berbew | cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
Size

88KB
MD5

45e26589456fe161cef273dea363921d
SHA1

655a4761aa0de283322fb34dad00448fefe330fd
SHA256

cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a
SHA512

d87780fa60afa63124e0a2d9fc92003d9144b0f3d45718239feb04522100d604e75d9748ba18f1bad9531567ab476dde8aa76fb281103c790ffa22f745ecaf38
SSDEEP

1536:DLNGJMx1xmboaFG5VvGyr/Z+hCg8MJPdXnouy8T:DxG2mFk5lGyr/YCg8MNd3outT

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2444	Lfhdlh32.exe
2156	Lmbmibhb.exe
3980	Lpqiemge.exe
2372	Lfkaag32.exe
956	Liimncmf.exe
1696	Lpcfkm32.exe
3588	Lbabgh32.exe
2112	Lepncd32.exe
3784	Lljfpnjg.exe
2100	Ldanqkki.exe
2600	Lgokmgjm.exe
4088	Lmiciaaj.exe
2700	Lphoelqn.exe
4784	Mgagbf32.exe
5036	Mpjlklok.exe
4512	Mibpda32.exe
3328	Mgfqmfde.exe
2208	Mlcifmbl.exe
3276	Mdjagjco.exe
4592	Melnob32.exe
2192	Mlefklpj.exe
3264	Mpablkhc.exe
1608	Mgkjhe32.exe
832	Mlhbal32.exe
4992	Ncbknfed.exe
2572	Nepgjaeg.exe
1392	Nngokoej.exe
404	Ndaggimg.exe
1652	Ncdgcf32.exe
5060	Nebdoa32.exe
2492	Nnjlpo32.exe
924	Nphhmj32.exe
1076	Ncfdie32.exe
3644	Neeqea32.exe
4232	Nnlhfn32.exe
4144	Npjebj32.exe
1220	Ncianepl.exe
4308	Ngdmod32.exe
4256	Nlaegk32.exe
2092	Nggjdc32.exe
3648	Nnqbanmo.exe
3848	Oponmilc.exe
2748	Ogifjcdp.exe
2888	Oncofm32.exe
3700	Odmgcgbi.exe
1060	Ofnckp32.exe
4208	Olhlhjpd.exe
400	Odocigqg.exe
4764	Ofqpqo32.exe
4352	Onhhamgg.exe
836	Oqfdnhfk.exe
1904	Ocdqjceo.exe
4524	Ofcmfodb.exe
532	Onjegled.exe
2008	Oddmdf32.exe
2912	Ogbipa32.exe
4492	Ojaelm32.exe
4348	Pmoahijl.exe
432	Pdfjifjo.exe
5056	Pgefeajb.exe
1156	Pnonbk32.exe
624	Pqmjog32.exe
2116	Pggbkagp.exe
528	Pnakhkol.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Lpqiemge.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Lgokmgjm.exe	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ljodkeij.dll	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Kmmfbg32.dll	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Lfhdlh32.exe	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Lepncd32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ogifjcdp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5908	5380	WerFault.exe	248

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lepncd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pggbkagp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 2444	4052	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe	83
PID 4052 wrote to memory of 2444	4052	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe	83
PID 4052 wrote to memory of 2444	4052	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe	83
PID 2444 wrote to memory of 2156	2444	Lfhdlh32.exe	84
PID 2444 wrote to memory of 2156	2444	Lfhdlh32.exe	84
PID 2444 wrote to memory of 2156	2444	Lfhdlh32.exe	84
PID 2156 wrote to memory of 3980	2156	Lmbmibhb.exe	85
PID 2156 wrote to memory of 3980	2156	Lmbmibhb.exe	85
PID 2156 wrote to memory of 3980	2156	Lmbmibhb.exe	85
PID 3980 wrote to memory of 2372	3980	Lpqiemge.exe	86
PID 3980 wrote to memory of 2372	3980	Lpqiemge.exe	86
PID 3980 wrote to memory of 2372	3980	Lpqiemge.exe	86
PID 2372 wrote to memory of 956	2372	Lfkaag32.exe	87
PID 2372 wrote to memory of 956	2372	Lfkaag32.exe	87
PID 2372 wrote to memory of 956	2372	Lfkaag32.exe	87
PID 956 wrote to memory of 1696	956	Liimncmf.exe	88
PID 956 wrote to memory of 1696	956	Liimncmf.exe	88
PID 956 wrote to memory of 1696	956	Liimncmf.exe	88
PID 1696 wrote to memory of 3588	1696	Lpcfkm32.exe	89
PID 1696 wrote to memory of 3588	1696	Lpcfkm32.exe	89
PID 1696 wrote to memory of 3588	1696	Lpcfkm32.exe	89
PID 3588 wrote to memory of 2112	3588	Lbabgh32.exe	90
PID 3588 wrote to memory of 2112	3588	Lbabgh32.exe	90
PID 3588 wrote to memory of 2112	3588	Lbabgh32.exe	90
PID 2112 wrote to memory of 3784	2112	Lepncd32.exe	91
PID 2112 wrote to memory of 3784	2112	Lepncd32.exe	91
PID 2112 wrote to memory of 3784	2112	Lepncd32.exe	91
PID 3784 wrote to memory of 2100	3784	Lljfpnjg.exe	92
PID 3784 wrote to memory of 2100	3784	Lljfpnjg.exe	92
PID 3784 wrote to memory of 2100	3784	Lljfpnjg.exe	92
PID 2100 wrote to memory of 2600	2100	Ldanqkki.exe	93
PID 2100 wrote to memory of 2600	2100	Ldanqkki.exe	93
PID 2100 wrote to memory of 2600	2100	Ldanqkki.exe	93
PID 2600 wrote to memory of 4088	2600	Lgokmgjm.exe	94
PID 2600 wrote to memory of 4088	2600	Lgokmgjm.exe	94
PID 2600 wrote to memory of 4088	2600	Lgokmgjm.exe	94
PID 4088 wrote to memory of 2700	4088	Lmiciaaj.exe	95
PID 4088 wrote to memory of 2700	4088	Lmiciaaj.exe	95
PID 4088 wrote to memory of 2700	4088	Lmiciaaj.exe	95
PID 2700 wrote to memory of 4784	2700	Lphoelqn.exe	96
PID 2700 wrote to memory of 4784	2700	Lphoelqn.exe	96
PID 2700 wrote to memory of 4784	2700	Lphoelqn.exe	96
PID 4784 wrote to memory of 5036	4784	Mgagbf32.exe	97
PID 4784 wrote to memory of 5036	4784	Mgagbf32.exe	97
PID 4784 wrote to memory of 5036	4784	Mgagbf32.exe	97
PID 5036 wrote to memory of 4512	5036	Mpjlklok.exe	98
PID 5036 wrote to memory of 4512	5036	Mpjlklok.exe	98
PID 5036 wrote to memory of 4512	5036	Mpjlklok.exe	98
PID 4512 wrote to memory of 3328	4512	Mibpda32.exe	99
PID 4512 wrote to memory of 3328	4512	Mibpda32.exe	99
PID 4512 wrote to memory of 3328	4512	Mibpda32.exe	99
PID 3328 wrote to memory of 2208	3328	Mgfqmfde.exe	100
PID 3328 wrote to memory of 2208	3328	Mgfqmfde.exe	100
PID 3328 wrote to memory of 2208	3328	Mgfqmfde.exe	100
PID 2208 wrote to memory of 3276	2208	Mlcifmbl.exe	101
PID 2208 wrote to memory of 3276	2208	Mlcifmbl.exe	101
PID 2208 wrote to memory of 3276	2208	Mlcifmbl.exe	101
PID 3276 wrote to memory of 4592	3276	Mdjagjco.exe	102
PID 3276 wrote to memory of 4592	3276	Mdjagjco.exe	102
PID 3276 wrote to memory of 4592	3276	Mdjagjco.exe	102
PID 4592 wrote to memory of 2192	4592	Melnob32.exe	103
PID 4592 wrote to memory of 2192	4592	Melnob32.exe	103
PID 4592 wrote to memory of 2192	4592	Melnob32.exe	103
PID 2192 wrote to memory of 3264	2192	Mlefklpj.exe	104

C:\Users\Admin\AppData\Local\Temp\cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
"C:\Users\Admin\AppData\Local\Temp\cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\Lfhdlh32.exe
  C:\Windows\system32\Lfhdlh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\Lmbmibhb.exe
    C:\Windows\system32\Lmbmibhb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\Lpqiemge.exe
      C:\Windows\system32\Lpqiemge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2372
      - C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        36⤵
        Executes dropped EXE
        
        PID:4232
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        42⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        46⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        50⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        54⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        55⤵
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        66⤵
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4720
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        68⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        70⤵
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1716
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        72⤵
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4724
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        78⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3232
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        82⤵
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        83⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4948
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        88⤵
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        90⤵
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3448
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        99⤵
        
        PID:112
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        102⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        103⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4920
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        111⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        112⤵
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        113⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        118⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        120⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        121⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        122⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        124⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        130⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        132⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        135⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        143⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        147⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        148⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        151⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        153⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        154⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        155⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        156⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        157⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        158⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        159⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        160⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        162⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        163⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        164⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5952
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 408
        168⤵
        Program crash
        
        PID:5908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5380 -ip 5380
1⤵
PID:5728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
88KB

MD5
35a3bede2e8aae167a269397764c7947

SHA1
c1045907e06a6d17f4652c15a3d638a8e33cdec6

SHA256
7b604de6a51ce4ebb3ee414c3753c2c5623163ddf100061658092b12281c96de

SHA512
7cb11ad8afbcb8ead0ec5cf452bfe3478b8f6d58c211899b6b99178ce38d7fff7314599e8a15e6b2487b5f700119d0d7d5b8f05c2d8f707e0888febfd21c9119

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
88KB

MD5
7cdaa41726ad0406177c699ec2516c6f

SHA1
82c9af188d51285a02044b7c2e09478a3d5484b9

SHA256
2659ef2359bd57e692e9249171267a4246be702b58247ef7eb7f5073fd7eba18

SHA512
3dcde1a310098b4c0587cd640d6e5ece5a13a08ce2749b7a56ba2858dc10c551b1f2005a3db9a2888f9e4d4dff5cbd416e458b187fd9e15b5ab13f7a06d667db

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
88KB

MD5
492fa5ec9b1be2eb48bea60c224c20d3

SHA1
0e68de0b07d61c17c15739a24ceee0f5e2cbc17f

SHA256
315c645e50d1ac6ac9cf11940cd846990583dc36be64a371773a98631f9521c0

SHA512
2835f54c0afde6e1d3d4cb0f778093d0f8583aaf9717a12c255f52e7bf2457503f8faf2eb29b4146e015bd0a09c0b37e0dc901571eb46023223b9f370d19c34b

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
88KB

MD5
2886a671de6714ddd43e54b54b891035

SHA1
d0558ae264c4e1666408e0766084ce7b5fdeb80c

SHA256
f34386bebba899242c8b489dcf2768e79dd0b7b576313195db661f77ef2cd23f

SHA512
7786df086ca0da42a5bb20bbc670b4711f923710c215c869721b1281435cd873ceacba61f40a497d4a505adf83ac87a14dc52da09792146912346262f478599c

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
88KB

MD5
a25c6ea72fb2972be0f9ef5a5827e056

SHA1
839eb50727f08794bcfb11faeb0943a74f2d8057

SHA256
0548ff904101561f240e3f81fb25156f09d006ab49d83d71d71c28f056840fae

SHA512
a8ab96d41db09022a9a97fe456428f882cfa17fac46e8e6608eeec732062c3fe5b681f904348b272ef44466d16efd35f3ff6c1c8a70f6e879b4112467176aedd

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
88KB

MD5
674e9c14e3a9abeb6a5fbc95111c01f6

SHA1
56afb0d527d04bef0d80de82548d0e7baac5e4f4

SHA256
36a2f5d4ea2b2bf7396d2899a43aec8dd4ce5077422c26b944b5b593d8f21521

SHA512
2366e55cc840eb22ef257b38c1a7ab6d515830667c86293c19f95571da56c3293b5cfa164c45121ff2c062a0e570f32e1ae30b4c210de1af5752ae3f88311c3a

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
88KB

MD5
61537fb90bb0ffcf40dfc6b9e0ee3817

SHA1
22c4244bbdbd44595319470bdc7262385581fdad

SHA256
0bd579f42c6c9c03c14844c2623844ec3e9c2aa0e61853bb26b39f43cf42679e

SHA512
6c0b8afd3fe96814b44af5c7067953400c926e6daa36ef65fc083b963fa6c694387dbd871a698ad890ba74166d0bbf57fe046ca04e85633990354b44d05a76e0

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
88KB

MD5
abd84bb9f9a6c81cd56c6aa0969d2f91

SHA1
0ef59c239a74f0e9f9f757ce0caba058e90d0160

SHA256
6455e18b547da87df01ce91ce513aa6e239b038e37bb04367e18e7ec5f7137f0

SHA512
cf4604df167ebacc6ad0c77d6a418ba2212b8780975403cd7bb70d90f3bb0a2298ee539bb24b0f3313c81ad5e987b495e11d5ec52861de25bf523c8e0566f93e

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
88KB

MD5
ad1c51e209c8531f4b3a99426a4aa816

SHA1
a568ccbe3a16435ebc39b19e8796d63c9b7243c2

SHA256
5b7466cc101ef881143abf4a49091b4b8fda5f1287423922cf1044069fd3df70

SHA512
ac10420a5019029d29bcda2165ed6dfa20ccbefd62cbbf9b3c88dd49d4ad598b9c01fe9275cf298dc0cc6aab4238bf6f33b90934d83868b4fc1c451fd66c2242

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
88KB

MD5
1b5ec5c0811ff6d39ac2d263d0c59a56

SHA1
cc19e62a0c0a4417746a059953204542efb91f27

SHA256
c5bcd760b55fb6061d3a5d5313a3b650daebad2d301c91653e3aaaeb355d768c

SHA512
9a88940270b3e78955c35c0e455ad8d421afbc9fbed4a59cb14fb3c9acd4f7b814bf61d1bd437dd6fac06a5c466863749578c74df4c44f31bdbb1634114e9526

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
88KB

MD5
e242e915c315061cc4da4c60643dbfef

SHA1
fe2bf268c903a65183d7c21d8a8c6fad98ac08c6

SHA256
55debc33c2a7ed7de52e557ffa00721a8295e2688556ff1f086d2b22759c9954

SHA512
132fd041e9a192480883eaf54a65f5ded911760b15e0f5987a6a1ba0a348e0df4c9a4283607f16df294882a38a5570cdc6b36c30f23afb7cf8334115d9088897

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
88KB

MD5
003fa54ee1b885266bdee59cf96d2fcf

SHA1
6026dc78949d289ce46a5ca2f9678373785c60b9

SHA256
51997a978675a45bbb3cdd0911593880c30c5e90a667e8b277edc039d166c70a

SHA512
66e147c63c0860e4f65191fd8b8b7aaec9b142a721c18d037ce78f39a60115aa23d25cfce6f93f6746ccece5d7c84629468edf7e36ea922d3dc750bef1d71bad

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
88KB

MD5
6473656da23c741efd1579cf6eb9df5d

SHA1
c0ab4e07e91ebc006a021f58d8d838278a472f42

SHA256
74e6686164ce87b50910926326bc465e4e61ac4e4b49ff3429851dd771832217

SHA512
bf7093584a1073352c3e99397afc2955114fa0b3bb0eb5ca7ac270e5d260d49559092ea5f35484b454acb273ecf5b703b006abad38d6630c006cb29887f76bdb

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
88KB

MD5
4a18db5ac9e6947b7937bc4458b32540

SHA1
5c369bee13f1d6821584a888b1be5fadcd8ff5c1

SHA256
a82064c3f87bdaeb54f6f88ced37fbc8d36213b1438330ec882dd61bdc5ce56c

SHA512
32c29cd56f504b3b00179f91f33445118091da803d094d452938df793b92d150c55e67e94500249893d6226225b77ea1c9839fdd5b1dd8eba24771daeab0ed8c

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
88KB

MD5
dd8bbeb0cd0b8e0eeb4df9340202efd2

SHA1
0d06604c5b471ec54f8c8ab3e79b4ea162e292a4

SHA256
daa59e6c0251b0dccecf776b80ad214e16466de01fb700dc944dc8670157d271

SHA512
1cbb7fe2344d5d0e69a9f02bb005c4c3936f91ec28c16f39aa2072ef860b91df4cad9eea0cdb83272e22d89ef3eb6e0a042d83a9d2b8170c0072aaf527bb888c

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
88KB

MD5
a89584a8b9e8a2acadcc123dea16405f

SHA1
dbc66f234243b6ead1739c5498fafbb8b74883de

SHA256
387abfc03b750a4b1864e79736deb8ad29db09d227f5894409df16962de6fa66

SHA512
a63d9a9413ca6ecdc7bbc4b3981a1995312989a8edee39c527e4cfe9f87285578abceb1ccb1d3acd6ca20d4e7ed4d0a19dfff368bbdb21d3c45e77c7ba9a7d78

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
88KB

MD5
f23db1c38362710082ff24918c4b787f

SHA1
a9cb5679ce8701d5d71db09d78422259bb20943a

SHA256
6c3fcd8823a26e52323163d28c7ed4447c4a3003e79794c6f3ff205629804fda

SHA512
5eb77c4a8dc2d4ed5714ace543c1680f606b35cd4d161f80a451e75634abd6b89d6a7902f7e68ebf58ecf2843c952449bc979f7d178c3779cfaf226815ed0987

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
88KB

MD5
1b18805e220f88ca87d797e9ccf625e1

SHA1
ff54a9a9db9ef63599ee61fce9fc64ec826e2e38

SHA256
63cbcf7aff95e65aa276d5bde311f8ae4b417a36afc8d3991aa906344e95784f

SHA512
9dd7ef0a92a35a21a93aa61727a49720414e934ea01eb55affe3998378f482e6e1f3e1c06a768904f493bf568c000eb45d0dcf626e97054f5cfa1aa2ba20ebd1

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
88KB

MD5
1c01927a5640c84e3e5f0f4dc84a6762

SHA1
c258b933f5cfaeec13274135510f66d4ed374e59

SHA256
865b7a66bede99376bf89bea30bf44cce30f24a9007609705e01b9cc04b4ca2c

SHA512
3be14a45fb1a1222f77372a1bfb3571b2c23d683fa62d2bda7f56e6ed9b6dbe91edd25853219961d50881be75aa9a3e139891cb68f342a34d99630fa7b0755b7

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
88KB

MD5
d6bfc6877d3fe75602e78e3c30cd199a

SHA1
b5bd92370a20dcfe42db915b7fda0f1923b0b93a

SHA256
3dfeb82115a47874afef4adc949fb88974bf01646de608f57d7a628d20fa7910

SHA512
ef2c21d05399ad06312a39fd19da648a81045c2357a54bca0a6eb3eb45f4a40b8a35bb0679c0cf9276f777aae746d745f7f06d07c99fdd76f76863df96761b0b

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
88KB

MD5
7fb10b2d0ee0cc4066432b5f99e54d4b

SHA1
ca78a65dcc3c536ef84448ee0aaa39738379a744

SHA256
972df92338a1f2d0ebd124d5c78955259a2277fc1a5fa11d493f5d7cc4ef854d

SHA512
4fc7a437075ebaa82c3cee5de1a1a98ada2b431f0d451699d3df4246e1e546082caa9d088b50bcbf6025e7c25f4281f85c9c6dafbd9a080e8ac13afcc0a8cc38

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
88KB

MD5
47b663a8355e31575528acb6596b029d

SHA1
b0e7277f5f4581cfd6f94faa7b33d69101bae143

SHA256
d2c75d9dbf6b3be1de8a7c6fa06680973a01fb152182ac61d3884b81a5efc8f4

SHA512
4567219564b9e44cce4f69be8fae13ceeeca42faa24ddfe9832158dcb87b6c1a6f737e8e18b547576a1981bdb3a4efe7478f2d86672e9512e4ecf6df0c49adfe

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
88KB

MD5
998bca7c2419cb1f6f672986baa6bf51

SHA1
2d02d6a975991599988f47710d65730f4dcf4b7b

SHA256
ce7f8da292ce8c2f27efa4aebda10b5045094e8263f27636f17f75c05593cf28

SHA512
d6e6fc930627da84d30e038f8d4a6275c4e019db30309c037ddbe8b3d2da9e1a9ff10a4953c1af44fb726c095c0eb10fe3bc146913c96e9a4e05f78749701ebf

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
88KB

MD5
313a97aae0cf092eadb9c5ead8e48e60

SHA1
6c31c591b7f071425decb0c7aff5cf77e54af120

SHA256
9f255b7b1e741f47989b7b74e712b711d0451e88f268548121634c0801f87b84

SHA512
1ee8ae0e66499a5c193e20537acf6cf68ae52d759e4872d2cc47a025affdb14e91f7cf8aafe8c0bf2df8a70c2035a62497b09a1deb03cc7e36d219867c9a6f47

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
88KB

MD5
667e935a0ec4015496a5c95534ae792f

SHA1
93c24705ff0e256026b10c949bcef89f37d770a9

SHA256
a271a37a2d72f6dc0ae869621eee1dab7c4a4a74962f349aa0d7d3b99cd3c9ea

SHA512
a204f05a354f9c6f10a6e44d244262b9c52d1acd688f92e5f0c60a3354262e0fc79d85d3d3b4c6ed86dee02022539daf90ddbb11f04be34c77bfe70949fc3251

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
88KB

MD5
fdfea89ef52b054e854e03e26adcdb56

SHA1
a36b047f64dc0d2033e8b9b8b9ad7fcf0f88ef64

SHA256
af24084b768d706e6ded282582314f3ffcad2c1b22ad574448049858ce177c07

SHA512
4a1146601110840613e78b174542762c3dfb7b8454eb82c537e8c8614dd5c51bc29dfef04cf7d567c49f80a323185a7cede412b2a0764c46c1d431e18db32b6e

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
88KB

MD5
7da27ac0dc242d11fad3ec6354b3aeac

SHA1
5d347779b2f53e82e26ff6e2f00a5380b72a95a0

SHA256
21c193637b4d189430e6bb77fe1e7b44327f29354477de85d143999b57a95262

SHA512
5a889f0a60669fd70d159e25d8c9bde08e40a36e81bc610ee53613bcd9ea1f1003a678473bd2a686e0f93d8a1f43a42d5a43eee0492e4435009e9e7ca3b06d54

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
88KB

MD5
279aeabd32cdcbd66dd0b22a15cd1671

SHA1
d477dd1344342c89b9de40900162a08963a48f33

SHA256
39767ac32bbf336b5b0781ff528dacb0c7e300904316d83e23a059b4b021ba61

SHA512
c821f7eb2c823418e34a354a491ec9e571d49c55363c469c5d14898fcc2a8d4ce8af55c19635e616803812f24c5b467198d5fbf49ed22d069199458397f374df

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
88KB

MD5
5acd25a20e6288a4d12b43624fb40f45

SHA1
00e1c50226e322a1176ca1b21f44049228349418

SHA256
1c9b6ec50bd16ccce56730a589b6b04482f3545fab48206b038936b093ed7f67

SHA512
3a5bbb0538e7eb03edf2b005c0affb0e34c10e2baffca1f13d700f7acdcee57f38c15f1a9fc033c83e6bbbeadb5e64b13aa8ed483f09d436ea187eddd6b774db

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
88KB

MD5
b62370aec93bd4ad4ea06cd5ad881217

SHA1
a63ad57c93a87ceed5b8ce3faf5a6cded03c1856

SHA256
2c4e8e8b0039881e1697ead43216928cd90fa72362e26ff35d76db074dcff3fd

SHA512
33fbcbaa87024f23b470011f8347e95efe7c19586b2517a5e33e957887befaa065514c72a77cb45887d6ee4ac6a155dfa0bd6370506c9d6d60cb4e12000aec0b

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
88KB

MD5
1f7260356f2d349091b7c816b3ff56a6

SHA1
7a36c92b409f1d2474ae0d9557a4288f230d5194

SHA256
5ebd946940ce98644cb1414ffa3a2f674c398ebe4963d8c750bc511a5f602830

SHA512
c48eca807951c8248ea01461fcec7a9d747521971a1cbad309675fd779ff3f53cd230c1b936474552953bae13a61ce612d0f3b23bcd327200f744b6563123693

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
88KB

MD5
f0342cc1de39fbb14e4a102fb2c8c103

SHA1
f3924262a876d8cf3461dee3f78f1ef27262a2ce

SHA256
f2986bd22fbef1a2862cf810c5ae7fc04f13adcf97b743b99f3fab091978eb30

SHA512
e6a013cc066a2194c1e91ee86507ec8c4ac7cf7517bc48f329961c569fa61babdb9b71b3cd9000f49f0a94b1af0b3af1940d80112c66609d4bc5cf67bb2da2e7

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
88KB

MD5
c659c8a4b241371be079c4e96d894d5b

SHA1
091d3a321b0bca30e22e9387f827dd55dfd1a25b

SHA256
dede7d5980ff7063ef9560998ee76b9b0b6cdfe64f976f61863f9e1ef75de43d

SHA512
74302b908469188d8924ba80a31786cc1cedb3cbeb205f1553cd66fa7cf9a0a180f1a82e4e49b243ef239969945a0da1f799c47ce07516a685837918034b741d

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
88KB

MD5
f231306e3387eea5298b8def44d589fb

SHA1
a2af82f5066aae3ac5c05865774b584c98a25792

SHA256
643896f25028ec6b5cda3369c8298e2d62528d9bef90710daf1b66e046b2246f

SHA512
a53e9a5e4696ba727af70162210002e5ca0012c92580d371b857b858b6388ae089a8982005a6c7f11f1c173702abaefd8a2ab010a35fda321f4c6384a14b6de9

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
88KB

MD5
f4c8a8129417b67210959b9e4778c18e

SHA1
6b12e1f4b9df8b905f80f17715ca0fabe51034e4

SHA256
4f71abd34771505115778f2464f1127c8d6788eddef755efc1669d3d1723ca69

SHA512
d1a016852b1b79417a50be060b7c525c093f38e46fa72d6d3660c37476fc203c86d153fd11f9285c2794041e1f5cf690111a3b1333d8a165cb14789c9c99bd68

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
88KB

MD5
3bc178abded7ed8431a660e1b60420ae

SHA1
b7f136cf265a0be8b57b4c8b6b6ff9ca6328b80d

SHA256
509f4ca59587133929470e49422b28685602da2864e0eb47e2e2c489a2521621

SHA512
43ffda8f7165b80fceee27c19e8e904dd5a467ae9f3b14b06c6699a747080b027b3d555ec302ded7998c8fb6a913c6022a0e9bb5fa30e3d50ff138f3f4f76359

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
88KB

MD5
1c921be94c941352438091da895a749d

SHA1
651455fe3d9c215470c376b0046aec2f7221ee51

SHA256
efc0e3976c6769d6d834686953dceecd9d0398a02f26c04d89d56a2dc3179a23

SHA512
fe048257addbe86432d18f17394ddfa5e7f297d6a3482a1b717a41e3bf84432ba2efb9e5ac61ac3647c741fa1baffb19474b793efae88b3dbdd9799b0e1e4d01

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
88KB

MD5
204ab567245c8610e2053cde5028839a

SHA1
33d1b7218befc072d1de733a01d923aaddd1af69

SHA256
4d7ca6028a914a1c515aa96befcb4c3d740e6e1dfcbe6501b38ba1919503f761

SHA512
4787f8e67865795c51986554f8f10243bde4a6aed48bd3ef966c28f43aa7a9e65b99955cc5b719b56df2e91d5e1d2fe88660fb5039762f5d1b93834ab4c5ff0c

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
88KB

MD5
a765b67f7edd74d3d5c2b89b50bb0727

SHA1
8b9473c3223f6cff9f7c77f1fc2502167af3eb20

SHA256
3196b89bf3746e77a58e48893d3873248a3d3fcd740b0bf77612df6590d6e700

SHA512
8730ac5e3538cfbf6bccc8170758d8c383badf571d3e387c3aa169475a26dd710496fc7e734707034201104a5094b43dff94a1663010fc59772649e59f796ad5

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
88KB

MD5
f98c7b8ed063a02c0941974fa5b0788b

SHA1
20adf3fd742276936f45a57597dc042ed54270a7

SHA256
bc60d03204148f69424081e6454c6c149a34f4bcc36bd14ce43e59fe97f9a620

SHA512
a9ce4054994d6142a8ba848ccc1185f054ca5af0bd3fd65150409c0da2cbe366bb9acd8d3f67037db22705549cd2e7de77b11d69b7ebd0f7b62b94ad0df5cda2

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
88KB

MD5
3a3b526f9c9698ecfc72614a7b1d52f9

SHA1
1e12c9db3b8902e4d07a180231f49f3737c89b71

SHA256
9f4eaf9b5b4862006556b1e999a7f3292aa8381abfd9eb2024c650e45fea72dc

SHA512
c8faefb5a25504aeef3c3463c4edf343d093845d89aee71f724b60b860a750ea52f28faf1c349f8b1a019ebf406cfc5d27b4da1fae03a4cbcf6067972d5b5230

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
88KB

MD5
59394f9107bb51f4fb17159a13c77a17

SHA1
ea2ade035f1ec8f483cd20b5937a8d005088b88c

SHA256
e57fe3b063ce6e9f8fc10283960321b402cef8a2811881835650820a7633229c

SHA512
74e3ca2cda81adabb1dd8ea660970f486428bafaf4208dcc208a354b5d0934da29add66dacb0acd8f206ab0cd89391f99667b6845f926dc3c2c1a5e99e443bc5

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
88KB

MD5
f5c55cf09f01680db8bc8fe31e4cd191

SHA1
a850df84538d9fedee6595a19bc497532570f8d0

SHA256
7d013b8e3fcbfaf1faea38e7448bb1e3fbc074d591fb5d84460e9ba8aa332eab

SHA512
0266b74b05c84e9a1de0718adae618ea93b2eca3df7502d576d78bfe37ca45a0a4af2d80f05343ebc2aa318c2dacd5a3db7f73e2a20ae507adc5c7ed952a3ff5

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
88KB

MD5
49203f38005f0c8fa36efbf474d89461

SHA1
ef3be436b157401a09055fba16c9dbedf5931251

SHA256
b6f161393673875f437c310f94c05f70729eb19ce79a336ba8f008823a7a257e

SHA512
457639d07ba668ec057f03e9c231c78e96b71e38e23578bb540a6edd7f95ad07bbf7664b1eb3e647d040cb7ce83b9650d85373bd7383fc67eedba173827f6e2c

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
88KB

MD5
88d2c363b8ecf5c598cf0379d04b0388

SHA1
ed6580304ca4a84191492b3355e3ec5883a4c30a

SHA256
9b500afd099d9eb374e6362572bc3727cae243d75a45e572991d79a863c75251

SHA512
ba29fce1abfa23625a37e8f618ec8b0cf77bcbc54e2f583b2490e7e53866615c34f559b32531ef33f693cdda6865ae4ab75c20fae2c6e5223f6d30f3dce72d69

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
88KB

MD5
130a4e48b195e98c837b0ea45c8b91a8

SHA1
83561636f93e8d0563e6d254bd918b4940d145dc

SHA256
42e2a7b2f03ffe7661b5dae0aec63bd16ccfe0ba316704d85606b7500f47e174

SHA512
02f0f8d62df9657fbefbc4f07d35def7f5dce22ab5a7f4866c988ec60c1d822b4df4e02a29b36e50aac4c42cf33eccfdb9601315921a55787e85d6dc383fe95d

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
88KB

MD5
5a63ece2554501ea21e779ad675518dc

SHA1
d93133a6e006b6bdf1e83e4b0b8392d63a2337e9

SHA256
ad426f418eab9dea3020bfe9109cebb0443e61459635fececc59eca9cd16721c

SHA512
251e043875d99b19552a510cf4af7251f38b9f0d568a74a9ccfb45d9a9623ac243299b5ef1b508d7d13ec74fb02429ac1c8dc483f6fe4824efccd97b1c827684

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
88KB

MD5
387775fa6a9e4eeb6bc491a9469cb89c

SHA1
4d6ea0340a3167dcb583424b37d68ce24eb1c64b

SHA256
b82a1c644acd2387f297cf353d19300396fed01da32870b4663ddac912e72d5b

SHA512
bb39ed6d58142bc2d264422b29e84702e93f0569dccd0d496185284b39cdb930714078f7265b339085cad5d2720da00b74d4ad39902a145cf2aac4abd296f5a1

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
88KB

MD5
948b2064a7feb887cef5abd3edf03f5c

SHA1
cb5e8548e6b39d5206428e80708d0405b85626f7

SHA256
dbdcd93eb227a50c72c77cef8c5b62320d63a2e18dce7c518921e8d83b197a4f

SHA512
4b99f3170cb68d2870d19035207d44c14d438e4fdf9b195bc23c84c10b41ad53744c94afc7b06b46b8327725b03fea020691692448a83191c22e972139b076dc

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
88KB

MD5
8f5f97157f0e68e2b544c4ddfcd6259f

SHA1
9ee7901a421d696b37de0383911ab90c4395834b

SHA256
8b60615891e83fe0fb7ed94e8af681a9d7e85e3255de3d783b6492409f1d48b2

SHA512
81f7a16d21e431df406e92c4f6d6e06111b16a7488f9fd31028c650c75b06b446edc4ebcd2e42d2a72a74e63b5ac470004d4a974de59d54f560b59d2e1b4ee84

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
88KB

MD5
0ad9bc715183290ca0021f55f138723a

SHA1
e305a65c326fa388fbe0b701205435d47332ee0d

SHA256
696112ad6005a26fde46a0a9049afb68ae92e7011f62cddb2efe80651651ad36

SHA512
88eea86eb3df2bb51261613365a6811c5402df87bb15a07746d58af7f954e2306689f500f843c5c709caf1592356839a5b4382fc89f78882368f9795408a8f99

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
88KB

MD5
96eb754d520dcb392625898d1a0f5435

SHA1
f4dadffa1567b3e6143a0e8109649ef0ddaa4b9a

SHA256
a31a88faf432cfab8fc20175eb2e752eee8759f663f202965f8d9160ae200211

SHA512
e1795444ee4771eaf04f0cd06e7b4e75495a4dcd1d72b41b5747f2b91f64b784b670e514a5992ce9724e89c521b1c2cd826d23bcf09054e275547c8508570665

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
88KB

MD5
6fb7e522ed3bc6a7293ecd8a5261f4bf

SHA1
6cc62308fcdfc8379bb1c56f02d7e40af1382f9d

SHA256
e340fce63a997953db7c0babb06f8b1258fcad87ee6f7344df427173cacf46fb

SHA512
735cd5d9efbbc009a563519604bb5ad78212333f35bc20b6929ab3473ddad5d030399661bf05646808151a24a44d85ce5b820ec961be27904de115d928b4ea2e

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
88KB

MD5
de21159d36b71b3dc8f5f3fe2dab4845

SHA1
22aa87938e0109e1b4c16c2da089511140b6890c

SHA256
2cb6671115a91c3d2ce6128c325622234d777d999526e2d17aa0eeecbaec06e0

SHA512
802e11f1f7746e79f546301fb1428bb477d3f28e3d25122e0a7c7f2ffb90167dec1b169fc60d23b07ab922b9d68a7850fd685f974e0dcfc8495da5a180147379

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
88KB

MD5
313f3fac5fa7600894a1ba37f95ec8b8

SHA1
1a3ae95f882e9874cea86448c13999b19c98f657

SHA256
9820fba11fbb5b48bb0c8f4cc504553269cabbb463edff35ace5f5b6b6b5cc4e

SHA512
5f3fb572f27093c4e1ceb26fe9cd8c3059bf51f1d4263631d42ba14dbd0d895cdd81106b1e427a2c79d83ca9d5b25287f6d07c11eef34a6357235ad073ffcbae

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
88KB

MD5
827d7851de115760f0beb7881d42d26b

SHA1
c41d656402aa9cc60bdfd6b83e1dd378431a1e7b

SHA256
ed9228cb67d9cda483701d7b8af4b40005d7931182222acbe8d8a1e5ec77ad82

SHA512
d960a5e74b56769ee3bbe707c8b511507afcfd8f180f71dc944f5edfff591ebc09f0188173ae6d2c1380c49289778aae7bab6bc2414e8eb5712f82aeda5958f2

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
88KB

MD5
eefcdae286d9278791869d88a608b40a

SHA1
0a56a852db3cc02091d8b88937567015f4737ac8

SHA256
7beaa7c448ee3150366bcf13a6f6f5ca4bdf6a22098e6464b1587e9e715f63cb

SHA512
410edeed83892049577cd9ccfb1fb2a9ddcb033c44b5e08bceb5fcd96673242b369ca385c00d08f94af1a3d3f0dde9892cbd3939faf336fb0f0849b0451af18f

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
88KB

MD5
62c73cdc99f227c263dbf27d648c2824

SHA1
a3b6135659ad11583fa352d6539ef1a227155da1

SHA256
6eededef17b7498f68594e49427b8200d2d77d8ce2c18fee9416ef132babe690

SHA512
7d6b13dffb31a25ee6c4aa18c3b352e40424d9172bbe25ad9ec1cc51fd95d34616b419d2c987c5d26239b6cbf8e665c9e79f177aaa2d7444ead67ec529b45e0f

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
88KB

MD5
67faceec35eff3d8bc05a5a7ebad31d7

SHA1
8cb6c0b0242998569291a12fc1426f667ef4f458

SHA256
02b5ce34902eb6b57279ae8cf1092ba2cf84f07ab3bb76e03165fa53b3082d50

SHA512
8f3f001b4b3c31a216278be1308189a247753ec681420cd8cd7803441eb053613247e6f9519c4a97e73f722925b03d4dd8033dda5639b4259223cf61c35b459d

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
88KB

MD5
a90a891abe683610f32928a8ce94d0eb

SHA1
e2798891d4a97b6284ac71970c71f39ef3189dfd

SHA256
b417e88f9439cb0bb8c9ee351464efbb4bb4782ec4ab0052aa878dd752c672be

SHA512
5172ba2ea0fb7f12d1d693e5a6ea79fe1e7343fb9da0a32f26d2c051f2f7c94f3a49ea5d78dd561f5995d3d574bf2479835032c5583cdd8e3b51c4c2038a7991

Download Submit
C:\Windows\SysWOW64\Oolpjdob.dll

Filesize
7KB

MD5
1d30957483533aff0dcf2b2a806a05c3

SHA1
12706b06491def90cf1a4c63c52a3c3f788a9dfe

SHA256
b8c8a4f06c292df14b6372a4519fc5d54964dc81007294f35afefea3297a71ee

SHA512
5efa638b906cc4178350ec6c47fd43b787dd4749946e6b5cb089446f90b8351729345ea72118b57a02d9fe052d2fcd56ebf32db3370354c6a9f8edbc8852f410

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
88KB

MD5
e86372c2254da4f295d1d8bed09bdffd

SHA1
67165575b4e07158f11629a1516ebb94dc312e33

SHA256
8551528424eb441d24228058d17398c241a4835e62f29039d680e1fd6534631b

SHA512
5550af4266d72e4af0dda4870e1a00f2337a1127aa5991d1dcd6821951f05971dfdc9b871acc8a930002b44366d972abbfbe43425233b1fb2cd9526e0506d769

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
88KB

MD5
b201b852c2329d1169e7c0f25cf9ff56

SHA1
f2ab1c221def90af567152dc29466f97bd7428b8

SHA256
8f9275760053062728ad985c9af61fcbf391672da89c41b810d5d08d55599ef3

SHA512
be1722f96b1137b09ec1aa860b6cc76b341b2f0ec66f8557e4e4fc8fd2b13bac4114f2ca0b01549a025bce78775f8331c28ae353953275d900eb76d8546b56eb

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
88KB

MD5
5180e10d3a0241fd481f3bba0988acd6

SHA1
5d2db4f6afab1d99ae1bc96c27c72c1345fd766d

SHA256
eb29c7813599161f9f1f89a6e05caab5053fce480074106004041c6675c0eab8

SHA512
83b57a71640965889fdf9e49fff45c960dedc68948cee396929222ee92713c8be9a2c925fd77156540c3499d6749d0b6a2ffba314f9a37d39cf44c2f33ac0074

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
88KB

MD5
a7a4fab6446bd80f0edeb97b61b5a56e

SHA1
1e9c208165030d6e7bf39d2a9805a087a7546c30

SHA256
46342aa718c7340443519197f8cddf5b0834c7cdd68a0bfcec698b00c6b4dcfc

SHA512
36df0b1c8666bbcc29876a8f7220c59be50c62f7d55406abd1ac860e41c8060380749dc49fda78bed38234b3707479170d11fccbc70e2f19efc494d072558f3b

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
88KB

MD5
0a618179eef2791a38e718acbebdfa5e

SHA1
23d532751285b0aa480d54c53dd52818e0f997f3

SHA256
5db3139b52a632165b1ca67dbbcfc13b4ca6513b0a138f2cb005c2180de7c185

SHA512
9ea25ad4dfa4142904abb356a3b0cd583182cb44f5ffa3e451c5c53c53f3ff58462df9d92046eb2e60f152065a5bbcf7c6d0501f6d986896a768da6b5c88cfe4

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
88KB

MD5
3f7a0499794cdbe069a6b1f212f780fa

SHA1
a27eeebfd241d5283cccfbce757a7298f53f36af

SHA256
9f2b3b3ee8e36bd642865b583a222ca51893a9da99d7a8826e2bc469bb578fde

SHA512
a170dda7c647f18b982134405db80c3e41ea5623b4bd4c6ee3eb195e8760d4925ec12acc975cddef437562df8e9d668aea256870114378156fa6164b48488a23

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
88KB

MD5
c967c8908d051a430dc92d66a747be6f

SHA1
e9b9cd67e74252e31b11d0adab80b2cb85613118

SHA256
5196f90083f689f0fb3fae637f25499969e7ab166094dc507bd05b47512e8393

SHA512
05a35c3106e056c52002764e8d076aada42d8485957e1e4e77bedd7160d0ff2f8c08ed1ecb8871105f4487b6539d59510cd9738d879e9219a4ac68c861c2ea63

Download Submit
memory/400-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/528-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3784-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4208-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-1245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5580-1161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5708-1160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads