b6fcbf56aff0d506cf85ffd366

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
192KB

MD5
f541ed3640e0704f3d861e561b973763

SHA1
a564c1218256f87ef8c54a004a817d6e9f08a914

SHA256
0898b18da409ccf6560a6e31d925da90f555a0d06ad5fb05bf148bc4a6b976a5

SHA512
38e9372fa0e2212374f73ecf43fc7a3738fa5a245ee299f6229d713919f219242475e92d727a417a88ce807247f2a527b2f80a3a348e661e5662ea48f7f01cda

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
192KB

MD5
73a6d77977a0867ddfcf085176599c7a

SHA1
ddf8569170fd3090426080f31de05fef79b23612

SHA256
023f75947faa0e660041d6b05f11a367059e352ec7f2f968f3c0ed7a0718e4aa

SHA512
b5e5789c148efd1fc6c74a6de25c3861a7add8851c408157c81e3ac8e2fdd7f971e53d0cf3c1d4665d58c5f23e8028d560fd109e00ff966d1a06f0ed2c8bfd6f

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
192KB

MD5
e55358cfb0076e46bcdd504ed56b8980

SHA1
d521a5e8e609b55c425665fc3f24ef0f92be0131

SHA256
70c2821c95ad2df28a3c5ecdc08acc32abbebcc0c716faa4ce29b7b3d3653eca

SHA512
b920ec78d3726068c8f071c7dd3531c2ccbe2472db21dec20192634ce0327c6fb2e32819a20463b54248cca15f3a6f0d2d584d37998076b8aa36619c6093f69e

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
192KB

MD5
5ccd2591e1458b9f17063be1a6d5ba17

SHA1
3ffd7ef06c6240da1d854797ee0e44cb64151e00

SHA256
abcf324e6de82127303bd20a16278ebcde77eedfcbd64c7103d28365e801d691

SHA512
12411486e0eb0f8b7b7aee6828db91d50626b3d6d7ecc7244f2a4f48c05eaef8d37246091eb76ff301eac64f4724bc42ad81c86f628d9129feb2e8e9375c57a8

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
192KB

MD5
1da342521b27161f6e4fcd5d53fdd4c7

SHA1
f2c73a4f87f850d5fea50561f37351e68b45822d

SHA256
23c434837521ee7219d6097541a9f945d928207f754a7769daa56f44b37b5f34

SHA512
48ab8e7f80e51b2e015c7d5b2dea9ed368a3f262807dad1b01f3680cd7316f74359d7ca06f17c4ef898218f8410eb3b82de227500506a5b8b68b94dccc12d447

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
192KB

MD5
8617ec15d94811091da09c95051627ca

SHA1
a0471d6f3ab107e4d0dc023dcf15b7ca28334289

SHA256
d2bcaf49a63906f67b4f50fa1bf48a67e5eac4085a5898f4ca9ab4578800bf97

SHA512
02ed3b06b8b631b832292d9f337c4c214ae5a050f94573db3b8f94eae88f90265df4859548da4dd3320fefae7ed9377552c95558d0d9adacfc1548062ffa2b0f

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
192KB

MD5
80e25ab725d33e96d8dce8d1c5f70c4c

SHA1
065bf21d8c4043704a0d0d688ba177f2190dbd63

SHA256
3913033bb28cb9106cd1a79b13a6b8cd26ecb983c68bec73a4f16f625a7f2c76

SHA512
038b7b9f27d9b7e4872fd163bed3f5de7e34945ac9100d38a42924f1c54922d3c049f03754034cfacca8985a54c961782440fd6726d292ae1af3cc2a6b4fa8be

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
192KB

MD5
5313610b8e9672abf7943b5ecd709ee2

SHA1
8abf514ab23e00759e09c4fd2499e02a93a73ea8

SHA256
2665aabacf39e9a4b81789e80bfbaec4b9dd7a0b3922eaa31b4a445692c3aa7f

SHA512
caf512176497fcf8e8eb0fbab8270762fd26c90a1437f6b172fc5505677e9fe30b32b30e922f6910c8ffd4aa29f77021cc9840c018a31f9bd035ccc211fdaebc

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
192KB

MD5
8ddf015481728091e724f746f0402254

SHA1
00eebff1cbb96efd4b64bbd1b5f2e49b89d0273e

SHA256
b29b2b44f9138e3edaa56054dc7eab71b38d73250db260e0db55be40ceb3272e

SHA512
16729835f5ab995d4d1a21029ca39f36f76b2a96558e55589eb4d8bded11f0fd00341ab88c1c724371b7fcbeb2115843a2c4a181f2ee90dc8a292ded77adb595

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
192KB

MD5
86e3660092bf44f6cf9f6835109569dd

SHA1
6fff6b4fe12677aad5e844788d8596a9ba1a6023

SHA256
0ca04a76c343ce426957f9142e8466601f91ec4226d85d65a398503bcede98e9

SHA512
971834877e02f81b3da3b12cdd4eb93e21545c255f75aac7e61f11df51e48707e996ffe8df1c8d7a41afeff2b19794915ebecc223790f275385bcbb6e2337ec2

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
192KB

MD5
36643fc0037c52ce4837daff1c03cc63

SHA1
d7b8c432d683496fed8c02dbef4b40cac4461e9e

SHA256
60d61ca11af087be29a5fcd1f70887a3ed87b33fe4af53f1bcfeccaea45128ed

SHA512
a39964e11697d2cb1a66e21dccb90624f7883418a27ada75d64323e6b03ac8db9780924ffd3c874fbc3e903ea34a0f5fa0761213c477b8f23d9810976b55e123

Download Submit
C:\Windows\SysWOW64\Jpcnha32.dll

Filesize
7KB

MD5
5b4c304ccd3835252df9448d0683b156

SHA1
4677a3d19e7dabfb972ac555817037200424ac68

SHA256
dcee78fdcf0ee33f2f41209a161376f8f21d005ade12f130b265e03136cd0278

SHA512
dba7ce4e55420611f31a0ad4571484e918ef8eff38850284d7c16c5e1ad42bfc470190521a5d9abb32764ad2d15ab408569bdf6f5f1ae60e52da35188ae5bd64

Download Submit
memory/512-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/512-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/704-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/704-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/708-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/708-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/888-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/888-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1220-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1220-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1684-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1684-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1748-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1748-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-99-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-187-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2260-170-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2260-202-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2264-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2264-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2412-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2412-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2520-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2520-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2964-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2964-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3088-178-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3088-90-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3664-203-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3664-179-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3820-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3820-126-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3896-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3896-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3944-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3944-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4116-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4116-153-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4428-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4428-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4472-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4472-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4792-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4792-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4816-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4816-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4820-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4820-206-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads