Analysis

  • max time kernel
    92s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 06:09

General

  • Target

    0ec015989475aecb93d0071e202655348f7a1377946ab7826be7ecde75c0d8d0N.exe

  • Size

    72KB

  • MD5

    939f7121aa8ca10ca3e19def80283c20

  • SHA1

    a4dcfec3ec730873d7a3724292c366248262fd46

  • SHA256

    0ec015989475aecb93d0071e202655348f7a1377946ab7826be7ecde75c0d8d0

  • SHA512

    74644988d344607288c32c16f38efe287d29f9e076d1a27e0e0cc972d43e1d5db4e26e2062e9b25ad5ae74ef935075431518db0f7e6d1ebaae18e721c4121058

  • SSDEEP

    768:pWkHJRYeNipY/M9i4dC9nGCaT/tqaYSHfuf4fRSaaa0DDDDDDF/10mEu/1H58uU/:M4Y0J1vi1qgW10mFyPgUN3QivEtA

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ec015989475aecb93d0071e202655348f7a1377946ab7826be7ecde75c0d8d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0ec015989475aecb93d0071e202655348f7a1377946ab7826be7ecde75c0d8d0N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Windows\SysWOW64\Oqfdnhfk.exe
      C:\Windows\system32\Oqfdnhfk.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3628
      • C:\Windows\SysWOW64\Ogpmjb32.exe
        C:\Windows\system32\Ogpmjb32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3136
        • C:\Windows\SysWOW64\Ojoign32.exe
          C:\Windows\system32\Ojoign32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1056
          • C:\Windows\SysWOW64\Olmeci32.exe
            C:\Windows\system32\Olmeci32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2124
            • C:\Windows\SysWOW64\Oddmdf32.exe
              C:\Windows\system32\Oddmdf32.exe
              6⤵
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3876
              • C:\Windows\SysWOW64\Ofeilobp.exe
                C:\Windows\system32\Ofeilobp.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:616
                • C:\Windows\SysWOW64\Pnlaml32.exe
                  C:\Windows\system32\Pnlaml32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:3080
                  • C:\Windows\SysWOW64\Pdfjifjo.exe
                    C:\Windows\system32\Pdfjifjo.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1916
                    • C:\Windows\SysWOW64\Pgefeajb.exe
                      C:\Windows\system32\Pgefeajb.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2096
                      • C:\Windows\SysWOW64\Pnonbk32.exe
                        C:\Windows\system32\Pnonbk32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:4972
                        • C:\Windows\SysWOW64\Pmannhhj.exe
                          C:\Windows\system32\Pmannhhj.exe
                          12⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Suspicious use of WriteProcessMemory
                          PID:2512
                          • C:\Windows\SysWOW64\Pdifoehl.exe
                            C:\Windows\system32\Pdifoehl.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:2904
                            • C:\Windows\SysWOW64\Pnakhkol.exe
                              C:\Windows\system32\Pnakhkol.exe
                              14⤵
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:4112
                              • C:\Windows\SysWOW64\Pmdkch32.exe
                                C:\Windows\system32\Pmdkch32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:4236
                                • C:\Windows\SysWOW64\Pgioqq32.exe
                                  C:\Windows\system32\Pgioqq32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:772
                                  • C:\Windows\SysWOW64\Pjhlml32.exe
                                    C:\Windows\system32\Pjhlml32.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:4588
                                    • C:\Windows\SysWOW64\Pdmpje32.exe
                                      C:\Windows\system32\Pdmpje32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:3676
                                      • C:\Windows\SysWOW64\Pjjhbl32.exe
                                        C:\Windows\system32\Pjjhbl32.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Suspicious use of WriteProcessMemory
                                        PID:5048
                                        • C:\Windows\SysWOW64\Pmidog32.exe
                                          C:\Windows\system32\Pmidog32.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:1768
                                          • C:\Windows\SysWOW64\Pcbmka32.exe
                                            C:\Windows\system32\Pcbmka32.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:3044
                                            • C:\Windows\SysWOW64\Pjmehkqk.exe
                                              C:\Windows\system32\Pjmehkqk.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of WriteProcessMemory
                                              PID:1552
                                              • C:\Windows\SysWOW64\Qmkadgpo.exe
                                                C:\Windows\system32\Qmkadgpo.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry class
                                                PID:2856
                                                • C:\Windows\SysWOW64\Qdbiedpa.exe
                                                  C:\Windows\system32\Qdbiedpa.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  PID:760
                                                  • C:\Windows\SysWOW64\Ajckij32.exe
                                                    C:\Windows\system32\Ajckij32.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    PID:1660
                                                    • C:\Windows\SysWOW64\Aqncedbp.exe
                                                      C:\Windows\system32\Aqncedbp.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:4468
                                                      • C:\Windows\SysWOW64\Aeiofcji.exe
                                                        C:\Windows\system32\Aeiofcji.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • Modifies registry class
                                                        PID:4176
                                                        • C:\Windows\SysWOW64\Agglboim.exe
                                                          C:\Windows\system32\Agglboim.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          PID:4356
                                                          • C:\Windows\SysWOW64\Aqppkd32.exe
                                                            C:\Windows\system32\Aqppkd32.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies registry class
                                                            PID:3656
                                                            • C:\Windows\SysWOW64\Andqdh32.exe
                                                              C:\Windows\system32\Andqdh32.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              • Modifies registry class
                                                              PID:3232
                                                              • C:\Windows\SysWOW64\Aabmqd32.exe
                                                                C:\Windows\system32\Aabmqd32.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2152
                                                                • C:\Windows\SysWOW64\Aglemn32.exe
                                                                  C:\Windows\system32\Aglemn32.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:1112
                                                                  • C:\Windows\SysWOW64\Afoeiklb.exe
                                                                    C:\Windows\system32\Afoeiklb.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:1444
                                                                    • C:\Windows\SysWOW64\Aadifclh.exe
                                                                      C:\Windows\system32\Aadifclh.exe
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Modifies registry class
                                                                      PID:4064
                                                                      • C:\Windows\SysWOW64\Accfbokl.exe
                                                                        C:\Windows\system32\Accfbokl.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:1988
                                                                        • C:\Windows\SysWOW64\Bjmnoi32.exe
                                                                          C:\Windows\system32\Bjmnoi32.exe
                                                                          36⤵
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          PID:4564
                                                                          • C:\Windows\SysWOW64\Bmkjkd32.exe
                                                                            C:\Windows\system32\Bmkjkd32.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1200
                                                                            • C:\Windows\SysWOW64\Bebblb32.exe
                                                                              C:\Windows\system32\Bebblb32.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              PID:4144
                                                                              • C:\Windows\SysWOW64\Bfdodjhm.exe
                                                                                C:\Windows\system32\Bfdodjhm.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:1080
                                                                                • C:\Windows\SysWOW64\Bnkgeg32.exe
                                                                                  C:\Windows\system32\Bnkgeg32.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry class
                                                                                  PID:2060
                                                                                  • C:\Windows\SysWOW64\Beeoaapl.exe
                                                                                    C:\Windows\system32\Beeoaapl.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:1196
                                                                                    • C:\Windows\SysWOW64\Bffkij32.exe
                                                                                      C:\Windows\system32\Bffkij32.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      PID:2952
                                                                                      • C:\Windows\SysWOW64\Bmpcfdmg.exe
                                                                                        C:\Windows\system32\Bmpcfdmg.exe
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Modifies registry class
                                                                                        PID:1204
                                                                                        • C:\Windows\SysWOW64\Beglgani.exe
                                                                                          C:\Windows\system32\Beglgani.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:3712
                                                                                          • C:\Windows\SysWOW64\Bgehcmmm.exe
                                                                                            C:\Windows\system32\Bgehcmmm.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Modifies registry class
                                                                                            PID:4716
                                                                                            • C:\Windows\SysWOW64\Bnpppgdj.exe
                                                                                              C:\Windows\system32\Bnpppgdj.exe
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              PID:1576
                                                                                              • C:\Windows\SysWOW64\Banllbdn.exe
                                                                                                C:\Windows\system32\Banllbdn.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:4380
                                                                                                • C:\Windows\SysWOW64\Bhhdil32.exe
                                                                                                  C:\Windows\system32\Bhhdil32.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:776
                                                                                                  • C:\Windows\SysWOW64\Bnbmefbg.exe
                                                                                                    C:\Windows\system32\Bnbmefbg.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Modifies registry class
                                                                                                    PID:1412
                                                                                                    • C:\Windows\SysWOW64\Belebq32.exe
                                                                                                      C:\Windows\system32\Belebq32.exe
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Modifies registry class
                                                                                                      PID:2784
                                                                                                      • C:\Windows\SysWOW64\Chjaol32.exe
                                                                                                        C:\Windows\system32\Chjaol32.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        PID:2828
                                                                                                        • C:\Windows\SysWOW64\Cndikf32.exe
                                                                                                          C:\Windows\system32\Cndikf32.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Modifies registry class
                                                                                                          PID:4268
                                                                                                          • C:\Windows\SysWOW64\Cenahpha.exe
                                                                                                            C:\Windows\system32\Cenahpha.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            • Modifies registry class
                                                                                                            PID:2732
                                                                                                            • C:\Windows\SysWOW64\Chmndlge.exe
                                                                                                              C:\Windows\system32\Chmndlge.exe
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:2392
                                                                                                              • C:\Windows\SysWOW64\Cnffqf32.exe
                                                                                                                C:\Windows\system32\Cnffqf32.exe
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:4472
                                                                                                                • C:\Windows\SysWOW64\Caebma32.exe
                                                                                                                  C:\Windows\system32\Caebma32.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  • Modifies registry class
                                                                                                                  PID:1232
                                                                                                                  • C:\Windows\SysWOW64\Ceqnmpfo.exe
                                                                                                                    C:\Windows\system32\Ceqnmpfo.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    PID:2412
                                                                                                                    • C:\Windows\SysWOW64\Cdcoim32.exe
                                                                                                                      C:\Windows\system32\Cdcoim32.exe
                                                                                                                      58⤵
                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                      • Executes dropped EXE
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:716
                                                                                                                      • C:\Windows\SysWOW64\Cfbkeh32.exe
                                                                                                                        C:\Windows\system32\Cfbkeh32.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        PID:364
                                                                                                                        • C:\Windows\SysWOW64\Cjmgfgdf.exe
                                                                                                                          C:\Windows\system32\Cjmgfgdf.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:1208
                                                                                                                          • C:\Windows\SysWOW64\Cnicfe32.exe
                                                                                                                            C:\Windows\system32\Cnicfe32.exe
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            • Modifies registry class
                                                                                                                            PID:4304
                                                                                                                            • C:\Windows\SysWOW64\Cagobalc.exe
                                                                                                                              C:\Windows\system32\Cagobalc.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Modifies registry class
                                                                                                                              PID:384
                                                                                                                              • C:\Windows\SysWOW64\Ceckcp32.exe
                                                                                                                                C:\Windows\system32\Ceckcp32.exe
                                                                                                                                63⤵
                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Modifies registry class
                                                                                                                                PID:3968
                                                                                                                                • C:\Windows\SysWOW64\Cdfkolkf.exe
                                                                                                                                  C:\Windows\system32\Cdfkolkf.exe
                                                                                                                                  64⤵
                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:3696
                                                                                                                                  • C:\Windows\SysWOW64\Cfdhkhjj.exe
                                                                                                                                    C:\Windows\system32\Cfdhkhjj.exe
                                                                                                                                    65⤵
                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:3556
                                                                                                                                    • C:\Windows\SysWOW64\Cjpckf32.exe
                                                                                                                                      C:\Windows\system32\Cjpckf32.exe
                                                                                                                                      66⤵
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:3496
                                                                                                                                      • C:\Windows\SysWOW64\Cmnpgb32.exe
                                                                                                                                        C:\Windows\system32\Cmnpgb32.exe
                                                                                                                                        67⤵
                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:1912
                                                                                                                                        • C:\Windows\SysWOW64\Chcddk32.exe
                                                                                                                                          C:\Windows\system32\Chcddk32.exe
                                                                                                                                          68⤵
                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:2192
                                                                                                                                          • C:\Windows\SysWOW64\Cegdnopg.exe
                                                                                                                                            C:\Windows\system32\Cegdnopg.exe
                                                                                                                                            69⤵
                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            • Modifies registry class
                                                                                                                                            PID:4936
                                                                                                                                            • C:\Windows\SysWOW64\Dopigd32.exe
                                                                                                                                              C:\Windows\system32\Dopigd32.exe
                                                                                                                                              70⤵
                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              • Modifies registry class
                                                                                                                                              PID:212
                                                                                                                                              • C:\Windows\SysWOW64\Danecp32.exe
                                                                                                                                                C:\Windows\system32\Danecp32.exe
                                                                                                                                                71⤵
                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:648
                                                                                                                                                • C:\Windows\SysWOW64\Dejacond.exe
                                                                                                                                                  C:\Windows\system32\Dejacond.exe
                                                                                                                                                  72⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  PID:2020
                                                                                                                                                  • C:\Windows\SysWOW64\Ddmaok32.exe
                                                                                                                                                    C:\Windows\system32\Ddmaok32.exe
                                                                                                                                                    73⤵
                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    • Modifies registry class
                                                                                                                                                    PID:3476
                                                                                                                                                    • C:\Windows\SysWOW64\Dfknkg32.exe
                                                                                                                                                      C:\Windows\system32\Dfknkg32.exe
                                                                                                                                                      74⤵
                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      • Modifies registry class
                                                                                                                                                      PID:3744
                                                                                                                                                      • C:\Windows\SysWOW64\Dmefhako.exe
                                                                                                                                                        C:\Windows\system32\Dmefhako.exe
                                                                                                                                                        75⤵
                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        PID:2228
                                                                                                                                                        • C:\Windows\SysWOW64\Dhkjej32.exe
                                                                                                                                                          C:\Windows\system32\Dhkjej32.exe
                                                                                                                                                          76⤵
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          • Modifies registry class
                                                                                                                                                          PID:808
                                                                                                                                                          • C:\Windows\SysWOW64\Dkifae32.exe
                                                                                                                                                            C:\Windows\system32\Dkifae32.exe
                                                                                                                                                            77⤵
                                                                                                                                                              PID:3948
                                                                                                                                                              • C:\Windows\SysWOW64\Dmgbnq32.exe
                                                                                                                                                                C:\Windows\system32\Dmgbnq32.exe
                                                                                                                                                                78⤵
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:1784
                                                                                                                                                                • C:\Windows\SysWOW64\Ddakjkqi.exe
                                                                                                                                                                  C:\Windows\system32\Ddakjkqi.exe
                                                                                                                                                                  79⤵
                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                  PID:4736
                                                                                                                                                                  • C:\Windows\SysWOW64\Dhmgki32.exe
                                                                                                                                                                    C:\Windows\system32\Dhmgki32.exe
                                                                                                                                                                    80⤵
                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                    PID:4100
                                                                                                                                                                    • C:\Windows\SysWOW64\Dfpgffpm.exe
                                                                                                                                                                      C:\Windows\system32\Dfpgffpm.exe
                                                                                                                                                                      81⤵
                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:1460
                                                                                                                                                                      • C:\Windows\SysWOW64\Deagdn32.exe
                                                                                                                                                                        C:\Windows\system32\Deagdn32.exe
                                                                                                                                                                        82⤵
                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                        PID:916
                                                                                                                                                                        • C:\Windows\SysWOW64\Dhocqigp.exe
                                                                                                                                                                          C:\Windows\system32\Dhocqigp.exe
                                                                                                                                                                          83⤵
                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          PID:4748
                                                                                                                                                                          • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                                            C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                                            84⤵
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            PID:2968
                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 404
                                                                                                                                                                              85⤵
                                                                                                                                                                              • Program crash
                                                                                                                                                                              PID:5128
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2968 -ip 2968
      1⤵
        PID:2200

      Network

            MITRE ATT&CK Enterprise v15

            Downloads



              240KB

            • memory/3080-55-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3080-142-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3136-97-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3136-16-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3232-252-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3232-325-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3628-7-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3628-88-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3656-318-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3656-242-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3676-144-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3676-233-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3712-422-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3712-353-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3876-39-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3876-125-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4040-0-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4040-79-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4064-352-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4064-285-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4112-108-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4112-197-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4144-312-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4144-380-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4176-225-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4176-304-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4236-117-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4236-205-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4268-409-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4356-234-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4356-311-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4380-374-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4468-220-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4564-366-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4564-298-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4588-135-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4588-224-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4716-360-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4716-429-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4972-81-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/4972-169-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/5048-241-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/5048-152-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB