berbew | 926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648

Analysis

max time kernel
26s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exe
Size

163KB
MD5

5cc6f52aa26c6158227740ac664b3fcc
SHA1

d080eb731477dcdb9573655381f34f1e2da1e259
SHA256

926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648
SHA512

9c5421795a57b3f9c7dbb38d1f4c76dbd2f8e0538b5a7243a7e04c60523c7d99b1b6763e7114ff15c27f0aa909eb4e87055f30f4a098813be423f9158ba5e82d
SSDEEP

1536:PzFUEg/T48+taofUtZkJlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVUg:Bk/c8+4yUt2JltOrWKDBr+yJbg

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Oancnfoe.exePkidlk32.exeAjbggjfq.exeBpfeppop.exeBjdplm32.exeCphndc32.exePjnamh32.exeAbeemhkh.exeAeenochi.exeCbgjqo32.exeOqacic32.exeBhdgjb32.exeBbikgk32.exeCgpjlnhh.exePgbafl32.exeQngmgjeb.exeAfkdakjb.exeBecnhgmg.exeBlobjaba.exeBbgnak32.exe926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exePjpnbg32.exeAmnfnfgg.exeAmqccfed.exeOghopm32.exePfgngh32.exeQeaedd32.exeBmhideol.exeCmjbhh32.exePcdipnqn.exeCdoajb32.exeCkiigmcd.exeCpfaocal.exeBkglameg.exeBmeimhdj.exeCmgechbh.exePmjqcc32.exePfikmh32.exeAmcpie32.exeAijpnfif.exePomfkndo.exeAgfgqo32.exeBehgcf32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oancnfoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjnamh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqacic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqacic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oghopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjnamh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmjqcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpnbg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 52 IoCs

Processes:

Oghopm32.exeOancnfoe.exeOqacic32.exeOkfgfl32.exePkidlk32.exePmjqcc32.exePcdipnqn.exePjnamh32.exePgbafl32.exePjpnbg32.exePomfkndo.exePfgngh32.exePoocpnbm.exePfikmh32.exePkfceo32.exePndpajgd.exeQngmgjeb.exeQeaedd32.exeAbeemhkh.exeAaheie32.exeAjpjakhc.exeAmnfnfgg.exeAeenochi.exeAjbggjfq.exeAmqccfed.exeAgfgqo32.exeAmcpie32.exeAfkdakjb.exeAijpnfif.exeAcpdko32.exeBmhideol.exeBpfeppop.exeBecnhgmg.exeBlmfea32.exeBbgnak32.exeBhdgjb32.exeBlobjaba.exeBbikgk32.exeBehgcf32.exeBjdplm32.exeBdmddc32.exeBkglameg.exeBmeimhdj.exeCdoajb32.exeCkiigmcd.exeCmgechbh.exeCpfaocal.exeCgpjlnhh.exeCmjbhh32.exeCphndc32.exeCbgjqo32.exeCeegmj32.exe

pid	Process
2720	Oghopm32.exe
3048	Oancnfoe.exe
2700	Oqacic32.exe
2660	Okfgfl32.exe
592	Pkidlk32.exe
580	Pmjqcc32.exe
2404	Pcdipnqn.exe
1680	Pjnamh32.exe
2976	Pgbafl32.exe
2860	Pjpnbg32.exe
2352	Pomfkndo.exe
2780	Pfgngh32.exe
2424	Poocpnbm.exe
1580	Pfikmh32.exe
2168	Pkfceo32.exe
2216	Pndpajgd.exe
2400	Qngmgjeb.exe
1516	Qeaedd32.exe
1908	Abeemhkh.exe
1536	Aaheie32.exe
1704	Ajpjakhc.exe
1312	Amnfnfgg.exe
2272	Aeenochi.exe
2564	Ajbggjfq.exe
1620	Amqccfed.exe
2632	Agfgqo32.exe
1920	Amcpie32.exe
2560	Afkdakjb.exe
796	Aijpnfif.exe
2988	Acpdko32.exe
816	Bmhideol.exe
2096	Bpfeppop.exe
2864	Becnhgmg.exe
3016	Blmfea32.exe
2920	Bbgnak32.exe
1420	Bhdgjb32.exe
2684	Blobjaba.exe
2176	Bbikgk32.exe
2556	Behgcf32.exe
2232	Bjdplm32.exe
1108	Bdmddc32.exe
1148	Bkglameg.exe
1060	Bmeimhdj.exe
868	Cdoajb32.exe
1524	Ckiigmcd.exe
2268	Cmgechbh.exe
1548	Cpfaocal.exe
2332	Cgpjlnhh.exe
2000	Cmjbhh32.exe
2644	Cphndc32.exe
2256	Cbgjqo32.exe
2148	Ceegmj32.exe

Loads dropped DLL 64 IoCs

Processes:

926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exeOghopm32.exeOancnfoe.exeOqacic32.exeOkfgfl32.exePkidlk32.exePmjqcc32.exePcdipnqn.exePjnamh32.exePgbafl32.exePjpnbg32.exePomfkndo.exePfgngh32.exePoocpnbm.exePfikmh32.exePkfceo32.exePndpajgd.exeQngmgjeb.exeQeaedd32.exeAbeemhkh.exeAaheie32.exeAjpjakhc.exeAmnfnfgg.exeAeenochi.exeAjbggjfq.exeAmqccfed.exeAgfgqo32.exeAmcpie32.exeAfkdakjb.exeAijpnfif.exeAcpdko32.exeBmhideol.exe

pid	Process
2884	926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exe
2884	926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exe
2720	Oghopm32.exe
2720	Oghopm32.exe
3048	Oancnfoe.exe
3048	Oancnfoe.exe
2700	Oqacic32.exe
2700	Oqacic32.exe
2660	Okfgfl32.exe
2660	Okfgfl32.exe
592	Pkidlk32.exe
592	Pkidlk32.exe
580	Pmjqcc32.exe
580	Pmjqcc32.exe
2404	Pcdipnqn.exe
2404	Pcdipnqn.exe
1680	Pjnamh32.exe
1680	Pjnamh32.exe
2976	Pgbafl32.exe
2976	Pgbafl32.exe
2860	Pjpnbg32.exe
2860	Pjpnbg32.exe
2352	Pomfkndo.exe
2352	Pomfkndo.exe
2780	Pfgngh32.exe
2780	Pfgngh32.exe
2424	Poocpnbm.exe
2424	Poocpnbm.exe
1580	Pfikmh32.exe
1580	Pfikmh32.exe
2168	Pkfceo32.exe
2168	Pkfceo32.exe
2216	Pndpajgd.exe
2216	Pndpajgd.exe
2400	Qngmgjeb.exe
2400	Qngmgjeb.exe
1516	Qeaedd32.exe
1516	Qeaedd32.exe
1908	Abeemhkh.exe
1908	Abeemhkh.exe
1536	Aaheie32.exe
1536	Aaheie32.exe
1704	Ajpjakhc.exe
1704	Ajpjakhc.exe
1312	Amnfnfgg.exe
1312	Amnfnfgg.exe
2272	Aeenochi.exe
2272	Aeenochi.exe
2564	Ajbggjfq.exe
2564	Ajbggjfq.exe
1620	Amqccfed.exe
1620	Amqccfed.exe
2632	Agfgqo32.exe
2632	Agfgqo32.exe
1920	Amcpie32.exe
1920	Amcpie32.exe
2560	Afkdakjb.exe
2560	Afkdakjb.exe
796	Aijpnfif.exe
796	Aijpnfif.exe
2988	Acpdko32.exe
2988	Acpdko32.exe
816	Bmhideol.exe
816	Bmhideol.exe

Drops file in System32 directory 64 IoCs

Processes:

Pgbafl32.exeBbgnak32.exePndpajgd.exeQngmgjeb.exeAmnfnfgg.exeBkglameg.exeAcpdko32.exeCmgechbh.exe926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exeOancnfoe.exeOqacic32.exeOkfgfl32.exePfgngh32.exeBdmddc32.exeBmeimhdj.exeCkiigmcd.exeCphndc32.exeAijpnfif.exeBhdgjb32.exeAaheie32.exeAmcpie32.exePjnamh32.exeAfkdakjb.exeBbikgk32.exePmjqcc32.exeCmjbhh32.exePkidlk32.exePjpnbg32.exeAeenochi.exeCgpjlnhh.exeBlobjaba.exePcdipnqn.exePomfkndo.exePoocpnbm.exePkfceo32.exeAjpjakhc.exeBlmfea32.exeAbeemhkh.exeBmhideol.exeBehgcf32.exePfikmh32.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Pjpnbg32.exe	Pgbafl32.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Cmelgapq.dll	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Qeaedd32.exe	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Naaffn32.dll	Amnfnfgg.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Bmhideol.exe	Acpdko32.exe
File created	C:\Windows\SysWOW64\Dqcngnae.dll	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Oghopm32.exe	926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exe
File created	C:\Windows\SysWOW64\Ghkekdhl.dll	Oancnfoe.exe
File created	C:\Windows\SysWOW64\Okfgfl32.exe	Oqacic32.exe
File opened for modification	C:\Windows\SysWOW64\Pkidlk32.exe	Okfgfl32.exe
File created	C:\Windows\SysWOW64\Faflglmh.dll	Okfgfl32.exe
File created	C:\Windows\SysWOW64\Poocpnbm.exe	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Llaemaih.dll	Cphndc32.exe
File opened for modification	C:\Windows\SysWOW64\Pjpnbg32.exe	Pgbafl32.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Acpdko32.exe	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Pkidlk32.exe	Okfgfl32.exe
File created	C:\Windows\SysWOW64\Aalpaf32.dll	Pgbafl32.exe
File opened for modification	C:\Windows\SysWOW64\Poocpnbm.exe	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Hkhfgj32.dll	Aaheie32.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Nlpdbghp.dll	Pjnamh32.exe
File created	C:\Windows\SysWOW64\Aeenochi.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Aijpnfif.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Bfbdiclb.dll	Pmjqcc32.exe
File created	C:\Windows\SysWOW64\Qngmgjeb.exe	Pndpajgd.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Lopdpdmj.dll	Cmjbhh32.exe
File opened for modification	C:\Windows\SysWOW64\Cbgjqo32.exe	Cphndc32.exe
File created	C:\Windows\SysWOW64\Pmjqcc32.exe	Pkidlk32.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Ajbggjfq.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Ckpfcfnm.dll	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Pjnamh32.exe	Pcdipnqn.exe
File opened for modification	C:\Windows\SysWOW64\Pfgngh32.exe	Pomfkndo.exe
File opened for modification	C:\Windows\SysWOW64\Pfikmh32.exe	Poocpnbm.exe
File opened for modification	C:\Windows\SysWOW64\Pndpajgd.exe	Pkfceo32.exe
File opened for modification	C:\Windows\SysWOW64\Amnfnfgg.exe	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Oghopm32.exe	926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exe
File created	C:\Windows\SysWOW64\Imogmg32.dll	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Qeaedd32.exe	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Bbgnak32.exe	Blmfea32.exe
File opened for modification	C:\Windows\SysWOW64\Pcdipnqn.exe	Pmjqcc32.exe
File created	C:\Windows\SysWOW64\Idlgcclp.dll	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Bmhideol.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Ofbhhkda.dll	Pcdipnqn.exe
File created	C:\Windows\SysWOW64\Aaheie32.exe	Abeemhkh.exe
File opened for modification	C:\Windows\SysWOW64\Aijpnfif.exe	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Acpdko32.exe	Aijpnfif.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Pkfceo32.exe	Pfikmh32.exe
File opened for modification	C:\Windows\SysWOW64\Ajpjakhc.exe	Aaheie32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
400	2148	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Pcdipnqn.exeAbeemhkh.exeAaheie32.exeBjdplm32.exeOancnfoe.exeOkfgfl32.exeAijpnfif.exeCbgjqo32.exeAmcpie32.exePmjqcc32.exeAmqccfed.exeAfkdakjb.exeBmhideol.exeBdmddc32.exeOghopm32.exeAgfgqo32.exeCkiigmcd.exeBlobjaba.exeBpfeppop.exeBlmfea32.exeBbgnak32.exeOqacic32.exePgbafl32.exeBbikgk32.exeBkglameg.exeCphndc32.exeCeegmj32.exePkidlk32.exePomfkndo.exePfgngh32.exePkfceo32.exeBhdgjb32.exePoocpnbm.exeQeaedd32.exeAjpjakhc.exeAmnfnfgg.exeAjbggjfq.exeCdoajb32.exeCpfaocal.exeCgpjlnhh.exeCmjbhh32.exePjnamh32.exeQngmgjeb.exe926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exePjpnbg32.exeAeenochi.exeBmeimhdj.exePfikmh32.exeBecnhgmg.exeBehgcf32.exeCmgechbh.exePndpajgd.exeAcpdko32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdipnqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oancnfoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqacic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbafl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cphndc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkidlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnfnfgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjbhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjnamh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe

Modifies registry class 64 IoCs

Processes:

Pkfceo32.exeAmnfnfgg.exeAmcpie32.exeBhdgjb32.exeOkfgfl32.exePgbafl32.exePomfkndo.exeBkglameg.exeCphndc32.exeCgpjlnhh.exeCmjbhh32.exeOqacic32.exePcdipnqn.exePjnamh32.exeCdoajb32.exePkidlk32.exePndpajgd.exeAeenochi.exeAijpnfif.exeQeaedd32.exeBlmfea32.exeCmgechbh.exePjpnbg32.exeAbeemhkh.exeAgfgqo32.exeAmqccfed.exeCbgjqo32.exeOancnfoe.exePoocpnbm.exeAjpjakhc.exeAjbggjfq.exeBehgcf32.exeCpfaocal.exeQngmgjeb.exeBpfeppop.exeBdmddc32.exeAfkdakjb.exeBmeimhdj.exeBlobjaba.exeOghopm32.exeBecnhgmg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naaffn32.dll"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okfgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll"	Oqacic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjnamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjnamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeenochi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgafgmqa.dll"	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkekdhl.dll"	Oancnfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojofhjd.dll"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmelgapq.dll"	Pndpajgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qniedg32.dll"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll"	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oghopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdneocc.dll"	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 2884 wrote to memory of 2720	2884	926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exe	30
PID 2884 wrote to memory of 2720	2884	926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exe	30
PID 2884 wrote to memory of 2720	2884	926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exe	30
PID 2884 wrote to memory of 2720	2884	926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exe	30
PID 2720 wrote to memory of 3048	2720	Oghopm32.exe	31
PID 2720 wrote to memory of 3048	2720	Oghopm32.exe	31
PID 2720 wrote to memory of 3048	2720	Oghopm32.exe	31
PID 2720 wrote to memory of 3048	2720	Oghopm32.exe	31
PID 3048 wrote to memory of 2700	3048	Oancnfoe.exe	32
PID 3048 wrote to memory of 2700	3048	Oancnfoe.exe	32
PID 3048 wrote to memory of 2700	3048	Oancnfoe.exe	32
PID 3048 wrote to memory of 2700	3048	Oancnfoe.exe	32
PID 2700 wrote to memory of 2660	2700	Oqacic32.exe	33
PID 2700 wrote to memory of 2660	2700	Oqacic32.exe	33
PID 2700 wrote to memory of 2660	2700	Oqacic32.exe	33
PID 2700 wrote to memory of 2660	2700	Oqacic32.exe	33
PID 2660 wrote to memory of 592	2660	Okfgfl32.exe	34
PID 2660 wrote to memory of 592	2660	Okfgfl32.exe	34
PID 2660 wrote to memory of 592	2660	Okfgfl32.exe	34
PID 2660 wrote to memory of 592	2660	Okfgfl32.exe	34
PID 592 wrote to memory of 580	592	Pkidlk32.exe	35
PID 592 wrote to memory of 580	592	Pkidlk32.exe	35
PID 592 wrote to memory of 580	592	Pkidlk32.exe	35
PID 592 wrote to memory of 580	592	Pkidlk32.exe	35
PID 580 wrote to memory of 2404	580	Pmjqcc32.exe	36
PID 580 wrote to memory of 2404	580	Pmjqcc32.exe	36
PID 580 wrote to memory of 2404	580	Pmjqcc32.exe	36
PID 580 wrote to memory of 2404	580	Pmjqcc32.exe	36
PID 2404 wrote to memory of 1680	2404	Pcdipnqn.exe	37
PID 2404 wrote to memory of 1680	2404	Pcdipnqn.exe	37
PID 2404 wrote to memory of 1680	2404	Pcdipnqn.exe	37
PID 2404 wrote to memory of 1680	2404	Pcdipnqn.exe	37
PID 1680 wrote to memory of 2976	1680	Pjnamh32.exe	38
PID 1680 wrote to memory of 2976	1680	Pjnamh32.exe	38
PID 1680 wrote to memory of 2976	1680	Pjnamh32.exe	38
PID 1680 wrote to memory of 2976	1680	Pjnamh32.exe	38
PID 2976 wrote to memory of 2860	2976	Pgbafl32.exe	39
PID 2976 wrote to memory of 2860	2976	Pgbafl32.exe	39
PID 2976 wrote to memory of 2860	2976	Pgbafl32.exe	39
PID 2976 wrote to memory of 2860	2976	Pgbafl32.exe	39
PID 2860 wrote to memory of 2352	2860	Pjpnbg32.exe	40
PID 2860 wrote to memory of 2352	2860	Pjpnbg32.exe	40
PID 2860 wrote to memory of 2352	2860	Pjpnbg32.exe	40
PID 2860 wrote to memory of 2352	2860	Pjpnbg32.exe	40
PID 2352 wrote to memory of 2780	2352	Pomfkndo.exe	41
PID 2352 wrote to memory of 2780	2352	Pomfkndo.exe	41
PID 2352 wrote to memory of 2780	2352	Pomfkndo.exe	41
PID 2352 wrote to memory of 2780	2352	Pomfkndo.exe	41
PID 2780 wrote to memory of 2424	2780	Pfgngh32.exe	42
PID 2780 wrote to memory of 2424	2780	Pfgngh32.exe	42
PID 2780 wrote to memory of 2424	2780	Pfgngh32.exe	42
PID 2780 wrote to memory of 2424	2780	Pfgngh32.exe	42
PID 2424 wrote to memory of 1580	2424	Poocpnbm.exe	43
PID 2424 wrote to memory of 1580	2424	Poocpnbm.exe	43
PID 2424 wrote to memory of 1580	2424	Poocpnbm.exe	43
PID 2424 wrote to memory of 1580	2424	Poocpnbm.exe	43
PID 1580 wrote to memory of 2168	1580	Pfikmh32.exe	44
PID 1580 wrote to memory of 2168	1580	Pfikmh32.exe	44
PID 1580 wrote to memory of 2168	1580	Pfikmh32.exe	44
PID 1580 wrote to memory of 2168	1580	Pfikmh32.exe	44
PID 2168 wrote to memory of 2216	2168	Pkfceo32.exe	45
PID 2168 wrote to memory of 2216	2168	Pkfceo32.exe	45
PID 2168 wrote to memory of 2216	2168	Pkfceo32.exe	45
PID 2168 wrote to memory of 2216	2168	Pkfceo32.exe	45

C:\Users\Admin\AppData\Local\Temp\926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exe
"C:\Users\Admin\AppData\Local\Temp\926d0e87cd6093dff7ecb49d3d1f5ab5892a271dabee5cccdcf5fbfc960e1648.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\Oghopm32.exe
  C:\Windows\system32\Oghopm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\Oancnfoe.exe
    C:\Windows\system32\Oancnfoe.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\Oqacic32.exe
      C:\Windows\system32\Oqacic32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Okfgfl32.exe
        
        C:\Windows\system32\Okfgfl32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\Pkidlk32.exe
        
        C:\Windows\system32\Pkidlk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Pmjqcc32.exe
        
        C:\Windows\system32\Pmjqcc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Pcdipnqn.exe
        
        C:\Windows\system32\Pcdipnqn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Pjnamh32.exe
        
        C:\Windows\system32\Pjnamh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Pgbafl32.exe
        
        C:\Windows\system32\Pgbafl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Pkfceo32.exe
        
        C:\Windows\system32\Pkfceo32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 140
        54⤵
        Program crash
        
        PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
163KB

MD5
071eb1abbcd531683d5f043527f9a4ce

SHA1
8bc859e9e2f7725e5df2a72a7be51e3ca78ecdf1

SHA256
4cf3807274f02eddb0a1c1d80da1e60b9cbd28d7259914570b1e1dbcd2dd2980

SHA512
f028aa05da280de99e83dee367ae6ab2e96813a31e59d110aa3314a3e24020f793f489418b91a306eaa6763f81d6c8a5049a14dc9c0a666395175fad07a764b1

Download Submit
C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
163KB

MD5
e951364c10b6479023828a927e3f35c6

SHA1
9f72c49f066819c9e0e35a968d7e6e0c78643c55

SHA256
0cfba9280030068c489ec4c81c1d57140210ee1b5ecfeb0db1691398b69342a9

SHA512
1cbe8e58f5d4c950daf16a1bf30ac6784304a4df3bac23ca09dec1f7f53c0a1ad6a12b20718aabf346f0d06ffcdeb15e9fe0c4b0a532e63744115b044427f6b4

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
163KB

MD5
50276d1afcafbdf9b5920b07a390d80a

SHA1
ac6d0c45851084578518adbd04b7ea2774d38028

SHA256
07151472167a0fa66599de62525dd10644cc1e0a45f7f856f4459c996c8fd1db

SHA512
13bab0edd194b82abd40566e9e16375b1906d7f8dfb3bc958ecc1e77c012006ac510ae5284361bcf8d5ead4306759cd3676ad64531394d174150fea4f3d5998e

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
163KB

MD5
484f929646ab37bd2a3381246ede6a40

SHA1
c61f8b73bb05b3f160dc0d74057e22ea457c13b8

SHA256
1d556d3c602c916c809f751e1799e19e85a326faa1a101e8c4405b30d733e118

SHA512
7eb92c02e471d5e4d86357a82285c7193bb664cc32706e657c503761c1edbb490ac1ec3452e3995f10dc6bf24df7c9d555d895d12a217237112a27b255c841b3

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
163KB

MD5
aba3a96ff877c4181685042fe72fe261

SHA1
6e739cd2c3f791c513ab4f2dd40aff124ce07738

SHA256
a8987b7567eb6336b1a225bcb89f9b9daa568788f90d0b2383e691a83803649a

SHA512
e2de19de327399ad35c5315a22c2c660051f2a8dc1a67672d24192cda8e7980cefb2e7bf59b9cdd42a98e9d13146298f9ef16eecff02c20495c83e49d76222c2

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
163KB

MD5
79e6abed772d90d61ca29e912cf47f46

SHA1
b5600ef8cae61657e4a6ca594e629fa5c4c1ee74

SHA256
9e644d9c839b4cc13249fb3633186e44df7ce46cbe6f6cf0ded3f24b7fd62939

SHA512
c96ed78cc32024e3cf2b24c44162da8e64875cbe06f4cffeade5ec9d67945791aca52873150c2f95e084211fd86d8728d2ae9e81e278026be8390403021fdd71

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
163KB

MD5
b2493682b6b3326cdff97cd896b63ac0

SHA1
2ddb5fa2f4b66cf959a988ced18e92fc8a6be933

SHA256
972781e48c648f6431f816bf627fc3e0159c5dee6792812fafd091239e742d8b

SHA512
764559a95ff7175edf592702b15c258d6d0ca08737345245108b447374967c9d62e88da97883036dcb6fdf4a012beb020dd3c5b3823d41202f0409fe211a8ab7

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
163KB

MD5
ddfe986070a3a52aa3cc38bf08a0f725

SHA1
83f1cd8daaf23158da62bfba847c69ee408d4ee8

SHA256
6d51ed8dc28fd55c56394ed8bb1c3744f014c631385c4a9cc885054ada926d03

SHA512
c0a8b26e0bfca523d9d49bfa483e262da92286f411b9bdb2e71985456f130794cfd844ce3b780041d8146588a3dd9184323a6931b53e4d0afa68fd33a0936cb5

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
163KB

MD5
6b51918a4ebffefe43a6fe1cf2f6d0fc

SHA1
cd770c344cc89a9daf4dc63ab397afdcf25d2cc0

SHA256
33ed9f6f004f2ed1e90186daba34c8915bbaad18688361997de3a5480fe8887a

SHA512
d16c53aaacb7147cc23c983390c9f92b92bfd8a748f1d961fa58674b4352e08be470869a5e69f7435838d3a383f5e56b1955a52dbc47f0d6ddd27364be1b3e15

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
163KB

MD5
83b64cb0a3d191292208ca480f023d27

SHA1
1e12ec03c12143a9a4340dfd8bdfb267544b2881

SHA256
ad451c1917427e5a6dbd43f11e3857215ec6cb8599f9976c4ebf076f8ddd214c

SHA512
4c8342142dae2c5ff6e63a811d1bbf48824131db1ec2ee0a1e947f6ed1e3657cd2c37d173208591cdfed13ea24b5e0ee736c7b6a7b01bbbc0083d0a623e673a0

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
163KB

MD5
351fcab0f39887b17680f20958627e0e

SHA1
06da01df2d22af902aaac25988d37aa23117fc13

SHA256
a0467561950c6e58ee776570081e1aa701f2d30db7097149966cde4f6471e027

SHA512
fd3405e0d78ed316bcfe44c907997d2ee436ac8ab1944040d9a532e872360aa2bccabaa25d440f242ba86f04d508dc89bf3a6bb7f03fe838219bcdad8056c8d8

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
163KB

MD5
ea3465ac78f606f7603e36545f8f9e03

SHA1
4f3f025c8907c870959a565c281e24f97202a2e6

SHA256
2a0a99a05c3e0b99e754e6b09ce2551fd6cc135271ec6d299b0729327592059d

SHA512
66860e7309bc89d9c27fece7fbc4c11094fe673054dc0e6d355b45d512d2cb8e2f0eeede0e669a61a202bc5052675b5954013d0a221b286a28d7fec88fdc157a

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
163KB

MD5
a27a2b7984da2345382ecd0d434b37ce

SHA1
d8c0cce2b25e0e4a4b3e2d1e343e4b62373d557e

SHA256
7322ea52218827a468292d518725eaf6376d0b1944250fc9fba904909c7360eb

SHA512
ceee9f148867660cf7eebe02c989c0426c054799e2155b7951300f0e1613ffc04a7dcd3244f0271f1ca7d43846a00b8270a8e6a150f0af410cbec97c554f5142

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
163KB

MD5
464f1a74a0ba73a1daee0552337bb6de

SHA1
478bffbe3419754342018a6770b10a68621e6959

SHA256
57c390f004590433f9147597cb81e877da55cad644312e7dc4bd927bd141f4ab

SHA512
5c21ed409eaa638981858cec4b0ca00a8c6f58a8b12ad97b39e8d64ab8a7f29d8820e72199dd0cd5bc8ef149fdd13de3849461089e72ca291b70f435ee2e1197

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
163KB

MD5
ed63b7560bebbf3cc6f176adf589ad46

SHA1
616204aab2aba7dc7fc71c19ddc5010b414435cd

SHA256
860deaffdd51ee57fe2eaa0a2262755e159b601b6484fa41207da108ae8aa914

SHA512
f8a6c73ccd63e61f1dd437b979c1aca84effea07aaa1bc34e734fe52e5fbda2b113a15a81405fa35c27c8bb64d64280506e1e0a5db85dd50b4c2e99f74655a7a

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
163KB

MD5
ef76f48a34fca40c9d8376b6a0c99260

SHA1
6ee26bd73cfc4c4c18f39d40f22d4261cfdd3d0c

SHA256
2aa116591bc0a0a2398c2f5fe8124072c0c0ea1cb4fabca573685969aa756bde

SHA512
e3102faed1ade22dbb93cc88f1e4d943dc2ae99a916597cab1d62cab95e8be02fabf9f0e7b14531a5a3de0c7916f708ba710d21da7444b68ce808d99c25a2ef0

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
163KB

MD5
85499df3653b4c4a7b728c36d3ddf573

SHA1
88f8785ec4af425943505f588566dcdb902f4438

SHA256
3c68cf1c6bf41e2b0fd62b020dc3abe7e3b974ef2fce1e8d514664c6179b76ca

SHA512
eef26e1e5ec474241e3ef9080fc24424a63b8c38ff21f653f5fb8faaf0cc052209880417ef0617794b1f4c12357ae82ff3278ac666de25cddb567fcf1850ebcc

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
163KB

MD5
c9b0820e2d0607a3123702f12a766613

SHA1
bce985ccce1650d834642b47ffe85720fec28adc

SHA256
f043d1b877b8db71dd50d508b2ce2860f280c7d1a1c9c29058f1c420470e806f

SHA512
6008cf870b687dff055c2ab9e3ee4c103d5887885b04e48692b3ab4d296c517b417926d9d4c75af26aa37748e20319e0add7295de1c50265b40cbd6e648a4018

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
163KB

MD5
f2b47b0003f732d243679462683e6011

SHA1
f6eb1158e6b7f6383c2976965dbea1a33b07961e

SHA256
bba4b4ad6fb7b3d2dedb56f76f1cc6ce09215893924549f60a242db351078d86

SHA512
9b110a69c40851d5dc98e78cf640cd47626400b0ddb334005819a1d880e8224c433c64bae62f94f07abf39e32df17f37b81b655c350d626687401210af600978

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
163KB

MD5
52cd5cf1423a0da798d2e51bd9ac4b2e

SHA1
3209db29582c801603526407d00b8e74c4f3225f

SHA256
a3e85118aac77c0c7fdc7c193f3f3a6e8521456d73076b81e032c17cc1b0d5a0

SHA512
2b6a1ba9945a1bac9401d684a8d63002722a8a2beb0eaeb5905fc3cdf92768357108e5ee5bc816cd93201454d551cba92afff75294a9c2d05e88ecb590f705e7

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
163KB

MD5
48df95434309c69df7ae9dec424c8b42

SHA1
0624f0f6dbd4a69002da3414d313a10a2259cfaf

SHA256
7fe4c3a0f513b66271a2773d06e6ba641b8c4ca8e1255ea87c9e150ded3051be

SHA512
23290a94f7821aef3a33f01dd52f324bfb8b364de48e07f23f56aaa700bd760df31f3b6586a92aa375ed9dea6a844285416ac9e57e6e3f176b28dd46eb68569b

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
163KB

MD5
6c1190685713e890b0d074f75065def3

SHA1
5a3d8f21188a371e416139c9e9e6aef6485e48c9

SHA256
7b322d1654d9ac29cb2a160be89a10f244d15f0da0738520786c85cde4e6f53e

SHA512
b985f64a082e8ddde32e10a8747a05bb4a8944213fa57ad21d589ea367d49109d15cdb671483e7a4ce3536206d8db13d14c8903629103326cb6fe33c07bbfed9

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
163KB

MD5
c84679eb00632361ea300eb5b8934284

SHA1
c5f01a0212bddabefe40585058347098933517ea

SHA256
e22edface51b17773221a1576b5007e43b3fc531501e7d48d5682861ff19cfee

SHA512
89e57dead645f6daf3d59691299e964f400bd4eaf7ae0917dc07d23a7f5dbfd0d55d8fbd0ce83874a5e3029bb25ed961a450ec6088a1630898fbbaf11baca107

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
163KB

MD5
4c4004cf8b6f9b27ec680c424ccb5888

SHA1
9d98b75b4e0f3a40bff582bb5e50222a3cf0bd2b

SHA256
90061bf8b5aa356daa70d887011f7280c50746e0a37793a1634f59a38d93d1ab

SHA512
b7c8d1198766ed9a0f1985ffa39843285dfd6e54398b5fc23cb3f228484b1ab7f2a7eedde75a004ce02db0e3694fbd19a9df95096beefbd8bd7461e00ae375c6

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
163KB

MD5
98781b2dedbd176f4ddb3dc271f01e42

SHA1
bc93e8434d1ce900742574bb9db688cbe60452ef

SHA256
a83afe5177b6c6e3f3d3b6b9ebfcb8435e612174fe4aeeabb84d151afeca4148

SHA512
a2fc40e980adcd7bfc456624438e5f708438e6c30150bae32e397bb0296a88a11e6962c9927de08b161583d05f35d88e3d716d5e314e1f3f8a202f5f3e925a48

Download Submit
C:\Windows\SysWOW64\Cbgjqo32.exe

Filesize
163KB

MD5
bf951f4723dfa001630a46c52577ceb4

SHA1
05b5b7115b06a31d7d3429fbc339abe9618c3c6b

SHA256
cb95f92cda8ac3e32424a68cdd4dbb18699eee168cea74349bfc932c50504f27

SHA512
9ab051997b6c148768ed1c485e496bc4c086cf8eb8defab083ced9bf78a239527cc96f3ba0279e666cf59821f763e5f75e0c857172911f6564652258a84e66c1

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
163KB

MD5
3d733d7ae03768f4add27f7d97e83e9b

SHA1
93d54d08fbaef2ffa7645bc052277d17df3f2472

SHA256
b8cbf265d02ba15b08023a137ce1c746fc258594e79b4c447cdabfe2babd5c6e

SHA512
fede2db7bafd79f1ca07ebd02a4500213da3b226a58e0340c4597577507fba63ba122e67d0f35315dc9d09f6588943fc498e1d8dc2c820bb6ad12cd6e75a4ad6

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
163KB

MD5
2bc153970a448d290501950bf32e3f84

SHA1
b986ddfe7939d60f8d0ca5cb535edda973026660

SHA256
795571c98e349ef03a7bc3cd9dd95c98a34a9ab1d0d048025f3e1fc555a04563

SHA512
b680c67dffdd4c692be975a351d84e0361e14d014377add998d4ba316896dbcbc803063129b5e5aa5385c7b062bb5e4d320e1d39bba5de749ce452aac7a86930

Download Submit
C:\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
163KB

MD5
fa71e26c467ed6c24a738a4f83f8d5e9

SHA1
adf81202904e08276d0aec274259d9acb8318d67

SHA256
3434407e7ce72cac21dd42867eb7c22cde695fbb9283386e01ce92c51a46ffa8

SHA512
28367f1c9e84ab1f870c584da5b221a16dcfdafa77c2cff7c9dfdabf231a4b8377e4634aafd73a30f7fe0106b2cd397fceb7ee4a966bcd516419b8280e6147d6

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
163KB

MD5
f4315024d626f008aa57572449b396cb

SHA1
2c58b0d38a59e3837f646843d7dd67b8690b52f3

SHA256
e8024d7c0e36084f8d0bf92f50933e1d1ee36c1e4ebf013c33ece7f8787fb1ec

SHA512
868e389060f9bbee54c88de5458cddce22729c2c8dc3978e6753ad36dc30c35e7df588b9c7ab1fc2b56c15612d3f07c460829ca5be3847eb0dff183ef4ff5010

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
163KB

MD5
ddc359713bf905b077b62e30b2576894

SHA1
db625403281b2617c91791c83e4c060289c934d5

SHA256
ba87b9ec4a47bdd3a6e34cf61c1021d47540b91daa9ec071cbb8c13245701e59

SHA512
7eeb26bf5ae10860798ade1e82c025e97c268470f2edbc293319a938a140d4ee9dcac8a9e1e3cc9892fce5b1d0df2c5c593ee51f90302842049b83becf0beb86

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
163KB

MD5
f3ce346baac2687ed3be337e44e67170

SHA1
58ba1df46252dc055215d52710758220756da436

SHA256
e943ac69dbd97275f5ca02f03910cef64690eb268d1ce37af84af30b36eb561c

SHA512
a698d9d450318e239fe0cd6d08594057338c69975c1f768b55c64143c3719baf7873059b121e418efefe976a3635f32ecffdddb1c623708c9e4a8a3ff9202ca0

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
163KB

MD5
b3e9b1f238601e777d9e9aff72a5ec2d

SHA1
c692d8a3261b8756834a7c8112f10283ee789ebb

SHA256
b99fa2d141ee338547649ebaafb141b7a9cf5482cf27ab73393791d6bfdd4f2d

SHA512
a6ccfd704ff6b6724841b64ff4e527c29838d7f70a91717baf50fd6df17f4556fcf01ea9497963a3e75e540598744bcc65597b0299e4408f34d4033661c6858c

Download Submit
C:\Windows\SysWOW64\Cphndc32.exe

Filesize
163KB

MD5
202b8d7c3e2f397d03d7fef7ed8e4c17

SHA1
8c9c86a9ff14939d4450a017db4597925102ab1f

SHA256
f9155eff08d850c38f00b9b4853e0ed1068dc91469ebd9bb3879cb4228c8f06c

SHA512
1727171120a140f2efd89ff175dcaef9224051eadf5eb1f075ed8d5b66797c2bcae7528cfba0dc687a6698dc51d1bcf386d5e1518bda46b3178cbd1ac1a7db36

Download Submit
C:\Windows\SysWOW64\Oancnfoe.exe

Filesize
163KB

MD5
a2ce42ff38c35c003f38380d1ada93da

SHA1
449538bd38adfee2bd011d12482e9456002c6204

SHA256
c69856eb12af3519a35365b63067a6a8e291398101ac7ca44171a9c12a0ef3f4

SHA512
3f4ef50cf1727a230891702176535b1b0902bf10018de5dd7ede4e592ab09dcbde507b4dd3b974b3d90b8a0ee00de478db92f5c013b0c6c101179ce9f42286b1

Download Submit
C:\Windows\SysWOW64\Oghopm32.exe

Filesize
163KB

MD5
9f46eeb5803567685f4d308d7327ab66

SHA1
8f085e265ffc9613cd067f6a74d85b75d192472e

SHA256
6d8e66ce00caef05981f4cd98f7a9752f274805bdc922c1ae44ef3e2d44308b9

SHA512
54a92cddf12e4916f21f6a2fc7edb9a1c8311d8b7d236e5e26202b4e4b8941ca253c2cf464d849d3b9e23ccfdf4c406a8debe34995f1a3ff504980e2cd90a7d6

Download Submit
C:\Windows\SysWOW64\Pmjqcc32.exe

Filesize
163KB

MD5
a6b22f45fd84721562a6e51f9fd5e135

SHA1
b66a26ba4e143bd9c8890507de07fc207f51f3b6

SHA256
354006208cca459f5617fab4e2a91e36f40736dc122c6be35579d4249b7988ac

SHA512
7d2b8adea5120c70264a2c2519381d67ee97b741b33eaa990d42c26ebf7fe5c4434c91162c3b4fdcbb8951a3e8b2a9a9a014ddcb794019a0bfcac02dd9e1bdc5

Download Submit
C:\Windows\SysWOW64\Pndpajgd.exe

Filesize
163KB

MD5
cc8d0ed9b5be31c45c4f83509d43dfd3

SHA1
5cb50a8559274db2aab9b5145c2232db71a49051

SHA256
af9e8d60ba199b265fc289373bd23080cc2ba938aa0827609b44d81fabc4a7ed

SHA512
14c189d4f0fbed9925c29a16b225de9cc6a931acc97af80bb3e3f29329c69e704e71e248d32300392334cbe1e7ec33f22e4fd911f7b4594f9517709d77b14f4c

Download Submit
C:\Windows\SysWOW64\Qeaedd32.exe

Filesize
163KB

MD5
947528a1424ec1303270ead506bf9caf

SHA1
4e4e45c80b62bf139dbaa3c8147e3eeaa5f40b72

SHA256
e077d444dfc9475bfac8ea34036046d3155c1c85af83dace9acf7de1e184319a

SHA512
c712eb91b99abc7b3b5d1894c07ce65642de216c9b2956740ee1fd6c2edb61778ca553df2e2810b60b1d48967948531c4385759beaa2b7e0f36953fccd82770e

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
163KB

MD5
118b1a9fdc339bc9ed5ebd32aef92e2b

SHA1
ab8e4068c3f30a197d8b98a010b68b2036c73747

SHA256
200aa7a6bf90f23ad8ada9a72bfb80867083f6f2ed32c482356cd9b831df6d24

SHA512
156da0f39cdc384a1ad317f2bf185786a1bb7a4d9350b93c5d6a617a42c94ccd024869b3beb957043d22a0a30ace1006a2cbba7a26636d8b41c34612e8359e8c

Download Submit
\Windows\SysWOW64\Okfgfl32.exe

Filesize
163KB

MD5
240853a4723965d81d3295fef81549b7

SHA1
c1f7dc92b935f290a0fa756013a2abacc524bd28

SHA256
05b097c493d89e500a9dcd994ab6a3e97f9f765512d7edee5f4b141f4f93236e

SHA512
a1da5f21552f922c0d838d8c77ee8b9ad611013d53dc02d964296469aa60a62c395037eb9bc43bc14cf7c2cb6d97d972e97317cf0a3bf5fc5d605db2d6833a72

Download Submit
\Windows\SysWOW64\Oqacic32.exe

Filesize
163KB

MD5
8da8643825c94d96bca0b849f4570420

SHA1
5cd3d1b218daed74bac062aa28fd2f5218401092

SHA256
d73d42999f71278056b045babf0d8a54fb37792028d28c57cade053097316680

SHA512
6ff1d45d860221578fbe0b2ac47b5e3798b65615518d2f9142b295c82c7764b6db95892da9768451492b0b52df031b8735d4c82d4cc80428a777edb102c757fd

Download Submit
\Windows\SysWOW64\Pcdipnqn.exe

Filesize
163KB

MD5
3f2b935f9a11fc2ec47d36bc2664ffcf

SHA1
3c9b9176844f5c1472cf1fede3e3c81198a6d20a

SHA256
ba28dee8d9d24abf7ec5ff1dc440d4ed02d449e9106a546b5e080d01461dfca7

SHA512
698c1f9e51b5a58fa5b3b65b91ae36e2d2f7c4e92ce26a42f3d905663f5a7abad8b9b93fb15108e47d7310b6f8116afa5f4821f0ddd0a542e017c428879ae5b5

Download Submit
\Windows\SysWOW64\Pfgngh32.exe

Filesize
163KB

MD5
0f7ea9c50e9de309285ebb33e8aa34fa

SHA1
9f09ce5c4dbdb263dbe61386919e434f41eba195

SHA256
93da3e21591ce8f198a171eb0e04fd86566a992a83f2591e08f692b7c1323690

SHA512
619d5730764ba98eff453a122a171786c4835db35e2d0453198046cf94ca47f0799627e7213cecacc3662cde34c54d9c98331d2f0fd6af7ff998dcf0df2a0596

Download Submit
\Windows\SysWOW64\Pfikmh32.exe

Filesize
163KB

MD5
fcceb6899ab0ffb6fb957a9c9b66b12a

SHA1
effdbf573288b94372704efb74c9b1b478b9e08e

SHA256
bc8a75ef7f1e39d50452a71778fe0dbada42b3ac25a8f7326e1a2cac826e3686

SHA512
aaa6fa39620554a88e173a234ca8f9523dfca0b15f0febb9ff6d1f966b3b9e35e3691fceebcce7ab864b7797ec697e5038dc38b35511a6c6525b57119f86d517

Download Submit
\Windows\SysWOW64\Pgbafl32.exe

Filesize
163KB

MD5
645a8b3196a183ab7990f145a9c12e48

SHA1
3a1ed08d28b8c5b4ee1e5261882826644a65c5d6

SHA256
695d9ab99efbe359d702766aff2e77d45577618d3187bffd4c78c1743dcf23e3

SHA512
12da844ef380dcdab7b986177782280f6833e511551ee2514ec3393231e047358339fdf8138155875ae53f27e2ffc1b2a6f74141494726773c090e82361a310d

Download Submit
\Windows\SysWOW64\Pjnamh32.exe

Filesize
163KB

MD5
7eec5bc48edc8380a5b7338c0819d5a4

SHA1
c043b1cc2a599f5cf42df47711fbbc00850308cf

SHA256
50d098726cf5bf4a54a85cbb2978d6b523803aae118cb0080604ca73cf87fc44

SHA512
7a997c521be75a8e5d9389e1f4ea1198415fcdd8c4f78c1c0f4036a43be167be281941dfc39252a817878939b05fe326fbcb0e272bb3f9700c6f82cf7377fe6c

Download Submit
\Windows\SysWOW64\Pjpnbg32.exe

Filesize
163KB

MD5
f10383fc6740f28a68c30eb774917e5b

SHA1
f34123d5d75aebb4edde55b88259d9ef7c54708a

SHA256
0d33ed3001ef3b15da95326921ef70f0508647779cff51fc0f62117ff3c47102

SHA512
d3fbb193c6bc4fb9e770790d63f242c413baff7c94c9db4ec9be9e4a09fc4d2bbfd12cb005209932efee2ba3f6612cab0cbd0ed06bf29a14427fa1d97b0d07ba

Download Submit
\Windows\SysWOW64\Pkfceo32.exe

Filesize
163KB

MD5
49e24150e1eedb1464f17208a33b4a80

SHA1
6360bbdc359b89978b237e61242811fd5518ea0e

SHA256
667a8c3dab54286dfaab87bdc141f83b7228344c77035f434662e5556fefb45c

SHA512
3f26080f4922efff91f54e30a01ee2679de94212f023b0ed284f0101102a333056a4e19a49fd749ef1419e2f11286a1de893ef6fde2c4dce6a6cee843423e446

Download Submit
\Windows\SysWOW64\Pkidlk32.exe

Filesize
163KB

MD5
8b38047c7f807869ce482779af4c888d

SHA1
cf4961a9141715d2af2c1e99f1b6b4f48ebecb8c

SHA256
dcdeef866a0d2514d2f80a71cc96b7f2a293b1854d10ad9ba24694b3f8e46f2a

SHA512
d0950078d18054b2ec68cf06ad53510dae0f0b81ac43f1961db9c1d9e51c8b358026d84e36cc3f6233f80c7cc67e39219bd95486b087e4842475ac3bda9b0c4a

Download Submit
\Windows\SysWOW64\Pomfkndo.exe

Filesize
163KB

MD5
b1a7ad098532688dd3cd207292a66546

SHA1
3c65e494cf8b1636de02b19b3acec2e01b6f41c9

SHA256
bfc2ea646fb30a98c163e179cf22587412fcec53d60626ed3895722c953a220b

SHA512
45c61332b73dbc3a0d2f6803db15164e8c455d4ebdf54783b8c4bb4fd4311e00a2809a6578a8273b595b996ea1e6ad7d900c8c824fb3bdf5c58164ca20605fe2

Download Submit
\Windows\SysWOW64\Poocpnbm.exe

Filesize
163KB

MD5
5ccf0fe88f0c3de129010da64634bfd5

SHA1
d4f08bafc2face03cb850e4ae4c6f8decc6a397b

SHA256
281e405feecc87f726a8b337925fb6c681c4fc4aa614f050ca5e47a512b4dd5c

SHA512
36e17367c865243439342af4940072ab383df894a857537452e4edb9619d926d28821afdb0d3a7de9f6a041c30b334e74ab454f69966336b7a873d07ddeee783

Download Submit
memory/580-91-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/580-95-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/580-82-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/592-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/796-368-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/816-392-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/868-519-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/1060-502-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1060-504-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/1060-509-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/1108-483-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1108-485-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/1108-634-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1148-497-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1312-286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1312-292-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/1312-296-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/1420-437-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1516-253-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/1516-243-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1516-252-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/1536-273-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1536-274-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1580-518-0x0000000002020000-0x0000000002073000-memory.dmp

Filesize
332KB

Download
memory/1580-191-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1580-204-0x0000000002020000-0x0000000002073000-memory.dmp

Filesize
332KB

Download
memory/1580-203-0x0000000002020000-0x0000000002073000-memory.dmp

Filesize
332KB

Download
memory/1580-508-0x0000000002020000-0x0000000002073000-memory.dmp

Filesize
332KB

Download
memory/1620-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1620-324-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/1620-329-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/1680-122-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/1680-110-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1704-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1704-285-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1704-284-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1908-258-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1908-260-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1908-264-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1920-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1920-354-0x0000000001F50000-0x0000000001FA3000-memory.dmp

Filesize
332KB

Download
memory/1920-350-0x0000000001F50000-0x0000000001FA3000-memory.dmp

Filesize
332KB

Download
memory/2096-393-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2096-402-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2148-622-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2168-211-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2168-218-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/2176-449-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2176-455-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/2216-220-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2216-227-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2216-231-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2232-478-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2232-632-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2232-469-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2256-618-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2272-307-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2272-306-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2272-301-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2332-628-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2352-156-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2400-241-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/2400-242-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/2400-236-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2404-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2424-189-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/2560-361-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2560-362-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2560-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2564-317-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2564-308-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2564-318-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2632-340-0x0000000000300000-0x0000000000353000-memory.dmp

Filesize
332KB

Download
memory/2632-330-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2632-339-0x0000000000300000-0x0000000000353000-memory.dmp

Filesize
332KB

Download
memory/2644-619-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2660-407-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2660-55-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2660-63-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2700-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2700-49-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2720-14-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2780-171-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2780-164-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2860-467-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2860-468-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2860-144-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2860-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2864-408-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2884-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2884-367-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2884-12-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2884-13-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2920-423-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2976-124-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2988-382-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/2988-373-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3016-417-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3016-422-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/3048-27-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3048-35-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/3048-383-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download