berbew | 957c9ab1c43ff81fc20f218903f1ff120396dd7e520617d209f56e1d6d622981

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

957c9ab1c43ff81fc20f218903f1ff120396dd7e520617d209f56e1d6d622981.exe
Size

923KB
MD5

df1da58db7fc7dc482d49d16f4a92266
SHA1

571fec1b774b0e2ec05fa9ee96fd0cf5e26ad5f3
SHA256

957c9ab1c43ff81fc20f218903f1ff120396dd7e520617d209f56e1d6d622981
SHA512

691a3f7a6cb02ac17e35f1dd872d30b2631b96932e5bffb2c52641893ef2e31d4a88b5a405883bdfdecaae656e36158e28182ce49301ee6d7bb1fd350ff40f0e
SSDEEP

6144:Dg4LfrcNPQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5frdQt383PQ///NR5fKrj:DBjj/Ng1/Nmr/Ng1/Nblt01PBNkEoIa

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmdjkhdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlqmmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijnbcmkk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakgefqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oplelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijehdl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbfook32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbfook32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njhfcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfofol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mimgeigj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdeqfhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdeqfhjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pleofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjaddn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojomdoof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plgolf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pohhna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knhjjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onfoin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oadkej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paknelgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	957c9ab1c43ff81fc20f218903f1ff120396dd7e520617d209f56e1d6d622981.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkiicmdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knhjjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lonpma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjlhcmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pleofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oemgplgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Plgolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgqkbb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfokinhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nncbdomg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojomdoof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pplaki32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2160	Gkpfmnlb.exe
2032	Gbjojh32.exe
2696	Hkiicmdh.exe
2836	Hjofdi32.exe
2764	Hpnkbpdd.exe
2772	Hboddk32.exe
2676	Ijnbcmkk.exe
3056	Iakgefqe.exe
1588	Ijehdl32.exe
1860	Jfofol32.exe
2016	Jlnklcej.exe
1200	Jampjian.exe
1296	Kaompi32.exe
2552	Knhjjj32.exe
1196	Lonpma32.exe
284	Locjhqpa.exe
2004	Lgqkbb32.exe
2352	Lbfook32.exe
1728	Mjaddn32.exe
1696	Mdghaf32.exe
1760	Mgedmb32.exe
1332	Mmbmeifk.exe
2540	Mmdjkhdh.exe
2128	Mgjnhaco.exe
888	Mmgfqh32.exe
2064	Mfokinhf.exe
2976	Mimgeigj.exe
2328	Npjlhcmd.exe
2748	Nfdddm32.exe
2712	Nlqmmd32.exe
2852	Nidmfh32.exe
2916	Njhfcp32.exe
2656	Nncbdomg.exe
272	Onfoin32.exe
2664	Oadkej32.exe
1856	Ojmpooah.exe
2020	Ojomdoof.exe
1356	Oplelf32.exe
1832	Offmipej.exe
2480	Ofhjopbg.exe
2472	Ohiffh32.exe
1544	Oemgplgo.exe
2964	Plgolf32.exe
1676	Phnpagdp.exe
2452	Pohhna32.exe
656	Pdeqfhjd.exe
648	Pgcmbcih.exe
1888	Pplaki32.exe
1684	Phcilf32.exe
2544	Paknelgk.exe
2932	Pdjjag32.exe
2096	Pleofj32.exe
2864	Qdlggg32.exe
2872	Qndkpmkm.exe
1500	Qpbglhjq.exe
2724	Qjklenpa.exe
664	Alihaioe.exe
2008	Aebmjo32.exe
1532	Ahpifj32.exe
1652	Acfmcc32.exe
2704	Afdiondb.exe
2276	Achjibcl.exe
2200	Aakjdo32.exe
1908	Aoojnc32.exe

Loads dropped DLL 64 IoCs

pid	Process
2980	957c9ab1c43ff81fc20f218903f1ff120396dd7e520617d209f56e1d6d622981.exe
2980	957c9ab1c43ff81fc20f218903f1ff120396dd7e520617d209f56e1d6d622981.exe
2160	Gkpfmnlb.exe
2160	Gkpfmnlb.exe
2032	Gbjojh32.exe
2032	Gbjojh32.exe
2696	Hkiicmdh.exe
2696	Hkiicmdh.exe
2836	Hjofdi32.exe
2836	Hjofdi32.exe
2764	Hpnkbpdd.exe
2764	Hpnkbpdd.exe
2772	Hboddk32.exe
2772	Hboddk32.exe
2676	Ijnbcmkk.exe
2676	Ijnbcmkk.exe
3056	Iakgefqe.exe
3056	Iakgefqe.exe
1588	Ijehdl32.exe
1588	Ijehdl32.exe
1860	Jfofol32.exe
1860	Jfofol32.exe
2016	Jlnklcej.exe
2016	Jlnklcej.exe
1200	Jampjian.exe
1200	Jampjian.exe
1296	Kaompi32.exe
1296	Kaompi32.exe
2552	Knhjjj32.exe
2552	Knhjjj32.exe
1196	Lonpma32.exe
1196	Lonpma32.exe
284	Locjhqpa.exe
284	Locjhqpa.exe
2004	Lgqkbb32.exe
2004	Lgqkbb32.exe
2352	Lbfook32.exe
2352	Lbfook32.exe
1728	Mjaddn32.exe
1728	Mjaddn32.exe
1696	Mdghaf32.exe
1696	Mdghaf32.exe
1760	Mgedmb32.exe
1760	Mgedmb32.exe
1332	Mmbmeifk.exe
1332	Mmbmeifk.exe
2540	Mmdjkhdh.exe
2540	Mmdjkhdh.exe
2128	Mgjnhaco.exe
2128	Mgjnhaco.exe
888	Mmgfqh32.exe
888	Mmgfqh32.exe
2064	Mfokinhf.exe
2064	Mfokinhf.exe
2976	Mimgeigj.exe
2976	Mimgeigj.exe
2328	Npjlhcmd.exe
2328	Npjlhcmd.exe
2748	Nfdddm32.exe
2748	Nfdddm32.exe
2712	Nlqmmd32.exe
2712	Nlqmmd32.exe
2852	Nidmfh32.exe
2852	Nidmfh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hhdkmd32.dll	Knhjjj32.exe
File opened for modification	C:\Windows\SysWOW64\Mjaddn32.exe	Lbfook32.exe
File created	C:\Windows\SysWOW64\Pdeqfhjd.exe	Pohhna32.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bqeqqk32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Ojomdoof.exe	Ojmpooah.exe
File opened for modification	C:\Windows\SysWOW64\Alihaioe.exe	Qjklenpa.exe
File created	C:\Windows\SysWOW64\Aacinhhc.dll	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bdcifi32.exe
File opened for modification	C:\Windows\SysWOW64\Mfokinhf.exe	Mmgfqh32.exe
File created	C:\Windows\SysWOW64\Kgbioq32.dll	Mmgfqh32.exe
File created	C:\Windows\SysWOW64\Iakgefqe.exe	Ijnbcmkk.exe
File created	C:\Windows\SysWOW64\Mmbmeifk.exe	Mgedmb32.exe
File opened for modification	C:\Windows\SysWOW64\Ojmpooah.exe	Oadkej32.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Dpdidmdg.dll	Nlqmmd32.exe
File opened for modification	C:\Windows\SysWOW64\Onfoin32.exe	Nncbdomg.exe
File opened for modification	C:\Windows\SysWOW64\Pleofj32.exe	Pdjjag32.exe
File created	C:\Windows\SysWOW64\Bdcifi32.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Hlmgamof.dll	Ijehdl32.exe
File created	C:\Windows\SysWOW64\Pipnmn32.dll	Jfofol32.exe
File created	C:\Windows\SysWOW64\Mmdjkhdh.exe	Mmbmeifk.exe
File created	C:\Windows\SysWOW64\Mgjnhaco.exe	Mmdjkhdh.exe
File opened for modification	C:\Windows\SysWOW64\Plgolf32.exe	Oemgplgo.exe
File created	C:\Windows\SysWOW64\Jiepeo32.dll	Hkiicmdh.exe
File created	C:\Windows\SysWOW64\Knhjjj32.exe	Kaompi32.exe
File opened for modification	C:\Windows\SysWOW64\Mgedmb32.exe	Mdghaf32.exe
File created	C:\Windows\SysWOW64\Hcelfiph.dll	Mmdjkhdh.exe
File created	C:\Windows\SysWOW64\Aqcifjof.dll	Pplaki32.exe
File created	C:\Windows\SysWOW64\Fkdhkd32.dll	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Qdlggg32.exe	Pleofj32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Pacnfacn.dll	Iakgefqe.exe
File created	C:\Windows\SysWOW64\Dddnjc32.dll	Kaompi32.exe
File created	C:\Windows\SysWOW64\Npjlhcmd.exe	Mimgeigj.exe
File created	C:\Windows\SysWOW64\Nidmfh32.exe	Nlqmmd32.exe
File opened for modification	C:\Windows\SysWOW64\Ojomdoof.exe	Ojmpooah.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Mimgeigj.exe	Mfokinhf.exe
File opened for modification	C:\Windows\SysWOW64\Mimgeigj.exe	Mfokinhf.exe
File opened for modification	C:\Windows\SysWOW64\Nncbdomg.exe	Njhfcp32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Icmongda.dll	Hboddk32.exe
File opened for modification	C:\Windows\SysWOW64\Knhjjj32.exe	Kaompi32.exe
File opened for modification	C:\Windows\SysWOW64\Njhfcp32.exe	Nidmfh32.exe
File created	C:\Windows\SysWOW64\Nncbdomg.exe	Njhfcp32.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Hboddk32.exe	Hpnkbpdd.exe
File opened for modification	C:\Windows\SysWOW64\Lonpma32.exe	Knhjjj32.exe
File created	C:\Windows\SysWOW64\Pgcmbcih.exe	Pdeqfhjd.exe
File created	C:\Windows\SysWOW64\Aoagccfn.exe	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Hjofdi32.exe	Hkiicmdh.exe
File opened for modification	C:\Windows\SysWOW64\Ijehdl32.exe	Iakgefqe.exe
File opened for modification	C:\Windows\SysWOW64\Acfmcc32.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Lonpma32.exe	Knhjjj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1648	1480	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjofdi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaompi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgqkbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oplelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkpfmnlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pohhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hboddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knhjjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfdddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oadkej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojomdoof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phnpagdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijnbcmkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijehdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfofol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plgolf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	957c9ab1c43ff81fc20f218903f1ff120396dd7e520617d209f56e1d6d622981.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iakgefqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbfook32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmgfqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Offmipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlnklcej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lonpma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlqmmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jampjian.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mimgeigj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohiffh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oemgplgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbjojh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgjnhaco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbmeifk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hboddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohiffh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjofdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleajenp.dll"	Ijnbcmkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knhjjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbjojh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjdaldla.dll"	Mjaddn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaompi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pleofj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afdiondb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollopmbl.dll"	Locjhqpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjaddn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaompi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdhkd32.dll"	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqcifjof.dll"	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkiicmdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmdjkhdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njhfcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Plgolf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbjojh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfokinhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijnbcmkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdeqfhjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afdiondb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijehdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqliblhd.dll"	Ojomdoof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfofol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnmapnj.dll"	Mfokinhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oemgplgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfdddm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojomdoof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlnklcej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbfook32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdjfphd.dll"	Mgedmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npjlhcmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkhhhd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2160	2980	957c9ab1c43ff81fc20f218903f1ff120396dd7e520617d209f56e1d6d622981.exe	30
PID 2980 wrote to memory of 2160	2980	957c9ab1c43ff81fc20f218903f1ff120396dd7e520617d209f56e1d6d622981.exe	30
PID 2980 wrote to memory of 2160	2980	957c9ab1c43ff81fc20f218903f1ff120396dd7e520617d209f56e1d6d622981.exe	30
PID 2980 wrote to memory of 2160	2980	957c9ab1c43ff81fc20f218903f1ff120396dd7e520617d209f56e1d6d622981.exe	30
PID 2160 wrote to memory of 2032	2160	Gkpfmnlb.exe	31
PID 2160 wrote to memory of 2032	2160	Gkpfmnlb.exe	31
PID 2160 wrote to memory of 2032	2160	Gkpfmnlb.exe	31
PID 2160 wrote to memory of 2032	2160	Gkpfmnlb.exe	31
PID 2032 wrote to memory of 2696	2032	Gbjojh32.exe	32
PID 2032 wrote to memory of 2696	2032	Gbjojh32.exe	32
PID 2032 wrote to memory of 2696	2032	Gbjojh32.exe	32
PID 2032 wrote to memory of 2696	2032	Gbjojh32.exe	32
PID 2696 wrote to memory of 2836	2696	Hkiicmdh.exe	33
PID 2696 wrote to memory of 2836	2696	Hkiicmdh.exe	33
PID 2696 wrote to memory of 2836	2696	Hkiicmdh.exe	33
PID 2696 wrote to memory of 2836	2696	Hkiicmdh.exe	33
PID 2836 wrote to memory of 2764	2836	Hjofdi32.exe	34
PID 2836 wrote to memory of 2764	2836	Hjofdi32.exe	34
PID 2836 wrote to memory of 2764	2836	Hjofdi32.exe	34
PID 2836 wrote to memory of 2764	2836	Hjofdi32.exe	34
PID 2764 wrote to memory of 2772	2764	Hpnkbpdd.exe	35
PID 2764 wrote to memory of 2772	2764	Hpnkbpdd.exe	35
PID 2764 wrote to memory of 2772	2764	Hpnkbpdd.exe	35
PID 2764 wrote to memory of 2772	2764	Hpnkbpdd.exe	35
PID 2772 wrote to memory of 2676	2772	Hboddk32.exe	36
PID 2772 wrote to memory of 2676	2772	Hboddk32.exe	36
PID 2772 wrote to memory of 2676	2772	Hboddk32.exe	36
PID 2772 wrote to memory of 2676	2772	Hboddk32.exe	36
PID 2676 wrote to memory of 3056	2676	Ijnbcmkk.exe	37
PID 2676 wrote to memory of 3056	2676	Ijnbcmkk.exe	37
PID 2676 wrote to memory of 3056	2676	Ijnbcmkk.exe	37
PID 2676 wrote to memory of 3056	2676	Ijnbcmkk.exe	37
PID 3056 wrote to memory of 1588	3056	Iakgefqe.exe	38
PID 3056 wrote to memory of 1588	3056	Iakgefqe.exe	38
PID 3056 wrote to memory of 1588	3056	Iakgefqe.exe	38
PID 3056 wrote to memory of 1588	3056	Iakgefqe.exe	38
PID 1588 wrote to memory of 1860	1588	Ijehdl32.exe	39
PID 1588 wrote to memory of 1860	1588	Ijehdl32.exe	39
PID 1588 wrote to memory of 1860	1588	Ijehdl32.exe	39
PID 1588 wrote to memory of 1860	1588	Ijehdl32.exe	39
PID 1860 wrote to memory of 2016	1860	Jfofol32.exe	40
PID 1860 wrote to memory of 2016	1860	Jfofol32.exe	40
PID 1860 wrote to memory of 2016	1860	Jfofol32.exe	40
PID 1860 wrote to memory of 2016	1860	Jfofol32.exe	40
PID 2016 wrote to memory of 1200	2016	Jlnklcej.exe	41
PID 2016 wrote to memory of 1200	2016	Jlnklcej.exe	41
PID 2016 wrote to memory of 1200	2016	Jlnklcej.exe	41
PID 2016 wrote to memory of 1200	2016	Jlnklcej.exe	41
PID 1200 wrote to memory of 1296	1200	Jampjian.exe	42
PID 1200 wrote to memory of 1296	1200	Jampjian.exe	42
PID 1200 wrote to memory of 1296	1200	Jampjian.exe	42
PID 1200 wrote to memory of 1296	1200	Jampjian.exe	42
PID 1296 wrote to memory of 2552	1296	Kaompi32.exe	43
PID 1296 wrote to memory of 2552	1296	Kaompi32.exe	43
PID 1296 wrote to memory of 2552	1296	Kaompi32.exe	43
PID 1296 wrote to memory of 2552	1296	Kaompi32.exe	43
PID 2552 wrote to memory of 1196	2552	Knhjjj32.exe	44
PID 2552 wrote to memory of 1196	2552	Knhjjj32.exe	44
PID 2552 wrote to memory of 1196	2552	Knhjjj32.exe	44
PID 2552 wrote to memory of 1196	2552	Knhjjj32.exe	44
PID 1196 wrote to memory of 284	1196	Lonpma32.exe	45
PID 1196 wrote to memory of 284	1196	Lonpma32.exe	45
PID 1196 wrote to memory of 284	1196	Lonpma32.exe	45
PID 1196 wrote to memory of 284	1196	Lonpma32.exe	45

C:\Users\Admin\AppData\Local\Temp\957c9ab1c43ff81fc20f218903f1ff120396dd7e520617d209f56e1d6d622981.exe
"C:\Users\Admin\AppData\Local\Temp\957c9ab1c43ff81fc20f218903f1ff120396dd7e520617d209f56e1d6d622981.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\Gkpfmnlb.exe
  C:\Windows\system32\Gkpfmnlb.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\Gbjojh32.exe
    C:\Windows\system32\Gbjojh32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\Hkiicmdh.exe
      C:\Windows\system32\Hkiicmdh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\Hjofdi32.exe
        
        C:\Windows\system32\Hjofdi32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\SysWOW64\Hpnkbpdd.exe
        
        C:\Windows\system32\Hpnkbpdd.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Hboddk32.exe
        
        C:\Windows\system32\Hboddk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Ijnbcmkk.exe
        
        C:\Windows\system32\Ijnbcmkk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Iakgefqe.exe
        
        C:\Windows\system32\Iakgefqe.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Ijehdl32.exe
        
        C:\Windows\system32\Ijehdl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Jfofol32.exe
        
        C:\Windows\system32\Jfofol32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Jlnklcej.exe
        
        C:\Windows\system32\Jlnklcej.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Jampjian.exe
        
        C:\Windows\system32\Jampjian.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Kaompi32.exe
        
        C:\Windows\system32\Kaompi32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Knhjjj32.exe
        
        C:\Windows\system32\Knhjjj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Lonpma32.exe
        
        C:\Windows\system32\Lonpma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Locjhqpa.exe
        
        C:\Windows\system32\Locjhqpa.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:284
        
        C:\Windows\SysWOW64\Lgqkbb32.exe
        
        C:\Windows\system32\Lgqkbb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Lbfook32.exe
        
        C:\Windows\system32\Lbfook32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Mjaddn32.exe
        
        C:\Windows\system32\Mjaddn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Mdghaf32.exe
        
        C:\Windows\system32\Mdghaf32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\Mgedmb32.exe
        
        C:\Windows\system32\Mgedmb32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Mmbmeifk.exe
        
        C:\Windows\system32\Mmbmeifk.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\Mmdjkhdh.exe
        
        C:\Windows\system32\Mmdjkhdh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Mgjnhaco.exe
        
        C:\Windows\system32\Mgjnhaco.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Mmgfqh32.exe
        
        C:\Windows\system32\Mmgfqh32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\Mfokinhf.exe
        
        C:\Windows\system32\Mfokinhf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Mimgeigj.exe
        
        C:\Windows\system32\Mimgeigj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Npjlhcmd.exe
        
        C:\Windows\system32\Npjlhcmd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Nfdddm32.exe
        
        C:\Windows\system32\Nfdddm32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Nlqmmd32.exe
        
        C:\Windows\system32\Nlqmmd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\Nidmfh32.exe
        
        C:\Windows\system32\Nidmfh32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Njhfcp32.exe
        
        C:\Windows\system32\Njhfcp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Nncbdomg.exe
        
        C:\Windows\system32\Nncbdomg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\Onfoin32.exe
        
        C:\Windows\system32\Onfoin32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:272
        
        C:\Windows\SysWOW64\Oadkej32.exe
        
        C:\Windows\system32\Oadkej32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\Ojmpooah.exe
        
        C:\Windows\system32\Ojmpooah.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\Ojomdoof.exe
        
        C:\Windows\system32\Ojomdoof.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Oplelf32.exe
        
        C:\Windows\system32\Oplelf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\Offmipej.exe
        
        C:\Windows\system32\Offmipej.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\Ofhjopbg.exe
        
        C:\Windows\system32\Ofhjopbg.exe
        41⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Ohiffh32.exe
        
        C:\Windows\system32\Ohiffh32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Oemgplgo.exe
        
        C:\Windows\system32\Oemgplgo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Plgolf32.exe
        
        C:\Windows\system32\Plgolf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Phnpagdp.exe
        
        C:\Windows\system32\Phnpagdp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Pohhna32.exe
        
        C:\Windows\system32\Pohhna32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Pdeqfhjd.exe
        
        C:\Windows\system32\Pdeqfhjd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Pgcmbcih.exe
        
        C:\Windows\system32\Pgcmbcih.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Pplaki32.exe
        
        C:\Windows\system32\Pplaki32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Phcilf32.exe
        
        C:\Windows\system32\Phcilf32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Qjklenpa.exe
        
        C:\Windows\system32\Qjklenpa.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Acfmcc32.exe
        
        C:\Windows\system32\Acfmcc32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        68⤵
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 144
        93⤵
        Program crash
        
        PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
923KB

MD5
4ecfb34b4dd4030799e00aa4c2f871ee

SHA1
85b01820802c908a56dea6049ad579de976d4479

SHA256
3811f04b2a9d73ee1ff44d15e13571c4f43f4f82345f231e9221c4dd7dd60045

SHA512
62fbd55c91407685330e00146dfe4e1d4d62d744ecccff4bc44b6519f399369e29458aa3a1ffff53f19c7b9f71fc62f7f172a930aae0ebdf384e82f8beded6a6

Download Submit
C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
923KB

MD5
147391852dc21d22c1d67adf9bbf7756

SHA1
f941e2e7ac227da0207991f536302e4439069847

SHA256
575860077f8f40649af2de34279f90516a544f08855645d1067ab2dcd9d5e887

SHA512
1f9ca3ea2cb57301b3a9da8cc95018a27432764009360a9161eaac1b1c863ea6870a64e215b480054e3f1690a372ee64a7f27bd6c520cd74d0294a32f1ff9315

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
923KB

MD5
13d33ab817e4c074782cbc0c15a0b902

SHA1
77cf7d5972d98341c92cf28b8f95c40f8285853f

SHA256
db4bd74940c8e125ecd0ecea955fec429fa80055f71bdd506361684daf1b5d8c

SHA512
57429adfa0384583c53fb98b488a8f068cd540a9dcdf82990123b88c9b48aa00f1287e17b3daa0eb6e91fda223b4ec065940cf7750e4b18ab9f616e5d8ea4899

Download Submit
C:\Windows\SysWOW64\Acfmcc32.exe

Filesize
923KB

MD5
ad8a6826332154e8abc5e979e7c04a0c

SHA1
c5970dedfac75550e5681908db7bb9acb3a066f6

SHA256
b6507333c085ac2fe0366095bced059c66d6c6d56e814e7cadff3717da62e85e

SHA512
fdccc9b27fb84ca46bd710a5f3b1faef65574507b284e0079a7024309f51a780f301c040b24434cdbd958036e8fdf7f64416e94518ef0e242e0a9be8eee900ee

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
923KB

MD5
6c666b4622809df6816cfa02c6f3c846

SHA1
79db3c04226b384515495d35f30d7e4e7cc14c32

SHA256
aaaf4ec98e297633776da2f914bfff556dc15e4dc6d981b0bc5d0cd143c9d040

SHA512
763d35a67ff5c703d1c3d75b8b5dd2954a1a42b704213248ce0f6cbca0077bc43dd801152b2bfd8bd1080e9ea1c19708bc57ed090e79498f4dac124f6685dfbb

Download Submit
C:\Windows\SysWOW64\Aebmjo32.exe

Filesize
923KB

MD5
54155e8e10129911c99d99985deef2f0

SHA1
65f078c03b776b2fa302d8a55fd3f30076735b4a

SHA256
1f4fa7227af082dca3050e965f50e0ef3bc7deac0a5609cb769eba00024116bc

SHA512
feb57e298468994dbf9c763f53cd81df2c857b7322fd5d6aad93ee09409fbd51e88eed874573365acd8de2eae56f7c23be10d78a3a3167f15cf1236299f1cb1c

Download Submit
C:\Windows\SysWOW64\Afdiondb.exe

Filesize
923KB

MD5
7f36b003e78e11e08b20ffad8ca36356

SHA1
bc109eb4e2e12ac7d7173baa8345e0f7dc622d7f

SHA256
5683526c8e11c8eff5a339d9d26ce9903db0a26be1ca3f98fe3d5e3c1ed568ac

SHA512
ed93e9afe2de34f1e9989d2995793d6b20f25d6494d2db109126c6dcc8417d5061f47feb0495e128e818336ba18b6104cabfe4898b93a2818cb218df56d5e5dd

Download Submit
C:\Windows\SysWOW64\Ahpifj32.exe

Filesize
923KB

MD5
5b223acfb46faaa3a81c91e6d63b420b

SHA1
73688697262d656e8adfac7766128afcbd536415

SHA256
e4d46f0f772e5b87dccaf96753b1bc8ffb1bc05b94af83091941eb153feb9592

SHA512
224247b3eb245c645247e8c1a29b770fd320b36f85eb2aa589b1de7f45abd69a08b3e40ba17250e50ec99cb231e434b2f120bc68e74200884a37091242325183

Download Submit
C:\Windows\SysWOW64\Alihaioe.exe

Filesize
923KB

MD5
e3ea3f64dda2036f4f063feae711d105

SHA1
7cce997d80267ed387787e25747c7dbe1a88dae5

SHA256
fce87d28f5445f9d7a301c74fa67341fad77368cb06e75177e38852e79d2e23e

SHA512
385ecdee57e036b5c303cc11655a5861a76c6c52b27ecfc89c8dd263d1cbd744841f69cf25253254a77a11f62e3405748e60c80d5cdac8cbac71c5d11804aa25

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
923KB

MD5
ca6f485df57598459d39b7b8ffea7e9f

SHA1
ad5c1685cdc9a808d84d6297067d2bed2a766c9c

SHA256
6fa0de947329bde61505ed5298a2b83983c521f10943afd34a215454a569218a

SHA512
6b307923c560bbab6afed74b33883c77b41b849f27b6b903972ea72f2586249f393ed804c481b6a3438572e872818b34b391d0651f88d9e78d53afb93363fd02

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
923KB

MD5
363af6d05fe97a0d81e88ac80f415d83

SHA1
c6c17f180e33d887a1aaa79cb85494ea0942cd10

SHA256
c3219edfbe913a0b1e63ad18b9da2d30a3b3446d295c7f608358f326a7069f5c

SHA512
337fce0ade110f27879f615101289e3530438dae0519080830cf60de897dbb73a41a10ad53bae3deeeb90bc16051a0abe018aa7462e1ddf64f0f989da71d3266

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
923KB

MD5
4e1287bd39da5752a215b0cfc92fe026

SHA1
8d7e1e8ffa83149900080d0a8b1ca8ff7ab869ca

SHA256
ed906c2cc36cacd6c4f16a03f8d7a71cea4d273371178c8e453453e524226ffa

SHA512
f751e24d135f989c0884819ed91f057f8246dbfe7d9736858cb24067783cb0ad00e0a58a4cc532b386d19c6bcbc0a7f5b1cf441cc7540d26e23740cd8acb8826

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
923KB

MD5
bf0a06ee46f8ccbdea8b03f4aa520243

SHA1
9f73af1e0f1f5d23d419828361dd748ba5194629

SHA256
18a17bd15079583ecc90d24e03b2f3c623152a4f6c9b386ef4b70e828ddb94b3

SHA512
cb15604b289634966470a0636ec1ef55c01442028adcbe40296b0c65fe3fcb649dd34eef0ab9d10a14af1c0a3229b42682db625f0b5802b25710afa93590a075

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
923KB

MD5
c676b059235a41077064194a509bd260

SHA1
b5fc6982c1571495a7d3b6afa78be3e1f09a7616

SHA256
3f94116d4360e71520a25418a356fa258b26bcd8bffc9921d29e6aa45c9dcd56

SHA512
aedd9dfc3a9cf2d604dbc2e6e4289d931a1ae566e4bebb8c16e83d3f0bd225f4222c52e6d9b5ac53502e41c9046737f9d079cfe12a0de00994e9337f9b48d881

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
923KB

MD5
e232229138d10ceafc9e18190337868f

SHA1
c4a018cc018acfa4655e339f309c79bcd284d178

SHA256
d77660d1ed20c44710337ba6dd047e7e87fa9c6554d2a1800d987f7a29886bd0

SHA512
36140c4b56ee273fa7fb0e4d7dd5c793431732716d711ac8d47acc6a0c92e33a16b907b3bbac79ddaabe88adbcdf12a23c31ea8e6f4270480ab89ad185c3d620

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
923KB

MD5
1d4477434731cfa6aef585db65925aad

SHA1
a292ab41b58dc67ba6383fef6ea26ce17182c504

SHA256
fb36ca8f61eabbb06f92ee57ed4046aa92b499c8bd21af71215c4c59d2405be0

SHA512
d843c9a11abb5ebf481ea17db4f90aeb63a69d8edf249cfb210bd86213911407a7a005d72df8d09c2c67455bba26219cd2f3c5cec644738c3fcf1cf966f1a748

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
923KB

MD5
523c50ed60d7fd03ca7d76264e1bdcb3

SHA1
746bd301f174d76cf44320608eabad589342d474

SHA256
2df29c8e7a2425cef2ef213febd3d052d4090e464c456429366dd04c6a3906c0

SHA512
4ac1f94f9218ca647c4b4988311fcb5936504d65935db91a8848e7f032fcf9bd89e51d6e3633a6291d50aa3184a7486e17229f3ee764295412461cd91ba106c6

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
923KB

MD5
26759787aa4d3b730a01b26b088b0634

SHA1
2c6e9dc38f4b238a411806f26ed92db9c7837560

SHA256
134644780bd9186e5d7b46fe095079e096780f85ddd5d44c60b3b8fad65a2ea9

SHA512
d6f0eb1a7dcdfe9eef65a012cb9721fa40baf355ef0d8bc9926fd368351771b2d283fc616e476bb03ace25a1c342c064b6d7fca072b78f92d79ea0403105d714

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
923KB

MD5
31f02a704c02a53a3c9a441ea5d94b2c

SHA1
73ae021b94fa5a36fa14d58e880069ac3030b11d

SHA256
4ff7568bb3feb897fb66e07e2989aafc04ed60a8b03d2dc007badd7b3be4813c

SHA512
3c1e46bd48b639eee4ec31e8d8103a065c34cd29cb4fb2c1768ba21f4d7e6edcc1670200b7da21daff66ed780d243331ff4da63beaeca13d832602771626d003

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
923KB

MD5
d2c8d212e6ee6cb83689e11409af504b

SHA1
c44fdfdcc74bee5ca5047616d91ec1b691de6305

SHA256
2ab554548f1fe5937084f31f37fff433a68a2c5504e2ea54112cb4cd48611e17

SHA512
3b6acb3978b4c58a17d241dfcbdbe47169d9ba35cd85a8e5f2a6038b7a54d91374e324c36becfc70e3a0835933d065b23b24a8574d2fb4bc8b81a8647bacf267

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
923KB

MD5
d732903e248db30e9ab80f4855b5ed7b

SHA1
476bd42552ae5a7549c92876cdfffd54ff366463

SHA256
31714320be82f0a2dee2bccea2ea0cd4ef4dc8ff0cd3f1edf69aa44ca70e4e1f

SHA512
6cb57592831591cbafdbf398f9817659ba1ca0db36e6e0056b3e30f51a3910783acab87cf4c111ded49dae2ba302b5340d2c43730f926692bb01bb0ed57392f4

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
923KB

MD5
bb360809c4d8cee29d161f08b3e7e701

SHA1
9fe816831c3c29bb167a226e76026292a2cc8515

SHA256
42162920b194569e5b01dd11e47ee94266bcb638a0e792a3eb1a2a5f7e69e2db

SHA512
2f57de1446929f12735bcdea1180de246ae3030f5cc1cb170a5b1478e003f5f40c986ce28c4341be9076a53257878aa6762efb007ab01e3a56a50527b22bd2e0

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
923KB

MD5
ee410e8960e34d85f1b54b3ccffa0a22

SHA1
8d6247c707249b39aa2ff1b8821aeaaddf194d54

SHA256
72bf60fee8dcaa782ee078b274cd32312af0c13652194ee7c5bab71b6093a1b0

SHA512
c2048c358bfc3b8a83635cb9b7f352806cffa5467345b24b6a4a1688b2666bd0911d6e345a38a5e4373e63c17104d3a0ec2d9cc197a77a77284f10262528ea81

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
923KB

MD5
068b77a4a17552a68015b0d9f516c8d4

SHA1
1eecad17a62cfc9dc24da6abd170d3a605f2ff7e

SHA256
2ad6ac82a113e78d1deac4780a26e2ceea40f9edabafdb45facea355de901821

SHA512
7f03884dc1e08db452b37391e6da2accfd5913df8bed4157ab6d0ef6df55ad8b3d8e201e5dbde8b61468e7baaef4f53159c55965891d7a1f3549f996e1daf330

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
923KB

MD5
dca488c99adf1f5d7dc22623cd57f711

SHA1
c2720d5b967108675014459c88b66ad9a9659d79

SHA256
b54b5b2414a723d05b558894b7d7c158b81adb839b9d8986b8efe8bfe01024c8

SHA512
add7a6dc28d65c31a1ffa66374fb180c0db1b896fd0010c6f46442d6e495c03caa5c4bd408b1fec63fddd30a614f74703050390b28c2178119a942d6ad373ea3

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
923KB

MD5
996d26b9437d556c5226befa8d3f291d

SHA1
646459ff76d9f95cb40286a9673c8c6e4ff3afe6

SHA256
d381c9cce5356667b896258322ae9a05d798684bfe62a68c7081179b9164f7ed

SHA512
6ff849d629fa99d5d9add64d3a6e7dc1cb3e98aad1395d4ad43d1d227a3cda5c3c28ce77ca623c343efa65dd90e00aaed94d2be04d3bb2a539b31bc9fcace778

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
923KB

MD5
ace43edd52f553bddba92c7d368f6ae5

SHA1
e9c6e22fcef6a1bcba4d34ab52065b5f543c1a79

SHA256
ee3d47299ad4038d8583475aa8e2cab4f745b662ff88d7d601826ef5eb4b25e8

SHA512
bd081eaa0f1e9d207d7a3be2c3a4a4e440a2638533682c5597998aefbc33f5ab9f29a6bb23ecc7b8fd7118a9d9da600783e7117714485cd18fe71fff03cb06ad

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
923KB

MD5
622d6c438c99bf538b65f3a77feb4b53

SHA1
ac00d08d8277dd6d39283508417f910b903a8c61

SHA256
fd82ed536ef22ad94922914e69170f69f2815929d4dc0e1bd72fc45ef754875e

SHA512
ec856749a925af8352ea552a9130179d6bfabe799ee8e64812e004f28055b08922d60f0f1e83f89796a440ce6a83141cf6cfe4e7c1bfe66bb8e64779aa5365c9

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
923KB

MD5
41097de03561d8d80ecac989b1aac1c5

SHA1
83c653ffcec0562d5a1776d31a2eb7f535a348a5

SHA256
4504ff10d8331485715bc8fddc64b5202cd94705cb7855a78f6d295d09bc5b38

SHA512
47308490ba1779ab94ef9bd63bfa76c9f9a46649deb9dc9a2b5661c13b22106487dc2abd4112085d3628c0f5927ebead52a260c833e8eebcd74828fce9d4fba5

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
923KB

MD5
8534f438b827b3132d4f2fe929ece752

SHA1
a8a48340cce153192c0f7a20c385d08160e0b46f

SHA256
4e3ef4a1cea90bf5844eb49e386233a0d5a32de511b7fc9dc82e478efab09fb5

SHA512
57a26b5262cd8a1109895773a0e84f4743a6f7f97b8fcd0c58ca12a6320c40e187baba7e77439ee9ea61fb10600171a7af1b2570f82745b71c794a9a013c7971

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
923KB

MD5
2f0f0d2d8271d441ff46cce27453ba02

SHA1
cf876a278051d7f3dbcc7e9105af125235648b68

SHA256
dd1fc26acb15f7abd5b20da677d3295fc90c94cf04a85562a848dabe38ca196d

SHA512
b58b92728500bc37afa685a225d9debb9dbdc57c893b8a92cae3d3ce038a79787377f5a1d0d7fb5b1cde1922be3e60e56006d3ddc13468ec861f91c05a3b6443

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
923KB

MD5
e4c0f4db4bfb5ae6dd755d43e5ad61f9

SHA1
e41b71b5690b34167dcec514c29d48b610499ff6

SHA256
f7b8babe060b69d19e054dc43abbd2ca3041464ba1223797d7d84a9a54b10325

SHA512
fe3c8ced3010d94631cc6a272d57a859da6fcda4802c97af4d4b5e215670b3edfa2807f581c247019dd64227a27f794ff2efe7ba44dd3e72b2efe097429a451e

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
923KB

MD5
ec839090e8565fe40d2c008557e812e0

SHA1
15e61746b488d1b6f68205721f0fec5c380a38a2

SHA256
03624655664b15db4e2b34e4721e8a548bf1a0240c2cb7ce0301d5be44f2d550

SHA512
1b98cca76b6e4533f67b2421e5a67858cf734a06128bc1a9706945dc255743497d50cb68b2ebb4b53bd4ec4b19d404c1dd04241a6b8dc1769c9cecfcb9b600e1

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
923KB

MD5
0f0bdc5eb36d9e8c15d4381191dd3fa8

SHA1
77f2e493b47d061c3373700c33dee655667f5294

SHA256
599f75e62554293a20e27f05d414e9972394805b6d403447f30846b7bbc7b6b7

SHA512
7e98a34f371d91aa91b70e3a70ab17f5ae48ac4ac409fbb964fdda4bf4b76ed8ae8aab4d1b96b3acd2781c6be3221f00da1d14450c600a6f0abc900d75ef05b1

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
923KB

MD5
da95fcf771e7b81da6e87c09f3ee2222

SHA1
9e9c0e1a7617b734affe61d484d29c3fcae096a7

SHA256
dfd06460364bed9bd2c59e08d73cdd3e804306c80e71dcf151fbe51764c25636

SHA512
acda3dd9f673a2138a0f003657d8392027aced6503d6ce67848d339eb332b04926edadc002ddd647ede982b05224a28d139ec4e3c6bda6896be3fed408433eaf

Download Submit
C:\Windows\SysWOW64\Gbjojh32.exe

Filesize
923KB

MD5
581449a8ce44052175f0be1dd5465ab9

SHA1
c7fdd864464e2280c2b33ee37bdc8e4bfc5d625a

SHA256
36572bb9c6efeb76b75d0c3f49af31fa5488c4ac56c1a9cadc37f2ac51eceeef

SHA512
a0f8b6052c898a0e271da9744ef3cb6a0a04fc0fbe79fcd72f1a7b6834acd93c3302c77a0f2e7c9e26b795d2f5c5e19dd4a76fee3c908cc1f96cfb71afe694fb

Download Submit
C:\Windows\SysWOW64\Gkpfmnlb.exe

Filesize
923KB

MD5
f767bce5a317e459240e2aab2c2cfd26

SHA1
637169fdf2334056c9ba49f42bdce216f6d02ac4

SHA256
0358d00f004896dadf88b5f0dcd8d6727aa75ad67100aa2f4c6ae05cb7dfd598

SHA512
ebbe337cfcbbf7990109ec58be454b447170e2d6407ed7c312851f32694169303df52141b5bf6ab897ecdfb7813f26037af8f0a27d70a58d559d490784f66b0a

Download Submit
C:\Windows\SysWOW64\Hboddk32.exe

Filesize
923KB

MD5
b21c3d03c5de6d8815aa29ac87d0f837

SHA1
cc74f22b3f74456dc42efd30c971ecc0c99dfae3

SHA256
206ee8fbc7baa3c4a826ff2c263f6a6513c493904c87749f4a6c67ff8e7b8b9c

SHA512
ae2dea0f25dce0936b008295cf86e84d37a8c8e243c4cf3b240b8167476cd80d1974abf05735279a45f975c600b941dfda360593f1fdbba0d00b626a114b4297

Download Submit
C:\Windows\SysWOW64\Lbfook32.exe

Filesize
923KB

MD5
85fd51ee4277a03ff6479ef81cc79f29

SHA1
2a2675d05644cd4a6c544ce241bef84e2d86fbd7

SHA256
d8572a041160cd00818b97a805b9df65678df4aef454d85420931b1c68576056

SHA512
3491956f34fa6582dfc962984690523850ec4b815bb3570edd946f5090cb7abfbd0435d650b859a74c031cfa66491a6fe087714e8acaf7f5a7dcdd35c414fff4

Download Submit
C:\Windows\SysWOW64\Lgqkbb32.exe

Filesize
923KB

MD5
612d4a0cf94a73977a231f27b28409b7

SHA1
38b2631fc8dedfc448cee279fab5c840492f3f36

SHA256
26682490d4dbf495a9e67d87bdfe9ce079e7da938cba8d9a5808c694a78e95a6

SHA512
784789a6374e5ddb62f706163324f87d3460c64f03c197efa774d348ca04a87b01122f10274689fd8fb7dc9fde643398037739cb7df75466f4d61a03f01b2d92

Download Submit
C:\Windows\SysWOW64\Locjhqpa.exe

Filesize
923KB

MD5
334e6d095d910b37b92d29cd4bab5c69

SHA1
ebefb55ea9c8b636a284def5e891db032f7f1a7f

SHA256
eea846b43fdf14dde558203789ae9bd264d20530cd97fe78a0fa9e691dc2b7a7

SHA512
8ddf1c7bf66dfcc971b461c0211380fa2cf93064bee783331f2c9540b1e6ef2402509e920488502343b975138a74e0fad8eb2b83c845dba3256181e7924934c1

Download Submit
C:\Windows\SysWOW64\Mdghaf32.exe

Filesize
923KB

MD5
aad04a66f5984efbc75aae7382b814d1

SHA1
116332812af123578748d5d413cb084fc584c6a4

SHA256
4fc5e5ff192b150e3d22b8254084c9f2a243e6334abe4824174ed6bdca01840f

SHA512
e7a13b77f74b8125f3839a0b3e64abd173353fa0a85ac96b03061b50093a171bd916c406ca68e0d44d5f25db37827171abfb931c34c45e10111d1855134f02fc

Download Submit
C:\Windows\SysWOW64\Mfokinhf.exe

Filesize
923KB

MD5
ecd4a3124d10af9f750cde9bed67075f

SHA1
790b18a573d75f8287118646fda09370d71aec36

SHA256
43af74151ff8b933a2b7af817bb8a674b57bb446e21586ce71bd797e1d75fb2e

SHA512
45e7ea0ca39b77f54afa16c7a650ea88e76ccee1fd63dde4326c5493f7a7c7281bf676a11a71c10a5415ce41f65efefdfbbbc543f092847b2b5e9a2cc2ff2ac4

Download Submit
C:\Windows\SysWOW64\Mgedmb32.exe

Filesize
923KB

MD5
82a6316fc26c15b2bcdbe2be99619174

SHA1
c7e70c62c5ebb0aa7cec09a7367ceb27709978d7

SHA256
072e2142a810ddea60d53232435ba17c7ab8095d2590def4e158e75e6a6670e7

SHA512
a53838a9485edee698b14a2353f6bccf019ce4171d01c0c565b55b10f1b69a848679fb34318177596701bafcb8c28d78a042082a721d486ea5d2bf8585301e85

Download Submit
C:\Windows\SysWOW64\Mgjnhaco.exe

Filesize
923KB

MD5
32e94cc1790e3ae01cdd13dd41d5a3bc

SHA1
97d36b578e05cdf4eebaf29de3ec7e8be5b74a08

SHA256
8a72c52c93d6cd50ab220a7ab7b14f9f0e96caa5509359dc40d30f0a72a4b9bb

SHA512
b13c9a9b7a29a3917f50f9fd7bd9c7ab9091d517ca2358c80b36152e008852c6c2c5096921c590849e447427063680f039c3c2207842fe9bd2ca09e0b07e4173

Download Submit
C:\Windows\SysWOW64\Mimgeigj.exe

Filesize
923KB

MD5
379ab325417fc1c48ce23da923b69294

SHA1
d1bf0fd911075a8a22cfdd6450ab3f943f658fc0

SHA256
7e42f509798605dc6c7b1e5858a5cd0c9331385ee1598253e66ebce98034be53

SHA512
6599d427cbbe84f6c5536bd64dfe64e3d23b521297fec61de763ab634f4657acfff2e2b79cffcf2d6c5abf565a6f4dc829f6954432db8aab65a467e55df6551e

Download Submit
C:\Windows\SysWOW64\Mjaddn32.exe

Filesize
923KB

MD5
64361d1f93c6afb97fb632c0d00567e2

SHA1
11e5aeab4b312a6b2c08e68fbcde3475402baa02

SHA256
03c5ea13912b673b8fce80e5df57ed8168d16c59d85b2099effb56f7b794a183

SHA512
f7436882aea4ff29cd56838eb463e762d56db11355fdcdfff097a79433387af8fcbdbbbb919462e3bdf18b97d08e713a1b939dd2aef7a9e03b6e071ac48c3ca6

Download Submit
C:\Windows\SysWOW64\Mmbmeifk.exe

Filesize
923KB

MD5
dfa7166396366f0d1392412d6a1775dc

SHA1
8bc22e4429ed3cc174e2949592f003823477101b

SHA256
ae7453edf0c6a97aecce267259954395cbe914bd6db8dadae848a214f2f46718

SHA512
99d5ac91704712aabbecc444f4ec79c6ab6507b2160e440be75e711bfbc953cb42df92d50f76ead045da54536191f7e24c08cb60a5e3e16db9f1cadf9bbb056e

Download Submit
C:\Windows\SysWOW64\Mmdjkhdh.exe

Filesize
923KB

MD5
2a5f80cecc109079c08de9992c4335bb

SHA1
dcebbb4fead45f99409c8578de42ca1141e1050f

SHA256
7cde1760397cef4991317a24dbfc95d63a5dd51cdab8ca92d7ed0eec4fdba445

SHA512
9cc37e7d4c43dd4e448329168afbe39deb28e91e8c041f2db18135883aaca1c2ac69971b6904e397ee0938f4311f63fe393118cc95a6f3e624d5589f30b192c2

Download Submit
C:\Windows\SysWOW64\Mmgfqh32.exe

Filesize
923KB

MD5
3e69ae1b84a6bf1adc2351408d1add17

SHA1
b484c4fc2c145aa98b37213983c6b0f098b82b7b

SHA256
dfbf9ded9266e777e77997de1b28f3d6d06ca4eea66b67ae14ea8625fdef8481

SHA512
a44af1a3f7eb03027dc36fb924d0296d5ddf476c25390295fc1dbd9fc9cbced64224a3ad88ed4eab3fb6b90a55187efb3ef40ae220f95c52e9a66e12b636d956

Download Submit
C:\Windows\SysWOW64\Nfdddm32.exe

Filesize
923KB

MD5
bc8cb60c2a41b6791ec6d0403f82364c

SHA1
6b002cd0d33518e9208d41ce10653646de5b5894

SHA256
fc46fb3d0bca7f1645de68cbf1c8577cdd7c3381ae5dde6048c72ece82cbab36

SHA512
37e9101ae4acdf0775cf77ba80087efc236b8acffab734f789d5059a98be1e9aa5950405cadfb78863fa16bf2c06ad341260307ba85330047f5bcbe5d37db771

Download Submit
C:\Windows\SysWOW64\Nidmfh32.exe

Filesize
923KB

MD5
3a43e6812d498464993d381c9ad34c68

SHA1
d26f9ac83f1458d340236aac70a0357664b75a45

SHA256
9c0b76c77a0ab37d7f3cd79a43050b01feb9c6e17d77f8811cab6be21d991be3

SHA512
1f86157cb2317c6d11d45866abaae1a0c59ad0a3795d6703c35af358bbd7c3c96da619795968935eeca5a4b38954c172c4242071eac55cae68350c69485b8082

Download Submit
C:\Windows\SysWOW64\Njhfcp32.exe

Filesize
923KB

MD5
ac44b22744175693c873f0cb39a67b44

SHA1
de318c7b6c6a601684ed4ec733e5c90eaf618659

SHA256
453aaae1ef7134e93ebbb7756d616d7a71aec9c1f85cc3f90ecb2dd7d5e8cec9

SHA512
722f8c4782eac3f2677a86240bfc45331d9b954433cb0425db5d57328067494ec0e4b53d9d8bbedb54db7a3140bb912c3735b2505fd582b6c75d51459851a80f

Download Submit
C:\Windows\SysWOW64\Nlqmmd32.exe

Filesize
923KB

MD5
6c95fa5f0d1ddad4129ed2ac6c04436a

SHA1
1591541b4f73180714d13f1f56604fdba7692d5f

SHA256
c8927f96511218e8d34576ce26c3fb01e982450b76052788f3271445bb4dd44d

SHA512
ca7f2ea4def8ab1fd1fc1a08a628ad381c1f14eaf1b482de3ede13a7f8911ee884e0894ee86f004bece52976b99a8f2b7d3d94ce75d797d9fd7e7204cfb6b8f0

Download Submit
C:\Windows\SysWOW64\Nncbdomg.exe

Filesize
923KB

MD5
352bb77bfaeb1e270dc4da48177ce22c

SHA1
9c9b54a044febe4487d24f5903059eca67d4bee5

SHA256
7ec2c9b697026b665a235c51dd3f7388c2071397484bc51349ce6b0f01dd8daf

SHA512
63c147dafd8898df7060d878fbd38f6dfcc866e99059d50cae45b567ced98bc4e7e24707d41e271e8a6c008fd61e1360cb4ff865487313a8b4dcf35879328816

Download Submit
C:\Windows\SysWOW64\Npjlhcmd.exe

Filesize
923KB

MD5
50d882b82ddf395493c6f3121a797f39

SHA1
58185f5d56379b58c348069832516fc7b6f3bcf3

SHA256
121ac663ae08e08b58255e28c05bf136f4def6cdb7e89a0667a606fa01e0691d

SHA512
c11b42813ad14603a3f821cd1cb71f59d375c9821caefe425b59f4ae41e63304d6be4241654b4655645adaf475d7c24b2df74cc6a1b2e506f58fa3a299aa156e

Download Submit
C:\Windows\SysWOW64\Oadkej32.exe

Filesize
923KB

MD5
c2ffe0f2488b7c7e6cb7393b211f02eb

SHA1
1b5e0cb5a87fd448f6f1dfc7fe2c556dc8d0599d

SHA256
9d90b26a4b4dedea35a614af0e033c59f46e26d74fae19b91636d15862e0b492

SHA512
52227f8829f98e7c3008dcd768bd05781145a14993b8a961239a059bb6d6725a8f93e1d589e27f49f3fa2ba682b7d447d61a89522b603739e682b9f04fef7a99

Download Submit
C:\Windows\SysWOW64\Oemgplgo.exe

Filesize
923KB

MD5
c835cb5c855eda772ab2eb6b238684b9

SHA1
1554eeb97e79017141cf97ca1f3f13d1de9e7526

SHA256
8cb1b6642eefa0f0379d5e1a82d3f1c14d383d70c471902754ef3710a833651b

SHA512
a5680af2c23d9fe8d18353529675ba452c68fbfd5ce6e0ad5ff8d23760fd456b94c16a765ad7933f35ff1d7a0280501dbaa1001905a563c9f677ba6024af7b98

Download Submit
C:\Windows\SysWOW64\Offmipej.exe

Filesize
923KB

MD5
7fa963b7c4c53c3d1cf6bcaf134fd1d6

SHA1
20bea70d889762ac25e1d97de95c3a8834295414

SHA256
12b1aa45c00802124f2ab9a21ec284fa3f7f31fab8536d706a39be9ab87bce83

SHA512
7b58e63cce0e3c2a0be38778e912750c9d3db9980e3166a549d1c6bac7082766d11e52a949c4a49649e9c56fd6f0ca5b6a2ab4807d25d35f6ec4826f56acfe36

Download Submit
C:\Windows\SysWOW64\Ofhjopbg.exe

Filesize
923KB

MD5
57234c4036ff118983a013b22e00c298

SHA1
6d50f7848bd02653ad8f86c1d61a907c24374619

SHA256
0cad540a3d16443d99a0d8c6233c6a71d0c451bd9ab0ad79580c8f6c90c2e439

SHA512
e54186783868ef70d56285eb552b814a533b854b9c6dc72c94f5d62e1f1f7de814cadfdf674e85340a0a068adba8263bfcc4100d5d3d6fafea35f50367a1af00

Download Submit
C:\Windows\SysWOW64\Ohiffh32.exe

Filesize
923KB

MD5
77a2fc0a3e6c63c3d78b54d92da28ccf

SHA1
e6d2ee1f7793774576bd4d7fba6939fbb57258fb

SHA256
eaa161fd5e996401698b78e2affe03a06ab71af85f0b94bcb4d20ba1972754df

SHA512
6457fb9ea75904d7f49d0f0b215fd2ea0069a22775703b8ca71850ab32a87bf1818aef0fe0d9cad2bb5bfceb823dddd618a9dd42082a3450f4524eb3c3510300

Download Submit
C:\Windows\SysWOW64\Ojmpooah.exe

Filesize
923KB

MD5
ea2506c28dd4eca3148f4b727dd692cf

SHA1
3b2c53e6e07beee2e013c8c93d82bd04558d703c

SHA256
ef62cadab66e648b468d2b6076f944782fb8e5a3791082a8704fc491afd6d45a

SHA512
fe6cf39238279971236f6aa8dfe864908a77f6651a218f790fe91de49f3d8cb576c0d5351dfffc90b89e3087624ddb53ec6c46582294a936b07c6a864ec68534

Download Submit
C:\Windows\SysWOW64\Ojomdoof.exe

Filesize
923KB

MD5
e678b6265c41cc5ac98d7e26cffd3d20

SHA1
dcbff65ff0f159fa7923a5dcf3cdcc8876a719f1

SHA256
3b81a3063a1ed1ba081f3a84c29400d8170b258a3f58cc002f25e3fd6b95f4c3

SHA512
3519a14968203b502649f4da41726b8dfe4bc0a6a9965f7977d62054ef603060985de03a687cf5f5ba1ec896e70d4ed349abc666724e0555065ac0381a7291e7

Download Submit
C:\Windows\SysWOW64\Onfoin32.exe

Filesize
923KB

MD5
2a062beb563b0ffa9b134434d6cbc727

SHA1
91ac015225794e4f82c0fdc8885c0a82fe841b7e

SHA256
8617cd972916529b20b6312f721fd3a7137cee439bf12aba89a7052c3beacf65

SHA512
3c5f4943bc3600b1cf1c528065b3f6f3809446376bbbce9c2e7be10047fa791156ad0ae7ff2ff279aa197c295908c66b85d0c71949e173662410e18a65d1c914

Download Submit
C:\Windows\SysWOW64\Oplelf32.exe

Filesize
923KB

MD5
3f04226d72a1b2612c80fd8ecd2b32c7

SHA1
688033a8268d86205276dd6970fb7f662a995950

SHA256
926d0dc43aaff5a990610ae273866f3ea707f87c7ac34181543a60e3263697a8

SHA512
4610661a073478edbaf7e81c0f19348078a844144687246d930344f1a50a0f3151dab7423cd6e37db7ab738ffdb9b6f9daa4fde775ef1209c2ef3af631d9bd5a

Download Submit
C:\Windows\SysWOW64\Paknelgk.exe

Filesize
923KB

MD5
250d53885e866f14e4487560167ce381

SHA1
92d6fd03d77eae8de1938eec9dcc8c0e87c9540c

SHA256
328df54d65be99bfbb426f7a6fc27faf802c513a2e556b287fbb0df60012b7a8

SHA512
248e9c50e04bc544619bf524889b6c527d65fc21f8f2518047c4867920b229ebf874ebd9bf6d0b8162e77a37fafe6fbb47988961a02c8afefe4318ff78fef30d

Download Submit
C:\Windows\SysWOW64\Pdeqfhjd.exe

Filesize
923KB

MD5
60e28c5d81d6bf7736857ef1eb56e09d

SHA1
d59b144558c2a6eb83acdc5542f28713da355ec3

SHA256
f56668af08ee66e029ee2465a03393aeaacf2586d97598139d830ab3f6cf3776

SHA512
056cb472de08f9304e4f74dfcab3e262f8647e1ca7079d0c3253238a09a7b91c566513ce8485d32dcf7f81b9f46d89cf7141083f6d9c2abb348d8e0f5abc9874

Download Submit
C:\Windows\SysWOW64\Pdjjag32.exe

Filesize
923KB

MD5
9135661d8e10d4d24bba5dcfe79ed40c

SHA1
71fde9da4f5d5e75c04f0f737740659445ca348b

SHA256
a410153ab9c91721a16cbe4d760d19355072b977669cc164ad124055843d7916

SHA512
fa8d9898aec861f86cbec42e369b051fd58259b48c7c35b8f582012f593986299195c9ccf93e938aa1bc428bc1952537e3d387ff209db02edc45a9860597da81

Download Submit
C:\Windows\SysWOW64\Pgcmbcih.exe

Filesize
923KB

MD5
6ab66c52273f2f8a38c89fd6e9af91c1

SHA1
36d2708b6321bdc6bc642c474461d389344b620d

SHA256
2259769a114c47bce83ad6a96d3516d394119d647c3e6110c9c228c376a4ad5f

SHA512
e915aed0cdbd38f3e956d4caaaa8467e27781f17219ba8f18aa142958b6024ef47b4a193571a7e434c3b236c1edcdfb119806417f2985eaa873b29995e29dbed

Download Submit
C:\Windows\SysWOW64\Phcilf32.exe

Filesize
923KB

MD5
5971ddffca879e3bfb8188a6f08baac6

SHA1
f3ebb0115da37d78d904f938e34246eaba1fb10f

SHA256
d85539a5f04ccea9fa843f2c1ce65f084629304a9b3e2c488e138b4e34304716

SHA512
60e29804e147aa2d263bc148e55d7073488c15711069a09ea5177e450dd9266c3653f0c3f8aab29f09b1fb9f605a0fad8c1d013eb624daa1f54473e99a0bd46e

Download Submit
C:\Windows\SysWOW64\Phnpagdp.exe

Filesize
923KB

MD5
b8331e1bf19286929302e1ed32823b69

SHA1
0c51d262a879edadf3a7015f15d77cdd6bfac1b0

SHA256
862580617781810c8e77e462cc75bd5449d4d30e8b2a939d4eb802c885e78af8

SHA512
157dddf4da296a1eedcd8ca8a672f42d6e33d6b3acb9fe8f3c0db449149e16c49552e23d82194fdeac8d7f513a93bc68ae198c8796225bb534caa0994fafb85f

Download Submit
C:\Windows\SysWOW64\Pleofj32.exe

Filesize
923KB

MD5
3cd65fb299d6223f4b61450af4323ca1

SHA1
1405a206db96a3f978bd73afe16f918dd2c6f9db

SHA256
cbc9c89dd2875a2b4485f86c79c4f2377e3a41c99ad481ed9d3d32a408026c0b

SHA512
69d4dab36921750214b417a0be2546f4109b597b27b1d3d2ff3df613aadd366e8ef43a4e5b90fa47e0314da592a09eb4b0c45072377b21bc4ceab83f088236a5

Download Submit
C:\Windows\SysWOW64\Plgolf32.exe

Filesize
923KB

MD5
f88345b566f95c27aae1e8f28a59f516

SHA1
7d5bcfeaf537e494c57e475b9ca75f0c0ac88fdd

SHA256
e71761452b886acbdc07b523d9102db742e41521e358fa24ce2d9a966ac386ec

SHA512
3a799eac97d96603c173170ac67938a41e847f65dbbbe10fdaf6c1dfcea3c2ee2ce5f2704c3f31a472f59d55849f1bdb9594cf2cc2f95e7f265f7742f2b567f6

Download Submit
C:\Windows\SysWOW64\Pohhna32.exe

Filesize
923KB

MD5
428b52ec5e63e563e1b72f90cb9f6d63

SHA1
7bf7160d73e2d1c843cc7f44d035a3a7bb413213

SHA256
5ebb008fb250086b8c68e11aea33646ec65d9675e202f2e3075d0d1518c59b90

SHA512
4bdf8e364749d3d9a69feb4724e03bc289eb3a14f16a3dcec31694f12ec758d2b9f37bea784859137fe873e4d282e410303fb56c048e06e520d81b79e1dd45f5

Download Submit
C:\Windows\SysWOW64\Pplaki32.exe

Filesize
923KB

MD5
a5dbb36b4a66fe06666da934a811a727

SHA1
659fa3e5693d7e19f3c2e86302f5f75ad7d6311f

SHA256
129a19a9a511a201a9bcefed5b5bd9a6f93263d677e7017eb15deda94fcf97dd

SHA512
98fcd02d607072271c6deb9737f39fd0e9a154d03e95a96d83eb93ad75741296a25234d61679dda34f34e28d1390787d3bd59e1ee381fc9da5de175014150324

Download Submit
C:\Windows\SysWOW64\Qdlggg32.exe

Filesize
923KB

MD5
65c31b06c23165037afdfdab1c90dd1a

SHA1
6ef1cac63832a1ec20866b64442e96b3c87ada67

SHA256
e3c4fe69af218fa2e4da82c3037da6fffdfb605d4cee00c09e138ab6b324b1b5

SHA512
fda421f80efea6a5481ae5e10d9c8f11769f40f5d35e8a707815c92b718f9d14f2c520c8a13961303a1514ed3df313793c45f3e46ae9d23147feff1a4d3bd496

Download Submit
C:\Windows\SysWOW64\Qjklenpa.exe

Filesize
923KB

MD5
84350e6537a15c9f094696c4f2855e84

SHA1
f7324612880037d104c6ba24f7824ffc0b8e959c

SHA256
b233672de941f6b417de1d2cf4060457b69d758a6c4d504d809d5643946e0952

SHA512
9712a317b36e01cd8399f0772643a7d849c62a5532aad957d2f4d3654c8f5743fe9fd569435acb8f4fd629b75fc3d8726263e80c8fe31474a15f91411b65812e

Download Submit
C:\Windows\SysWOW64\Qndkpmkm.exe

Filesize
923KB

MD5
d24a3f1648cf8c9cb07c51b042450d6c

SHA1
d9c231c8a33abb7dfd3f1e444ea007a64c04a222

SHA256
fcd424fab24238b2d6a24b995efcb2ee90b07afc32a337aa3098785f1aa1d9a1

SHA512
3ff52549dda334e352f5019632fd9b5d7faedca26de675c421806efea77a9970999a2e0a48a33b2156587e7157d9b02336b9ee2825f0b9f6a343c69f99d66077

Download Submit
C:\Windows\SysWOW64\Qpbglhjq.exe

Filesize
923KB

MD5
02f2d455b11bc9a2ab4a864dc4407a9e

SHA1
daf1609002fd4ba3543a112e224ecc688d7d479d

SHA256
139ac41b3478fd34b0984513ef08bf1ff76b562f65e018f98ee14fd3458d9d29

SHA512
79f471d7cf6ed3d6a516a98415b9d97a11e9d3af0c313c838dfbc278efc056d0373620028794f3f1d43a0f4c825f2f346955da24b1969bb6335bacb5a320489e

Download Submit
\Windows\SysWOW64\Hjofdi32.exe

Filesize
923KB

MD5
39a2f19cc4efaf944a700ac4a9d69293

SHA1
87f3bf2077a3bb0dc05fea6923231c3df7edbccb

SHA256
eb1013111221ccb5da3a261606b82a5f6e52a8e256bc5cdf4fceeaa5176b5881

SHA512
a802b3c6454c69fa5451a30d72895e6a83b6d32f73185e9dc89333c56bfb218c76e44a30a2362710187e1f9cd810f26d76e789194214225ec9165e5241f22ca5

Download Submit
\Windows\SysWOW64\Hkiicmdh.exe

Filesize
923KB

MD5
23dc1271bcb42b8346b1555336d89e8b

SHA1
b9441355507ff937f2e7b77048950c4a7c56f9ac

SHA256
d4de0ebdd133b977e0beeb9355c8ef3082bb37a4fd5d6a19e990592dca1ee2b0

SHA512
17f0569d2fb933be44e867bc341ea92c7850d775c2c4c24432441ee7df760e0ea1c04932184aec97b1839deb0e19741b09c7eaf9e9b3a171508f30c8d1a93f6b

Download Submit
\Windows\SysWOW64\Hpnkbpdd.exe

Filesize
923KB

MD5
b601907c05149e175a1f11f6d5f3964a

SHA1
678b6c3cb2dc3f10529629654e8078662556d997

SHA256
78d83bde2f42cb50afd851af6680f07358cea836a972b14fede48cc4a5abee32

SHA512
861439badf3c94b7acea4ec08e686ddd61ecd16fa3218af265760d411b784f1f56281a0b3656132784c517526b0b62b4e63c3179223c51905968892bd374d31b

Download Submit
\Windows\SysWOW64\Iakgefqe.exe

Filesize
923KB

MD5
a45e938be0cd2857d7b1a0a7e5bffe37

SHA1
69979c5e8f1203c14e7a8031fb1e4c16c98e39a3

SHA256
db84a95b2b1b916701a839955fa7e19aa84c15cf0dfc2a289305aa21d96708c9

SHA512
f78b71aa3d26118c1c2ad71d14db00d5589f33738c5653740bbde1aac1850afc12e7b94fadf3a41aec617d81252b65b05592282df869cbeac1bee37286953df3

Download Submit
\Windows\SysWOW64\Ijehdl32.exe

Filesize
923KB

MD5
c06dfdf68c11ec8a8b5be9c414d467eb

SHA1
38037849715b3e02ebec8560240dd7d7de7e8b57

SHA256
1e9c89d4576622737e0f2123725044ee91b0dbe998003ecc68753f768c247968

SHA512
a72aa321b4285615134daee071fdc9d2439d151fcfbb476f8b99099f5d8ff7a8c264602453cb0bd47ab7c1c210b25ed54e8aa3bb84857796946fa1fffe2bdf16

Download Submit
\Windows\SysWOW64\Ijnbcmkk.exe

Filesize
923KB

MD5
61554efac485efa25c074d2677667f71

SHA1
8649659a6c48c62262b8011a0b61e46ff6f8ac65

SHA256
5f7143fb587b8e573b0895f93ed384ff3a2ff3e292146c12e836ce28c0ed7003

SHA512
8300821c9468e3cee8073153a648f3902533660e90fa4284db4b16f651a07917a84eb0920effd58294900baf92a0411aa836fe2f884e3caed87aadde0db54830

Download Submit
\Windows\SysWOW64\Jampjian.exe

Filesize
923KB

MD5
2ba2b593c1a9c5161d3d8efaf0c0a58b

SHA1
4149f88a94e915a9c4a8406c29a500dd44bab73e

SHA256
7ce1244bf45fc60e93648c2b32edafce36ac59321d99e0b29e01e0291d325e1b

SHA512
813a173c15a2e6ceccad9c277360c7460a9ceb3db2e413fca21ccd64539a0b0e5af648055fee42b07c204959bfb3892876f9b4fc707a8ac0fe884402b0b9bec1

Download Submit
\Windows\SysWOW64\Jfofol32.exe

Filesize
923KB

MD5
819d65ef0487fdc3a5c23bec3577c145

SHA1
e899497a3dd5137f2a2154ea3cf5b3f5a424dd19

SHA256
c559684ab612bbc9da133bfae2ba40e4c73e53c38de5248474bfc5b3aeba54fb

SHA512
81079dc2d2222eac0ad1a995d9df816f75b68333d2b4c07ba30a36e90ba7513210a85c0eee8a1fb59c36ca1d58974a7eabc94537a55106d899554e8950f0f93b

Download Submit
\Windows\SysWOW64\Jlnklcej.exe

Filesize
923KB

MD5
9d73e64cd4d4e14497dcbe618d07eec0

SHA1
1c297942596c89b40c345b85e4180bd0ba2bcfed

SHA256
1c29d47708801147f515dfe49c8afc9cbffdb0cba764f8f18aca44d7f8883e82

SHA512
d31c4c6d98fea50e2c12ee08da232f7ad3ee24124ed20543a84480a7976ce20a685070d219ef52d46f6958bca6c22888731acf94e6fd3c86204d61714daa645a

Download Submit
\Windows\SysWOW64\Kaompi32.exe

Filesize
923KB

MD5
cb71bb0c8de551262497e971b4c624a9

SHA1
d8be50a3be231b39971ce48b19b52341bdbf1db1

SHA256
168dda57aae7cb28f49e0a08ea03b9c795de2227997a8d29a45f9da3c6996c44

SHA512
22ce05c7970c72462b6db27a6bf8dc40c7db9ba0a0a9a7d21d8b9527c35ec13e21def1d7df9dde258a56dfe70951b4bd5cfefbfa156ed12d204b0b32079807c2

Download Submit
\Windows\SysWOW64\Knhjjj32.exe

Filesize
923KB

MD5
523dc7eecb5b8e36c8247807f6703ca2

SHA1
2958345a9ea8cb93fbd0740c97f30102ec7ff6a8

SHA256
1ab6f5a08508f91d4e70597da5001d30b665888a64f1bade4a077eb55d973e5b

SHA512
9215b59a2d284223ac1a97bef2af3833764da7b6adf9776d3f7ceb1254cffc76a5ec757298ba1d1fcdd380142f38c68cae00788ef7b522aadf3f2ea7e4d189e6

Download Submit
\Windows\SysWOW64\Lonpma32.exe

Filesize
923KB

MD5
644e6d1028ec24374d3030252604b260

SHA1
276df9ce6904adad20848f15a1a814248949b30b

SHA256
a262f44bb29a2bdfb265590f3e7f09de5b91a9114d33ac542d022282a024c594

SHA512
0d78bd87894f0b47d48f9be69a11c7a375c32175ea7de215a745a5f0fbd679ea8e0ada56c27b4a96899ce30e0c5af1adf717abd513bdaa21456ec49255ed9fbd

Download Submit
memory/272-416-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/272-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/284-226-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/284-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-316-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/888-317-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1120-1100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1196-216-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1196-217-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1196-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1196-498-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1200-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1200-171-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1200-177-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1200-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-286-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1332-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-282-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1356-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-1098-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-428-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1588-429-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1588-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-133-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1588-134-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1688-1122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-263-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1696-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-1089-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-468-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1856-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-450-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1860-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-143-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1940-1129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-447-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2020-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-357-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2032-35-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2032-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-328-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2064-327-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2108-1094-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-305-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2128-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-306-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2160-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-26-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2328-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-347-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2352-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-245-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2472-493-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2472-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-482-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2540-295-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2552-198-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2552-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-404-0x0000000001F60000-0x0000000001F94000-memory.dmp

Filesize
208KB

Download
memory/2656-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-49-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2696-369-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2712-370-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2712-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-400-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2772-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-90-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2772-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-62-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2836-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-393-0x0000000001F60000-0x0000000001F94000-memory.dmp

Filesize
208KB

Download
memory/2916-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-335-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2976-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-17-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2980-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-340-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2980-18-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/3056-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-115-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/3056-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads