berbew | 2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67d

Analysis

max time kernel
116s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2024 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe
Size

163KB
MD5

50710b80a9b5fb2bf2f52e528d564a60
SHA1

a117104493aea0d4a37cbc3fb590d4a5cde0e18e
SHA256

2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67d
SHA512

f9b82f408fa1f28bc4f12f1a43f9c8180ce943a17cb74b56868a9f22b8473f255cf23a5154940c750d8375d0075ff2d7b921d910638c47e7a37b41f4974ed594
SSDEEP

1536:PhgmknnkDSbwPi2ZqPWE5cDe1FDUxlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:JWnLc62ZqP51FD2ltOrWKDBr+yJb

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfnphn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhfjljd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Heocnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbpgbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehokgge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llemdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hofdacke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iejcji32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2892	Hbpgbo32.exe
3752	Heocnk32.exe
4900	Hmfkoh32.exe
5060	Hodgkc32.exe
3648	Hfnphn32.exe
2012	Hofdacke.exe
4540	Hfqlnm32.exe
2392	Hoiafcic.exe
4336	Hbgmcnhf.exe
3160	Iefioj32.exe
3596	Ikpaldog.exe
3644	Ibjjhn32.exe
1372	Imoneg32.exe
2756	Ipnjab32.exe
1696	Iblfnn32.exe
3532	Iejcji32.exe
4828	Ildkgc32.exe
368	Ifjodl32.exe
2136	Ilghlc32.exe
4796	Ifllil32.exe
3156	Imfdff32.exe
4300	Icplcpgo.exe
4652	Jimekgff.exe
1332	Jmhale32.exe
1608	Jbeidl32.exe
1248	Jedeph32.exe
880	Jmknaell.exe
1236	Jbhfjljd.exe
1464	Jefbfgig.exe
4304	Jcgbco32.exe
4560	Jehokgge.exe
4676	Jlbgha32.exe
224	Jblpek32.exe
3204	Jifhaenk.exe
4824	Jpppnp32.exe
2332	Kboljk32.exe
4932	Kiidgeki.exe
60	Kmdqgd32.exe
4444	Kbaipkbi.exe
3728	Kepelfam.exe
1968	Kmfmmcbo.exe
4228	Kpeiioac.exe
1796	Kfoafi32.exe
2108	Kmijbcpl.exe
3816	Kdcbom32.exe
2724	Kfankifm.exe
4860	Kipkhdeq.exe
4404	Kpjcdn32.exe
1852	Kdeoemeg.exe
1328	Kfckahdj.exe
4480	Kmncnb32.exe
4380	Kplpjn32.exe
4044	Lbjlfi32.exe
5052	Leihbeib.exe
4700	Llcpoo32.exe
3544	Lbmhlihl.exe
3916	Ligqhc32.exe
1588	Llemdo32.exe
864	Ldleel32.exe
668	Lenamdem.exe
2080	Llgjjnlj.exe
3124	Ldoaklml.exe
984	Lgmngglp.exe
3940	Lmgfda32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Jefbfgig.exe	Jbhfjljd.exe
File created	C:\Windows\SysWOW64\Bpdkcl32.dll	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Nabqkgan.dll	Ifllil32.exe
File created	C:\Windows\SysWOW64\Fhccdhqf.dll	Kfankifm.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Npibja32.dll	Imfdff32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Jifhaenk.exe	Jblpek32.exe
File created	C:\Windows\SysWOW64\Kdeoemeg.exe	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Ecnpbjmi.dll	Hbgmcnhf.exe
File opened for modification	C:\Windows\SysWOW64\Kdcbom32.exe	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Kpjcdn32.exe	Kipkhdeq.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Benlnbhb.dll	Lbmhlihl.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Hodgkc32.exe	Hmfkoh32.exe
File opened for modification	C:\Windows\SysWOW64\Icplcpgo.exe	Imfdff32.exe
File opened for modification	C:\Windows\SysWOW64\Jpppnp32.exe	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Hoiafcic.exe	Hfqlnm32.exe
File opened for modification	C:\Windows\SysWOW64\Imfdff32.exe	Ifllil32.exe
File created	C:\Windows\SysWOW64\Khchklef.dll	Jlbgha32.exe
File created	C:\Windows\SysWOW64\Llemdo32.exe	Ligqhc32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Nffbangm.dll	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Leedqpci.dll	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Nekfmb32.dll	Heocnk32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Lbjlfi32.exe	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Jedeph32.exe	Jbeidl32.exe
File opened for modification	C:\Windows\SysWOW64\Jmknaell.exe	Jedeph32.exe
File created	C:\Windows\SysWOW64\Lmgfda32.exe	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Ifllil32.exe	Ilghlc32.exe
File created	C:\Windows\SysWOW64\Jehokgge.exe	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Mmlpoqpg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6236	7116	WerFault.exe	276

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoiafcic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imfdff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hofdacke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iejcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpppnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifllil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimekgff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibjjhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmknaell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hodgkc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jimekgff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Heocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iejcji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfqlnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mibpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iefioj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medgncoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefofm32.dll"	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Mmbfpp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 2892	1100	2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe	84
PID 1100 wrote to memory of 2892	1100	2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe	84
PID 1100 wrote to memory of 2892	1100	2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe	84
PID 2892 wrote to memory of 3752	2892	Hbpgbo32.exe	85
PID 2892 wrote to memory of 3752	2892	Hbpgbo32.exe	85
PID 2892 wrote to memory of 3752	2892	Hbpgbo32.exe	85
PID 3752 wrote to memory of 4900	3752	Heocnk32.exe	86
PID 3752 wrote to memory of 4900	3752	Heocnk32.exe	86
PID 3752 wrote to memory of 4900	3752	Heocnk32.exe	86
PID 4900 wrote to memory of 5060	4900	Hmfkoh32.exe	87
PID 4900 wrote to memory of 5060	4900	Hmfkoh32.exe	87
PID 4900 wrote to memory of 5060	4900	Hmfkoh32.exe	87
PID 5060 wrote to memory of 3648	5060	Hodgkc32.exe	88
PID 5060 wrote to memory of 3648	5060	Hodgkc32.exe	88
PID 5060 wrote to memory of 3648	5060	Hodgkc32.exe	88
PID 3648 wrote to memory of 2012	3648	Hfnphn32.exe	89
PID 3648 wrote to memory of 2012	3648	Hfnphn32.exe	89
PID 3648 wrote to memory of 2012	3648	Hfnphn32.exe	89
PID 2012 wrote to memory of 4540	2012	Hofdacke.exe	90
PID 2012 wrote to memory of 4540	2012	Hofdacke.exe	90
PID 2012 wrote to memory of 4540	2012	Hofdacke.exe	90
PID 4540 wrote to memory of 2392	4540	Hfqlnm32.exe	91
PID 4540 wrote to memory of 2392	4540	Hfqlnm32.exe	91
PID 4540 wrote to memory of 2392	4540	Hfqlnm32.exe	91
PID 2392 wrote to memory of 4336	2392	Hoiafcic.exe	92
PID 2392 wrote to memory of 4336	2392	Hoiafcic.exe	92
PID 2392 wrote to memory of 4336	2392	Hoiafcic.exe	92
PID 4336 wrote to memory of 3160	4336	Hbgmcnhf.exe	93
PID 4336 wrote to memory of 3160	4336	Hbgmcnhf.exe	93
PID 4336 wrote to memory of 3160	4336	Hbgmcnhf.exe	93
PID 3160 wrote to memory of 3596	3160	Iefioj32.exe	94
PID 3160 wrote to memory of 3596	3160	Iefioj32.exe	94
PID 3160 wrote to memory of 3596	3160	Iefioj32.exe	94
PID 3596 wrote to memory of 3644	3596	Ikpaldog.exe	95
PID 3596 wrote to memory of 3644	3596	Ikpaldog.exe	95
PID 3596 wrote to memory of 3644	3596	Ikpaldog.exe	95
PID 3644 wrote to memory of 1372	3644	Ibjjhn32.exe	96
PID 3644 wrote to memory of 1372	3644	Ibjjhn32.exe	96
PID 3644 wrote to memory of 1372	3644	Ibjjhn32.exe	96
PID 1372 wrote to memory of 2756	1372	Imoneg32.exe	97
PID 1372 wrote to memory of 2756	1372	Imoneg32.exe	97
PID 1372 wrote to memory of 2756	1372	Imoneg32.exe	97
PID 2756 wrote to memory of 1696	2756	Ipnjab32.exe	98
PID 2756 wrote to memory of 1696	2756	Ipnjab32.exe	98
PID 2756 wrote to memory of 1696	2756	Ipnjab32.exe	98
PID 1696 wrote to memory of 3532	1696	Iblfnn32.exe	100
PID 1696 wrote to memory of 3532	1696	Iblfnn32.exe	100
PID 1696 wrote to memory of 3532	1696	Iblfnn32.exe	100
PID 3532 wrote to memory of 4828	3532	Iejcji32.exe	101
PID 3532 wrote to memory of 4828	3532	Iejcji32.exe	101
PID 3532 wrote to memory of 4828	3532	Iejcji32.exe	101
PID 4828 wrote to memory of 368	4828	Ildkgc32.exe	102
PID 4828 wrote to memory of 368	4828	Ildkgc32.exe	102
PID 4828 wrote to memory of 368	4828	Ildkgc32.exe	102
PID 368 wrote to memory of 2136	368	Ifjodl32.exe	104
PID 368 wrote to memory of 2136	368	Ifjodl32.exe	104
PID 368 wrote to memory of 2136	368	Ifjodl32.exe	104
PID 2136 wrote to memory of 4796	2136	Ilghlc32.exe	105
PID 2136 wrote to memory of 4796	2136	Ilghlc32.exe	105
PID 2136 wrote to memory of 4796	2136	Ilghlc32.exe	105
PID 4796 wrote to memory of 3156	4796	Ifllil32.exe	106
PID 4796 wrote to memory of 3156	4796	Ifllil32.exe	106
PID 4796 wrote to memory of 3156	4796	Ifllil32.exe	106
PID 3156 wrote to memory of 4300	3156	Imfdff32.exe	108

C:\Users\Admin\AppData\Local\Temp\2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe
"C:\Users\Admin\AppData\Local\Temp\2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\Hbpgbo32.exe
  C:\Windows\system32\Hbpgbo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\Heocnk32.exe
    C:\Windows\system32\Heocnk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\SysWOW64\Hmfkoh32.exe
      C:\Windows\system32\Hmfkoh32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
      - C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        23⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        25⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        37⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        41⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3544
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        63⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:984
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4264
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        69⤵
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        70⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5048
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        77⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        79⤵
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        81⤵
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        82⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        83⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        84⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        85⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        86⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        87⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        89⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        90⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        92⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        93⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        99⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        102⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        103⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        104⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        105⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        107⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        108⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        110⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        114⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        115⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        120⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        126⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        127⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        128⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        130⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        135⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        136⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        140⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        142⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        143⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        144⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        150⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6204
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:6292
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        156⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        157⤵
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6424
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        160⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        161⤵
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        162⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:6676
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        165⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        166⤵
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        167⤵
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:6960
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:7000
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        173⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        174⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7120
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        176⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        177⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6256
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        179⤵
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        180⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        181⤵
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        182⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6536
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        184⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6660
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        186⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6740
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        187⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        188⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6968
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        190⤵
        Drops file in System32 directory
        
        PID:7032
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        191⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 404
        192⤵
        Program crash
        
        PID:6236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7116 -ip 7116
1⤵
PID:6176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
163KB

MD5
d58c9bf9be745d57612ad17b18fa6339

SHA1
53253640f720fade0aa54610a6ac34a81d2b66ff

SHA256
c59539dbcf0819eb4e26b1921fb4d0bce0955214fa69d5d06fb4696c04d59fab

SHA512
8d21970d53b2d856d7eff87f545570722e6601813b00a2c33fee8fee2a202d41fe5c43ef11bc226d5f4c410a12cb5b3eaac4abbaf73564d44e00d0cf77778c87

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
163KB

MD5
9e293cb1f997f3a0749d20d7fcc7bc01

SHA1
6c0d5266fddfcbbe062e030267d7c6982077e182

SHA256
717fe8aa74344209e5395a937c113c51ffca1af1594cd47ccc2311b109f9555d

SHA512
78119d17ae69093a3aa2ac47f092b600750479f3d97cbc3f3f6067a701159bd30fa22ca1ab5c078b3c98eb8240d2f4034f4100eee6c2993189a8ee7604ccea9d

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
163KB

MD5
814e48c1ede73942be83efd6d16ef495

SHA1
76186db7412a28c8b0e2c807b7343a80ce5d9fd3

SHA256
95d60206df304dabfb0589433b290cf56c4700b28e8870c93dec3a4cecdf72de

SHA512
655291e1af2a8b9033cc9286fd482813ccb361650836bd45067fac0c543d2d448eef163d85e63067d24b3fa7dd802f7ec77b950737b269d1c5cc455837b72441

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
163KB

MD5
ee0460fcf9ddb150e8bdb32997715f11

SHA1
acb6133cc3212202999524f504dc70cf20e0f106

SHA256
3bb6c7c49de090084606e20fd441f35a2baae0952355a1dcedbb139e418709a7

SHA512
d636737e44ec3670862a57a118c83d1f3152795d57448e60e20464e00882a61f0fb1cb0819d64fb85965f6f71d6af2e52291dc6be5397b0c3acc3418758ba2a6

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
163KB

MD5
883a6f8a47fc3825e27a3898e9f01276

SHA1
40f8c818ac36c70e6c5a4606c5d0ccb944ccf9e7

SHA256
685fed5e2f9a0d917a701a1917cb14d586f40f03b98083a76df92db4d4829b60

SHA512
f603633e38b4101940f75e14d8fcf0f0c8c0257a9120208ed68575b533893b8c736099b9db68e801f640e07d48f2d54609b0a9b88a1b155211173cf9b9aa163f

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
128KB

MD5
85c44fccbf6ef49433bef051567c641f

SHA1
7f80bfc27e72b2eb1ad6020faf7729d12e16e3b3

SHA256
f0ae208f1457b3e3778cc889a4391f1c73b187817645c93b92a1fd254f69cbde

SHA512
a46ab06e923824f78f5902902eac615c343fcb72b745b7f13526c4338e46f6ceae8b0448ca139e8825b335517129d8aca5beeabba889033dcf5033daadd2b6d0

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
64KB

MD5
2effb0bb01689c604016ede3183a90db

SHA1
5fed57c3d0855090f55c04a010bdd0209475244c

SHA256
4b6d6bd5cae596ebf1960a87ac96fefe999b96dc901062a91388b6fce056f057

SHA512
499a5952d6cc8b9f5b8709b7698c367ede2056256288883419fd02fdaad98fc90b0c659c47c99d9369b971f27430c377a1d050d22b412980b1479204efcd71c7

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
163KB

MD5
1b3dd1bfdee132c27940f1fbaa5b5728

SHA1
801c2b4051bb1933aee983ceb24909a2b2d69d3a

SHA256
d020da84f99d86721721c2bc9f682a4152027f8172f01b1fa53658ef4d39fe11

SHA512
9ef412f952e13534aae6e739fd4548b8142e47ab5e0242461714f9302ecd1fc4ce08aabcb7405c293067e91520484cd3b8bdcce39303a1801668e6019f1a2304

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
163KB

MD5
8b8e83e854ead289d9b91777897b9417

SHA1
9e7ec3962adbb0f2352b9112950a04ff271b9a8b

SHA256
8de0831317107310662bba6604c951b74680b2b64e66801a6c960b0d0cec1112

SHA512
4394f2e989133f54e2945c46f253ab0c7231cd96455bd0fe88cd72c4d263674bae099fe4e970aac5531530245a78d43c9c1eb04a3c8fde2c90786c40af22cf4e

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
163KB

MD5
f1441606687b4818c06cb6cb4fdc65c5

SHA1
6cf938bcca4e8e16667ae9443c226460037cb9e9

SHA256
246e18ffc7d4a205dc4d4d82ea828b9f8899e72e8ce9c05a3847ca146e9711ee

SHA512
5c0fb8c4cb220e19e0a4d8d69a61fd13bff581cfe2383250d836faf574ef3640856ffba7354373ebcdc9f44ca22c3a27c204bfb00e96b437c9d55f08b2091955

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
163KB

MD5
14a859a13e804924cad71be4fbbcf2dd

SHA1
2dfa3d4057f10c6a4a86cb354a5e4638f9d88e7d

SHA256
52d24f59e7011e1bc97b74dbd08f7297ee4fb88780e07c02ef8729f0b127cd26

SHA512
2bda9e2d3b197fec7bf1b998112d9cba60ade1b4e259433c26ee6d5d582a6399feac70c43776baed8e7ff009676cd9a432ec5416b995725444e498b10ed70499

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
163KB

MD5
faf60c9e65160169299dd62d88b4a562

SHA1
66c5bf2330fac5f6e07cc2a0f5abd25ca3dd353c

SHA256
bdb39574042a2dcd2e45d30afb7c437fbdb5b9edbf1577ccfd1d52302e140115

SHA512
1aec7134067d6399572629315b9f61330c7df07d7e0fcffdbc2cd1ecd8fe6dde7eda246211117f99b60666df5b703318a4b2afe010f5df6431550e14fa1d0a99

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
163KB

MD5
ece9eb2a4bcd83e447429f6e0cc8d384

SHA1
fe86ff8a961de68a26370e5581912944018c6736

SHA256
6e6e0397fb75e06f5fe55a4ce3025803041c5ca7eb25e05486d48d913f55a6ba

SHA512
13d3a0c2e07a7339c2a72a0539057858a43c52334762f218e903a78f909865681ca2e015df0b5294fe362cf43e44a23e993b7315d0ecd35ed7c548fc036499a2

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
163KB

MD5
20173811081d3e50dd3c7db80f52eec4

SHA1
f317748af4a696c4576f047ede21e1b2e0b24c6c

SHA256
5ebb36e646c6a860fbf85343581cdcc907edb9cfa6833cb51403f9dc20a06427

SHA512
5b595248ff0db81389cc33b85ff3ecbb2cb29cf736957c93580df9481a15c514733143793c09b65b74b89b9a9b1443384876c0af6e9e4587e38290b95ea9c5e2

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
163KB

MD5
4cf6667ec2b82a0a081a3d5dac84efa5

SHA1
6911aa357c69a0d9c98245fa4fa44ff128a1a305

SHA256
ab4e190374e627b38e34bc1d6e9bb45f161f45a9729bfe9ce17847399127833f

SHA512
71b97cc8b6adb7f727fdc18d7b22354a8d00d95df625cec1c274e4b3aea2820e8866561aeec075dd1f84845d2ffe8a5fdb586e741147e5d746cb8d89ffe98dba

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
163KB

MD5
48c76772b9b452f40b8b3134e689fb80

SHA1
1c2a8434eb04a5facece1d10a8d8799e5ddbcb15

SHA256
b6740fd212984f24ab19266d1b2a29f4de0c0b47ce5f3c9da91cebbb47878670

SHA512
54280d86013bc5e0cf1a06e4792499bee0148835ead93b60a43632a1abed2a8cfc98c9f4c1cc25f52fdb3c5476ddc798f4216a6ec796d4a2825476e4729cff9e

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
163KB

MD5
8c4335473de155ac23df63397a66da89

SHA1
198507d4fd586e940700da0a0e4503df6436cb2a

SHA256
233710a71218f9723b4ebd084ba67ae88747e99ec6d8135119715a1be7649072

SHA512
9dd7023d4f00b617b1717b76c5cc20f7ef5623514cef213f68e1e9d37aceee21ce104d98bf87dd139f1f3ef084cdaab164f87303503f67501456bb084158f5c4

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
163KB

MD5
d3cb455a370982fd3a5c3be97607817e

SHA1
7267fce644f4ff7ec2d81880ced86d22f33a9ed8

SHA256
ef69ece69b2d5defecb8139ad469703e570507d5467113c8b21e2eab13873dbf

SHA512
651819482620aa73788c02868347a5292f155fac0b171836b018d28ff1c24de977436baa1f9f2ce2d552df13446892c40e65af7124a6f36a71fb391e6ad38df9

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
128KB

MD5
15ba5d8436f6f60958bddb0a9eb71815

SHA1
7aad270ea20598121bab940d9f16d3eff3b2eb63

SHA256
cb9e6fac96b32d3586ae968383ab79a52c90aaefceb70e8c6e4975cf31593195

SHA512
4d6d37a14ebf77a9ceadf7f6ebcc3211f0635dbce3dd149ac31c5ab08763556f56d612ab73418df606fd37ad8150207667dd5011ec75bdc3e9c743a73e410586

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
163KB

MD5
e8378308998e63e8d6271f50637e474b

SHA1
a6b3e82508a2bc2eb5c76775aae758b3752f318e

SHA256
a5413aa805177199cf841864e858db8a97200cb64dc2b4466ae8810ed9f2bddc

SHA512
3537f7c6515ab40eddb19a636327218feaedae0fe74d3b64a36638af7d6b692d2080b1c3258e0a98c0c70d0a4f837034e67f6c5d90b2a88607eb8a5da5e6ba55

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
163KB

MD5
d391ad2980c0f7795102bf493801a454

SHA1
111a52ba7d2657cedebd7d5787c8be61bbc3aed4

SHA256
c6f00ab2c74035cd93c4d3dc5d10a86d26c3ff434184604386d1a2fab800943b

SHA512
6211e65ec7116fcfd3f047348995283f8df67fe751231e16bde4f67cf6272d86316197e0a43c6dc6ed9c92d83373d724fc12e9ec55c452bc8652e2255e873e29

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
163KB

MD5
8aafc35a8316723ac9da6bfe78b71ef5

SHA1
c387c5acc99c29ad27e1362d5b62fade7f4b622d

SHA256
138f8ee1a7eb3d2e1551b0336a8dd1c6f4557e282dc1a68d396108f1698c792e

SHA512
45a65949ede1e531381fb3c657ef40dcb40cb5651d88a65eb437371b3316fe8aa86d4f780cf57491876630fb67de2b93180af9b5e1785795e5905a4051338d38

Download Submit
C:\Windows\SysWOW64\Hfnphn32.exe

Filesize
163KB

MD5
a583af36b1079c4bdbbf6b9e15af3d7d

SHA1
9fc9b121e0d9a4f92d1ea37d71465ca568aa54fd

SHA256
bf08e3960a4a711243da61d886492edf7ff084b89df78d08f79af13daa048e30

SHA512
7f5657d8a0aca60e1e1a0a81e17c629467e3bb22afd62206e6d5803140b180d7729b6546362db921f443e184bdfa249d236f0354f63908b0abce108a46d6b49f

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
163KB

MD5
b44d0409e69e6135fafb66535939554b

SHA1
f6109dc3d8a2b6f2ffdd85abdbba02ddbfc7dd6b

SHA256
25ade2cfdf4719984487762b0a3e963b7396a83e793bdc5e58313a660f57aaa8

SHA512
f8582c5a2230fc0ff42be9453b90a881b2679dec53678e4b1603a34c025d8be7698309778d24a830baece503fc50b100d839c8f2d149a48eb9df9c894bfbf17e

Download Submit
C:\Windows\SysWOW64\Hmfkoh32.exe

Filesize
163KB

MD5
a0fb419f2e21df9f4ec5806fe697e9b8

SHA1
81adb944907bff9365db03bf12706c15905dc6ab

SHA256
779b86f17f4747a94c730b97891ef5974cc6ea14f87b26028a2ce2f55a82bc41

SHA512
7cc1fd1c293f517be9718afe9ffbc178bde77e74f7aad64cd0029af67b757a4badb39c2a25253be708d58e7bc03fa0244f669b3f7ddead61290158f898764162

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
163KB

MD5
e968a1279bcd6753b9f98027a2cb44e1

SHA1
760d7b6de4a805883433ed9d9e88524283601e52

SHA256
6cb082c7d43e9bdea90ff668e2672294b6b6f873ae65b602c821d82a967d6d0c

SHA512
6bbfe16f15a907358b081f65f68b2e348c543439b4b29e05d64da3c4fafe2c8c3c4a824db0ddcc8368bd61deb80d5d0c54a88a416849e3d545e5abbd5e235a30

Download Submit
C:\Windows\SysWOW64\Hofdacke.exe

Filesize
163KB

MD5
f25e4c7db341974ade6c1accaf56d691

SHA1
12ca4a7a09c1476eefb5be9620c4dfe3676492de

SHA256
00af17aca6d43c8d6c40cfd9d4e3d2300e5f476f73dbe3bf6181e6cff522558f

SHA512
77f89da550bddf684ffa40689f94bb3e06fd3e1b9ab5f00842a8e3b8426929bfbdd5ae6a7e7a7908fc4e759d5f915db7a913c1695edd774508604b5c7cc47330

Download Submit
C:\Windows\SysWOW64\Hoiafcic.exe

Filesize
163KB

MD5
edc23673347c2b0652f804dfd30fa91c

SHA1
d1c5b074f5f47930ed584ccd176819c9c93e3f87

SHA256
d54fccc1fd26c281686595f4453664c103f1531736e502aa3f9a51536e7fe7ff

SHA512
eb9555ae5edc55f368bb30c942ba4d6d8e5e00d179654acf3556600304d9f89f1d3f05c507f03895a0d96f49cd1c0d3a595c55992e8e53da5453cb4da62dd651

Download Submit
C:\Windows\SysWOW64\Ibjjhn32.exe

Filesize
163KB

MD5
73d61a02ccb56cc39e445b6262c505b0

SHA1
f472981498c4ad0a272338c04c0951e32b8a2113

SHA256
7a8f93837b26ee9383eeb864bf0f65c5f97cb8f19a7367c8531d6807f42bcb13

SHA512
356a0bde9633fc672e7e58e3af55b7832bb11ab9e71d25b08af2b1a1b3d53d1cdab57b4463d584e78ca17ab0defab0fae04773c0c7ca063b0a46973639ae8f97

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
163KB

MD5
ae96de29588ebaead0ef8de655fdc67b

SHA1
be1e2335d0f34c2acb5c410de77f7dd92dd0ab02

SHA256
547ebcdc3b2883f4c05969b6635d78e18b3942b45b3968b5f2b959128573a7e7

SHA512
7ea453e1fde5a2ebc4fcde123ec3c9e78e7d9bf1b1332d77a1087b7aa82f3dd0d55a5d359a968d27759c64abbbc6c27cb2d9e9a72c6201af3621d7f7c28ca5f5

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
163KB

MD5
269908242b82d9c93fd31a7f1b077d0d

SHA1
3d2c382d799e5affa028ea54bcb2a2709a8530cb

SHA256
cb42c73ab4ebdd3097008f8be71ae65fd730dd7ac76640d6fb4f9b9e939b0179

SHA512
52daa720a8deb1890d47e427859b57e49bb76db01c315f10f2480a25d108e4a3d590a3cddcd15b6aa70d48e05423e099a9d5f87cdd7bc8447f314284c600cf9f

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
163KB

MD5
3b197f785915d8c25f74938d5c14d331

SHA1
c5e36f25830e8d5c794a28f42352fb1e069672be

SHA256
a2f914f271d1ed233926f4d5aa8b173eb68bc19c57097adf50e8aab8dc5dae51

SHA512
8e827f98c6fa2fffe776329bdda3718f3c886199c789af80e0f170e5779eae67c8661a9cd2eb25d98d0fda26d6d1767793664bf7fc124e072c8480fdbd6e39d6

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
163KB

MD5
0c6c990a5b48d454cdb982852436afcf

SHA1
e6edf43ca20c2ffcd3f6db1346bfdc2c1aa5c503

SHA256
56d7116bef787e2dd0017f028d525b435d92096e9c1bd1426b5bdc324df2b72b

SHA512
5337f7328eb8a8c6fa34ae71e14f5189fcbc83aa576d482a255667111e0fbe9e86165b523243061077cfdf56441d83aab90db8ec61283bc2648fe6f85c08b0b0

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
163KB

MD5
5217dfd30fd765bb3afab76b92fc0475

SHA1
0feb84c1c1335c032579d9fdf3d5687f13c148d1

SHA256
28b7b7bf6d31a8ee33e6ff5bc43da5b597df562d499df84214b1fa0ce5f6e243

SHA512
4820e2c7b45dbe8a8c0872823968a6df2bc3c0518da715ca9c49a8fc220a98f2b235f9b9f0d92935e684c42bfc4441d227abb7a797423320510f92b1854de5e7

Download Submit
C:\Windows\SysWOW64\Ifllil32.exe

Filesize
163KB

MD5
4578b3ad0d031ae9b87f3447a3c6ac7e

SHA1
cdbe7c0036436afada938abccd948c2d43e1d4b2

SHA256
962583ed7445b0a9a2085a6cbd137e5c5141aaebb363a2a5cac3dafbdb4934fa

SHA512
803878d8b37a143e7befe254435dc777804bf919cc5788da2e5769b66fbff8fcbf63ad63311de8ec3b1b9e83dd8b116387604d34ff959855d7ff2ab875335b54

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
163KB

MD5
be6de95e1bf075ddf151cc8435b284e1

SHA1
4283cd63c746d3d61076c638d371ea5e1603bb18

SHA256
fdfe5fc88adbea1409c5b677c964489892add5bf366b1e878a8e220991ea4381

SHA512
81b60afb5732787283ba594dd1c6a9ecc21190624884a58a7c64da7d091648684995027cf4fb3a776a05ddb056598e6e75e69f4ef38cd72fee25151c9d9fb6ee

Download Submit
C:\Windows\SysWOW64\Ildkgc32.exe

Filesize
163KB

MD5
2666776ff970d7058c83984011bbbc2a

SHA1
d47a61f57863ef7d580c61ef480d184601bc5020

SHA256
2ed048d2f0ffbbe017b9b810ddb036f9757d1b8c8786c5bc79c2553e7ffdcbe2

SHA512
dca66b0bdb895f8e8d575d8bfe9b25f46c46c46b45f5a7a18b0cce8b50a2518c6995f123d7fdeed8af8566f3dff973d163b9741b6d5b04395d8647c47f23e1d9

Download Submit
C:\Windows\SysWOW64\Ilghlc32.exe

Filesize
163KB

MD5
1379fd8b5166859dab8d595909ace479

SHA1
cf8653c22fd65f81a8da8d278239399baa6fadde

SHA256
91b545037f123b87a5846105d5c59ecb8f184b92d6787f52845de88b2cf52ebb

SHA512
567a996306e12de281283dd78e580ebd7016ecc70029efc7a5082cb6a189b50bf776f587ffaff6e3bff80e5685c827f013c45cc5ca251d1703512f2b586fe6f7

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
163KB

MD5
89c9c739a6b16b414de2687edfbfa8c8

SHA1
5862b8902d6b41a17e9d1420a80d6b4b250b2496

SHA256
b00e06a0bbafd2814de06aa46b9e6b6dc9ecb116cd0cecf561f6602cc8d2ff66

SHA512
62a7b635565d053b848de5a5e037c1bc76dd7354beb76e69e272389c0361382b63b9d946be19847b75ef9a096f341b9f7c83233b89d19f13492417c5e9ab3f7d

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
163KB

MD5
1b4067ec61f0fe6ac615909a53e08b8d

SHA1
c2bc6ff0bdcdb8100e7eae6105e663b0d68ec6cd

SHA256
4ec04b4791513386d0cf8e2705648cbd81070246ab7836c3dd4fb521c11da53e

SHA512
a3057aa50739fd819eeb0eda6c16f520f992ca7b40d9802e3e3984444410ccb2c51253231525f2cdf0b0d96f74a0fd7459992c2b3c2e733802387d84043478ac

Download Submit
C:\Windows\SysWOW64\Ipnjab32.exe

Filesize
163KB

MD5
17b8bf0eaf15227801bf37f0abc2ada8

SHA1
63de544e83b8503e419ceda2e54331e91fd576be

SHA256
e9d9b3f4764ffe0fbe5859e26f238f22194779b53b3d971eb2ed0cb4625b412f

SHA512
5a1480712b986382733c7fa04e77256ba8d43c2680f50d047339a6a8b50858c7e39c9dcef63f2ad1a56ba2daedd0573bff5c5a105f93aec13965994468217f56

Download Submit
C:\Windows\SysWOW64\Jbeidl32.exe

Filesize
163KB

MD5
1d3d33c0c42b5690b61ed7b27c4a383d

SHA1
80ed045e628e557446f538ec957c5ab9e2d93c7c

SHA256
5cf451d1ac9c4eeb628277c8c43384535d11db6f964e8ee4af24e29055a6cf90

SHA512
358414fbe9e7f0ed203eb0ec1b93eb4f69482f27313c29d0cc6acf19d881dcc67b6995f1344e8c5b9153bb3bc732d9bcdc1fdfb2708625a64168c73bcc29d252

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
163KB

MD5
3d2377d51231556f76f5dca334b2f13f

SHA1
cdc12acf1a967fcb41ab509608b885c0370d3059

SHA256
74e18af85ad314e389f1e7fb2f8bb7bd0a7478dfa275bcee3f2ce98065e4169a

SHA512
15e2b81f31349167eeeccfba63d36c094b40973a58c11529abea9a7847958394f6df1e4cb0dda8c9f82cf9821c8e84c064ba0acbdb565023eb4b5de89e0158d7

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
163KB

MD5
dd3ba581867a816df365351624917414

SHA1
d65b8999bf3a7acf3c1f4c339946c8b45cbce73f

SHA256
3ec45cd1287fe2a9e9a8861658d4c306f432257001ed16ce3a75f2cd6c9727be

SHA512
17d4de778f51d67eee3f98461b209ce414ad76e155c822660d1f6fb0c1bc8196a8f8d82bf81c111607d504d2cce178828e0d90abf3f15c0feafb5157f52fdcdc

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
163KB

MD5
ba72f25b182b58dd642ad5adefd73c0a

SHA1
8c3a8ca91f2da1a7f8bf3b40137aba8869436e3b

SHA256
e0a212cc384c8d349822e9ca9a3eb287c38a1202d846007b78ed4758fb00372b

SHA512
28d46af7e9ea364f991b637cf6588ad2ec7f91270173b66c7f607a7ce2ee81cf904df68392440a27cbea143dd5957b7dbc48ca35b8b69065a8f28d86bf161021

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
163KB

MD5
53ceb2ec32daf0af6b6c2ba1841d575e

SHA1
be980076daefc4213e4a5051277c4e92290ee3e1

SHA256
b7f6e97a67f066895f3d43c79dee0ac380b670177998d8d8cdf4fb5f5d6cd1fd

SHA512
f6a0f6087d6159fbde97d579ae149d1b27699cbf622769bba3fd609657028fa136cc88a3aad22d406d75b5edce095243daf6e13ba52441fcdf36bd62722e95bc

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
163KB

MD5
719600e2634bac95eec746c496de679d

SHA1
1ff0d2c69caa4eca0a5e372cf041688980c69a24

SHA256
dac4b1ce40cd70b2a978a3e85b6629fbb8c9e157fc076bf1e9ccace00ab25a56

SHA512
99079b0a7b416c665d098029f6e7eb36c1acbc6a0b6519bfd169f0ed991a264647c631ba1c3f57f7c1dace64996831257b19359e15871b365bb778edb1d1868a

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
163KB

MD5
1b10491da4156ddd092ad8d8543534fe

SHA1
94f094fecea1799de0a49a80d7ef0bc2f5138f63

SHA256
5e8ce5cf0f1f3ef290bf0b63170682e274dff02fd0052c7bf016f92c0f4194fa

SHA512
97f05a3076ea7bba1ede5328312ceb40b9d294b538594de85ea8e1df89e4c74dc6993a51b58319edb3eb094ba4a10ebbae4b6a3ec148bb149faa14090d55210d

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
163KB

MD5
9b490b22db7fddf32ad26da62c8aa453

SHA1
5359f8418ca24caa31a16452364539d97d71bde7

SHA256
b08e8f98a399d4edbd78855b0829333793aa52c2e2bdb9bc175cf615337a851f

SHA512
549750ffa95bc89405d01e82ecbc882280123bf65b9b43a9f91cdaedefbce7feb279c1a12cf7664c94df09730cf0f16e3069d9a689684224acc630483b88e95d

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
163KB

MD5
795beafbc12de699478456e533e99542

SHA1
741d159291251a382dd9d852ecfd4ac52620f01a

SHA256
ac1cbe77bb844f19331a68d8e6b07060ba2e9c2d42dac29c23083b2f4b8c2357

SHA512
1cdeae24db271ea73f492d49a3a0bb192e9c33cb9a46918a0a1db75c8f47249e7a121e996dd5ebd042cefd8b16258bb1e947e934921301228480b4bbf815cdd7

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
163KB

MD5
0b1fc84743565f8818dbef7d27e20322

SHA1
bc00d9fe237a77dd70bbd49f2f9ea5420f65d09e

SHA256
1df0fde5ee841c4b3993a35c6c6c4d87bd9296a1ff4d908fb7f59d07c4d26e91

SHA512
548f8cd49b46a876dce4f9b565fc0530e2511f308690645e862810d6b21ad58380e1b9522eee48f078d7c9d2ef0f5ca53a2d8868cb9320cf90f922414d20a34e

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe

Filesize
163KB

MD5
fcc4286b71724415fc79e713d04b72d3

SHA1
2b33060546bb970943c2fc594c07d26041415e90

SHA256
bf90026216e9f06fd4ba6b8630349b19680e5b829cfdd73cd8011d8534e19334

SHA512
ee7919709715c8e74542813440ce0795c674438f81599ad6e5d35b7a89bde3bb188a3e6f235c37341fa9e6630d6eb14b7bc5328886e4d0f0f3e2bed6a6216915

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
163KB

MD5
c6b620b6c9d9a2d37d4b52b3b52cf5dd

SHA1
d2a5ca40504629ae6398a97f8ec5c1ec102b104d

SHA256
963a95730f6820013a6d5eb8516765ed9f5c4840777e1defdee5e4135909d10e

SHA512
ed5aadac3b0856357062f81ef4c05035716d2a2bffbb6a63e8d67d00cec6673d9ccf0713c5f115666ee435877e79f2026722f7bff7104e4037d0a87e1ed8f03c

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
163KB

MD5
629cca84fb3daf2f345908ac404a71b0

SHA1
ddb0e924798e54a76b08072688b71ea5eca83833

SHA256
c249fec6cf1ae02e26fa5bb4367969267ccbe2938b34d18ab7372c80c6a06b19

SHA512
eca429091b05891b400075e5dfe77377b520df51149b9436245b4447b416dadbad5299046e040eb02dc0332125cc671ab3facea4172aa1930c8659a571f60118

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
163KB

MD5
29d21768e14b5492820827425304ac0f

SHA1
2dc2f3cb5ee1541869e03e8d31d81278bab6a94e

SHA256
1135d566294d94ba445f8b6e38406c36ef8e6b2505b587874f4b909699f7523a

SHA512
a26d57d099295b0eac9bd9b9b844d673a8c0d91ea2023301459c0a6d2b7684586a4dd9281f01e60b14988454053cf1d9d08b0fdc86a186c6aaa12e6538f28cdd

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
163KB

MD5
5eb79b8273f69df350714df8a92a29e4

SHA1
44eb89d6802ff8ee17923c381088795a761bcc71

SHA256
dcaca0149f3e5e614a705e87fbb539ae3eebf9495feb4a0cd04a7468fec22f18

SHA512
cabbf5106d1969b1104b59322cc9090dcc8774b51b56e7f7a5f0f3c3426dba05eef3c31c2a45a15e6bea29cf65af7fb354514feda981be2022e889fae9961149

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
163KB

MD5
9768be26c01a0c4a0b53ea9c957c8738

SHA1
54191c551596a335ffe626f2ebd34de48b8c9ba7

SHA256
e5e50b3f3515fa6611fb77c209983bb6133f95e0d9b147a4c1a346eb0a072fdf

SHA512
3e6963a2494a0246b25d9c2b46aedb9b57da19f5c23471e43dfef6c799f395d67da6ae8f53652c5ffec36129e3bdbec824f2b5a0fcddc70c79d06375d3b34d8c

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
163KB

MD5
932f86ceadd5833f10e4f6fbf2df8ce8

SHA1
5393f8770d7a7799b9e09bcfc02f05d178bc958c

SHA256
10f28b2070aac921271de3676e805f21125d1d0e90c5e1f80272a8e94ca89e62

SHA512
975533866b85f695928c01db942fcb3a5fbb5301f034548bed79bbcc5ce50d47eaff6fd69108b0ae07c0fa537b80a4cb79c87b6bd53c177fc1b29b82f4c15528

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
163KB

MD5
7d3ecfd67a3940fadc20efb54191c786

SHA1
5f63ebc970bea1f71c7b6c9fb99c89e7f10d3a79

SHA256
3145e187f0833f777322e6c7fdf5fda5954e5b21173df2685c0025def8b3879d

SHA512
d30559cfa6d5393ed9b425b0eecd01ce1fb9860ef913fe42f7df3044721637d920128b626f8e34574914cdd22c7f269b311ec386fbddd572e49f381a4a049ff5

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
163KB

MD5
95d670f032d97e7f4cef143658f9bce2

SHA1
b2c7bc271c4d94c80432c4396f1d756069af0421

SHA256
3af0d9106242703031b7fc6915525a454ffc74c6e5744e712a3a900ee8b211dd

SHA512
f93774f756df1ec7bd0afbbfb9cf032248d981015b51601018e7cf14b42052a05f69074852300616a31f4f868ff090ee40f0dd3f3dd0e469c3d2401e5ece68ee

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
163KB

MD5
f84fd5834c4c79c0b726be22addb5260

SHA1
b7c80e37219efaf216f85b94916e0fabc0341443

SHA256
8917e036abd34594e8c80e482c845ed42870bbebd2fea3882a047dd3acae05ce

SHA512
a898a496d4055dfe4981d24c57105331311d3b60e4c09f2488b0e0c949d0b4832c529e7cd079bfd8c18cf9d6207d69f79bcb8d99fc249ad3ba10ce07dd8b96db

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
163KB

MD5
3dbb3e888f4a9be823be207fc34dcaa4

SHA1
e69881907154af076a23eac6a1255d8bcb1469b2

SHA256
52505c1b4120c07c080b8bc93d4d33119a69d86d3433a5807bcad131ea58ffe5

SHA512
654be9d4f890e2ec67e3922492a8d0facff17e5f7d06418d34f6031c8f5ff01c80573f4c8a74346b52c01bba8aa6a9fdf3058f1121cfc6ab28257db1ebc3f299

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
163KB

MD5
3edec877a6af6781d8464bb8a9a2031a

SHA1
42d2fc696bdfaf3b147c2dcb22171f3cfbe54207

SHA256
0ad24f99c3b7d346b53028a0012c7993a0f6a725cde244da47cd533c7567b818

SHA512
cd44ebdd240a6d8fe1e494bde673e48a1df9fb44220515c1147e180bf8d1881d6167276569b43107cc0bd9faea3038ec998f624dbd049b68afc293ad3dc7b7a5

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
128KB

MD5
7c9b3964a76ef2da67c0f5ce6bc83cf7

SHA1
92c85817cde0a67b7dc62f9960457117cc1ab0b4

SHA256
3898d840c3d2472fa9a6e338c42352e9ab434c121b7a6167ab7951f382ef5570

SHA512
032c1ebfc1f7b53c9ff18d5fa6ae92b1cb11697caa8aa9a1c2ff9ea0476cf3ba53e1003d1b4033fabc95846f179cf76e95d2957703d9ed09614456214316f878

Download Submit
memory/60-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/224-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/368-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/640-1505-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/640-508-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/668-425-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/668-1533-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/864-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/880-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/984-443-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1100-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1100-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1100-538-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1236-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1248-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1328-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1332-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1372-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1392-593-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1464-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1496-1483-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1588-413-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1608-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1696-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1796-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1852-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1896-526-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1968-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1980-586-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1984-473-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2012-585-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2012-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2080-431-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2108-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2136-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2236-502-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2332-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2392-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2392-599-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2724-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2756-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2832-573-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2892-551-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2892-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2896-559-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3040-539-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3108-552-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3124-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3156-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3160-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3176-461-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3204-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3532-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3544-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3596-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3644-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3648-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3648-579-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3728-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3752-558-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3752-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3816-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3916-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3940-453-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4044-383-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4104-479-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4140-485-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4228-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4264-455-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4300-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4304-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4336-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4380-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4388-471-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4404-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4444-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4480-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4540-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4540-592-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4544-532-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4560-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4652-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4676-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4700-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4764-566-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4796-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4824-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4828-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4856-514-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4860-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4900-565-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4900-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4932-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4976-491-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4988-520-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5032-549-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5052-389-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5060-572-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5060-37-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5532-1460-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6676-1328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6876-1319-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads