Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 01:20

General

  • Target

    a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe

  • Size

    128KB

  • MD5

    c6780b428c2640b4bf8012779bed084b

  • SHA1

    f2d9217a354eed3ba0da239dc61a55895376f394

  • SHA256

    a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9

  • SHA512

    d28e95c74ad78250f995c2a641aafffa6a44dde2a8bc62057de64b3c03a257a2dea2e67dc4d4795eb9c7b12e1f8e0b669bd486ce6aec3861d4f4fafef1f9802c

  • SSDEEP

    3072:8k3Ws5aX1SgF0+upGh+URDd1AZoUBW3FJeRuaWNXmgu+tB:vm2+SQRh+UJdWZHEFJ7aWN1B

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
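
The third C2 URL is a printf-style format string, which is what makes it usable as a network signature regardless of the host the sample was configured with (the extracted host here is just "f"). The following is an added example, not code from the report or from the sandbox vendor: it translates that format string into a regex and runs it, host-agnostically, over a few constructed proxy-log lines. The three paths and the query format are taken from the config above; the server address 203.0.113.9, the client addresses and the Squid-like log layout are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Added example, not part of the sandbox report. Paths and the printf-style
# query format come from the extracted config; the extracted host ("f") is
# dropped on purpose so the match works against any host a live sample uses.
C2_ENDPOINTS = {
    "wcmd":   ("/wcmd.htm",   None),
    "ppslog": ("/ppslog.php", None),
    "piplog": ("/piplog.php", "%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d"),
}

_TOKEN = r"[^:&\s]+"      # %s: one non-empty field between ':' separators

def format_to_regex(fmt):
    """Translate a printf-style format string into an anchored regex.

    Only the conversions present in this config (%s %i %d %u) are handled.
    A width such as %09u or %02d becomes a minimum digit count, which is what
    a zero-padded field looks like on the wire (printf widens, never
    truncates). Anything else raises instead of producing a loose pattern.
    """
    parts, i = [], 0
    while i < len(fmt):
        if fmt[i] != "%":
            parts.append(re.escape(fmt[i]))
            i += 1
            continue
        m = re.match(r"%0?(\d*)([sidu])", fmt[i:])
        if not m:
            raise ValueError("unsupported conversion at %r" % fmt[i:i + 4])
        width, conv = m.groups()
        if conv == "s":
            parts.append(_TOKEN)
        else:
            digits = r"\d{%d,}" % int(width) if width else r"\d+"
            # %u is unsigned; %i/%d may carry a sign (not expected for these
            # fields, so the sign is merely permitted, not required)
            parts.append(digits if conv == "u" else "-?" + digits)
        i += m.end()
    return re.compile("^" + "".join(parts) + "$")

_COMPILED = {
    name: (path, format_to_regex(fmt) if fmt else None)
    for name, (path, fmt) in C2_ENDPOINTS.items()
}

def classify_url(url):
    """Return the C2 endpoint name a URL matches, or None.

    Path-only endpoints (wcmd.htm, ppslog.php) match on path alone and are
    weak indicators by themselves; piplog.php additionally requires the query
    string to have the exact ':'-separated shape of the beacon format.
    """
    if "://" not in url:            # proxy logs often omit the scheme
        url = "http://" + url
    u = urlsplit(url)
    for name, (path, query_re) in _COMPILED.items():
        if u.path.lower() != path:
            continue
        if query_re is None or query_re.match(u.query):
            return name
    return None

def scan_proxy_log(lines):
    """Return (client, url, endpoint) for every line whose URL matches.
    Constructed line shape (Squid-like): ts client method url status"""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        endpoint = classify_url(fields[3])
        if endpoint:
            hits.append((fields[1], fields[3], endpoint))
    return hits

# Constructed sample traffic: line 1 has the beacon's field structure
# (host:int:int:user:9+ digit counter:int:hh:mm:ss), the rest is noise.
SAMPLE_LOG = [
    "1731000001 10.0.0.7 GET http://203.0.113.9/piplog.php?WIN7-PC:1:0:Admin:000123456:7:01:20:33 200",
    "1731000002 10.0.0.7 GET http://203.0.113.9/wcmd.htm 200",
    "1731000003 10.0.0.8 GET http://203.0.113.9/piplog.php?id=42 404",
    "1731000004 10.0.0.9 GET http://example.com/index.php?a=1:2:3 200",
]

if __name__ == "__main__":
    for client, url, endpoint in scan_proxy_log(SAMPLE_LOG):
        print("%s -> %s [%s]" % (client, url, endpoint))
```

The discriminating part is the nine-field, colon-separated query with a zero-padded nine-digit counter and three two-digit time fields; a hit on `/wcmd.htm` or `/ppslog.php` alone should be treated as a lead to pivot on, not as a verdict.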

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 34 IoCs
  • Loads dropped DLL 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe
    "C:\Users\Admin\AppData\Local\Temp\a5c5b81e90a0fb5d629e9f61a46c7c2a6e0eeea3a09fd3e4b7ef4790fbd08bd9.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Windows\SysWOW64\Nadpgggp.exe
      C:\Windows\system32\Nadpgggp.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\SysWOW64\Ocdmaj32.exe
        C:\Windows\system32\Ocdmaj32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Windows\SysWOW64\Okoafmkm.exe
          C:\Windows\system32\Okoafmkm.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2644
          • C:\Windows\SysWOW64\Olonpp32.exe
            C:\Windows\system32\Olonpp32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2524
            • C:\Windows\SysWOW64\Odjbdb32.exe
              C:\Windows\system32\Odjbdb32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:264
              • C:\Windows\SysWOW64\Odlojanh.exe
                C:\Windows\system32\Odlojanh.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1720
                • C:\Windows\SysWOW64\Oappcfmb.exe
                  C:\Windows\system32\Oappcfmb.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2108
                  • C:\Windows\SysWOW64\Pjldghjm.exe
                    C:\Windows\system32\Pjldghjm.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1608
                    • C:\Windows\SysWOW64\Pfbelipa.exe
                      C:\Windows\system32\Pfbelipa.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3036
                      • C:\Windows\SysWOW64\Pgbafl32.exe
                        C:\Windows\system32\Pgbafl32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2880
                        • C:\Windows\SysWOW64\Pcibkm32.exe
                          C:\Windows\system32\Pcibkm32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:1824
                          • C:\Windows\SysWOW64\Piekcd32.exe
                            C:\Windows\system32\Piekcd32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:380
                            • C:\Windows\SysWOW64\Pbnoliap.exe
                              C:\Windows\system32\Pbnoliap.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:2440
                              • C:\Windows\SysWOW64\Pndpajgd.exe
                                C:\Windows\system32\Pndpajgd.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:1140
                                • C:\Windows\SysWOW64\Qgoapp32.exe
                                  C:\Windows\system32\Qgoapp32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:1672
                                  • C:\Windows\SysWOW64\Acfaeq32.exe
                                    C:\Windows\system32\Acfaeq32.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    PID:1368
                                    • C:\Windows\SysWOW64\Agdjkogm.exe
                                      C:\Windows\system32\Agdjkogm.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      PID:1552
                                      • C:\Windows\SysWOW64\Apoooa32.exe
                                        C:\Windows\system32\Apoooa32.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        PID:892
                                        • C:\Windows\SysWOW64\Amcpie32.exe
                                          C:\Windows\system32\Amcpie32.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          PID:2528
                                          • C:\Windows\SysWOW64\Aijpnfif.exe
                                            C:\Windows\system32\Aijpnfif.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            PID:1744
                                            • C:\Windows\SysWOW64\Abbeflpf.exe
                                              C:\Windows\system32\Abbeflpf.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              PID:2760
                                              • C:\Windows\SysWOW64\Blkioa32.exe
                                                C:\Windows\system32\Blkioa32.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry class
                                                PID:1620
                                                • C:\Windows\SysWOW64\Becnhgmg.exe
                                                  C:\Windows\system32\Becnhgmg.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  PID:2756
                                                  • C:\Windows\SysWOW64\Bbgnak32.exe
                                                    C:\Windows\system32\Bbgnak32.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:2156
                                                    • C:\Windows\SysWOW64\Beejng32.exe
                                                      C:\Windows\system32\Beejng32.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Loads dropped DLL
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:2764
                                                      • C:\Windows\SysWOW64\Blobjaba.exe
                                                        C:\Windows\system32\Blobjaba.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        PID:2788
                                                        • C:\Windows\SysWOW64\Bhfcpb32.exe
                                                          C:\Windows\system32\Bhfcpb32.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • Drops file in System32 directory
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          PID:1708
                                                          • C:\Windows\SysWOW64\Bejdiffp.exe
                                                            C:\Windows\system32\Bejdiffp.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies registry class
                                                            PID:1944
                                                            • C:\Windows\SysWOW64\Bhhpeafc.exe
                                                              C:\Windows\system32\Bhhpeafc.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              • Modifies registry class
                                                              PID:3016
                                                              • C:\Windows\SysWOW64\Cdoajb32.exe
                                                                C:\Windows\system32\Cdoajb32.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • Drops file in System32 directory
                                                                • System Location Discovery: System Language Discovery
                                                                • Modifies registry class
                                                                PID:2120
                                                                • C:\Windows\SysWOW64\Cklfll32.exe
                                                                  C:\Windows\system32\Cklfll32.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Modifies registry class
                                                                  PID:2116
                                                                  • C:\Windows\SysWOW64\Cddjebgb.exe
                                                                    C:\Windows\system32\Cddjebgb.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Modifies registry class
                                                                    PID:2920
                                                                    • C:\Windows\SysWOW64\Cbgjqo32.exe
                                                                      C:\Windows\system32\Cbgjqo32.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Modifies registry class
                                                                      PID:3052
                                                                      • C:\Windows\SysWOW64\Ceegmj32.exe
                                                                        C:\Windows\system32\Ceegmj32.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2160
                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 140
                                                                          36⤵
                                                                          • Program crash
                                                                          PID:2564
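
The tree above is 35 stages deep: every stage is a pseudo-random 8-character .exe in SysWOW64 launched by the previous one, its command line names C:\Windows\system32 while the image resolves under C:\Windows\SysWOW64 (a 32-bit process running under WoW64 file-system redirection), and the chain ends in a WerFault crash. As an added example that is not part of the report, the script below encodes that pattern as detection logic over Sysmon-style process-creation events. The events are constructed from the first five entries of the tree (same PIDs and names) plus the WerFault launch and benign noise; the field names, the allowlist of legitimate 8-character SysWOW64 binaries, "sample.exe" standing in for the target, and the noise PIDs are assumptions. The two MD5s are the target's hash from the General section and the Abbeflpf.exe hash from the Downloads section.

```python
import re
from collections import defaultdict

# Added example, not part of the sandbox report. Event fields mimic Sysmon
# Event ID 1 (pid, ppid, image, cmdline, md5); all events are constructed.
SYSWOW64 = "c:\\windows\\syswow64\\"
# Every stage in the tree above is an 8-character name such as Nadpgggp.exe
# or Ocdmaj32.exe: one letter followed by seven letters or digits.
RANDOM_NAME = re.compile(r"^[a-z][a-z0-9]{7}\.exe$")
# Real SysWOW64 binaries that are also 8 characters long (assumed,
# illustrative allowlist; extend it from a clean reference image).
LEGIT_8CHAR = {"rundll32.exe", "regsvr32.exe", "werfault.exe"}

# Hashes taken from this report: the submitted target (General section) and
# one dropped stage, Abbeflpf.exe (Downloads section).
KNOWN_MD5 = {
    "c6780b428c2640b4bf8012779bed084b",
    "8920caf802919bd66c7e015c4ae5789c",
}

def is_stage_like(ev):
    """A pseudo-random 8-character .exe sitting directly in SysWOW64."""
    image = ev["image"].lower()
    if not image.startswith(SYSWOW64):
        return False
    name = image[len(SYSWOW64):]
    return name not in LEGIT_8CHAR and RANDOM_NAME.match(name) is not None

def wow64_redirected(ev):
    """Command line says system32 but the image resolved under SysWOW64, i.e.
    the launch went through WoW64 file-system redirection, as every stage in
    the tree above did (cmdline ...\\system32\\X.exe, image ...\\SysWOW64\\X.exe)."""
    return ("\\system32\\" in ev["cmdline"].lower()
            and ev["image"].lower().startswith(SYSWOW64))

def stage_chains(events):
    """Maximal parent->child chains of stage-like processes as PID lists,
    longest first. Depth is the discriminator: one odd binary in SysWOW64 is
    a lead, dozens re-spawning each other is this family's behaviour."""
    by_pid = {ev["pid"]: ev for ev in events}
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev["pid"])

    def walk(pid):
        best = [pid]
        for child in children[pid]:
            if is_stage_like(by_pid[child]):
                cand = [pid] + walk(child)
                if len(cand) > len(best):
                    best = cand
        return best

    chains = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        # a chain root is a stage whose parent is not itself a stage
        if is_stage_like(ev) and not (parent and is_stage_like(parent)):
            chains.append(walk(ev["pid"]))
    return sorted(chains, key=len, reverse=True)

def triage(events, min_depth=3):
    """(finding, pid) tuples for hash hits, redirected random-named SysWOW64
    launches, and stage chains of at least min_depth processes."""
    findings = []
    for ev in events:
        if ev.get("md5") in KNOWN_MD5:
            findings.append(("known_md5", ev["pid"]))
        if is_stage_like(ev) and wow64_redirected(ev):
            findings.append(("syswow64_random_exe_redirected", ev["pid"]))
    for chain in stage_chains(events):
        if len(chain) >= min_depth:
            findings.append(("stage_chain_depth_%d" % len(chain), chain[0]))
    return findings

def _ev(pid, ppid, image, cmdline, md5=None):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline, "md5": md5}

SW = "C:\\Windows\\SysWOW64\\"
S32 = "C:\\Windows\\system32\\"
# Constructed sample: first five entries of the tree above (same PIDs), the
# WerFault launch, and benign noise. "sample.exe" stands in for the target.
SAMPLE_EVENTS = [
    _ev(1234, 1000, "C:\\Windows\\explorer.exe", "C:\\Windows\\Explorer.EXE"),
    _ev(2996, 1234, "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe",
        "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe\"",
        md5="c6780b428c2640b4bf8012779bed084b"),
    _ev(2808, 2996, SW + "Nadpgggp.exe", S32 + "Nadpgggp.exe"),
    _ev(3064, 2808, SW + "Ocdmaj32.exe", S32 + "Ocdmaj32.exe"),
    _ev(2644, 3064, SW + "Okoafmkm.exe", S32 + "Okoafmkm.exe"),
    _ev(2524, 2644, SW + "Olonpp32.exe", S32 + "Olonpp32.exe"),
    _ev(2564, 2524, SW + "WerFault.exe", SW + "WerFault.exe -u -p 2524 -s 140"),
    _ev(4100, 1234, "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
    _ev(4200, 1234, SW + "rundll32.exe", S32 + "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for finding, pid in triage(SAMPLE_EVENTS):
        print(finding, pid)
```

The name heuristic on its own will fire on legitimate 8-character SysWOW64 binaries (rundll32.exe, regsvr32.exe and WerFault.exe are the ones in the allowlist here), which is why the chain depth and the system32/SysWOW64 mismatch are combined with it rather than used alone; on a full 35-stage run like the one above the chain finding alone is conclusive.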

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Abbeflpf.exe

    Filesize

    128KB

    MD5

    8920caf802919bd66c7e015c4ae5789c

    SHA1

    696160892d06e3d1ad9e896739ac02c3b6c7e9e5

    SHA256

    98930b6389ad0342ca7404aa3006f862fde1f1c46c9913e60a250af2722452d0

    SHA512

    a7d8b2582cfed34f5a0a38ec1f197a04c0dfe889f77d4020a5e50eeda8f6821f89f9388db540bfb9a3e3fcad4bc491491daf7d3bfe39b4ec8d29d0d3d3f74081

  • C:\Windows\SysWOW64\Agdjkogm.exe

    Filesize

    128KB

    MD5

    c29056bf52f806658906178b51cc7bb1

    SHA1

    a78554fbd0331ae93141b241359229061162a4e2

    SHA256

    f0d0c060767ec80eb657bfe5bc3c5d9ccf33400a67a50c3e62c3f46ae796ca36

    SHA512

    436bcadcf02f9d8379f558246a821b2b3904ac320b004d89655108ca917140b2e7d61afd5c9499c77e43cb649435e2ca3eaacd26292e106f4b091c95fb8fc46d

  • C:\Windows\SysWOW64\Aijpnfif.exe

    Filesize

    128KB

    MD5

    ecdeb7a2701f69a4a5bb12dbb3a05be0

    SHA1

    190fbadd0e0a8b34cc27c517d15d640b69019a5b

    SHA256

    eb646123e32598fbb795a00edcd4caf294b41a8385b5bb56dc06b21751731bb6

    SHA512

    53e359da4b7e78d2ebeca7cf891b69ec66e8e51fe427f509669bd1c6edb57038e2cd4bc3c1c0d5c98167100fedb99ce6f7d53b562ca5823ae6ee637fbccc4d58

  • C:\Windows\SysWOW64\Ajcfjgdj.dll

    Filesize

    7KB

    MD5

    05fdda8879e2e3de5cf4ef493a8fafb7

    SHA1

    44673720833f650bd1b252b0c4164d2d7a194903

    SHA256

    786706b0602cac6e9458c8f81ef0e8fc6742cb310b58366d3cbee0916a8cb9d2

    SHA512

    610add54a32672d75c47ff1bc22c1bf072750b713be0dbc2e7ab9d73e66a0175a87ef425f2b8b6f5c4340264ae7c73da966dd72abade64bc1493a7acfbeb14e9

  • C:\Windows\SysWOW64\Amcpie32.exe

    Filesize

    128KB

    MD5

    be784132bd9b17bb484f3b3b139ae26f

    SHA1

    ea87adf8901ef308d8963b8a98ca2c8bf1b2a63f

    SHA256

    cabc8e742f185a8c08a94a2c48bd6ac4a261c4ccd7d521b2d42167f22902afa4

    SHA512

    abb8b7f09c24767fbede8dcfba550de32aee8a5045693c8e8e6e257db2feb413eb35fc82c22c2ca960c6678c1aec67255817845856c3f3c6bdc87a0ac91e07f5

  • C:\Windows\SysWOW64\Apoooa32.exe

    Filesize

    128KB

    MD5

    791e9849272f3cbb2d87baa793aafa54

    SHA1

    f2a9158861b4064f234b8e0857fe83bb9580b1d7

    SHA256

    c2708ef9d61af73bb27bbb13a0c5fac66e089dc5ab1f412aef25d3554d06b4df

    SHA512

    c4c3e86f9932051c5081327c59bcfcc33a664dd84edd5eaf30b02ee93afa3307fa499c91710d75b77d11478d109071d3d2494ccd1acef9261f84abf72636f690

  • C:\Windows\SysWOW64\Bbgnak32.exe

    Filesize

    128KB

    MD5

    84a5e0218ac8a65e98c0103fc09316de

    SHA1

    da2ceb01b6f285d2818c404cf75ac2cb49d1a761

    SHA256

    5fbc3a93566e9392c604632a904e2f9bb844f9044ef95103fd9024026a08815b

    SHA512

    24473cbdbd433aa4b54ec9f96db40aa93e5219c4e3b3ef1857bbe233201d281368cc80062cab87da9a43ee03dadc4a4655cf8b9f9bc455cbf3b5ebdff311f264

  • C:\Windows\SysWOW64\Becnhgmg.exe

    Filesize

    128KB

    MD5

    2f73734d48f601a616f15a66736bdec2

    SHA1

    bc8b1cfc7c8cf510b80172719ea551b80eec1e1c

    SHA256

    b0d69dd9458bdb20625062c11c50bc319d273ed384c09e93072f89e371c36972

    SHA512

    875dc1d6323de758983faafd7259febf314850ea17aeafb339d23c63d02c64654dd680b89813d4b24198d6d82ee49848fdae43da718da705926df7000f1c0ccd

  • C:\Windows\SysWOW64\Beejng32.exe

    Filesize

    128KB

    MD5

    d7e4bf8001f96d52734ec4198a2e90ae

    SHA1

    5255059e6abf6ff6e5c4c54bc0e94ab3d00e1a7f

    SHA256

    e9453e99040515f591f2e51206b87bd8beeb67a49b3003e84664968ac05fc52d

    SHA512

    a479023b9dffb775a84e65eddefd814daf32dad5989245fd5f1a9bade4c79da9bfe98c9f0a9ea09a87ffe7a66c9cb7c63699735a7e80608c355dc89a17be51b1

  • C:\Windows\SysWOW64\Bejdiffp.exe

    Filesize

    128KB

    MD5

    46824f8a6a04d6b3d76b221d83d829d0

    SHA1

    25d8a915233915951905193fc242bc35c9bfa642

    SHA256

    9abb3f84acccbf682dc5483da132dd154df5fc4ced93e89cbea5d01e1c846295

    SHA512

    e5f51001a2319706e2a6193f33381c571e136c5411543ab8ec85bdf8c83475bdf8f19198fe0e9a6bdcdf39d61db99963ce6789af5ddec0a48b6750bc7f6ece93

  • C:\Windows\SysWOW64\Bhfcpb32.exe
    Filesize: 128KB
    MD5: 5c14f8db4c386e8e196b32feeb20b870
    SHA1: 34e40ac9684ca51a786693d81a01068d6046c575
    SHA256: a39bdad0bdd0f4fc8aff0bd0a5dadc6dfa01bf542c44e037dda03f3d3ae83c12
    SHA512: 1eefbca3cc157ef1783ae5320265a64940f1b21ba003f523a5f61fe449d26d3d846b70c70ae0ae62694c77e058ab151300775a088bfdb85de5b82291c1c68dd6

  • C:\Windows\SysWOW64\Bhhpeafc.exe
    Filesize: 128KB
    MD5: f7f4e64446d602dedfc2c41ad35c6bc0
    SHA1: dcb181be42a207d809ee1fc5f5136065a88c528b
    SHA256: 1fe1e3e6767ff0d93fcd450aaf6c2b525d802c022d86dff13721dac50557f7fb
    SHA512: 67c7550315a2d25723fcab8303caf606dc744056fdf11b792e98cf3d99594f657455c9ca950b8b6598ec93f6868653b09bc6af3d808c183c5c280da4418f504d

  • C:\Windows\SysWOW64\Blkioa32.exe
    Filesize: 128KB
    MD5: 6fa5963b9bf4051dd97c64ed6edb597a
    SHA1: 748de9017d0135fb51ec623357a6984d092ae6f0
    SHA256: 0b6fb4694b830cb98c1332c4e7c92fcc2a2911fb4dff58fe062ed469b56af81f
    SHA512: 26cbf7834b71041fd21f9be64d1ff6bcd912384ddc7f08be6d38979c519c4f2b956ba5b1543da142b936cb15221651b653af95483dccd1d2283ef83d28d50352

  • C:\Windows\SysWOW64\Blobjaba.exe
    Filesize: 128KB
    MD5: 6c381a5772e13679b9ce6eb16353321c
    SHA1: 1a0a2aa792cc7eba1bd70263e1d66c8fa85a83d1
    SHA256: c968ef6d9ca43ff044ff11c7995263b2fffc26bd2114f68b660321251946f1a3
    SHA512: 22e2d36da0f0f3d47c1ff8d515d14af84275f97937a61770d223b9adda7e4ffe9c9b9875ac3fdb34786fc56045cabfcacc7e8a4fcd1b4ebe2ad1999646e0e577

  • C:\Windows\SysWOW64\Cbgjqo32.exe
    Filesize: 128KB
    MD5: 37028e5ceef1834203c89009595ebcca
    SHA1: 57ef27e7eaec562f5ce1100f6d789e1d6f7da8ab
    SHA256: d2b18a48a7817fefaf4e708ab14aba7b3b2e36935729baf325638dc0bbea8912
    SHA512: 514daa371deab6b1f63ba7d708ef5dda71c2bf452658a7408b308562d1f583f52cad72d03849f0554abbd472e8df239735401aaf5684f534da6a8181dfdcd252

  • C:\Windows\SysWOW64\Cddjebgb.exe
    Filesize: 128KB
    MD5: 2d3ff9e46c340d2427e5ae715232fc4e
    SHA1: aa09190cddf0b71f3ff13f4bcfd9f45ba61affdc
    SHA256: 44fa015b87fda2c08130e77aea04be39b6cfa44e66042801578719b7f0fc976d
    SHA512: a4f0911bd89c6fcfc92f46b107ccfba58c30cb5f2ca02500832f933b08153614e36bb7efc6ca8edfff2377c7a001ae88a75f69b68238cbe44faa665cf9fc24b7

  • C:\Windows\SysWOW64\Cdoajb32.exe
    Filesize: 128KB
    MD5: 6841930f2b7033e1cc9fbc9fb91a70c8
    SHA1: 1f7c3d8cf5258a20fa1e31401390a369739daeed
    SHA256: 1a2a33587e36d56a85dc4d3ab7eb79e8e664389c497f7b0e0da77659b9bbcf3d
    SHA512: 7788a06fcfd4b2ae373b4951aae53511328c68278799f32ee76d21a7bb993552e77042350aa126256564bebaed35c065592b81419dc5629f21d75652aad6590a

  • C:\Windows\SysWOW64\Ceegmj32.exe
    Filesize: 128KB
    MD5: 4897cd4c0f1fce62f7fc692581b08f84
    SHA1: 9978471d2d28e99dc3fefdcc0c33c61c42fe5e53
    SHA256: e120d4bd2148d703e3447b33b9d6884be24737484293c8be84222a658a9e1b90
    SHA512: f5eee828507ab7bd11494bf2e81069d458a1cd44e7a7a3d1b0f71a44fe19fa3fbafc4034fa01578964092931e31648bc6fde09658c7c1c830fb449498b670232

  • C:\Windows\SysWOW64\Cklfll32.exe
    Filesize: 128KB
    MD5: 364c240160edca32efc7910ee58907d7
    SHA1: dd7ffc66f39f0085ebf960b091d0c25650d3d040
    SHA256: ec380158ba738ee7eaad80e441897facae3a573c7fe124b1130c380df88ce626
    SHA512: 9030f48c1d7ce994b07af6e761b97e4f92511b1b79af04b6634669d353d93f278bcdf6cf36e2f38540e34c9c4fcffc3c8e38d2fc286dd2a73216f373a400de85

  • C:\Windows\SysWOW64\Pgbafl32.exe
    Filesize: 128KB
    MD5: 603d4552260715f90fff9b075da23b64
    SHA1: 22c617901d070f127f799d56a6851961fbf6aa7c
    SHA256: 4744ce238d20d56f98fb6057d22d17df10156d6c68d33ad66bf498786203fe44
    SHA512: 28f8b8bdbe6db0de667985195917c89b932b8b76336a6a8b1712afdd24d1bd982a45c9239c32dc3f1eef48162e4fec73dbfb308952ce959c7b5f25bc246d0368

  • C:\Windows\SysWOW64\Piekcd32.exe
    Filesize: 128KB
    MD5: 22c00d4f93b60ddfdc77265375d421ce
    SHA1: 5b593f3adeae6fb7ede867625900bbc53a99b631
    SHA256: 864b59f9d13f662da80dc756931fa6b5f887a8b781933e1a0b977351df05e84e
    SHA512: 10b79fd40b23db9f94c4432d4623d4a80f0d3b1502a7c654e834e06f15fa155a854afceb0f30ca5145c0e105679e720c63b6fc3d3dc70a0c05ce16b04c1bd7ea

  • C:\Windows\SysWOW64\Pjldghjm.exe
    Filesize: 128KB
    MD5: 9c29287074b2d2d0d279c494f08de8c6
    SHA1: 4a76ceb3ce6e7d2643491b7d1f817b2e4c3a18cd
    SHA256: 4c56b74598523946d44c1145e7f44f6265a4bdfa409c554f1a674caa0a0c5285
    SHA512: 23c686eaa05499feaea536b547e33fb0f961e4478ca2f566f29f44a9c1a306f9b6c236042506821d533ba332f901b59ab8f5779f20f806008ae20e09c017d370

  • \Windows\SysWOW64\Acfaeq32.exe
    Filesize: 128KB
    MD5: 127daed11b900d7470927703d18e32fe
    SHA1: 089d49937888b92722d4f8a1c42d832802143dfb
    SHA256: b5f8264237bb63bc3a5520e014c3c69f6372bcdea33f3dc251144f0f8720f960
    SHA512: f3859c84a1ce4be5803e7532a874219b8b285ba69a60fc94b2fa13611837fab1356910830a0eca4d97d5b80d03f86f7d4798b1a0c1d7e0491b7ef25c5e80becd

  • \Windows\SysWOW64\Nadpgggp.exe
    Filesize: 128KB
    MD5: 81e8dda9b761bb889671784e39418619
    SHA1: 4dd2aef8a88b046572ce5a22abe81939504b9f8d
    SHA256: a272f645de76a7287fc54037f72ac6b201b7e0e9985ac85e739908b959b91e4d
    SHA512: e4e293982ee31804e2511a0559b1389d5070e32904dd34f1bfab653611acc7f99be00bcefc35eab1b8297a7d0e74310b5c9b39b4dc3a620544ac8b8d9dc99cbd

  • \Windows\SysWOW64\Oappcfmb.exe
    Filesize: 128KB
    MD5: dc4467560adaf8908bad8fd0ba1ec5d3
    SHA1: 791c6897c69b202680aa044e2be2797989058cd7
    SHA256: 8e8fdaf4bb1bf06f495fada7a2754e1203ac6ef38d36ab6f33d4c28118ad270e
    SHA512: 37ea66414813b152cc8bd3e4abd9f35f3398800660e7f757205c500c2c7172b0137e15c1d6c559393d33f7bc250b7f14988e86263514d8a33e7becd3bbf545af

  • \Windows\SysWOW64\Ocdmaj32.exe
    Filesize: 128KB
    MD5: ca4f21228c9f23c51655643424e1cdbe
    SHA1: 74fdc1a9def929d9cac4d19495892ad96f6c9e15
    SHA256: 53f4139bf9ceaa3630fd54666ac5871f842b899b4e40760653d9dc7ca3ab90bd
    SHA512: 362f314ac11861b917652c79831c9010c2f04c61a454f187f6c04aa2b41ebbba4da717a1465e1d38470bfff8297dba3405f6f98696eecd61ba1dae82aeb9ca05

  • \Windows\SysWOW64\Odjbdb32.exe
    Filesize: 128KB
    MD5: fe8847e1ce8e75d6c08e3630905acfa9
    SHA1: 629751926f2a810660f5ef4b7543dbd84a5d6fa9
    SHA256: 3163454e6ae3115858809d7880e22d8a75d794acb10ae2f8d8e2353fc61b295f
    SHA512: c65ea3ed86f09aece4e0761d86784de2f6921dfa01abf4dad911ada5cf7d51a652841ce17cb1576e7305ce411040485d1c6d0f2e7eb4540609ebe5a2fb28c540

  • \Windows\SysWOW64\Odlojanh.exe
    Filesize: 128KB
    MD5: e1598d651bcaf2da5d7a12dd7781dfb1
    SHA1: 3bea2bc35c43f936337fd243a391583113e38a1a
    SHA256: 83e1396920a260a52792390f80b0ab7ee9045882353a3ae935b4da6bfcd4a9e6
    SHA512: d9379b65f98878a3cbaed93fda8f993c398f68c5fae46a991f8e487608de8c79b85502bc7a3db558e3ac318e42c1cc93cf993646cdcd4b3a107b88745753e137

  • \Windows\SysWOW64\Okoafmkm.exe
    Filesize: 128KB
    MD5: 5c614aba482095330651b10b7a8f0e9e
    SHA1: 8cc7ae61c97b983cca0d0024fa5713f93bd5b7ed
    SHA256: 35cfbc832242732343e5d6b9bb1ae372015547cecc795dc7361a76e429c46a89
    SHA512: b9c61c78088b4752181cce02be19a70da3cc091a12d9fa045bbacb8b8f0fe58e6c61e644567fedf1e29e9e0e76b0665373e84a0b5b86be55790e2c710901645d

  • \Windows\SysWOW64\Olonpp32.exe
    Filesize: 128KB
    MD5: 28b361cc91feeb2c9df63b6240407d89
    SHA1: c099e6ca01fa6f06c44d15f8d1c7e10c0320aad3
    SHA256: c5b65ff0cc107fa73a502ff3657c471d7e07fad1beac20180d53b2aedb58bcf9
    SHA512: f7acc8795b131f6b8e0f81ab376523d253cec4fa86ac6a223b492c28752aa3ab45ecc0ba296f540781d9c609ffce671ece9e48502220f010073dc82477d5b8bc

  • \Windows\SysWOW64\Pbnoliap.exe
    Filesize: 128KB
    MD5: 2546738d9d0ed165d4dfdf84a93e21cf
    SHA1: 97209c9696a5389bdb39c199246679202c440936
    SHA256: 7488967d554a8f9a52caf4e722e0c437861b73b1caa509acf1e93340a9ea0d15
    SHA512: 1e9ce934fe94e6739cf99b1206579498c7eec2227569da4514bad3f39358310f9582b46a23e195f74cb1239239b479211b7796c482f92d7a61275e7be5a79600

  • \Windows\SysWOW64\Pcibkm32.exe
    Filesize: 128KB
    MD5: 50c946c1f31df56ba0bcf014915c29ea
    SHA1: 1927562fb9985d7ba96ea487456039ef14a9fbbc
    SHA256: 32687441913ad0dbdd4006e1c2a18b37a177d36d494b8df539f5314c87c22869
    SHA512: 8630be1bcb76b5a89f86d0c63c4b2f863a3aa1ea69458f7bd4a6b3b65deb39cae3cb1b3106b2736103d1454ddb79cd998a138fd2749b5b39612cbd3c360c398b

  • \Windows\SysWOW64\Pfbelipa.exe
    Filesize: 128KB
    MD5: c4bdff749350bc0c39aa4b5cf2c6c94d
    SHA1: 7745dc5065ec0ad223ecf38781e61275e6f62bf0
    SHA256: 55ed195ffb210da65254ce5a02fd9e5368454563c72fedeb3900b234f5f9acca
    SHA512: 28255f2f54adeaa668555b32c311a24952a733f5d8d654edf2b7b557582e68a303f33116f97e7989ffc465b2af96b8b2c89ad141d5d13b044e4316c38ad0f1d2

  • \Windows\SysWOW64\Pndpajgd.exe
    Filesize: 128KB
    MD5: 29aea1d7f725de8d71b889e42d550239
    SHA1: 39682e180c49f58ee985c5cb35b7dfb33932ad23
    SHA256: 1931a8b34b4540d60f06edfa17a67794e233e231c9035a6289bb9345dccaab5a
    SHA512: a37970a078df0eea4a07641f76038b4cfec62b6d78784828b87aee8a874b94aa6877153c23cce17757fa64b6f144a7cdfade8239fd6128e267225960990c157b

  • \Windows\SysWOW64\Qgoapp32.exe
    Filesize: 128KB
    MD5: 363a4c58b65da3a6eef4b886c814a180
    SHA1: 0ac6b5aaadcf6ef724e3dfa1b83f251915bca87f
    SHA256: b070df34d79849ffe64d84a857a4374b45ba20d8688015fef2941b52cf29e2e1
    SHA512: 612903be0f4db65c569f924f897f0035431d0b22e08819544d80c562393cc471b828e0a2fde404015646eb83c588ff78cb686fc7cb4674587f21752c7bd813e1

  • memory/264-119-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/264-77-0x0000000000300000-0x0000000000342000-memory.dmp
    Filesize: 264KB

  • memory/380-218-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/380-171-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/380-185-0x0000000000290000-0x00000000002D2000-memory.dmp
    Filesize: 264KB

  • memory/892-257-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/892-297-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/892-264-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/1140-256-0x0000000000280000-0x00000000002C2000-memory.dmp
    Filesize: 264KB

  • memory/1140-254-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1368-234-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1368-278-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1552-285-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1552-255-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/1552-245-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1552-291-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/1608-173-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1608-124-0x0000000000450000-0x0000000000492000-memory.dmp
    Filesize: 264KB

  • memory/1608-184-0x0000000000450000-0x0000000000492000-memory.dmp
    Filesize: 264KB

  • memory/1620-309-0x0000000000450000-0x0000000000492000-memory.dmp
    Filesize: 264KB

  • memory/1620-351-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1672-269-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/1672-268-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/1672-219-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1672-232-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/1672-231-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/1672-262-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1708-401-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1708-407-0x0000000000450000-0x0000000000492000-memory.dmp
    Filesize: 264KB

  • memory/1720-137-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1720-91-0x0000000000290000-0x00000000002D2000-memory.dmp
    Filesize: 264KB

  • memory/1744-324-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1744-287-0x00000000002A0000-0x00000000002E2000-memory.dmp
    Filesize: 264KB

  • memory/1744-280-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1824-216-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1824-169-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1824-170-0x0000000000280000-0x00000000002C2000-memory.dmp
    Filesize: 264KB

  • memory/1944-380-0x00000000002D0000-0x0000000000312000-memory.dmp
    Filesize: 264KB

  • memory/1944-370-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/1944-382-0x00000000002D0000-0x0000000000312000-memory.dmp
    Filesize: 264KB

  • memory/2108-105-0x0000000000290000-0x00000000002D2000-memory.dmp
    Filesize: 264KB

  • memory/2108-148-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2120-403-0x0000000000290000-0x00000000002D2000-memory.dmp
    Filesize: 264KB

  • memory/2120-396-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2156-334-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2156-325-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2156-376-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2156-369-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2440-197-0x0000000000260000-0x00000000002A2000-memory.dmp
    Filesize: 264KB

  • memory/2440-241-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2440-189-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2524-61-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2524-111-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2524-54-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2524-104-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2528-313-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2528-308-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2528-314-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2528-279-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2644-40-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2644-89-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2756-315-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2756-366-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2756-367-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2756-368-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2760-335-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2760-302-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2760-301-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2764-381-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2764-392-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2764-345-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2764-344-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2788-353-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2788-357-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2788-346-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2788-393-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2788-395-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/2808-67-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2808-25-0x0000000000260000-0x00000000002A2000-memory.dmp
    Filesize: 264KB

  • memory/2880-155-0x00000000002B0000-0x00000000002F2000-memory.dmp
    Filesize: 264KB

  • memory/2880-141-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2880-204-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2880-150-0x00000000002B0000-0x00000000002F2000-memory.dmp
    Filesize: 264KB

  • memory/2996-0-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/2996-7-0x0000000000280000-0x00000000002C2000-memory.dmp
    Filesize: 264KB

  • memory/2996-52-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/3016-383-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/3016-394-0x0000000000450000-0x0000000000492000-memory.dmp
    Filesize: 264KB

  • memory/3036-196-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/3036-195-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/3036-139-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/3036-138-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/3036-188-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/3064-34-0x0000000000250000-0x0000000000292000-memory.dmp
    Filesize: 264KB

  • memory/3064-75-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/3064-26-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB