Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 15:37

General

  • Target

    9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666N.exe

  • Size

    64KB

  • MD5

    d141f63c13fc6b16154520ed376bad60

  • SHA1

    a914c2c4315e01b8e7a5293c45275be481fef65a

  • SHA256

    9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666

  • SHA512

    cbdf835708c79077a38f48d0c7ce94f6779a92c4bdcd7d5d5f78c8e7b373693813e2d90d5a5e79597a6e8be8b515f22957cfc3e8e447969ce6c2f7b31421f99e

  • SSDEEP

    1536:AmDhOY9ZE2vGT2FCvZgEmK2aQfb+qeWy9rPFW2iwTbWv:Aa97vQ29ER2aQj+bXJFW2VTbWv

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666N.exe
    "C:\Users\Admin\AppData\Local\Temp\9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666N.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\SysWOW64\Pmdkch32.exe
      C:\Windows\system32\Pmdkch32.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Windows\SysWOW64\Pdkcde32.exe
        C:\Windows\system32\Pdkcde32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1264
        • C:\Windows\SysWOW64\Pflplnlg.exe
          C:\Windows\system32\Pflplnlg.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:452
          • C:\Windows\SysWOW64\Pncgmkmj.exe
            C:\Windows\system32\Pncgmkmj.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1776
            • C:\Windows\SysWOW64\Pdmpje32.exe
              C:\Windows\system32\Pdmpje32.exe
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3340
              • C:\Windows\SysWOW64\Pgllfp32.exe
                C:\Windows\system32\Pgllfp32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:524
                • C:\Windows\SysWOW64\Pjjhbl32.exe
                  C:\Windows\system32\Pjjhbl32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:3700
                  • C:\Windows\SysWOW64\Pqdqof32.exe
                    C:\Windows\system32\Pqdqof32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1632
                    • C:\Windows\SysWOW64\Pcbmka32.exe
                      C:\Windows\system32\Pcbmka32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:1652
                      • C:\Windows\SysWOW64\Pjmehkqk.exe
                        C:\Windows\system32\Pjmehkqk.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2208
                        • C:\Windows\SysWOW64\Qmkadgpo.exe
                          C:\Windows\system32\Qmkadgpo.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:4672
                          • C:\Windows\SysWOW64\Qdbiedpa.exe
                            C:\Windows\system32\Qdbiedpa.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:4780
                            • C:\Windows\SysWOW64\Qfcfml32.exe
                              C:\Windows\system32\Qfcfml32.exe
                              14⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:2804
                              • C:\Windows\SysWOW64\Qmmnjfnl.exe
                                C:\Windows\system32\Qmmnjfnl.exe
                                15⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of WriteProcessMemory
                                PID:3752
                                • C:\Windows\SysWOW64\Qddfkd32.exe
                                  C:\Windows\system32\Qddfkd32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:5056
                                  • C:\Windows\SysWOW64\Qffbbldm.exe
                                    C:\Windows\system32\Qffbbldm.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:1828
                                    • C:\Windows\SysWOW64\Ampkof32.exe
                                      C:\Windows\system32\Ampkof32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of WriteProcessMemory
                                      PID:3060
                                      • C:\Windows\SysWOW64\Adgbpc32.exe
                                        C:\Windows\system32\Adgbpc32.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:4044
                                        • C:\Windows\SysWOW64\Ageolo32.exe
                                          C:\Windows\system32\Ageolo32.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:4884
                                          • C:\Windows\SysWOW64\Anogiicl.exe
                                            C:\Windows\system32\Anogiicl.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:2984
                                            • C:\Windows\SysWOW64\Aqncedbp.exe
                                              C:\Windows\system32\Aqncedbp.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of WriteProcessMemory
                                              PID:2248
                                              • C:\Windows\SysWOW64\Aclpap32.exe
                                                C:\Windows\system32\Aclpap32.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                PID:688
                                                • C:\Windows\SysWOW64\Ajfhnjhq.exe
                                                  C:\Windows\system32\Ajfhnjhq.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  PID:3908
                                                  • C:\Windows\SysWOW64\Aqppkd32.exe
                                                    C:\Windows\system32\Aqppkd32.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:4752
                                                    • C:\Windows\SysWOW64\Afmhck32.exe
                                                      C:\Windows\system32\Afmhck32.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:3208
                                                      • C:\Windows\SysWOW64\Andqdh32.exe
                                                        C:\Windows\system32\Andqdh32.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        PID:4180
                                                        • C:\Windows\SysWOW64\Amgapeea.exe
                                                          C:\Windows\system32\Amgapeea.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          PID:2300
                                                          • C:\Windows\SysWOW64\Afoeiklb.exe
                                                            C:\Windows\system32\Afoeiklb.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            PID:3900
                                                            • C:\Windows\SysWOW64\Aminee32.exe
                                                              C:\Windows\system32\Aminee32.exe
                                                              30⤵
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              PID:4740
                                                              • C:\Windows\SysWOW64\Aepefb32.exe
                                                                C:\Windows\system32\Aepefb32.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                PID:1160
                                                                • C:\Windows\SysWOW64\Bfabnjjp.exe
                                                                  C:\Windows\system32\Bfabnjjp.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:736
                                                                  • C:\Windows\SysWOW64\Bmkjkd32.exe
                                                                    C:\Windows\system32\Bmkjkd32.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    PID:2640
                                                                    • C:\Windows\SysWOW64\Bebblb32.exe
                                                                      C:\Windows\system32\Bebblb32.exe
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:1964
                                                                      • C:\Windows\SysWOW64\Bganhm32.exe
                                                                        C:\Windows\system32\Bganhm32.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        PID:3144
                                                                        • C:\Windows\SysWOW64\Bfdodjhm.exe
                                                                          C:\Windows\system32\Bfdodjhm.exe
                                                                          36⤵
                                                                          • Executes dropped EXE
                                                                          PID:3756
                                                                          • C:\Windows\SysWOW64\Bnkgeg32.exe
                                                                            C:\Windows\system32\Bnkgeg32.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Modifies registry class
                                                                            PID:2648
                                                                            • C:\Windows\SysWOW64\Beeoaapl.exe
                                                                              C:\Windows\system32\Beeoaapl.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:3080
                                                                              • C:\Windows\SysWOW64\Bffkij32.exe
                                                                                C:\Windows\system32\Bffkij32.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:1540
                                                                                • C:\Windows\SysWOW64\Bjagjhnc.exe
                                                                                  C:\Windows\system32\Bjagjhnc.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:4852
                                                                                  • C:\Windows\SysWOW64\Beglgani.exe
                                                                                    C:\Windows\system32\Beglgani.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:4464
                                                                                    • C:\Windows\SysWOW64\Bgehcmmm.exe
                                                                                      C:\Windows\system32\Bgehcmmm.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:1492
                                                                                      • C:\Windows\SysWOW64\Bjddphlq.exe
                                                                                        C:\Windows\system32\Bjddphlq.exe
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:1100
                                                                                        • C:\Windows\SysWOW64\Bmbplc32.exe
                                                                                          C:\Windows\system32\Bmbplc32.exe
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Modifies registry class
                                                                                          PID:2128
                                                                                          • C:\Windows\SysWOW64\Beihma32.exe
                                                                                            C:\Windows\system32\Beihma32.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Modifies registry class
                                                                                            PID:4736
                                                                                            • C:\Windows\SysWOW64\Bhhdil32.exe
                                                                                              C:\Windows\system32\Bhhdil32.exe
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1972
                                                                                              • C:\Windows\SysWOW64\Bjfaeh32.exe
                                                                                                C:\Windows\system32\Bjfaeh32.exe
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                PID:3584
                                                                                                • C:\Windows\SysWOW64\Bmemac32.exe
                                                                                                  C:\Windows\system32\Bmemac32.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Modifies registry class
                                                                                                  PID:3648
                                                                                                  • C:\Windows\SysWOW64\Belebq32.exe
                                                                                                    C:\Windows\system32\Belebq32.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Modifies registry class
                                                                                                    PID:888
                                                                                                    • C:\Windows\SysWOW64\Cfmajipb.exe
                                                                                                      C:\Windows\system32\Cfmajipb.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:3392
                                                                                                      • C:\Windows\SysWOW64\Cndikf32.exe
                                                                                                        C:\Windows\system32\Cndikf32.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:4276
                                                                                                        • C:\Windows\SysWOW64\Cenahpha.exe
                                                                                                          C:\Windows\system32\Cenahpha.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Modifies registry class
                                                                                                          PID:3680
                                                                                                          • C:\Windows\SysWOW64\Chmndlge.exe
                                                                                                            C:\Windows\system32\Chmndlge.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:964
                                                                                                            • C:\Windows\SysWOW64\Cfpnph32.exe
                                                                                                              C:\Windows\system32\Cfpnph32.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Modifies registry class
                                                                                                              PID:2460
                                                                                                              • C:\Windows\SysWOW64\Cnffqf32.exe
                                                                                                                C:\Windows\system32\Cnffqf32.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Modifies registry class
                                                                                                                PID:3348
                                                                                                                • C:\Windows\SysWOW64\Chokikeb.exe
                                                                                                                  C:\Windows\system32\Chokikeb.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  • Modifies registry class
                                                                                                                  PID:4012
                                                                                                                  • C:\Windows\SysWOW64\Cagobalc.exe
                                                                                                                    C:\Windows\system32\Cagobalc.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • Modifies registry class
                                                                                                                    PID:5012
                                                                                                                    • C:\Windows\SysWOW64\Chagok32.exe
                                                                                                                      C:\Windows\system32\Chagok32.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Modifies registry class
                                                                                                                      PID:3536
                                                                                                                      • C:\Windows\SysWOW64\Cjpckf32.exe
                                                                                                                        C:\Windows\system32\Cjpckf32.exe
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:2888
                                                                                                                        • C:\Windows\SysWOW64\Cajlhqjp.exe
                                                                                                                          C:\Windows\system32\Cajlhqjp.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • Modifies registry class
                                                                                                                          PID:1372
                                                                                                                          • C:\Windows\SysWOW64\Cdhhdlid.exe
                                                                                                                            C:\Windows\system32\Cdhhdlid.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:1248
                                                                                                                            • C:\Windows\SysWOW64\Cffdpghg.exe
                                                                                                                              C:\Windows\system32\Cffdpghg.exe
                                                                                                                              62⤵
                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:4888
                                                                                                                              • C:\Windows\SysWOW64\Cnnlaehj.exe
                                                                                                                                C:\Windows\system32\Cnnlaehj.exe
                                                                                                                                63⤵
                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:1588
                                                                                                                                • C:\Windows\SysWOW64\Calhnpgn.exe
                                                                                                                                  C:\Windows\system32\Calhnpgn.exe
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  • Modifies registry class
                                                                                                                                  PID:4476
                                                                                                                                  • C:\Windows\SysWOW64\Ddjejl32.exe
                                                                                                                                    C:\Windows\system32\Ddjejl32.exe
                                                                                                                                    65⤵
                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:824
                                                                                                                                    • C:\Windows\SysWOW64\Dhfajjoj.exe
                                                                                                                                      C:\Windows\system32\Dhfajjoj.exe
                                                                                                                                      66⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:3476
                                                                                                                                      • C:\Windows\SysWOW64\Djdmffnn.exe
                                                                                                                                        C:\Windows\system32\Djdmffnn.exe
                                                                                                                                        67⤵
                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                        • Modifies registry class
                                                                                                                                        PID:4356
                                                                                                                                        • C:\Windows\SysWOW64\Dmcibama.exe
                                                                                                                                          C:\Windows\system32\Dmcibama.exe
                                                                                                                                          68⤵
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Modifies registry class
                                                                                                                                          PID:1936
                                                                                                                                          • C:\Windows\SysWOW64\Dejacond.exe
                                                                                                                                            C:\Windows\system32\Dejacond.exe
                                                                                                                                            69⤵
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:2916
                                                                                                                                            • C:\Windows\SysWOW64\Dhhnpjmh.exe
                                                                                                                                              C:\Windows\system32\Dhhnpjmh.exe
                                                                                                                                              70⤵
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:4008
                                                                                                                                              • C:\Windows\SysWOW64\Djgjlelk.exe
                                                                                                                                                C:\Windows\system32\Djgjlelk.exe
                                                                                                                                                71⤵
                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:5040
                                                                                                                                                • C:\Windows\SysWOW64\Dmefhako.exe
                                                                                                                                                  C:\Windows\system32\Dmefhako.exe
                                                                                                                                                  72⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  PID:4468
                                                                                                                                                  • C:\Windows\SysWOW64\Delnin32.exe
                                                                                                                                                    C:\Windows\system32\Delnin32.exe
                                                                                                                                                    73⤵
                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • Modifies registry class
                                                                                                                                                    PID:3172
                                                                                                                                                    • C:\Windows\SysWOW64\Ddonekbl.exe
                                                                                                                                                      C:\Windows\system32\Ddonekbl.exe
                                                                                                                                                      74⤵
                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      • Modifies registry class
                                                                                                                                                      PID:2260
                                                                                                                                                      • C:\Windows\SysWOW64\Dfnjafap.exe
                                                                                                                                                        C:\Windows\system32\Dfnjafap.exe
                                                                                                                                                        75⤵
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        PID:4532
                                                                                                                                                        • C:\Windows\SysWOW64\Dodbbdbb.exe
                                                                                                                                                          C:\Windows\system32\Dodbbdbb.exe
                                                                                                                                                          76⤵
                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          • Modifies registry class
                                                                                                                                                          PID:436
                                                                                                                                                          • C:\Windows\SysWOW64\Dmgbnq32.exe
                                                                                                                                                            C:\Windows\system32\Dmgbnq32.exe
                                                                                                                                                            77⤵
                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            • Modifies registry class
                                                                                                                                                            PID:4936
                                                                                                                                                            • C:\Windows\SysWOW64\Deokon32.exe
                                                                                                                                                              C:\Windows\system32\Deokon32.exe
                                                                                                                                                              78⤵
                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                              • Modifies registry class
                                                                                                                                                              PID:4624
                                                                                                                                                              • C:\Windows\SysWOW64\Dhmgki32.exe
                                                                                                                                                                C:\Windows\system32\Dhmgki32.exe
                                                                                                                                                                79⤵
                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:5084
                                                                                                                                                                • C:\Windows\SysWOW64\Dogogcpo.exe
                                                                                                                                                                  C:\Windows\system32\Dogogcpo.exe
                                                                                                                                                                  80⤵
                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:3868
                                                                                                                                                                  • C:\Windows\SysWOW64\Daekdooc.exe
                                                                                                                                                                    C:\Windows\system32\Daekdooc.exe
                                                                                                                                                                    81⤵
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                    PID:2612
                                                                                                                                                                    • C:\Windows\SysWOW64\Dddhpjof.exe
                                                                                                                                                                      C:\Windows\system32\Dddhpjof.exe
                                                                                                                                                                      82⤵
                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                      PID:1860
                                                                                                                                                                      • C:\Windows\SysWOW64\Dhocqigp.exe
                                                                                                                                                                        C:\Windows\system32\Dhocqigp.exe
                                                                                                                                                                        83⤵
                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                        PID:2844
                                                                                                                                                                        • C:\Windows\SysWOW64\Dgbdlf32.exe
                                                                                                                                                                          C:\Windows\system32\Dgbdlf32.exe
                                                                                                                                                                          84⤵
                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                          PID:3484
                                                                                                                                                                          • C:\Windows\SysWOW64\Doilmc32.exe
                                                                                                                                                                            C:\Windows\system32\Doilmc32.exe
                                                                                                                                                                            85⤵
                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                            PID:4428
                                                                                                                                                                            • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                                              C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                                              86⤵
                                                                                                                                                                                PID:2420
                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 396
                                                                                                                                                                                  87⤵
                                                                                                                                                                                  • Program crash
                                                                                                                                                                                  PID:5164
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2420 -ip 2420
      1⤵
        PID:5140

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Windows\SysWOW64\Aclpap32.exe

        Filesize

        64KB

        MD5

        3272e475482e320b8aad6ab9cca2d303

        SHA1

        9ad7cb91f29eaa6679d2d39aa5173aa7a9074ef1

        SHA256

        25f70807beef242801609b8b70582ace4041763e273b694b0e16ad16e717da74

        SHA512

        33bfe373534ba4419aa6dc99d0204699dbf577079aa667a46d0f0286fcd435231e6419dcb1c0380ab72cd39bb79f2c9069d72fb75a8ba6cb5ed68df232db91d9

      • C:\Windows\SysWOW64\Adgbpc32.exe

        Filesize

        64KB

        MD5

        a27787e12422d479a12ad3bfe4dbb10f

        SHA1

        203798653c4e062cd2fe4af7746e8ae5365fcb9a

        SHA256

        de86c1f376a2b3d5f64a7b814535643608d7082d21718fc885ce72daf2a98dcf

        SHA512

        cf1894e3870a31483b6480f5d53e4136a27d49ce97c48c2174f1d75339160a271b2fa0427a4a28ffa8cd9af076c8fe672066e4e3d88917cf1a74e4c301984a79

      • C:\Windows\SysWOW64\Aepefb32.exe

        Filesize

        64KB

        MD5

        5fbe8f3f6bceba58949424990cb58689

        SHA1

        8889a1af5a24af68edafc667513c174e6ca3ec95

        SHA256

        dfcd73b9a849c9b01357d930469e06e41ca993fdc8b91369da5fefae73c3a1a7

        SHA512

        f1fff05cfc72ada5b6b4c1c13216039e3f9ad19e352eb975c10ce3e5236aff1ab5a330eb2a3111f64589ff0000eec6c4b2d0310aca48d4c9246ab9e8262d7e64

      • C:\Windows\SysWOW64\Afmhck32.exe

        Filesize

        64KB

        MD5

        111a9494180b721bab5d8474bdb95984

        SHA1

        d6551cc877a58693d9c776075093dd00e22197db

        SHA256

        836bb83befe6f32b28ba61f0f5076dd7078743b8d508d8c858087b314bab5d00

        SHA512

        b723f158e7405d120c7da86515f44c93710e2d3c4b1706666adc9ae84d425cd9161ec8b52d301fea61e9367ce016f2e77cfb45b059937d0b19841dadc908f785

      • C:\Windows\SysWOW64\Afoeiklb.exe

        Filesize

        64KB

        MD5

        8701f7b32a1742e6e92648cf53041da8

        SHA1

        35b6d97a22065f39b2200ab93110b61da9165b1d

        SHA256

        00ad248cdbf20b8a31c2d33cab7484ee029378f44974d1f1b8068315bacaf078

        SHA512

        e0df98c872c70c1437e73ab5c01e0a7b8d12e565fba8b19ac0f3a7c4b886f9c8eac4f97ae33219c146b871b3a66529c46706c48b95dcdccd43bc8e7e1c6789b8

      • C:\Windows\SysWOW64\Ageolo32.exe

        Filesize

        64KB

        MD5

        ae2e62d80013c698de8c7ad4c7670a3a

        SHA1

        94151b9627792803dea8ebca8ff6269d3ada2962

        SHA256

        7105dced17fb5539330850a991ef6f6a5a9de3f44fde5bd22720c18cb71ee88f

        SHA512

        6178f429dc8da003d20309942724515b7e393d2b6aa78773456788eaf23e3feed02949c31987e66115cdd1f283afc270d48cbfef7776044e501e4a53ff6fb411

      • C:\Windows\SysWOW64\Ajfhnjhq.exe

        Filesize

        64KB

        MD5

        43695eac7c6fefcb8ca8eec894a4bf8b

        SHA1

        f22eee819a2a1b206f4919e8941977b0e5c07a00

        SHA256

        622f7cfe3347e3f881a36c669b69221f78e48bad6a3249720db68a0252b946fa

        SHA512

        b72f266620079656d5607aabdb63793c10e0c88d318afc7ca1a0f970819c46a8021007420d11a21b846fb8ff2f7909688a2bf82ae048d770500c8073921029fd

      • C:\Windows\SysWOW64\Amgapeea.exe

        Filesize

        64KB

        MD5

        88454e1d31c428aa92cbc37531c86a5c

        SHA1

        34569d06bb9869b81d433b0ec38e96f2c3c8a193

        SHA256

        5c0723ed91a413e85f9c0f0348ec90c2571a3e835e31d433049480e4f45ec5b0

        SHA512

        05865253c065058a70a094be8a1aa859466bc68e2653fa97b00709f6fc23b72ac2b8ee4db27e32b568f51ff2a15767ad3f448d5297577b67d974683e6d5e0aef

      • C:\Windows\SysWOW64\Ampkof32.exe

        Filesize

        64KB

        MD5

        034298f74ba2a83c869f8f96a21e9acc

        SHA1

        31913f7460fd4098d64d8de4b70b62ecd0f7f565

        SHA256

        9194d764911324c009373a0e63865dbda746877ae040ba3a037c0e1eec60772d

        SHA512

        7fa212e63091a90ed44db30146d3da4c9716caa461515fca2ade2e5d297647ff3fe74520fbe48f282200e5c11e7ab2fc97e0b19c6d8c22cac9cc2051ab047440

      • C:\Windows\SysWOW64\Andqdh32.exe

        Filesize

        64KB

        MD5

        2a0e440808a4aba0573d6fbeb4ca4c1c

        SHA1

        3a968daf7112e077c704ab69a7615c7f58516d5a

        SHA256

        612ccccb48fdbb522372d6bd94793c099b8f7e9af40b7315c22b21cba18e6dd5

        SHA512

        a8e01d92ff724d0095d3d2390102d5d8430c425a5fffcefcaacd1561b8168806faee36fc08554fc6cf605de7e6e1f23ebff144dc2f75e3b17cd058a3ac3508fe

      • C:\Windows\SysWOW64\Anogiicl.exe

        Filesize

        64KB

        MD5

        bf6383839cec0ddc039bca8816ff937e

        SHA1

        75fbaf4a1ea4efc15cbf327f72a88aa7a5ab448f

        SHA256

        95686c1a7c24476b33e516d8163740d7d58c07fa8017784adef4c29163040eaa

        SHA512

        268b7f8849ca9d6bc14142c7381d67cea5bc00ac25f922b058ba68f375b01084ab970fb0ff098ff6f98278959457ea80595188c1a5b6a43f2bfe6a239a0800a9

      • C:\Windows\SysWOW64\Aqncedbp.exe

        Filesize

        64KB

        MD5

        f2ddc38e8eae300d45a1fadf059261a6

        SHA1

        23ce51de4ff7cd0b0d3bb6703fbbcfd6e41072ac

        SHA256

        9004931bc04ffebfa781048c9edd564310df46fdb4d619c5556453e1931384ca

        SHA512

        e490b29eb7d97f498902f078ccf3b38e9f764927e8773fa9f26ce781133c06e8135b9cb741d48236aa617aca592cf1ee5eb4ac69d76d7eabcb2d0a147d57d42e

      • C:\Windows\SysWOW64\Aqppkd32.exe

        Filesize

        64KB

        MD5

        cdfe70483f50f1529877324fc41a130f

        SHA1

        ffa3c9d2f9a667497ad87c1e049d261c8f5078d8

        SHA256

        5290877b8ddf38c56e486fb62164acc55b665a8fefdf91b3c4999b2c81fcd63a

        SHA512

        1d309ab37c9e34b0f99c71372c8dbb1345a2b1c42a4e8da59c2d371e2cd0dbeb3bb188a171fbe04517905e2b6867ac824cabdf5b479993d65b45feec76ce8462

      • C:\Windows\SysWOW64\Bebblb32.exe

        Filesize

        64KB

        MD5

        89557278a9e28c29ba11ec82df6b14cc

        SHA1

        aca755c62b71d0f81cf1ac2668bde99961465b50

        SHA256

        579d1ade9283edd15147e91f153ceddbe0112071c4e6c894eee22045b590b432

        SHA512

        c13421b32986b1ef6435e25ac47c2b1634bfe430f1f9930b6f218b01f4dad619ba659358f10d5e9b02d31325f7d5edfff5ececf597fba8564f1e080b109d4803

      • C:\Windows\SysWOW64\Bfabnjjp.exe

        Filesize

        64KB

        MD5

        9535cbeab4a8e4339398d013e47211d9

        SHA1

        4783ec1184f64665bdb69d34e223929eb43087cd

        SHA256

        6b8f082a9c5abd267de7d27f8d7e6865f48d32e26e34a232e3d4cb15ee24ba05

        SHA512

        04599d73fb4dc3ee13483c8ed6926e85c8b05ab106643f9c7eec0936625d3db0d2cd5d0087d968dc3e7c51a03c72416ab30176903da02775ea1c59f9ecc888bb

      • C:\Windows\SysWOW64\Bganhm32.exe

        Filesize

        64KB

        MD5

        48528dd6ba1f6a670ff2b6ee58b92465

        SHA1

        14a30b2ce6b144d134d77c2137418daade14a4e4

        SHA256

        616c32f81a5b7583643f4ce409a71f1906aa37af8ffd5f41a2143b22d953d314

        SHA512

        5b1113477db15aff0c6c44e34f4d800eb3a0179d960126f88889743482d1617ac4055eba426e86a8f84da0f5eb7757f3e99a63b1c830376435d9822cfb03e439

      • C:\Windows\SysWOW64\Bmkjkd32.exe

        Filesize

        64KB

        MD5

        dd11d405a0c70c8e4fd2d9dea6ac1844

        SHA1

        11c7149490a9c52aa58f7bdd2ceed5d489b3730a

        SHA256

        328e8e8ee5a2191f511953eb539df064571a54b7d12c1f8870d86d7029bd503e

        SHA512

        66e41aa1b14eff2b34e85ebd0884c6854f737736c81dca20099dbedabf38eb0d0fcc237876aeef5369fc3cf07ba8aacc8a7ff011144aaa9e618225145e8c74ec

      • C:\Windows\SysWOW64\Cdhhdlid.exe

        Filesize

        64KB

        MD5

        ec2b466dacc21f328e2fed40175e8601

        SHA1

        ac5782bf65d8c867e70c57c8d13740c5acdcb264

        SHA256

        ea2dd1c4ad206ea11c0a68b442feddcdd111ebdf0fcaa3379b41588878628a61

        SHA512

        fc699752e323a19cdb6e2f25822cc20f4d3a36c07aa3309444c80499a258869babe57d2a7ea04012282a8882088fdf55ae99595e29740e0f433ecef0d7c60e5a

      • C:\Windows\SysWOW64\Cjpckf32.exe

        Filesize

        64KB

        MD5

        be918223591f8aea8f7337f724d055d0

        SHA1

        19a6ae8a870d0ecd4bd0e79f1a3b21da78136a18

        SHA256

        ad48478552a10c1726dcefdf3d913396f065ff4bde6fef8a5847da9f845fabd8

        SHA512

        b4270139209bf7bc3044a68104352f2dd7f9991e806a2717b3d6c19a29d2584a157c0c3cbb9c7a9d19bba266f708faecf364f3f015efbfcf0979c7e4537189ab

      • C:\Windows\SysWOW64\Pcbmka32.exe

        Filesize

        64KB

        MD5

        b4081bc0241e5871f29f22ae3616ab0f

        SHA1

        5fecb982773c90aacaea599174703ede4e827a31

        SHA256

        3e24671eb0dc4254650b301e56dc06ababd5f1f2881ebd1986812c941a47d2a0

        SHA512

        df75c1061e28d5f49d91a857717b704b4e8a5b73b465008f498f0937fa6e227dbc2cf616e1ebc630e862f385ea7faf1469bd68319bd32cb1328eb3eaf85b5ed0

      • C:\Windows\SysWOW64\Pdkcde32.exe

        Filesize

        64KB

        MD5

        b9a22222a37219633decaab89c190056

        SHA1

        1fe3d52d11be896d7280ab503ebadc6f23e4379b

        SHA256

        3f48234f5a29e1977ec1a74aa40e85300b1daea896a34574fc389b63161ca883

        SHA512

        c0278196d46b53de6e51e0da24af63730935e63b8def04a15fb339caf950f334c90ee5a21e69888a029c06be98c2512ff03b3af0a188f24e863b345c887b532b

      • C:\Windows\SysWOW64\Pdmpje32.exe

        Filesize

        64KB

        MD5

        3972acbec8b372770bcb4d34ab63cfaa

        SHA1

        7debf83cf51eaa85ce1d19511bd5e39ef9a79a99

        SHA256

        3df95322ae235c83874183bdc9213029dc7e65c528863947c085bcdbdab290d1

        SHA512

        33c49e2c1cf84f7828c090b6561fd2494dce6a129050ed3d152afce420eee43d91853e68f2c2d7d322246a7fac5126d65a8af4679b8824395ca698e195c2ab4b

      • C:\Windows\SysWOW64\Pflplnlg.exe

        Filesize

        64KB

        MD5

        113147f196158278b04ecef9276f9899

        SHA1

        8b106fea272aaa7e6f533998ba2c3f6307b2123f

        SHA256

        1082ec04f57223bdbad1730dff9c8fefe6aafdc975eaf391f266c52ac8fa5afb

        SHA512

        fb5dc509b5832131b1c71ae5d4c20e5311576e5b79eab25a81fb8d17b42a4f0060f6274de9860df110d942d22ba699f9ce276a610e9e548292403785a7fa9ef9

      • C:\Windows\SysWOW64\Pgllfp32.exe

        Filesize

        64KB

        MD5

        aec21e5bc1dc27a211fe943de04b376d

        SHA1

        4dcf0b068b2e5bef4822905e62b689a29fe2428e

        SHA256

        1a79a1af0876ae553c710ac0f7802da9ebb962bd2c87db35179457f2c70985eb

        SHA512

        a225a93c0c1fabdebe287b934051e7d3b58601847dcae5128b53d4cb83d5b166d415f5d72b0b270105d8ed0db298357ecf8f7ce1970b006deb852d4a757929ef

      • C:\Windows\SysWOW64\Pjjhbl32.exe

        Filesize

        64KB

        MD5

        175d01b251ce24d1ee88ff63e649490a

        SHA1

        a471a382a425b6f6ca47fb8745b32fd0d83c0e66

        SHA256

        73cfe7d6293935a10f6254993098e5290b4ac7d0af0826b29b66316d18b55b37

        SHA512

        4fb5fd551340748911f2271ab22dddf3017a927164a56eeeacaa0aae30cf4f468a933abc3c35f34cda66577bf8c55f6a0e843e5a14cf66e5b3cb46e07368483d

      • C:\Windows\SysWOW64\Pjmehkqk.exe

        Filesize

        64KB

        MD5

        0582df00cb9b9ff6ce0035c15baf6f4d

        SHA1

        523eb4fb0c028501f578b070d04e56bb2c749488

        SHA256

        4cd18aed6d3c9ada0ee00f1e3f6525198aeefac0ad3336115f4125a429c9c63b

        SHA512

        646f47fd97ba41ff4833e774b93c2c70b79e2af6394e289a3ac715a283267f6c018e30c1c3fe778242e222a87395414afd607f2df16fba99f6c5aca11d4291e8

      • C:\Windows\SysWOW64\Pmdkch32.exe

        Filesize

        64KB

        MD5

        79ea37b2079f25d54d426555d26dabd3

        SHA1

        d5e9850ea2a67996ce533c05dd31b54b4bea9863

        SHA256

        eeb919574ebd8b135e5801e64b58afbc240c475ea67fc96054293eb3da1a1d4d

        SHA512

        3cb4f8918f1b50b2050db70af84b0edfb86d03e4f009ca429622c6992892dd5399c0d3040113bebcb33785be87850d18ce19593c396926bf418abc887517aefb

      • C:\Windows\SysWOW64\Pncgmkmj.exe

        Filesize

        64KB

        MD5

        c6c73fbd450fbb926cb3c54656aed193

        SHA1

        34eed4c5085b1d75d5135d926736fe3fb2ed0642

        SHA256

        936bd069b144d13624027ea00069d477351134e0665969886bdbd29432e25a16

        SHA512

        ee229eaa78f7d688c7122a8eb69d59a2c88a2e05c68cdb94501c5347b6ebc8ab2e87b5c40d277e08645a04a92eab9bd50fbed05c5d014f333f2a1546002c429b

      • C:\Windows\SysWOW64\Pqdqof32.exe

        Filesize

        64KB

        MD5

        61337f2fc71562445e3bc059cfe24329

        SHA1

        e876b062bf7ed083a861e54e418fc3d1950a69a6

        SHA256

        9e9a9d5c7c14a92f692acac8a63bef98e4510bec632d1e9746645925bba4da81

        SHA512

        0bb3286e5c8749ad3d93bb693863ffc93c27afbf8b149e8ee12ba0b6f9498020f2b911bacc6f3e86d795ca3d1e2c082f3e8f908c8f51f4958d3241354912abc0

      • C:\Windows\SysWOW64\Qdbiedpa.exe

        Filesize

        64KB

        MD5

        c20a5146581a62e18205baf45ac229ff

        SHA1

        ff4879597a38546f8f991516680113a73c7b41cf

        SHA256

        6576872b177388727a443e1ac67c6d60104c3ca78a4466d3bf05e9c179605cbb

        SHA512

        dc43b0cf511a1d3b60f01b1b15ae71d7c40577a43b6bd9d995a786ae1550ffaef526873f04c16584e7fb13934cfacf2c71bdce2d477aaf40da4afdf23dbe5411

      • C:\Windows\SysWOW64\Qddfkd32.exe

        Filesize

        64KB

        MD5

        62010cfc4ab2a94196e60572e7e72dc3

        SHA1

        a28e46eb8f0f08783f37d947edabc43061bb8fbe

        SHA256

        a6e35ea9a7fc47338ef0c7c52ec12b713ca8a63d103f1b648ceb7a23052e3e42

        SHA512

        8eac529aff3ac505843dec31ae463bc66871f6745fe722086a62afb411da9a80bc4e5aa3db0fd83c50b3c4cc2673cde3a0a31e4462c0378f8d7f439a3589dee7

      • C:\Windows\SysWOW64\Qfcfml32.exe

        Filesize

        64KB

        MD5

        40ca05cfcd7fd087901a8cb21ed5e019

        SHA1

        0ae1033af248fa81cdf97e80b2c9c4b795492750

        SHA256

        6127cf3256080ac4f2d4d4d0251a3f56a4d2844619b8c72dea69be3fa57ae61d

        SHA512

        96f98a82216a3db51c0501c76b1250f3bf64f1b9156629499bab4e445c6e83c7df92d45213404837e81330feed6e53b7f5c524c9c838389c07bae86a5b98051b

      • C:\Windows\SysWOW64\Qffbbldm.exe

        Filesize

        64KB

        MD5

        77e4f72a52436f633864f6bbea1cf85e

        SHA1

        34d493946abc691b0c78043d37185696af9853b6

        SHA256

        b405db875b9222cfa09c71a2dc28eef8945b9d4eb63417e4952a2c5e9cfacc6f

        SHA512

        04100304b63ef6e3de702ea35a1dc2a554cf3d6f0e974aa5d528b0c9531a33007c9dc66de9c99d2d3d0cbcf520b19237bc6f300bf19cf58158bd9c40699f9a84

      • C:\Windows\SysWOW64\Qmkadgpo.exe

        Filesize

        64KB

        MD5

        d93bb5345cb8de7c627b790ffbfab1a8

        SHA1

        3dd7e227c4621637ffcd0e4be838cb7be46a7b4f

        SHA256

        db299bcb480e8d080f14675b7e027108526be03b31e2599908436cdcb2c872f0

        SHA512

        2cf10ab418f0cecd64b15e1cf808a3252e9a87a3bbae08ca806e8898f8fcc4c2b7d1d8bd8d6b664294d557e870c32a94a56d8121e39a822b9abac8033bbeda2b

      • C:\Windows\SysWOW64\Qmmnjfnl.exe

        Filesize

        64KB

        MD5

        034ed89a6f3663dc1bec5fb3ae419b53

        SHA1

        18c41395eb7db3379c65b19f78ccdbb0597795cb

        SHA256

        8613a13bcc5b1f10808e860bb2f6a229405e57a2edb373561f44e03f8e814c45

        SHA512

        6464bf8f2e30adfe39fd31b98a840647116b4823727d840d5e5defe17a4eddbdc7b13353cb00259d847b30beaf3a713d59807a1f9c891e82b5cd1cd1964c67bf

      • memory/452-24-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/452-106-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/524-47-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/524-133-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/688-193-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/736-260-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/736-332-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/888-381-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/964-413-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1100-340-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1100-412-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1160-251-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1160-325-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1264-97-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1264-15-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1284-0-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1284-79-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1492-333-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1492-401-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1540-380-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1540-312-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1632-64-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1632-151-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1652-71-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1652-160-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1776-31-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1776-115-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1828-228-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1828-134-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1964-351-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

      • memory/1964-278-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/1972-360-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/1972-428-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/2128-352-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/2208-81-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/2208-174-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/2248-180-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/2248-259-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/2300-234-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/2300-304-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/2460-415-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/2640-268-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/2640-339-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/2648-370-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/2648-298-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/2804-196-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/2804-108-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/2984-175-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3060-143-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3060-232-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3080-373-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3080-305-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3144-291-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3184-7-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3184-88-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3208-220-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3340-39-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3340-124-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3348-422-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3392-388-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3584-371-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3648-374-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3680-402-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3700-55-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3700-142-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3752-117-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3752-205-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3756-359-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3756-292-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3900-242-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3900-311-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3908-197-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/3908-277-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4012-429-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4044-241-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4044-153-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4180-229-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4276-395-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4464-326-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4464-394-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4672-179-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4672-89-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4736-421-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4736-353-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4740-244-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4740-318-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4752-206-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4752-289-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4780-99-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4780-192-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4852-319-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4852-387-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4884-161-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/4884-243-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/5056-219-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
      • memory/5056-125-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)