berbew | 25b5241aa8301fc6a37ebfe74dfb79f80a12bee04f86891e33b318c04ebba6fb

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25b5241aa8301fc6a37ebfe74dfb79f80a12bee04f86891e33b318c04ebba6fbN.exe
Size

97KB
MD5

a77435eec9d8f5d9f1c82e5a1a1297b0
SHA1

c3270bd9acd40d790a90b19321df224d26252a87
SHA256

25b5241aa8301fc6a37ebfe74dfb79f80a12bee04f86891e33b318c04ebba6fb
SHA512

e036c282ff9bd0bf89098c2aa62ac4b10f2c89725ac04b1121021a1b5c72fb5cbe5a7d452ecdf21a4bd475bed37e26ec3b1c5801b8ba5e126c43b4abf2ba1cc3
SSDEEP

1536:AG3V9GnKOCJqwxJ8zw7nOscNLdXUwXfzwE57pvJXeYZQ:iKOCsII1NLJPzwm7pJXeKQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefioj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbjcolha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfqlnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodgkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbpnkama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodgkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icifbang.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbnjmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jianff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gofkje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfoiokfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfbploob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkdbpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fllpbldb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilghlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiidgeki.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1800	Eapedd32.exe
3968	Ekhjmiad.exe
3252	Fohoigfh.exe
2540	Febgea32.exe
520	Fllpbldb.exe
4616	Fojlngce.exe
3288	Ffddka32.exe
5064	Fkalchij.exe
2700	Fchddejl.exe
4328	Fhemmlhc.exe
3756	Fkciihgg.exe
3792	Ffimfqgm.exe
692	Flceckoj.exe
1152	Fbpnkama.exe
1400	Fhjfhl32.exe
1328	Gcojed32.exe
4764	Gfngap32.exe
4012	Ghlcnk32.exe
1904	Gofkje32.exe
3452	Gbdgfa32.exe
792	Gdcdbl32.exe
1036	Gkmlofol.exe
5092	Gfbploob.exe
3932	Gkoiefmj.exe
2140	Gfembo32.exe
3320	Gomakdcp.exe
2348	Gfgjgo32.exe
3456	Hkdbpe32.exe
4436	Hbnjmp32.exe
2116	Hmcojh32.exe
2968	Hbpgbo32.exe
2468	Hodgkc32.exe
4480	Heapdjlp.exe
1692	Hmhhehlb.exe
3296	Hcbpab32.exe
4448	Hfqlnm32.exe
5104	Hecmijim.exe
2080	Hbgmcnhf.exe
452	Iefioj32.exe
460	Icgjmapi.exe
3664	Ifefimom.exe
2224	Ikbnacmd.exe
1624	Icifbang.exe
5012	Imakkfdg.exe
2076	Ickchq32.exe
3528	Iemppiab.exe
3816	Ilghlc32.exe
1232	Icnpmp32.exe
2200	Iikhfg32.exe
5088	Jfoiokfb.exe
2976	Jpgmha32.exe
3680	Jbeidl32.exe
696	Jfaedkdp.exe
4008	Jlnnmb32.exe
2376	Jpijnqkp.exe
1240	Jbhfjljd.exe
2900	Jianff32.exe
1768	Jplfcpin.exe
5028	Jbjcolha.exe
1984	Jfhlejnh.exe
4212	Jcllonma.exe
1940	Kiidgeki.exe
400	Kepelfam.exe
3852	Kfoafi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hecmijim.exe	Hfqlnm32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Qghlmgij.dll	Gfbploob.exe
File created	C:\Windows\SysWOW64\Imakkfdg.exe	Icifbang.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Kfoafi32.exe
File opened for modification	C:\Windows\SysWOW64\Gcojed32.exe	Fhjfhl32.exe
File created	C:\Windows\SysWOW64\Hmhhehlb.exe	Heapdjlp.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Hfqlnm32.exe	Hcbpab32.exe
File opened for modification	C:\Windows\SysWOW64\Jbeidl32.exe	Jpgmha32.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Gfbploob.exe	Gkmlofol.exe
File created	C:\Windows\SysWOW64\Mgddhf32.exe	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Nodfmh32.dll	Mgddhf32.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Klqcioba.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Klqcioba.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Jfhlejnh.exe	Jbjcolha.exe
File created	C:\Windows\SysWOW64\Gdkkfn32.dll	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Gfembo32.exe	Gkoiefmj.exe
File created	C:\Windows\SysWOW64\Gjeieojj.dll	Lmgfda32.exe
File opened for modification	C:\Windows\SysWOW64\Mpoefk32.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Hkdbpe32.exe	Gfgjgo32.exe
File created	C:\Windows\SysWOW64\Ejckel32.dll	Jlnnmb32.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ihlnnp32.dll	Jfhlejnh.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Icgjmapi.exe	Iefioj32.exe
File created	C:\Windows\SysWOW64\Dhoholen.dll	Eapedd32.exe
File opened for modification	C:\Windows\SysWOW64\Fhjfhl32.exe	Fbpnkama.exe
File opened for modification	C:\Windows\SysWOW64\Hmcojh32.exe	Hbnjmp32.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pmidog32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7060	6876	WerFault.exe	269

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlnnmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffddka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkmlofol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gomakdcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmhhehlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilghlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekhjmiad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbpnkama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icgjmapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jianff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkciihgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hodgkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iemppiab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imakkfdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flceckoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eapedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpijnqkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaedkdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhlejnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcojed32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icnpmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Heapdjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbgmcnhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpmkplp.dll"	Jpijnqkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	25b5241aa8301fc6a37ebfe74dfb79f80a12bee04f86891e33b318c04ebba6fbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifefimom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiknll32.dll"	Febgea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfgjgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkdbpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnaabfm.dll"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghlcnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkmlofol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamhhedg.dll"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fohoigfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbdgfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 1800	2576	25b5241aa8301fc6a37ebfe74dfb79f80a12bee04f86891e33b318c04ebba6fbN.exe	85
PID 2576 wrote to memory of 1800	2576	25b5241aa8301fc6a37ebfe74dfb79f80a12bee04f86891e33b318c04ebba6fbN.exe	85
PID 2576 wrote to memory of 1800	2576	25b5241aa8301fc6a37ebfe74dfb79f80a12bee04f86891e33b318c04ebba6fbN.exe	85
PID 1800 wrote to memory of 3968	1800	Eapedd32.exe	86
PID 1800 wrote to memory of 3968	1800	Eapedd32.exe	86
PID 1800 wrote to memory of 3968	1800	Eapedd32.exe	86
PID 3968 wrote to memory of 3252	3968	Ekhjmiad.exe	87
PID 3968 wrote to memory of 3252	3968	Ekhjmiad.exe	87
PID 3968 wrote to memory of 3252	3968	Ekhjmiad.exe	87
PID 3252 wrote to memory of 2540	3252	Fohoigfh.exe	88
PID 3252 wrote to memory of 2540	3252	Fohoigfh.exe	88
PID 3252 wrote to memory of 2540	3252	Fohoigfh.exe	88
PID 2540 wrote to memory of 520	2540	Febgea32.exe	89
PID 2540 wrote to memory of 520	2540	Febgea32.exe	89
PID 2540 wrote to memory of 520	2540	Febgea32.exe	89
PID 520 wrote to memory of 4616	520	Fllpbldb.exe	90
PID 520 wrote to memory of 4616	520	Fllpbldb.exe	90
PID 520 wrote to memory of 4616	520	Fllpbldb.exe	90
PID 4616 wrote to memory of 3288	4616	Fojlngce.exe	91
PID 4616 wrote to memory of 3288	4616	Fojlngce.exe	91
PID 4616 wrote to memory of 3288	4616	Fojlngce.exe	91
PID 3288 wrote to memory of 5064	3288	Ffddka32.exe	92
PID 3288 wrote to memory of 5064	3288	Ffddka32.exe	92
PID 3288 wrote to memory of 5064	3288	Ffddka32.exe	92
PID 5064 wrote to memory of 2700	5064	Fkalchij.exe	93
PID 5064 wrote to memory of 2700	5064	Fkalchij.exe	93
PID 5064 wrote to memory of 2700	5064	Fkalchij.exe	93
PID 2700 wrote to memory of 4328	2700	Fchddejl.exe	94
PID 2700 wrote to memory of 4328	2700	Fchddejl.exe	94
PID 2700 wrote to memory of 4328	2700	Fchddejl.exe	94
PID 4328 wrote to memory of 3756	4328	Fhemmlhc.exe	95
PID 4328 wrote to memory of 3756	4328	Fhemmlhc.exe	95
PID 4328 wrote to memory of 3756	4328	Fhemmlhc.exe	95
PID 3756 wrote to memory of 3792	3756	Fkciihgg.exe	96
PID 3756 wrote to memory of 3792	3756	Fkciihgg.exe	96
PID 3756 wrote to memory of 3792	3756	Fkciihgg.exe	96
PID 3792 wrote to memory of 692	3792	Ffimfqgm.exe	97
PID 3792 wrote to memory of 692	3792	Ffimfqgm.exe	97
PID 3792 wrote to memory of 692	3792	Ffimfqgm.exe	97
PID 692 wrote to memory of 1152	692	Flceckoj.exe	98
PID 692 wrote to memory of 1152	692	Flceckoj.exe	98
PID 692 wrote to memory of 1152	692	Flceckoj.exe	98
PID 1152 wrote to memory of 1400	1152	Fbpnkama.exe	99
PID 1152 wrote to memory of 1400	1152	Fbpnkama.exe	99
PID 1152 wrote to memory of 1400	1152	Fbpnkama.exe	99
PID 1400 wrote to memory of 1328	1400	Fhjfhl32.exe	100
PID 1400 wrote to memory of 1328	1400	Fhjfhl32.exe	100
PID 1400 wrote to memory of 1328	1400	Fhjfhl32.exe	100
PID 1328 wrote to memory of 4764	1328	Gcojed32.exe	101
PID 1328 wrote to memory of 4764	1328	Gcojed32.exe	101
PID 1328 wrote to memory of 4764	1328	Gcojed32.exe	101
PID 4764 wrote to memory of 4012	4764	Gfngap32.exe	102
PID 4764 wrote to memory of 4012	4764	Gfngap32.exe	102
PID 4764 wrote to memory of 4012	4764	Gfngap32.exe	102
PID 4012 wrote to memory of 1904	4012	Ghlcnk32.exe	103
PID 4012 wrote to memory of 1904	4012	Ghlcnk32.exe	103
PID 4012 wrote to memory of 1904	4012	Ghlcnk32.exe	103
PID 1904 wrote to memory of 3452	1904	Gofkje32.exe	104
PID 1904 wrote to memory of 3452	1904	Gofkje32.exe	104
PID 1904 wrote to memory of 3452	1904	Gofkje32.exe	104
PID 3452 wrote to memory of 792	3452	Gbdgfa32.exe	105
PID 3452 wrote to memory of 792	3452	Gbdgfa32.exe	105
PID 3452 wrote to memory of 792	3452	Gbdgfa32.exe	105
PID 792 wrote to memory of 1036	792	Gdcdbl32.exe	106

C:\Users\Admin\AppData\Local\Temp\25b5241aa8301fc6a37ebfe74dfb79f80a12bee04f86891e33b318c04ebba6fbN.exe
"C:\Users\Admin\AppData\Local\Temp\25b5241aa8301fc6a37ebfe74dfb79f80a12bee04f86891e33b318c04ebba6fbN.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\SysWOW64\Eapedd32.exe
  C:\Windows\system32\Eapedd32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\Ekhjmiad.exe
    C:\Windows\system32\Ekhjmiad.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\SysWOW64\Fohoigfh.exe
      C:\Windows\system32\Fohoigfh.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        26⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        31⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        32⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        38⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:460
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        43⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        46⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        57⤵
        Executes dropped EXE
        
        PID:1240
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        62⤵
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3852
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        69⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4028
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        73⤵
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        74⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        77⤵
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        81⤵
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1396
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        87⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        88⤵
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3020
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        90⤵
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        92⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        99⤵
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        101⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        103⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        107⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        108⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        109⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        113⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        121⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        122⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        125⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        126⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        128⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        129⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        130⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        134⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        137⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        139⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        140⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        142⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        148⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        155⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        156⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        157⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        158⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        159⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        160⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        161⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        162⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        165⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6164
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        169⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        170⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        171⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6384
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        173⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        174⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        176⤵
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6604
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        178⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6648
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        179⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6696
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        180⤵
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6784
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        182⤵
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 404
        184⤵
        Program crash
        
        PID:7060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6876 -ip 6876
1⤵
PID:6940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
97KB

MD5
586625f826512c2dc714f70d044eee39

SHA1
bf67011e41aea29a0297f4d0295996e05bad412e

SHA256
42d3c023562280357eb0dfa35e8165bf9282057c029a16901bc822b097b6d924

SHA512
b9b2e25ba8a5693b80dff97199a7e491ef9864705b618745afa62435fb1f0dff941c5cbf5afa2122200cb5bf70eda5cf342aa666c293b68f539d34f48f6cb9d4

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
97KB

MD5
a696cc60ccfa5f72ded982754b1cef18

SHA1
f3e537bdc47dd25de7c34f8701cd09e73120fd70

SHA256
47425068f74f17e4017303b19b505a34fdbfbff1f53d09ad7e55d5aa2c4c78dd

SHA512
b00fb4f1a224294503b88574ddb4ab26db37d19c99c8d3a318c0c3a3a44b555f47f440bbb9fce597564e05d64e23c03df3e8fd4109afff844b1e769f81d349a3

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
97KB

MD5
7f8097b1c08e1f84948d449a08defd12

SHA1
04c8bf3e13239fefad5df6c6f4e7a8bc79c246c7

SHA256
e0e66eb1a48e4ff1d39995ecf35d5e0d6108b795b444e82cfbc7d90070150b08

SHA512
16552102a28e4264961ac13431dd4c975254c1e4d563c1d6f42a346d67e89d91888194100d294c6f018bb9b69ea1a99bcd2213beabb21e7d3a6c1db4fd5423b8

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
97KB

MD5
b07ee581782ca9b25ad4a8851ee98c53

SHA1
43c4a8f2d1ae45da51faabfd670958b4253b90e7

SHA256
9236b674c2e48d8200ebf0aaf2d437d172e694f0151e4a7398030646fabfc8a4

SHA512
48b43ac177b463d59cf983653d3013bb69c790ffed10e397192760ca7bd65dc0e2f628b7738bf88bd14d7e18d3f1eb785aa49bb93442972d80b4d80d1dc56c4f

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
97KB

MD5
db14b5d755024aa3366e231211112acf

SHA1
cddc87024477ffab2f99395f69e5cb34b6f5fbb7

SHA256
da285d2d20ee5551456d402038c42020bf6aefea2039956d8bdb957dc74774a7

SHA512
3b58ae00e04533be96695af0d01521025f613af1cebf04e4a6ba0adb343f38cddcedafb5ca471412e208374307493d23a2553d3aa61e5c601b7d6e7cf761ce38

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
97KB

MD5
baf21b73d471b4b916ea69a29ae51f4c

SHA1
2b6dac2f5ba57548f07cac442099ba3fc009b9d0

SHA256
81299d66324762818d554cae411c5246cca25427d83f6ea52082d662bcd1111c

SHA512
8afed7e6b2615a332623f2aafa23e648f99511e4f54b2d678a21698183bbaf1e5e03e49d01997bbf18885888f0cf5189682266ecaeda963d5a31582a4d1935c3

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
97KB

MD5
1d5f3f148a9a5373b0cafbb0cb67eca9

SHA1
fa6d49d99dab408ec01abb7c870d64f5f7a7687c

SHA256
ab64e18513b283770c704c183c87867584307df6cce60f13bf3796f130b15a8e

SHA512
73596587391dfdfa438e41dd1f5cafc07ed2cdcdc04a90f21aa9718c1fe7a40c34a4dd5ed91b496d767b17ab4799289ef74007557f59aa3196ee6eec9bdee902

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
97KB

MD5
2ca33b8577c8fbf2e8ee462dbfcb11a7

SHA1
bd815edaf1442ffcfee0c39b9c634435e20b1199

SHA256
8471bda95819f8cd5117ea23bccb713a37299d341fd51ec105b99c0ab68c05f1

SHA512
6044ce6776c5589bd9ca37c12f6d05697b74e3de38dfebc88750063a2f3d976a5cf61e0f86c3e71d8345395d5b8fdfa662b935d208f859304e7247cde72d5871

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
97KB

MD5
0ab44f2b83ed8eb16d0a9b3596f87ebf

SHA1
90d75d8f2c56f7c9fed2d41a8497939ab05c8fab

SHA256
6f24585340f6b8290a8dc8965ce6bc6501df72b2eb65661ceced04991603af9c

SHA512
c4ee0f4de11b59eeeba7ede86e6e17e642e4fb43f2efdfec68f0d12272c3c8bd69516ba01d85d415e8f8b7fffcae1edd835c3953f0fb569ab3d1d778ebb2246e

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
97KB

MD5
34a56c70840b90de79392ee5b6d3c311

SHA1
900344df4ea8dca276666cdf89184d9387402ee7

SHA256
a3489d05f481ac8b4bc66fdf46737baaa0647de3380fd94e6195ccfeb927996c

SHA512
804629479c91f12418a44ab8d01f4c6a487ee4656b3022b90c3909b58ee46d9b8e971df21aa7ca8660aee50dbfa8f4d2f8e4874ed01f96bd60a9bf454e3d718e

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
97KB

MD5
ad3d3b4b6acd7851aa0b860142344453

SHA1
6125be411b8ddc3592e3aa8dc0ee4b79d06ee2e2

SHA256
f69cddc27320bfd20eb5a3a4ebf5882b4325a04bb904d875c3846ba2ce9982e4

SHA512
410ac360c7fb1fef61414170c2a7488a34fcaf746758d0521e453d69006e7832ed2ce3feaf1a1748a71081940fd9a4864c6c9e4c0db931ccde31d128b907879c

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
97KB

MD5
fc387abe0bc93e28044bdd9d48062341

SHA1
ead0421197a234565e41c0dc63759953ea4d7bec

SHA256
d6123c9d9393ad599d0360f6c8f1865bc7512ddbe93cc86c891fd73653caf063

SHA512
1ee9dc5f9cd494bba7cd204472042f4aad4b0213042345edd04be64a8ed210f7e6fdbafe7ec7cbf2f0ac3ebecf7eeeb02aa0c59b98657f61e6b3d905b893fe72

Download Submit
C:\Windows\SysWOW64\Eapedd32.exe

Filesize
97KB

MD5
7aa8e68718ef217b2ef467de88854b74

SHA1
dfed9eadd686f21178ab380c178b538c21d90862

SHA256
d599f47def1b49ae5038d9c85f5a367e62a487c9913d877a64431aafb824d8f3

SHA512
8c11fa5c77aca534035453dcc1cca7959000487cfd64b46ee94fe1c21b116fa1c09404747d98e97e8cd1cb014f360569f1aa2386e2ebb7bd7ff6c21dd705ec34

Download Submit
C:\Windows\SysWOW64\Ekhjmiad.exe

Filesize
97KB

MD5
546482f1fb6f2e1fd838e1e6f8409873

SHA1
3edc091a06231f812aa00050640ac3c670723873

SHA256
bade35ae0c36df188dadd3fdc17a1fc97dee229d822b80b5d11a32a3e4ca8abd

SHA512
8b25863268117888f7f3fa17f2afd28035827ce280fa7e0a426a509830f384b4b6dfd97fcffffed790cc14e0c9721729ce3d1d2cf8048c4571c2c6d193b00529

Download Submit
C:\Windows\SysWOW64\Fbpnkama.exe

Filesize
97KB

MD5
bf9d1dfc1cffbb4da42c288f4107cfc2

SHA1
ae87c3b0e5ee69ee8e9b826abce209ff16019126

SHA256
e8dd9abe8df0249ba0ffce8a64468478e4087ecd5875ae18dc71e45d6a5464d3

SHA512
3f7763909f9669104e5cb2bf7281a4df8f85dcd708c1aa5617bde56e5dae39ae9d826b88b6cd78d35d453ae26d8f5148ff99ff9a33d35dbba9378a55c2833b47

Download Submit
C:\Windows\SysWOW64\Fchddejl.exe

Filesize
97KB

MD5
1358d0ee74b3443a9e24ae13b05cb474

SHA1
54fdbff24cd456cf0450548f149743b8347016f3

SHA256
326ea5a6d3879bfd934cf55d18d24f5020cce26793d45b102120d161882671fe

SHA512
416939945bd304153e5f99a0dd693b49e2bd753efe79c2501cf910d6977ef56f57bdfaf77334245e43bcb9ee4ca0add4b9672d0bbf6192ef49157072e3c46a17

Download Submit
C:\Windows\SysWOW64\Febgea32.exe

Filesize
97KB

MD5
8ebad6a366ee8b2bdaa648c3d9d359a1

SHA1
fad4c838193abb653f17979db9e5ee7312802734

SHA256
7a2aae964f5393eaa1b2f5801b8082c77c4e71ed7da3964fcfefc22bc8ef4a60

SHA512
0bbb771010b82aeb85c4e02f9db40d60a828a26280f3f0ae33d8d60173154a31208cdf3322b0eb6d7cac08bb8104f345b64daa74e540ac0232e868eba8151022

Download Submit
C:\Windows\SysWOW64\Ffddka32.exe

Filesize
97KB

MD5
e19e19687eb11319af83a869b882954f

SHA1
d022ecb1f7cccee9c960e3cb5a254e542c44195c

SHA256
71188146dff12fbfd5d282236425249f04e1dbd2cb0e20956f165f06922c0857

SHA512
b6b9be38e8d6d86e7805863727d25a1bf85241999e83f1622f985913339ab679239a9f6014e4128a9f67ebdf1525c6902812074d72ac21e7b35a4430ac19b7a0

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
97KB

MD5
0617173659c07e1a1f0cb27e9988961a

SHA1
9d11ea373e515fff398b4effd71b565bc8e5e936

SHA256
ff76e71cdb3e9cffe102b6800f88de56135553d75b6bbbe1e60d761299cddbe7

SHA512
897e80b22656d31e5304632dc18a58f977dd1d36fd9bef09e1b8d58aff00b288e02c7963184c0fb97da9f8dc785d8601d781d8d31cefac4fef0858423749bdef

Download Submit
C:\Windows\SysWOW64\Fhemmlhc.exe

Filesize
97KB

MD5
02c65191e7a849cb4d378c593422b93a

SHA1
acd71d6fabbaab3d6bb19589fc24bee62119d20d

SHA256
5424f6d4ef10fba0fc1adf6898bdabf2de7c49d7c9cdcc667e7d66def6cee9b7

SHA512
20c6119034f8aa10e0ea2b8adbc44891bdad735e30cbaa70831e6b431a7cd2c0f076b3534f4d39548edf1440fc6ad93591bd60971d6095428a7725e8d9858960

Download Submit
C:\Windows\SysWOW64\Fhjfhl32.exe

Filesize
97KB

MD5
64d7ac3ba2c38f9808a63ba3f562252b

SHA1
1be776777a18cee82fe7e0caecfa32e3165646dd

SHA256
58ac8fde431956d10a71a0089cbec3c9a52d3a43f605b9f3184f9b21be75ecdc

SHA512
86d9989c4cadfe7273c9e347ab7cc46419cc358d8fbe5d6c76fa466bc5d6ba0d5a9949f0fcf4970c32ea347443d838df419502cc64b0bd672d000cf6bea922ea

Download Submit
C:\Windows\SysWOW64\Fkalchij.exe

Filesize
97KB

MD5
79e3af0b1b74675c3109f84571a2af93

SHA1
3ec418c04d6c3259eac28ab1ea794da8098f7bf5

SHA256
91d6892ca61825f8979dfda37fef5ea4012ddcee03d473f57905a9a882fe325c

SHA512
706613844bedabe0754ddac0eaa29b16442870fc30bb4eba962a30a17216183fd15c0859b13a6e7c87f112965407baaa11644a1558c996e8abb7f2f3378435dc

Download Submit
C:\Windows\SysWOW64\Fkciihgg.exe

Filesize
97KB

MD5
4b5cf01d2a9d2d2251d2106b8563e43e

SHA1
4742f210005af57639f4d84226ecd677d7f74540

SHA256
4b32dff6b161106bd169801c5ef101b184ddbf77ae0b5ea5d6c84118dd196113

SHA512
ea7bde186cd54ad19abba4f37c8cfeadb796e1838ed6ca9f44881e5f2f0a6bb52873c6f64445ed85436472d454277b68f120d5fbf67a7d4b57c3f5a7e603e392

Download Submit
C:\Windows\SysWOW64\Flceckoj.exe

Filesize
97KB

MD5
08561e14244825f0dfbc48429d0677bd

SHA1
db9c0f0742dc9b93ebf3b3f7868df2f1d9887428

SHA256
b0f22eb29e32be8e1ec458f203f2364d816aa2ff90493677cb4899eb970f6e33

SHA512
7ba15d8e0ee44520d3fec41c5892cb3c7d1fbcaa2799748723e6f26a230e362b0ac9bb23b515269ddafed55e81d096c8ae05b9b235d458abc4238d4ad61e92cd

Download Submit
C:\Windows\SysWOW64\Fllpbldb.exe

Filesize
97KB

MD5
f389175e709f4df5468aecbacbf6337a

SHA1
0dfa8940fa82493990f84df720a24f255f69c946

SHA256
da2838ae9c3a12fdc3193e09675aa030564f349749fc1064eb2c140bcf1fd8bc

SHA512
85e2e908eb10657be1edb6803ac4b0535fd6be4d2d2fac9ec4bcf7545044c64a0d411416eb8f15af0520ceb51b6ad37b96bc1e0f0e6eb369d8ee83bc662050c1

Download Submit
C:\Windows\SysWOW64\Fohoigfh.exe

Filesize
97KB

MD5
170c8cb063dd940824a65c9ea04b0f02

SHA1
0b6b2c30d4d7837566bf9211a08b4b60f94c84f7

SHA256
d21798f703a36cc2a045f2631482a196dff89826f7e9274c6a7085817eb1a896

SHA512
943fbf8ad1cfd901d43f05444bea1655ce1bb5e93aae09d610ed53620fc8dec3d31646beaaddac08ba19fa75f22596c5ce3ccedb90d01b9a4d332d885834b3e0

Download Submit
C:\Windows\SysWOW64\Fojlngce.exe

Filesize
97KB

MD5
9af92fe415e2130f29d4b6e3fd1c54e0

SHA1
baaba44357358017a7af164a58a5250f25589282

SHA256
41040bc864ca30f815afb055277fd9f8b9c05c4c36caf6baec4564220928ed88

SHA512
2e8eef3072360715ed5f0395b6f260e5db9127edb3b04b4a6dc9bd3109e400daeb71d88dbf07dc51f88ab2c4dafb85dc45d40710e0869bd20935f9f8f361bc23

Download Submit
C:\Windows\SysWOW64\Gbdgfa32.exe

Filesize
97KB

MD5
dca9d93db470f220fbb9bda34a62307b

SHA1
f92618fb8c5e15a47288b5bbfff88bc24604b328

SHA256
31a7da71f2447c8ba716565cbebf1262aea56dca2e9de04f483dac3124ef5b2c

SHA512
4d655445746f1dee40262d11a7fb42c28224fcb2b6c02617ec148030d27068f183a1e3b450ba0d2bfe031e317078129eb4549686ab07fa0bbb02bd49189215c2

Download Submit
C:\Windows\SysWOW64\Gcojed32.exe

Filesize
97KB

MD5
819b338123bf2014ca43376408b87708

SHA1
73adc3a54b2c7777653415678e58fd2731554324

SHA256
1053516e557cfa05a84d28851270855c95e986a6efe4fe884f3b29064fa071dd

SHA512
80cdf9f781a0c14aeddd3855aadcc75eecdd876b42cc4ccd1d16d0b443067f84e9fb9136031f47bc633bedcbea51b5f428b18a94d3f681d930f1af1882c8d5d3

Download Submit
C:\Windows\SysWOW64\Gdcdbl32.exe

Filesize
97KB

MD5
7df55eb7511fbb97377affa673a605fa

SHA1
8a7f29094cfe6c17cc3faf63935948f9788f3306

SHA256
bfdcef93e4e2b41819716496b1047af9f890e1f761366940049e664cb26ed628

SHA512
0ab607750cce869a13cbc144ae864aba0e9fc338b34145d5c9e33076ecc2af0e421315a3dcab195859fbfa70ffbfa45b9192c7749d6b57829f790a71a578d3c8

Download Submit
C:\Windows\SysWOW64\Gfbploob.exe

Filesize
97KB

MD5
ca28f189f423949b7e9bfee137b49250

SHA1
a1dd345d17cba7712d5e102445761003ff9eb028

SHA256
87965b849ec8a1e6d3c2f57ece4d78a87d34214c31509af2e8f53cdcf164ff80

SHA512
46f61c5cfdba45ad330c39ee82747fe468cff4a7c6caad285b58dd6276cd3dfd282fc3436a727c7fc2bedfaf5a2c0a32c6bb0e6bffb32464ee875ec409a897cc

Download Submit
C:\Windows\SysWOW64\Gfembo32.exe

Filesize
97KB

MD5
8a29c5ba3334f1379862a86ad1dd43e6

SHA1
82d536390182574085fd6bc875a031b8f2df069e

SHA256
e0758869adb3e881b97cac1a3d02b4ba14fb85d38a18711f877b2a645c072056

SHA512
70d859b5319401f212358b49873aca9fd210bc95052a66e2dfaeb4116a0c0d3d288b965ad2e73d488199bc404f576c45b5be2f9e2cfb3d500cb1376cffb56284

Download Submit
C:\Windows\SysWOW64\Gfgjgo32.exe

Filesize
97KB

MD5
a22a8bfaa00c4c1072307b54f3c191ff

SHA1
3ae1a5122040377efdb393d968f663217f6c8564

SHA256
5cdfbfb00798d7589dbadabe9357b5b05ccb8ce838fc7bd43fcc8f09ead0195a

SHA512
4b18ae8dd4bd1d3e505544d572cb41dc031eb51c8524868005e1fd032c6f63acf0fef23c758aa346ebfda1e23984db841625e555b66f2e610628541fd71b1f60

Download Submit
C:\Windows\SysWOW64\Gfngap32.exe

Filesize
97KB

MD5
a0306f379c087dec35da9e0b78e76a01

SHA1
e43e68ed59eabaced8c3f6c1bd23e5ec1d9404ee

SHA256
d6d6560fa475bc8b72718732c7d47c46af40c6c064f987ce0db4b2c86a729cfd

SHA512
e97834193c95373c040c1f53891a94c1724df4c3a7003f9875a679a7f8976e43415e3e5a45b85cfb55981e49c2a87d5537b48df2ef5034ebdf0443894aa84807

Download Submit
C:\Windows\SysWOW64\Ghlcnk32.exe

Filesize
97KB

MD5
37d2fe336eed22577cc47d5a1ee4983e

SHA1
e81947482c66b6bc76a252e472414f3c746135c0

SHA256
5f2b39f5f9517d0e529ff00cc2f29fc7907c1566343c0d3491f50bf4f3f3d1c6

SHA512
f2cbd1e323310f1c7a90ec83f11b2e1e6ac029d9c68278c911701f0ffc427ae2b20cc95f5aa9705354acb8ef39e31c0bc54d95b4376ca2296af1b333f204e7d1

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
97KB

MD5
ea82e5de763f72c8cd46bf0c57028218

SHA1
cdd4fe5c759230335d19823392b3dfdd63106524

SHA256
ef2489ea7de8359ed01e189fb912da4ad01e978aa4681c0690b0d76cf767e399

SHA512
5514f32a23ce99c1a7023aa807597dfb23acd862a52bb30a68498b96966566134251034b20d8e6cbf78d7165a43cf5057e073eb56284c64b2abd0ea3233a8d05

Download Submit
C:\Windows\SysWOW64\Gkoiefmj.exe

Filesize
97KB

MD5
4722211f0e461d34224890dd8e732033

SHA1
886219bc1d2fc3ce4afb07e8e5ed65d47e52d84a

SHA256
59605476c613fcebfa0d473f1b96e22a572edb1f14e8555054decae171a2753c

SHA512
8051291925cefa2fcc9c296804349149b0c930b375b86d57714a363666516b3176b44864ff952d6b65512da4d161c5a76f36d1777120e6ad5294b2b3e27bc8b0

Download Submit
C:\Windows\SysWOW64\Gofkje32.exe

Filesize
97KB

MD5
84cf2457961eb58ac3e4f56415fe00e9

SHA1
a3ff82bf6b34e3cda3d88f1f2c4599fceb4ef9d7

SHA256
0fb02db6b1bd4356297b3dbec9dace478a06001c62b2a7ddc0a37ac2cca38d60

SHA512
4c81b103b894f98914f4a037fedaa74ab807c247ce801d5f61cbd5930d5b0d7b5d9788c6a691079f759cf0385bf36d34bb1c1c13ec3c02d6a3ce702e277df7d1

Download Submit
C:\Windows\SysWOW64\Gomakdcp.exe

Filesize
97KB

MD5
8818eb915161a9cdb033d0fe470c063a

SHA1
5d7f11163806df4d0cbc4e463c89cee4c2c5b796

SHA256
52817a431f7e11ed4392737852c30c71e6cf61dbe4e5520f0d8d9075fa066887

SHA512
94c2ff8f7113019ee9f6bafb412b0c1f9192bb73cfca39ff3b8372a3461f7cb89c447a2187edcf8ab79e44a1ecdfdcce8094f184c77420e42bcfe043f31f4185

Download Submit
C:\Windows\SysWOW64\Hbnjmp32.exe

Filesize
97KB

MD5
6fded45a3b2a20b82010845836bc37f6

SHA1
63d9a0aa139c5df6ac4d887f2c27170434fc529f

SHA256
791108496ad98e255ddcc8589ce761338d73fb2386989c3c072aacc56c2978f9

SHA512
6229591ba577bed5811721c813878498b17c4fb1e868132a8175943a4d560189e39306ff071769dd313031a1bf447ab09233d41032c46307429541365c1d9c70

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
97KB

MD5
a1392cee97359a7354659a9bacf3eea1

SHA1
3d2ded37d706d32dc96ba218fa9542305a511b7d

SHA256
2d369c9e2c008b620c49e62236c15382d4aa7bbb2a16773c75b763c8e3da932a

SHA512
184c8ef74607c545eec9234caff6fcd7fe2c476fd3fc134ae49c02f9a4e234a23035e6cd411a83937aee70f09a5e450544d5e9c2aa3bd5fae683a8eda8ef68a5

Download Submit
C:\Windows\SysWOW64\Hecmijim.exe

Filesize
97KB

MD5
4dd98696dea267f45aec6d31d3bb1ca6

SHA1
96ed11978a64a355c19c269aee9c54f7a05a0a48

SHA256
04d9ac3268f8393e0bc38c90c5d1fe846c46e365236d9d5c3f080bbc6079195e

SHA512
653f0dc4a35ebf513876929ff69aae520b275147de7a50e8c9b7e5795040f5a414567037bf321f557e4027252ab9830a37eaa2264893c38605b3c5ddeb90cb25

Download Submit
C:\Windows\SysWOW64\Hkdbpe32.exe

Filesize
97KB

MD5
6bb483f8bfc00e770b361c6ae753500b

SHA1
80d050e60708fe4498071dbdb9635ffe47aae0ae

SHA256
242624a8ef9db3cb73d2844fe623acb7b46dbb9edb3f84d4b1aa1bd981562651

SHA512
a3ca83751aa83849e3c367b0d730a16467e92e0f5e314920b2a1fec042671051360a090b23d63f3175b0638602dd32b5f23288c5be84f737517b9024dc59474a

Download Submit
C:\Windows\SysWOW64\Hmcojh32.exe

Filesize
97KB

MD5
829bda62171a8d889413d25a698db516

SHA1
8dbf27911f569d1bca79ea2cb224cbb8aae29513

SHA256
192235f10a1567512fbb95a3a0a7f5e794ad5d4a3173f04b6da2b9a28ed6c07e

SHA512
f46a0f3a5860805638cbedf17449ceb59f47779980c46e2e404f47c90385a44197ed12f06c05f02df82f66cd277d3a6f6378f3e40cd47811224bc0c0be52bb75

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
97KB

MD5
49bcde8b446193cd16bf4ae26389733a

SHA1
02733670188222a611a7917a7ef24807b36adb2c

SHA256
22e65b7a433b38d604b34afcde23dc694262a0cc96fab7753305004f4cefa045

SHA512
4c829b2548aea9e35961f3772f35fda8c6e10b62c8a2194ba427506055480322ed419fbf4cf439a72db602bac6c0a8c80c73c978fab9a83a1365aed750a5e543

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
97KB

MD5
8497c61e13deb8ebeb520a64be6c1cb5

SHA1
93aaa64f28e0756a5f68d910154dfa77853fa28e

SHA256
48933e871d084e15a15242367542fc08b5ce94475d74c7957f9888e3b1986ef5

SHA512
067c27d79b34b3cb09afd1ae5c3743b4be172196e6a3fa73b8d1c5c993fc0ae0de1c5a7b797e602f3cd230f52b3b847b9b71a92fb8ba25870a05ad79eb187e7c

Download Submit
C:\Windows\SysWOW64\Ifefimom.exe

Filesize
97KB

MD5
0468e21ece1b9f4835561615ac8993da

SHA1
fa8c2a01521d1a4491825dab18f8ca2d939065be

SHA256
e7d38b748e0352bb852386e20c9fd3965ef79c76c2c6f51ce6b0aff242e40827

SHA512
bc0f0c1bad6a66a91dea70f15b2c072cc5252f9180aa86190a0cf981e55a908a90fc1d1db51a0bc7de02fc6ee024cf5ad19d7bf6aecbe257811458fcbef33432

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe

Filesize
97KB

MD5
00062abfb262c813147916614d83eec1

SHA1
9141ff52f27c3d02d5d16fe44220a21705213394

SHA256
e96ebbab275170aea2ecccb014e7131826e1d7716759305d523595b55cba665f

SHA512
8fbd90753dfe591ccb739eb2921a9478a2abfc845c1dc87c41fdb479b97e09781355410765725758dc82df91116e9fb44002857b1669514e41ae682a3929518c

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
97KB

MD5
d78e829a0dd4deef6d974262910e565b

SHA1
22432784773a5a571acc12e3f436bcf4834ab2c5

SHA256
407a5938eeacf709d01310b0b3f3b62d98b0b18ca1ce0cf1cd6aa123e4f35167

SHA512
ed9852e65c88329f3f996a946c879d9f443aade79d6263da08c4810d5953ff885424290e0e133c156720a890cf5090b1c03c97035c252967976674437d5ff4f6

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
97KB

MD5
800dc7565a5bf7fe9c088f8bdaaaa4a7

SHA1
711d54fe9db60b6b6ea10c4e1dab2c0613016dd3

SHA256
2f89707c5b35fa2436008ca3887a346add16dd9475770ee23e5e0ee5acf0a248

SHA512
2f711ce1330dc3712a65b405a0c3bd00f3d1eae607233e24773f26afc35f4f44adbbdb7424a7a0d7d401a0f6026354eadb3fc38d7e69a2e7218f50ee299d8650

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
97KB

MD5
60c0d2f1f1df5b3e87d4467bb6079a5d

SHA1
550fcd65e9a8598982fd855b1ae6422e8aaac1ac

SHA256
9ff2189a39925ca8a611c3f1dced2129d97f443cf6940a209461564e51f08fed

SHA512
9c826d6ea1e9ebde319fa7ab08f4c7b7d468da1f5f1751860ecbaa3e4eb49a81dc40cfeeff3e78e24bc59a5d17904bdadf39b54b492d51a4e015ff1427bc01ae

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
97KB

MD5
9a7b3a794b185111d0c931211b2c529a

SHA1
87df963122e86f8225ada808983dc7966ff9ded6

SHA256
3affcbb46fbbf2689ba16ea4a52b4c0e71088f96a8e82a134b3e0b230165106b

SHA512
788360f79f19da2d8b92ce3eb07825254ef8470a7780cfad7f906ee0430f6ca6cca0c9cdf1ff6900ca5d8ab9d58ef37e58e40d52ab2b01e54977ef77409bd025

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
97KB

MD5
abe27bde27a7156c41c66f826787e8f0

SHA1
1efad8f476c00056f266477a34d4a452da315209

SHA256
b5473eed7def47d09bf7031764bdca6e443fa45395b9265ef8f35d7851318827

SHA512
3884b2f8fdc2b375fe48b12cb92a3dc076c227ce8b45531c76b306b75b43e74105d769dec8f1123998d36b95a519938692374a3f5346790d23636058ddf0c830

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
97KB

MD5
fa5d69a9238e7434451bb85e7f3a65e2

SHA1
125ba0aa62d4b09096d5b24c1fd5293bbe122b32

SHA256
b031e9bcfc3b0ab5b0604f37781b300a4eff2ad9c43af23f74f1cae2c1bea7d1

SHA512
247f9f0dcfdc52c9a46b031cb686a07f24ed8ebd5a9a42de1095268c5d64bf7b4cecf27ad99142e8e4c1e0df834f3df534b78a7e767a638754365de9a77ffeda

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
97KB

MD5
f3d3437d5bb1eb4d5b1239b6df368af1

SHA1
4223f9eafa236d96661b2189b7e304718c88c073

SHA256
98b30991950e0120bac6f24c32fab0cd2d6fc4f656ee4616e618224859ab6d9d

SHA512
3008a881a4fceaf495032fdf77379a63a6aad961bf065300fd5ecbd1468f925fe772e08a668d3c634f243c5ac6015693450bb8c6ceb27720af1befd2af925b1c

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
97KB

MD5
100ac4dc502a4b2e304b940bf3423ae9

SHA1
8aba4da17384e86c83a37ca47493ba7e8c0b2df7

SHA256
3acfd748cdd97c22b44d3d6c4c5f1bfb015721cc7f419b97ab92ff2de62d4eee

SHA512
a6a0ad3a79a854d5d27fb325293826b96b176878c617136737cb649954c306d2119c2949508e13ee9478f10677d28289a5d4a83c4bd25683ec6a04e1625be69f

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
97KB

MD5
4b7d3f030fb2351c076758ce5f75df1d

SHA1
2373f07cebd96f25a894fd54b8c6c2e9bdd7d881

SHA256
d4618d15c6465f79efdd74ea7b9afc5c1d423b3807e54e0e9fba2c1529ba4aaf

SHA512
3e6bae82086aea2892d48f6701c0203fc35e843031e502c70c162239e33ba03e623f4077873192cb72a852187c9d0da97325b39a637119ba162d2d9cb74c711b

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
97KB

MD5
48d86fd95c4933af0dcb13da44ae4797

SHA1
73b13800440513db27c452a75be27e47887e0e4f

SHA256
04e56f73be70e95fbaaf978d9f8bbc6aa9150e92e2966370c9e1d9cc3cc8bae0

SHA512
52e320d34867a4d99b9a6f3a7a053c2f41bfdda89106398feee3d991f252b4d7355ed635eed1c92a99c0b4eefb8265ec6fd2e502cfb849299e6de370f2627bf6

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
97KB

MD5
2abc2b78075f0084ec1654cd34c76f58

SHA1
b02341e6f2873109142ca11e97d868368b35bafa

SHA256
4567831e0ba3ca1d33787e1064a9e28f18b4a01731599f4fc742d89df3d4f426

SHA512
e71da439c02ff15703577bc51b8d901f76795d9cd481cc122d71bdbc85afa1d1334c024c3290283a4c41feb92d44969f18257d53de22a97575c2884c44262343

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
97KB

MD5
b5b444e2ed241f1f9aaffeaa9219d7e3

SHA1
c6485bc0e2face9ff62eb21fb91ad8162fa3b22b

SHA256
f8b746d1e3526edb92943ac176891e3caed57df8dd95a2c389b4c968c4a142cc

SHA512
aa7f0f5c505946a910a259f1b981677dce0d091c99e7e2d0c099c4bb7a99431d9ee88f05a897404b8bb43bdbfe075a98abfdce8bfd91d01d7a7fbcfe213e5723

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
97KB

MD5
14eed01349814f23cccf784ab4d38454

SHA1
58e31e03f33bf5d24e9561685257624a7e0b88c1

SHA256
2b8f5b257d88aa438282811eaad03a2cc2d7129dd6670e46130bcd9b92ef2156

SHA512
a2eafb2bda0328b7e72deccc173812b822495dfbcbb1b40f7fae55e8c0d2a520da82f9ac98032546ac574c3bbffb592f6e92d45a5e027c08cc7b503eff835741

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
97KB

MD5
887dddf96226d700e7e5e2e9383a6df7

SHA1
632ef7c4931205f7f3e9e716ffb0736214e654f0

SHA256
41682f369b464bd9e64e8fe03073fb9f79d2ae3c15b83cfbd687f8d3d4bf9960

SHA512
a3fe156038544887c975d1c93f0c0a61404fc9396ddb38ac47d0eec35291f2b74a9f959cfeeefcba01218a38b84e5e3509c3e628ef7b41dd9c9fe96f38e17493

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
97KB

MD5
20d596f815813db649eb7475f6d51390

SHA1
d2e42ddb24f5921d5659aafd7f2e8a24a843da0c

SHA256
3e17d87d30419ed7d0c395f4150abd940cd3939558198c9cbe78b6232fbec01e

SHA512
36a4a040d40d69bb83003c41dbc06cb8a675a8549a76e31f92961139c6e94720fbb4e07749ef3af03c31aec614296fd1feef3d723ff22274a682768d42ae2fb6

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
97KB

MD5
b70f7740d15f887dd6a8689f93730533

SHA1
e6e28bf5d55656e375289cdeeb17c9f5bb260021

SHA256
4bd7c1b1b32d7798d96e0d46f7389c55451d6cd95b25d2597e165e53745cb9a0

SHA512
79762cae7d6002d40a2b0f1c6b583f445bb0834fb3a03c8c4f0480d8c4a633a91ae17eda0095f6b955a4ed00c54ca96dd44bc10e1d6024e675c1e9ae00fbb08a

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
97KB

MD5
8305ec5611a6083c6bc978514154945b

SHA1
91abdb5cc891e2f648fa42a91e7f5b3a2eeabc40

SHA256
116a25db5bed708d5ece751aa0f8c35f63938ac164dc9ec0b12d210fe212e3c7

SHA512
02d2a40c475b49f42a0242e03e31225dd7ec563513921622b5a11ebf4e25f30f834c631a1c4a230095258c656448c8b0eb49319415708315883df3766034ad19

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
97KB

MD5
7f976e2494e833aa2aaa9b15403d101b

SHA1
2f3aaafc6ad3e65aa59d3094c57f8b4e9b4170d5

SHA256
78f6228be964289248f03977506d6f0568dc01e0047c415a27513e0372089bb8

SHA512
da1a3c85058498f7ebf642f6844ec59906017253b877dc343761cbdc0f8b36d6f0a8c40c0bfb66a7c55006cf2e301952f83326c3eae0711d75b930eafff18be4

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
97KB

MD5
ea068e21027274a9190b7b7350e33da1

SHA1
6a4d6e51fadbb1a8322702eb880551c918cd8916

SHA256
4edb3edce9b6a957bb241dd811546dcdc522a9b64f735916e9b72f9f1ba2b635

SHA512
aa474e428da3f7bdbc5645df9c2997c96579c3e8221f04f581fb8b821e2b24d7e8ff073174f4812f2540077c3f1010265c05d035c78b97fbc77ab131f48acbb3

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
97KB

MD5
5adfe975258122225692bb3b744a4ea2

SHA1
ecdc6a681fb7b5b583bd404b5b2a96333d2c487c

SHA256
44c6536c2423f8f0009a3e70f95a7c56218f1583671e6b338f6373456299d20a

SHA512
3ff98d6173332812b26befc58be03274952acf6e2d359d97a065bfa1f8ff688317131caf5f05e59637c693d41cf4138f573b96c22dd5a1d783b0e78312d23746

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
97KB

MD5
1de88f9bcefb541e25848a89a6364d06

SHA1
68c20de22dd79c5fb79c6910de3f796c7deab75b

SHA256
0749888c5f00067f778f0283247ae5ec4b56c53528ad2bb027c8ea1f6ed8fc01

SHA512
6473f94ca6e6a79726da2695dbe96fe609d7e36da47f347d1f14400e99aa924baf7b9b9515e32ad90e737a2390d08864abf2f51bf39d0b80114aca3bee0d8626

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
97KB

MD5
1da7d486132e8569d7f2ba56fc40dc59

SHA1
8a230b132191665bf0d3a969e09dfb810d3cda95

SHA256
af33f3b45496c4479065248249846f36ab6bc117636073a6631760aebda08a88

SHA512
b63cd315870ed8b89536a9723957bad3dbb21f414b258cae88a9fd3c7699d3134c3d0d4c078d9aa6eedb4760cfe751a30dd495faaab98507d718c1792f9fdd2c

Download Submit
memory/400-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/460-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/520-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/520-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/692-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/792-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/848-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1232-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1240-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1324-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1396-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1400-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1444-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2080-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3252-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3252-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3296-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3452-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3456-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3476-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3504-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3640-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3664-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3680-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3708-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3712-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3756-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3792-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3852-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3904-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3932-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4008-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4012-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4064-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4180-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4436-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4448-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4480-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4576-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4616-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4616-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4644-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4764-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4824-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4892-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5092-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5104-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5976-1315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads