berbew | 64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
Size

64KB
MD5

baf07a48182a918f74fbb0cc9c39b4f9
SHA1

c4743124d1719c1a7531d14d95f2ae65b1122c7a
SHA256

64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3
SHA512

08fa74b4d24a71e3df8b260cbde904c30f1e93e3948aa31e9ef1b46f51dcce9778226187fe5e7e91e5f1c4864a7204e6bb5ab8b05431d7e0ff0877d5aaff387d
SSDEEP

768:7f2MRLmZaWc0egAiSgVkrr0qnQ/1H526XJ1IwEGp9ThfzyYsHP:7fRRuaN0egAfgy3RWBXUwXfzwP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pckoam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pckoam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeenochi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 35 IoCs

pid	Process
2756	Pjbjhgde.exe
2892	Pkdgpo32.exe
2684	Pckoam32.exe
2296	Pbnoliap.exe
772	Qflhbhgg.exe
632	Qgmdjp32.exe
2120	Qodlkm32.exe
2912	Aniimjbo.exe
1204	Aecaidjl.exe
2964	Akmjfn32.exe
2612	Ajpjakhc.exe
2020	Aeenochi.exe
3068	Ajbggjfq.exe
2192	Ackkppma.exe
2308	Ajecmj32.exe
800	Aaolidlk.exe
1292	Acmhepko.exe
1784	Ajgpbj32.exe
968	Alhmjbhj.exe
2992	Abbeflpf.exe
1736	Bilmcf32.exe
904	Bpfeppop.exe
1944	Bnielm32.exe
1804	Becnhgmg.exe
2636	Bnkbam32.exe
2792	Biafnecn.exe
892	Bhdgjb32.exe
2884	Behgcf32.exe
2520	Bdkgocpm.exe
536	Boplllob.exe
2416	Bdmddc32.exe
2268	Bfkpqn32.exe
1520	Baadng32.exe
2532	Cmgechbh.exe
2936	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2848	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
2848	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
2756	Pjbjhgde.exe
2756	Pjbjhgde.exe
2892	Pkdgpo32.exe
2892	Pkdgpo32.exe
2684	Pckoam32.exe
2684	Pckoam32.exe
2296	Pbnoliap.exe
2296	Pbnoliap.exe
772	Qflhbhgg.exe
772	Qflhbhgg.exe
632	Qgmdjp32.exe
632	Qgmdjp32.exe
2120	Qodlkm32.exe
2120	Qodlkm32.exe
2912	Aniimjbo.exe
2912	Aniimjbo.exe
1204	Aecaidjl.exe
1204	Aecaidjl.exe
2964	Akmjfn32.exe
2964	Akmjfn32.exe
2612	Ajpjakhc.exe
2612	Ajpjakhc.exe
2020	Aeenochi.exe
2020	Aeenochi.exe
3068	Ajbggjfq.exe
3068	Ajbggjfq.exe
2192	Ackkppma.exe
2192	Ackkppma.exe
2308	Ajecmj32.exe
2308	Ajecmj32.exe
800	Aaolidlk.exe
800	Aaolidlk.exe
1292	Acmhepko.exe
1292	Acmhepko.exe
1784	Ajgpbj32.exe
1784	Ajgpbj32.exe
968	Alhmjbhj.exe
968	Alhmjbhj.exe
2992	Abbeflpf.exe
2992	Abbeflpf.exe
1736	Bilmcf32.exe
1736	Bilmcf32.exe
904	Bpfeppop.exe
904	Bpfeppop.exe
1944	Bnielm32.exe
1944	Bnielm32.exe
1804	Becnhgmg.exe
1804	Becnhgmg.exe
2636	Bnkbam32.exe
2636	Bnkbam32.exe
2792	Biafnecn.exe
2792	Biafnecn.exe
892	Bhdgjb32.exe
892	Bhdgjb32.exe
2884	Behgcf32.exe
2884	Behgcf32.exe
2520	Bdkgocpm.exe
2520	Bdkgocpm.exe
536	Boplllob.exe
536	Boplllob.exe
2416	Bdmddc32.exe
2416	Bdmddc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pjbjhgde.exe	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
File created	C:\Windows\SysWOW64\Jmogdj32.dll	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Ajecmj32.exe	Ackkppma.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Nodmbemj.dll	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Qflhbhgg.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Aniimjbo.exe	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Pkdgpo32.exe	Pjbjhgde.exe
File created	C:\Windows\SysWOW64\Pckoam32.exe	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Qflhbhgg.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Qodlkm32.exe	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Aecaidjl.exe	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Aaolidlk.exe	Ajecmj32.exe
File opened for modification	C:\Windows\SysWOW64\Aaolidlk.exe	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Bmnbjfam.dll	Acmhepko.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Akmjfn32.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Biafnecn.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Pckoam32.exe	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Ffjmmbcg.dll	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Aeenochi.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Pkfaka32.dll	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Emfmdo32.dll	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Ackkppma.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Naaffn32.dll	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Ajbggjfq.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Pdiadenf.dll	Bnielm32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Qgmdjp32.exe	Qflhbhgg.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Gdplpd32.dll	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
File created	C:\Windows\SysWOW64\Nacehmno.dll	Qgmdjp32.exe
File opened for modification	C:\Windows\SysWOW64\Aeenochi.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Pbnoliap.exe	Pckoam32.exe
File created	C:\Windows\SysWOW64\Plnfdigq.dll	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Doojhgfa.dll	Qflhbhgg.exe
File opened for modification	C:\Windows\SysWOW64\Ackkppma.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Pqncgcah.dll	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Bnkbam32.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Cenaioaq.dll	Aeenochi.exe
File opened for modification	C:\Windows\SysWOW64\Ajgpbj32.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Abbeflpf.exe	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Pbnoliap.exe	Pckoam32.exe
File created	C:\Windows\SysWOW64\Hkhfgj32.dll	Akmjfn32.exe
File opened for modification	C:\Windows\SysWOW64\Alhmjbhj.exe	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Ennlme32.dll	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Gmfkdm32.dll	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bnkbam32.exe
File opened for modification	C:\Windows\SysWOW64\Ajecmj32.exe	Ackkppma.exe
File created	C:\Windows\SysWOW64\Acmhepko.exe	Aaolidlk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3008	2936	WerFault.exe	64

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkdgpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflhbhgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aniimjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmdjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll"	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koldhi32.dll"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnbjfam.dll"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhfgj32.dll"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojhgfa.dll"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnfdigq.dll"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll"	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naaffn32.dll"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll"	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmani32.dll"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bfkpqn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2756	2848	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe	30
PID 2848 wrote to memory of 2756	2848	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe	30
PID 2848 wrote to memory of 2756	2848	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe	30
PID 2848 wrote to memory of 2756	2848	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe	30
PID 2756 wrote to memory of 2892	2756	Pjbjhgde.exe	31
PID 2756 wrote to memory of 2892	2756	Pjbjhgde.exe	31
PID 2756 wrote to memory of 2892	2756	Pjbjhgde.exe	31
PID 2756 wrote to memory of 2892	2756	Pjbjhgde.exe	31
PID 2892 wrote to memory of 2684	2892	Pkdgpo32.exe	32
PID 2892 wrote to memory of 2684	2892	Pkdgpo32.exe	32
PID 2892 wrote to memory of 2684	2892	Pkdgpo32.exe	32
PID 2892 wrote to memory of 2684	2892	Pkdgpo32.exe	32
PID 2684 wrote to memory of 2296	2684	Pckoam32.exe	33
PID 2684 wrote to memory of 2296	2684	Pckoam32.exe	33
PID 2684 wrote to memory of 2296	2684	Pckoam32.exe	33
PID 2684 wrote to memory of 2296	2684	Pckoam32.exe	33
PID 2296 wrote to memory of 772	2296	Pbnoliap.exe	34
PID 2296 wrote to memory of 772	2296	Pbnoliap.exe	34
PID 2296 wrote to memory of 772	2296	Pbnoliap.exe	34
PID 2296 wrote to memory of 772	2296	Pbnoliap.exe	34
PID 772 wrote to memory of 632	772	Qflhbhgg.exe	35
PID 772 wrote to memory of 632	772	Qflhbhgg.exe	35
PID 772 wrote to memory of 632	772	Qflhbhgg.exe	35
PID 772 wrote to memory of 632	772	Qflhbhgg.exe	35
PID 632 wrote to memory of 2120	632	Qgmdjp32.exe	36
PID 632 wrote to memory of 2120	632	Qgmdjp32.exe	36
PID 632 wrote to memory of 2120	632	Qgmdjp32.exe	36
PID 632 wrote to memory of 2120	632	Qgmdjp32.exe	36
PID 2120 wrote to memory of 2912	2120	Qodlkm32.exe	37
PID 2120 wrote to memory of 2912	2120	Qodlkm32.exe	37
PID 2120 wrote to memory of 2912	2120	Qodlkm32.exe	37
PID 2120 wrote to memory of 2912	2120	Qodlkm32.exe	37
PID 2912 wrote to memory of 1204	2912	Aniimjbo.exe	38
PID 2912 wrote to memory of 1204	2912	Aniimjbo.exe	38
PID 2912 wrote to memory of 1204	2912	Aniimjbo.exe	38
PID 2912 wrote to memory of 1204	2912	Aniimjbo.exe	38
PID 1204 wrote to memory of 2964	1204	Aecaidjl.exe	39
PID 1204 wrote to memory of 2964	1204	Aecaidjl.exe	39
PID 1204 wrote to memory of 2964	1204	Aecaidjl.exe	39
PID 1204 wrote to memory of 2964	1204	Aecaidjl.exe	39
PID 2964 wrote to memory of 2612	2964	Akmjfn32.exe	40
PID 2964 wrote to memory of 2612	2964	Akmjfn32.exe	40
PID 2964 wrote to memory of 2612	2964	Akmjfn32.exe	40
PID 2964 wrote to memory of 2612	2964	Akmjfn32.exe	40
PID 2612 wrote to memory of 2020	2612	Ajpjakhc.exe	41
PID 2612 wrote to memory of 2020	2612	Ajpjakhc.exe	41
PID 2612 wrote to memory of 2020	2612	Ajpjakhc.exe	41
PID 2612 wrote to memory of 2020	2612	Ajpjakhc.exe	41
PID 2020 wrote to memory of 3068	2020	Aeenochi.exe	42
PID 2020 wrote to memory of 3068	2020	Aeenochi.exe	42
PID 2020 wrote to memory of 3068	2020	Aeenochi.exe	42
PID 2020 wrote to memory of 3068	2020	Aeenochi.exe	42
PID 3068 wrote to memory of 2192	3068	Ajbggjfq.exe	43
PID 3068 wrote to memory of 2192	3068	Ajbggjfq.exe	43
PID 3068 wrote to memory of 2192	3068	Ajbggjfq.exe	43
PID 3068 wrote to memory of 2192	3068	Ajbggjfq.exe	43
PID 2192 wrote to memory of 2308	2192	Ackkppma.exe	44
PID 2192 wrote to memory of 2308	2192	Ackkppma.exe	44
PID 2192 wrote to memory of 2308	2192	Ackkppma.exe	44
PID 2192 wrote to memory of 2308	2192	Ackkppma.exe	44
PID 2308 wrote to memory of 800	2308	Ajecmj32.exe	45
PID 2308 wrote to memory of 800	2308	Ajecmj32.exe	45
PID 2308 wrote to memory of 800	2308	Ajecmj32.exe	45
PID 2308 wrote to memory of 800	2308	Ajecmj32.exe	45

C:\Users\Admin\AppData\Local\Temp\64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
"C:\Users\Admin\AppData\Local\Temp\64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\Pjbjhgde.exe
  C:\Windows\system32\Pjbjhgde.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\Pkdgpo32.exe
    C:\Windows\system32\Pkdgpo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\Pckoam32.exe
      C:\Windows\system32\Pckoam32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 140
        37⤵
        Program crash
        
        PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
64KB

MD5
1f74f0c0116865747cf6acc86c15b694

SHA1
e579bd65075aa780f8de3b2711bf0a7f946c1d29

SHA256
88510937fdcbf80c806552628f38426f799fe02b608c8632dff267b412c6c361

SHA512
4b5700bf7d4859723d792206a441b29a6a38e6c7b86b0e69dd6ff0d1fda9d610681b7a5954a5a2c283601f8f80d9469fa85f9f4e9833c13d7f2c25e26cdcf83b

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
64KB

MD5
8214bda14cbd701771dd89503bec4303

SHA1
cdac351848b813de09fe0c3f4b3b586693a938d7

SHA256
a980a2ac48fb3911c05d7240595e0354fab4ecf591562a6c13d213e251b3ba57

SHA512
422900f2f0474a8faa51d0cfe063c0876fbfa6d17e3372bc0ed4ac2c24fd18f4f1d851c4d6e28bcb6e5db4d30d2dffbd7301685acc01ac3a3c850c244a646b79

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
64KB

MD5
58471fdbb49f05abab4b6960a9010131

SHA1
e48dc49934fc8f8ec5c666b6c85819b655df4481

SHA256
8d98f20468c61b26b28a91b4625c139017f3705239e9cd4ffa50b7d06799ad4e

SHA512
46148785c2aef6ccff182b4db98aa682538e109cff356b45bcc864049d3803780142242da1fb27919cc2f88ab070f5d12cccc3c4b97ff699e9009519abc2054d

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
64KB

MD5
2f0b68c5b77c37dd5fec87c6beea4785

SHA1
1ce15ec3378bd61ae03435d91a3094f31f0c0f8c

SHA256
7d6a041e0dddb44142c25231fa4fbc105c8b05fbfa43f12874069d98dd3ae3c1

SHA512
592d0d5893c2608ee4622d59722e33909c0a841a0e335ebe344652487992fd266814cd74f78da4908349281b57bcf8931a622b3b9b5238fa5d93e7c16cdad4be

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
64KB

MD5
cc0a7a10d799946ec709121ac17f2a31

SHA1
ce34003a1b2e0cede287502f5511aa80851f38c8

SHA256
61ef031fdd455bb32bc74d8c70e5cce14c493288edff878d7f6cb239ca5b2de6

SHA512
c35e7f56c0bea4bd34627637449e564b9c287a7af4826ff3959c798d6f46c8d9064db94d21e4e68653d14a3f9454e993a69caaed8471b461ce6b2def63b929d0

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
64KB

MD5
1255e69bede0bbd35fe847af69cf52e8

SHA1
3805645017257cb25d234c3ea16558e3c71b14da

SHA256
c1a036aa216288b8cda3bbc47f65d0ec4992d1feed095f80c7ec90e2bcd244e5

SHA512
31517a59d177aaac9ecba38638f4e1b942227c5ad427bbce4aada157dcacac53cdc54795a8643cc0633d03e32683a91681cca44a78eb5609f6bd238b98653314

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
64KB

MD5
13df68ec87b05e07c1272e98b18ae266

SHA1
a872a09f70b268f77942262bfd95f5c4600fb497

SHA256
5c31d85575f1de02332f33769a71b2a554e0a2f6e853fbf366925910861281f5

SHA512
acb08f3036dafd9f892d6560c05d3857137db9e263bb1742722ce0808d378845d02931aafb52996518d23eb4384bff31bf1adcd59a6211a0757950fc8aa9bab9

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
64KB

MD5
a0dfd961e35bbb1e8bc42400b785de5f

SHA1
dd5f140b834aa770e0abac994bcb51bbd5326b78

SHA256
0f2f8821d2b79e169b5e6ec052e720854a4affaeafc1fc3e231c607f732af24e

SHA512
aef159576ccb8347ed40c8a8c8970a3e92dc85f03f4a1f0dd407af3b5d322a9eb416a44137442c4aefe0afd487b408899b4dcafba73891468297900e96c77888

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
64KB

MD5
bf9851563ef2cb5f6c13bd6a215a17ea

SHA1
9dda17c5c6d218b92048c775b175bc6b261151ca

SHA256
3ad701ce90e9f3851de819d69657511dbf9ffd8e64126ea5bdf97ef0d1f109f7

SHA512
c3fa6d326d18ff6a46bcf0c845ff696bb1b727d9aae4be8fdbd97fd1d525fffc1afbbfb4d1e60a00b3ff37ede03473dc034c4c7cb1f57f48ededdebe132975da

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
64KB

MD5
8a72bcc0df4d4d362f2653fe37cb0238

SHA1
399d4302882fb9ca4d6a211d5922f07b2decb354

SHA256
00e0e1c9d51cab9ebfad6aebb970867d460f91c2db0ddffb21425e8317b48b0d

SHA512
131d59bb020d16542bc04e7d3e10adee48c3180ca2fd7fce8f5f270d7d066831bd8a3bcd36fc2d3346959af60da030c61d8cf170570c0535bc5bae307c920df4

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
64KB

MD5
323599bd12461bd4b4768bb8ac591dce

SHA1
8d4083546c0c2db0539fe7761be81fc40b6fa658

SHA256
53229a39e45a554dfc7f35e3bdb931f4fef9d9800cc31f06f13163ee2b739300

SHA512
fe69baf4b43081000d42d2ab345c76609141067f61ed8ddd84c58740dea51ad736fa542e855f5afbc8d4fd494536ab49fe4a4135ffc5274043bcec54ad417b8a

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
64KB

MD5
0f16f0f3640fdfbb7d83f824b0915bcf

SHA1
d1ff47f557d9566a1a6570ed2608ad254488d77e

SHA256
557a63d1d2aec7a675d94d3f32e03fe2a7848f37ee2b217a45fe653ccc0128de

SHA512
3e72916f6f83fed8d013839c3f5628cc4a99636d2ac3320f9413c175577ed027b059d62aadc7c63775e3e24599ceb8366274bfa6aeee0969691959cfe53732c8

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
64KB

MD5
41a03ce7049510cd8a1d1f56bb979a4f

SHA1
d57291ac2294bf51331d8b1087eaa05dead1c695

SHA256
e6b9c383305b7760ae5a8c0057beb56719396f5c1d2582fdda246d87d94add54

SHA512
e876fc3fa065b1bcaf1192ae58c6f1c13e69ee479ef6e2eb3f509ff650256acc2792b4bb7e3de32539981f6bb465b3d51097b682032d59565f693b2e805c9e8a

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
64KB

MD5
faeef0c38db467b008ffab67c3243d1f

SHA1
ba4c379e8c07672c18cff6bdb706909eea587b55

SHA256
4d00773a741811b02d06c1d395dad688f4bd1688148bcd2ef53599bb87813e02

SHA512
91c2dd2ff603daf110d754ff3968c8ac031a1b034081a5045311478498b10b6b000d45e4480ce137baf0f1fcbc0e1cb3932a81be44cf1d5b3c1e4f33fdafcec6

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
64KB

MD5
a888ac30a47b0775fa3118912ffb13ea

SHA1
7f31e1f1ab32f5a3b41553dfc0a3888162c4484a

SHA256
68ad789fa77b859d8c9322f2f123b0f7a993b5be70fbeb4f330e103e16bd42bd

SHA512
e6efd08efb267e77bfc216f8513a14d109849f993d0bf98b2f5878fe2ff696950b8b3307108b1ba8671f9120a8a3a7b66eb814749d9487d7297553463813eb68

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
64KB

MD5
1bcc9015d456bfc2124b206a00b08ab9

SHA1
bcede6db9e6ae61ab1f335bbd3b0ef5eca543b34

SHA256
060e73417955335192bcf687b1c8c3b28d3f4fb19acd7fe34834774e772ba3c7

SHA512
f431a932d7a5041223263963c7987d003e346188c997f3d02d0166fd27601081e2efa6b8ed37844ea8a8d7ed8eaa8d94ab6f94f7872e9cadfd9cc28bde3ed2a5

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
64KB

MD5
34009fed071dc801480d1cea5c9988f5

SHA1
256953825fff1091bfc0879be053e4b75aa44ff6

SHA256
a247bded7e9b64f011991e4105a86f020718203121cab7fd5a27befa1cdff522

SHA512
0b4db1c6bdf576224564e46ff1f6e8d7a11d876984ce3ab08a46c2700373e7daa1c2c88a2d73efa95f98d30eb96c7d1626441d8443b4273b9257fe5acda57fdb

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
64KB

MD5
4bf339dc2cdc0fe523c4ed4c39f9cb3a

SHA1
354ffa9373e9b905c4834f45bfd08e01bad6164c

SHA256
66da06ff0ce4256117bea2699d8e4fffbc64aa1922acd9c8e121d61838627b79

SHA512
950c20e97ce08126408cf78719293ffeb4af1d4caf35dd3de1eef4da2a0cd343ace69163856ef9bd3f42d30e59d7f340c2a13feb5e50c4edd71cf2403922bd5f

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
64KB

MD5
6a130fa4cfdad4404ff0e9512489551f

SHA1
ed258048096e82c8f833164bd24edff7ee3a11ad

SHA256
ffebf43f7d6577a71d54ad8546e1be13c9f286c44562418ab877e105fbb27195

SHA512
f4587f00381345f46f43bff84e90bcf8703f1b3c35b265e16d553a01dc26a4e8d43bfa83927299485f8a3a82f17027ef30d0e757c1121a50413889ce4fbf0a7f

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
64KB

MD5
253bf6c426fd235613c10aa869d99245

SHA1
d11135506049cadfb85ace0410e87d720e99d783

SHA256
0f4418dcf908187cca34fbd04c83e110b282dd103735690141191521fa854ae1

SHA512
8161c04725ab25dd645dc995458ae3be6875e0b5b317b1eca1d431413443c47bc9bf2bce4de18c466559b0e1ed82839b718e82a695614742c3a09519219d9aa3

Download Submit
C:\Windows\SysWOW64\Pckoam32.exe

Filesize
64KB

MD5
ba0cc295198112178d30c42a5bef3159

SHA1
53f192704c1feb433c88bc96300ef6e39a99a090

SHA256
5dbbd49916bd857c3a6c791757cfeeb50e13c3ec0362926d63727469db8ae8b1

SHA512
f65716662d3639dfc3d0077275b4000e13cf1af189be9d1fd76e3ebb185e48a8a3fe797634d1c00af92449fa2d52ab9f9931f991a79d119432c4a4b3c6d80885

Download Submit
C:\Windows\SysWOW64\Pjbjhgde.exe

Filesize
64KB

MD5
43d25afd43485b3a87f8b39cd325494d

SHA1
d625e78840a2529978a7903b5f393d78a49ba0c9

SHA256
3fca89cc0d1e623c8fc85621c3535dee0f428d188c0046f9a0ec82e834c06d80

SHA512
751aad2e9df98f2af7830ff63f3672c0f7c718491fffe44618e3f1e72e56691b82110b6a212a239e0dc5f258044fff43328bc2521629e0d724b452e06b70de68

Download Submit
C:\Windows\SysWOW64\Pkdgpo32.exe

Filesize
64KB

MD5
ee67ca45896ae3f00c0dfe7b4e6b86b2

SHA1
7a8600f753f9f9a2b15657bf099f5a043ba96702

SHA256
9d70729f9a00e4d553149efd54d2170e9b02bd761742b0293ed04ec98ffeaebd

SHA512
f60836b0c9452ee4a9b096d5e08f038bd4c29042deef1aff02db76a9763f22b92134bdf713c40983cd7833c52363cb26c5761126bc4691c167655efdfc01480c

Download Submit
\Windows\SysWOW64\Aaolidlk.exe

Filesize
64KB

MD5
17dab2001cb73f3d003e4cbfe6da8fd5

SHA1
98702ce64c0efa85d0bebcb0a808702e76444f9e

SHA256
4b11107d51b18b15ee93369628e15416360352691080fda4bb3da5b0758ba225

SHA512
e0fa4caff51c274ca6bef5d4572ab8db3aa9c599af4a13ceea44f4778d26e71354cfe681dcac837c4d0d47db0df5c704c4ac624d3403706401c678c096105029

Download Submit
\Windows\SysWOW64\Ackkppma.exe

Filesize
64KB

MD5
2fbf768b6dd48169e4dfcc82b9e67e92

SHA1
d41e81489bb0f2c95235273b5995c4da108ff9b8

SHA256
064d9fd0ba0f5e1b19c5e293eedd9e11b97c6848acd67b8ba091e8237027b080

SHA512
2beefe5d7d0e0d9def5fc71768c399cda0b83c444548b465546bf6fac4b5db69d745e85167d1f3bc322ab6003b408bab68f444e8fe9ae27b78417221044fb940

Download Submit
\Windows\SysWOW64\Aecaidjl.exe

Filesize
64KB

MD5
f505cadcfc715a8a3002dbc5a6b78a47

SHA1
d5d31edaa2421339540d1bc901244410f848c84d

SHA256
0c54d2cf4993050bca7bd8a4551300230632c2d7a2da2810332cb58e9260a903

SHA512
9adc8788755bc9330df4d6dca3f1658102491047d87f5d56283a0092c1a0fe77f0e42698fa7b24497a6d576c11c4691f275ecd3f3792f5be6cca566296630951

Download Submit
\Windows\SysWOW64\Aeenochi.exe

Filesize
64KB

MD5
0b2c22da67820a64b335b071b1a30274

SHA1
66c86f14c227ababe9a557557c5a74938be5caf6

SHA256
538f0457fc7b1eeaafe8a6a6ca25826a1711dea5e864170b37344b8fed18ec60

SHA512
e398435efecf7c212988873fc4cf3f842d12a9f0945f2fdffb9e3f631c0dc34c0797a6cb8acca657313fa4ff12906344912c9f2964b47d6ba9731a4937edce51

Download Submit
\Windows\SysWOW64\Ajbggjfq.exe

Filesize
64KB

MD5
110a256eee8967659374febb4b3c76fa

SHA1
22c8007fc2a7eed60f5d36ea9183b2206eb0d60d

SHA256
66383be444c944fe9ef6432b78ec5b42d77dc67da2107427950e769f2de4dd45

SHA512
92ddbfa2b4ad2b76317b23140175e8a73dfc5c06dcf4ce72c5e194950b8ca4c0313a98de5d0137d2154939d75860cf9621939bd238318c5fe2489dfbb51a84db

Download Submit
\Windows\SysWOW64\Ajecmj32.exe

Filesize
64KB

MD5
41336b1d283fbfff0715b5bf707702a1

SHA1
20f13875658434a217f73da7153440f5e506a7ca

SHA256
39b38bcf61c494faf3234a15dcfe639b2c14257c65e1a8a6c7e724e85e965683

SHA512
e82a028d9748e5e2c3b7e24734ef5b721c2f9a81cb308b0545acf12f4d8bff65fe6d7d57f1c18ce4a75d73c35812810248d4e8a07dc9f9e0651187043d366fc0

Download Submit
\Windows\SysWOW64\Akmjfn32.exe

Filesize
64KB

MD5
40e0380943a3bc3561bb7887a1c359bc

SHA1
3016dcdbaf351c0d55fc52018eee2f6bd95ae272

SHA256
19ec06f716126afad678eb3a12757b08a8a9da12272901ce6c716c89e78bf328

SHA512
d339b49b310cdc56f510c187b8e7a373eff5254654e7c429d3d762aa1565de5359a5c4504d7ad18a694cd0485c695f37bd730df1b76e0793e1c03411a284f369

Download Submit
\Windows\SysWOW64\Aniimjbo.exe

Filesize
64KB

MD5
71e47ba35678ec8155d1d875a0d1af75

SHA1
e8a6634e52ae19114be52e5fe75e3afb0d50a9a7

SHA256
77bf3832c55e1e94efc792569af0d24e04daa4460e9256b9ef9f34f2fcf1a140

SHA512
4b4f1ea748a9bf1a0fb640acf2041980af7be6006b1c654405c60a3c54fae4d50e20ebf4593d7108c1d677a54aa6f11b0bbeaf3a1dbe8381196d9f4618d6fc0e

Download Submit
\Windows\SysWOW64\Pbnoliap.exe

Filesize
64KB

MD5
83badef5218350f12f11dbc61c52b403

SHA1
de68dd1c6acd40cfd63d0fa290786a1f4b837f42

SHA256
ef9231cdf5fb2d67f3a84be6bf960a4307b8cb36c6693933faf08fee5653dc1f

SHA512
fc33aba55379e480dc6a16e6fff69413dc935a446bf117162bc2a72bf8b79944742068de1479d62afe699e3a8f98eaf542352a1ce79da6411fdb4e3af6d487c3

Download Submit
\Windows\SysWOW64\Qflhbhgg.exe

Filesize
64KB

MD5
b3d16a9b3f55feb31983e98be157f6a2

SHA1
7b3d1d51682d5c676c9f06ad8900fffb552dc1cd

SHA256
8d97d8a7b9400cc0f070cebc4ac4395a4d937514caf05ff8c5759bb082e2bca3

SHA512
98e2d5f192a2f367c9477354e26070889e4ef61e70b81e64d551fac90856b1951b092acb9a91d04b13b6e5cd225a066e5f7dc83f765b58595b9611f8d9d7de32

Download Submit
\Windows\SysWOW64\Qgmdjp32.exe

Filesize
64KB

MD5
ca1cc6754adbf180e89ff3bbca403f7c

SHA1
e448ba2dc490419036a5928830b6f6424951224d

SHA256
5115725ccd77e3ed8c60957ed6535949ea48f5c76b968faf5f648b36f0b63ce8

SHA512
45705ef1542626fec27d797834d5c387b1350bad757e80ec0c1682a3734503648f5454b3b72aee1f243764a13e39f97eec9aa0b240a888352b915510b9af8c49

Download Submit
\Windows\SysWOW64\Qodlkm32.exe

Filesize
64KB

MD5
edab7bac0b026bc0cde0d896aea30af3

SHA1
fec8088b953281ec0471d8e096d0b60a2ab3b014

SHA256
169ea49164a972e004bda5d583da97ca41aa0b55be765d49d56a01d02d5d8b7b

SHA512
dde64715e10b32fb0446674c61f32c80b8d4a223fa4c06986349c8ecc7859ba11b105720430dedfaf74e12314a97848194a23cac3d638cdcd57ea048395eec05

Download Submit
memory/536-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/632-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/632-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-80-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/772-397-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-413-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/772-81-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/772-402-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/800-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/800-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/800-222-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/892-432-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/892-325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/892-334-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/892-335-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/904-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/904-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/904-285-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/968-249-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/968-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/968-451-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1292-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1292-231-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/1520-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1520-391-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1520-401-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1736-274-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1736-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-273-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1736-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-298-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1804-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-439-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-302-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1944-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-287-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2020-462-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2120-104-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2120-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2120-415-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-197-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2192-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-66-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2296-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-390-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2296-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-377-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2416-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-353-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2520-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-429-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-357-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2532-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-411-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-161-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2612-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-156-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2636-313-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2636-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-312-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2684-379-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2684-45-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-48-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2684-378-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2756-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-320-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2792-324-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2792-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-434-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-30-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2848-24-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2848-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-364-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2884-346-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2884-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-336-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-342-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2892-38-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-469-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-183-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3068-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads