Analysis

  • max time kernel
    92s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 01:20

General

  • Target

    7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe

  • Size

    64KB

  • MD5

    15547afe700498242bf6912fdc2bf5d0

  • SHA1

    5dc33dba6351a14e02a34acac527fc069916bf0a

  • SHA256

    7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28fac

  • SHA512

    b44985f0e950fea0329b9e70b08261d4968cd6f4facb4e88f90d85842f0786fbf07bb677c20fac69c6b2f2143cf4659d0230bacebf76da63c588adbe312a8de3

  • SSDEEP

    1536:H+L1CGmL/xuohE4SOxUCQJWEXUk7qK2tvb01SV1iL+iALMH6:Hg1CGmTJaOlxEEk7M1QSV1iL+9Ma

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
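The report above lists the extracted C2 URLs and a long chain of dropped executables, each spawning the next. The following is an added example (not part of this report or of the sandbox's own tooling) that turns an excerpt of this page into indicators a responder can act on: it extracts the C2 hostnames for a blocklist, rebuilds parent/child links from the process tree's depth markers and PIDs, and flags the dropped files in SysWOW64 whose names follow the 8-character pattern seen in this run (the `BERBEW_NAME_RE` heuristic is derived only from the names observed here and is an assumption of this example). Note that each dropped file is recorded with a `C:\Windows\SysWOW64\` image path while its command line says `system32`: the sample is 32-bit (the resource is tagged `arch:x86`) and WOW64 file system redirection sends its `System32` writes to `SysWOW64` on this x64 host.

```python
"""Convert this sandbox report into actionable indicators.

Added example, not part of the report or of any Triage tooling: it parses an
excerpt of the report text reproduced on this page. The regex for Berbew-style
dropped-file names is a heuristic derived from the names observed in this run.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed excerpt of the "Malware Config" C2 list (subset of the report).
C2_URLS = """
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://www.redline.ru/index.php
http://ldark.nm.ru/index.htm
http://potleaf.chat.ru/index.htm
"""

# Constructed excerpt of the report's process tree: image path, command line,
# depth marker and PID, laid out the way the report prints them. The 32-bit
# dropper writes to "system32" but WOW64 redirection lands the file in
# SysWOW64, which is why the image path and the command line differ.
PROCESS_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe
"C:\Users\Admin\AppData\Local\Temp\7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe"
1⤵
PID:364
C:\Windows\SysWOW64\Pnakhkol.exe
C:\Windows\system32\Pnakhkol.exe
2⤵
PID:4588
C:\Windows\SysWOW64\Pqpgdfnp.exe
C:\Windows\system32\Pqpgdfnp.exe
3⤵
PID:2052
C:\Windows\SysWOW64\Pdkcde32.exe
C:\Windows\system32\Pdkcde32.exe
4⤵
PID:2652
"""

PATH_RE = re.compile(r'^[A-Za-z]:\\.+\.exe$')   # unquoted image path line
DEPTH_RE = re.compile(r'^(\d+)⤵$')              # "3⤵" means depth 3 in the tree
PID_RE = re.compile(r'^PID:(\d+)$')
# Heuristic (assumption): 8-character capitalised names, all letters or ending
# in "32", dropped into SysWOW64. Matches every dropped EXE in this report.
BERBEW_NAME_RE = re.compile(r'^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.exe$')


@dataclass
class ProcNode:
    path: str
    depth: int
    pid: int
    parent_pid: Optional[int]

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def c2_hosts(text: str) -> list:
    """Unique C2 hostnames in report order, ready for a DNS/proxy blocklist."""
    hosts = []
    for url in text.split():
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def parse_process_tree(text: str) -> list:
    """Rebuild parent/child links from the report's depth markers and PIDs."""
    nodes, pending_path, depth = [], None, None
    last_at_depth = {}                  # depth -> pid of the newest node there
    for line in (raw.strip() for raw in text.splitlines()):
        if pending_path is None and PATH_RE.match(line):
            pending_path = line         # first path is the image; next is cmdline
        elif m := DEPTH_RE.match(line):
            depth = int(m.group(1))
        elif m := PID_RE.match(line):
            pid = int(m.group(1))
            parent = last_at_depth.get(depth - 1)   # depth-1 node seen last
            nodes.append(ProcNode(pending_path, depth, pid, parent))
            last_at_depth[depth] = pid
            pending_path, depth = None, None
    return nodes


def dropped_in_syswow64(nodes: list) -> list:
    """Nodes whose image lives in SysWOW64 and follows the observed name pattern."""
    prefix = "c:\\windows\\syswow64\\"
    return [n for n in nodes
            if n.path.lower().startswith(prefix) and BERBEW_NAME_RE.match(n.name)]


def summarize(c2_text: str = C2_URLS, tree_text: str = PROCESS_TREE) -> dict:
    """One dict a responder can drop into a ticket or feed to a blocklist."""
    nodes = parse_process_tree(tree_text)
    return {
        "c2_hosts": c2_hosts(c2_text),
        "chain_depth": max(n.depth for n in nodes),
        "dropped": [(n.name, n.pid, n.parent_pid) for n in dropped_in_syswow64(nodes)],
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run against the full report text, the same parser yields the whole 50-deep chain; the name heuristic should be treated as a triage aid for this family's naming scheme, not a standalone detection, since any legitimate 8-letter binary in SysWOW64 would also match it and should be checked by hash and signature before action is taken.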

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe
    "C:\Users\Admin\AppData\Local\Temp\7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe"
    1⤵
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\Windows\SysWOW64\Pnakhkol.exe
      C:\Windows\system32\Pnakhkol.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Windows\SysWOW64\Pqpgdfnp.exe
        C:\Windows\system32\Pqpgdfnp.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Windows\SysWOW64\Pdkcde32.exe
          C:\Windows\system32\Pdkcde32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2652
          • C:\Windows\SysWOW64\Pgioqq32.exe
            C:\Windows\system32\Pgioqq32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4596
            • C:\Windows\SysWOW64\Pncgmkmj.exe
              C:\Windows\system32\Pncgmkmj.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2336
              • C:\Windows\SysWOW64\Pdmpje32.exe
                C:\Windows\system32\Pdmpje32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:4084
                • C:\Windows\SysWOW64\Pcppfaka.exe
                  C:\Windows\system32\Pcppfaka.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1072
                  • C:\Windows\SysWOW64\Pjjhbl32.exe
                    C:\Windows\system32\Pjjhbl32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:3868
                    • C:\Windows\SysWOW64\Pmidog32.exe
                      C:\Windows\system32\Pmidog32.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:2848
                      • C:\Windows\SysWOW64\Pdpmpdbd.exe
                        C:\Windows\system32\Pdpmpdbd.exe
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:4480
                        • C:\Windows\SysWOW64\Pgnilpah.exe
                          C:\Windows\system32\Pgnilpah.exe
                          12⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:4072
                          • C:\Windows\SysWOW64\Pjmehkqk.exe
                            C:\Windows\system32\Pjmehkqk.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:3956
                            • C:\Windows\SysWOW64\Qqfmde32.exe
                              C:\Windows\system32\Qqfmde32.exe
                              14⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:4584
                              • C:\Windows\SysWOW64\Qdbiedpa.exe
                                C:\Windows\system32\Qdbiedpa.exe
                                15⤵
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:4924
                                • C:\Windows\SysWOW64\Qgqeappe.exe
                                  C:\Windows\system32\Qgqeappe.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:3208
                                  • C:\Windows\SysWOW64\Qnjnnj32.exe
                                    C:\Windows\system32\Qnjnnj32.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:1092
                                    • C:\Windows\SysWOW64\Qqijje32.exe
                                      C:\Windows\system32\Qqijje32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:2824
                                      • C:\Windows\SysWOW64\Qcgffqei.exe
                                        C:\Windows\system32\Qcgffqei.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:1088
                                        • C:\Windows\SysWOW64\Ajanck32.exe
                                          C:\Windows\system32\Ajanck32.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:1352
                                          • C:\Windows\SysWOW64\Anmjcieo.exe
                                            C:\Windows\system32\Anmjcieo.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:4792
                                            • C:\Windows\SysWOW64\Aqkgpedc.exe
                                              C:\Windows\system32\Aqkgpedc.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:2988
                                              • C:\Windows\SysWOW64\Adgbpc32.exe
                                                C:\Windows\system32\Adgbpc32.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                PID:4220
                                                • C:\Windows\SysWOW64\Afhohlbj.exe
                                                  C:\Windows\system32\Afhohlbj.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  PID:3872
                                                  • C:\Windows\SysWOW64\Anogiicl.exe
                                                    C:\Windows\system32\Anogiicl.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:4988
                                                    • C:\Windows\SysWOW64\Ambgef32.exe
                                                      C:\Windows\system32\Ambgef32.exe
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      PID:5028
                                                      • C:\Windows\SysWOW64\Aeiofcji.exe
                                                        C:\Windows\system32\Aeiofcji.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:5092
                                                        • C:\Windows\SysWOW64\Aclpap32.exe
                                                          C:\Windows\system32\Aclpap32.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2860
                                                          • C:\Windows\SysWOW64\Afjlnk32.exe
                                                            C:\Windows\system32\Afjlnk32.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies registry class
                                                            PID:2660
                                                            • C:\Windows\SysWOW64\Anadoi32.exe
                                                              C:\Windows\system32\Anadoi32.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              • Modifies registry class
                                                              PID:2500
                                                              • C:\Windows\SysWOW64\Amddjegd.exe
                                                                C:\Windows\system32\Amddjegd.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                PID:5080
                                                                • C:\Windows\SysWOW64\Aeklkchg.exe
                                                                  C:\Windows\system32\Aeklkchg.exe
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • Modifies registry class
                                                                  PID:3988
                                                                  • C:\Windows\SysWOW64\Agjhgngj.exe
                                                                    C:\Windows\system32\Agjhgngj.exe
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Modifies registry class
                                                                    PID:2292
                                                                    • C:\Windows\SysWOW64\Andqdh32.exe
                                                                      C:\Windows\system32\Andqdh32.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      PID:2880
                                                                      • C:\Windows\SysWOW64\Aabmqd32.exe
                                                                        C:\Windows\system32\Aabmqd32.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • Modifies registry class
                                                                        PID:2184
                                                                        • C:\Windows\SysWOW64\Aeniabfd.exe
                                                                          C:\Windows\system32\Aeniabfd.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          PID:1868
                                                                          • C:\Windows\SysWOW64\Afoeiklb.exe
                                                                            C:\Windows\system32\Afoeiklb.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1652
                                                                            • C:\Windows\SysWOW64\Ajkaii32.exe
                                                                              C:\Windows\system32\Ajkaii32.exe
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              PID:3760
                                                                              • C:\Windows\SysWOW64\Aminee32.exe
                                                                                C:\Windows\system32\Aminee32.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Modifies registry class
                                                                                PID:552
                                                                                • C:\Windows\SysWOW64\Agoabn32.exe
                                                                                  C:\Windows\system32\Agoabn32.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry class
                                                                                  PID:972
                                                                                  • C:\Windows\SysWOW64\Bjmnoi32.exe
                                                                                    C:\Windows\system32\Bjmnoi32.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    PID:4496
                                                                                    • C:\Windows\SysWOW64\Bnhjohkb.exe
                                                                                      C:\Windows\system32\Bnhjohkb.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:2980
                                                                                      • C:\Windows\SysWOW64\Bebblb32.exe
                                                                                        C:\Windows\system32\Bebblb32.exe
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Modifies registry class
                                                                                        PID:1900
                                                                                        • C:\Windows\SysWOW64\Bfdodjhm.exe
                                                                                          C:\Windows\system32\Bfdodjhm.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Modifies registry class
                                                                                          PID:1856
                                                                                          • C:\Windows\SysWOW64\Bjokdipf.exe
                                                                                            C:\Windows\system32\Bjokdipf.exe
                                                                                            45⤵
                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Modifies registry class
                                                                                            PID:1460
                                                                                            • C:\Windows\SysWOW64\Bmngqdpj.exe
                                                                                              C:\Windows\system32\Bmngqdpj.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry class
                                                                                              PID:684
                                                                                              • C:\Windows\SysWOW64\Beeoaapl.exe
                                                                                                C:\Windows\system32\Beeoaapl.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Modifies registry class
                                                                                                PID:1980
                                                                                                • C:\Windows\SysWOW64\Bffkij32.exe
                                                                                                  C:\Windows\system32\Bffkij32.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • Modifies registry class
                                                                                                  PID:1872
                                                                                                  • C:\Windows\SysWOW64\Bjagjhnc.exe
                                                                                                    C:\Windows\system32\Bjagjhnc.exe
                                                                                                    49⤵
                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Modifies registry class
                                                                                                    PID:3032
                                                                                                    • C:\Windows\SysWOW64\Bmpcfdmg.exe
                                                                                                      C:\Windows\system32\Bmpcfdmg.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Modifies registry class
                                                                                                      PID:4288
                                                                                                      • C:\Windows\SysWOW64\Beglgani.exe
                                                                                                        C:\Windows\system32\Beglgani.exe
                                                                                                        51⤵
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Modifies registry class
                                                                                                        PID:4576
                                                                                                        • C:\Windows\SysWOW64\Bgehcmmm.exe
                                                                                                          C:\Windows\system32\Bgehcmmm.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:2388
                                                                                                          • C:\Windows\SysWOW64\Bjddphlq.exe
                                                                                                            C:\Windows\system32\Bjddphlq.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            PID:4284
                                                                                                            • C:\Windows\SysWOW64\Bnpppgdj.exe
                                                                                                              C:\Windows\system32\Bnpppgdj.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Modifies registry class
                                                                                                              PID:4928
                                                                                                              • C:\Windows\SysWOW64\Banllbdn.exe
                                                                                                                C:\Windows\system32\Banllbdn.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:1232
                                                                                                                • C:\Windows\SysWOW64\Bclhhnca.exe
                                                                                                                  C:\Windows\system32\Bclhhnca.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Modifies registry class
                                                                                                                  PID:2776
                                                                                                                  • C:\Windows\SysWOW64\Bhhdil32.exe
                                                                                                                    C:\Windows\system32\Bhhdil32.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • Modifies registry class
                                                                                                                    PID:1764
                                                                                                                    • C:\Windows\SysWOW64\Bnbmefbg.exe
                                                                                                                      C:\Windows\system32\Bnbmefbg.exe
                                                                                                                      58⤵
                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Modifies registry class
                                                                                                                      PID:2284
                                                                                                                      • C:\Windows\SysWOW64\Belebq32.exe
                                                                                                                        C:\Windows\system32\Belebq32.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Modifies registry class
                                                                                                                        PID:4900
                                                                                                                        • C:\Windows\SysWOW64\Bcoenmao.exe
                                                                                                                          C:\Windows\system32\Bcoenmao.exe
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:208
                                                                                                                          • C:\Windows\SysWOW64\Cjinkg32.exe
                                                                                                                            C:\Windows\system32\Cjinkg32.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            • Modifies registry class
                                                                                                                            PID:2276
                                                                                                                            • C:\Windows\SysWOW64\Cmgjgcgo.exe
                                                                                                                              C:\Windows\system32\Cmgjgcgo.exe
                                                                                                                              62⤵
                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Modifies registry class
                                                                                                                              PID:2628
                                                                                                                              • C:\Windows\SysWOW64\Cenahpha.exe
                                                                                                                                C:\Windows\system32\Cenahpha.exe
                                                                                                                                63⤵
                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:3308
                                                                                                                                • C:\Windows\SysWOW64\Chmndlge.exe
                                                                                                                                  C:\Windows\system32\Chmndlge.exe
                                                                                                                                  64⤵
                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:224
                                                                                                                                  • C:\Windows\SysWOW64\Cjkjpgfi.exe
                                                                                                                                    C:\Windows\system32\Cjkjpgfi.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:2844
                                                                                                                                    • C:\Windows\SysWOW64\Cnffqf32.exe
                                                                                                                                      C:\Windows\system32\Cnffqf32.exe
                                                                                                                                      66⤵
                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:3644
                                                                                                                                      • C:\Windows\SysWOW64\Ceqnmpfo.exe
                                                                                                                                        C:\Windows\system32\Ceqnmpfo.exe
                                                                                                                                        67⤵
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        • Modifies registry class
                                                                                                                                        PID:4312
                                                                                                                                        • C:\Windows\SysWOW64\Cdcoim32.exe
                                                                                                                                          C:\Windows\system32\Cdcoim32.exe
                                                                                                                                          68⤵
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          PID:1384
                                                                                                                                          • C:\Windows\SysWOW64\Cfbkeh32.exe
                                                                                                                                            C:\Windows\system32\Cfbkeh32.exe
                                                                                                                                            69⤵
                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            • Modifies registry class
                                                                                                                                            PID:3188
                                                                                                                                            • C:\Windows\SysWOW64\Cmlcbbcj.exe
                                                                                                                                              C:\Windows\system32\Cmlcbbcj.exe
                                                                                                                                              70⤵
                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              • Modifies registry class
                                                                                                                                              PID:4128
                                                                                                                                              • C:\Windows\SysWOW64\Ceckcp32.exe
                                                                                                                                                C:\Windows\system32\Ceckcp32.exe
                                                                                                                                                71⤵
                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:5012
                                                                                                                                                • C:\Windows\SysWOW64\Cfdhkhjj.exe
                                                                                                                                                  C:\Windows\system32\Cfdhkhjj.exe
                                                                                                                                                  72⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  • Modifies registry class
                                                                                                                                                  PID:2868
                                                                                                                                                  • C:\Windows\SysWOW64\Cnkplejl.exe
                                                                                                                                                    C:\Windows\system32\Cnkplejl.exe
                                                                                                                                                    73⤵
                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    PID:2248
                                                                                                                                                    • C:\Windows\SysWOW64\Ceehho32.exe
                                                                                                                                                      C:\Windows\system32\Ceehho32.exe
                                                                                                                                                      74⤵
                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                      PID:4448
                                                                                                                                                      • C:\Windows\SysWOW64\Cmqmma32.exe
                                                                                                                                                        C:\Windows\system32\Cmqmma32.exe
                                                                                                                                                        75⤵
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:2004
                                                                                                                                                        • C:\Windows\SysWOW64\Cegdnopg.exe
                                                                                                                                                          C:\Windows\system32\Cegdnopg.exe
                                                                                                                                                          76⤵
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          • Modifies registry class
                                                                                                                                                          PID:2344
                                                                                                                                                          • C:\Windows\SysWOW64\Dopigd32.exe
                                                                                                                                                            C:\Windows\system32\Dopigd32.exe
                                                                                                                                                            77⤵
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:3416
                                                                                                                                                            • C:\Windows\SysWOW64\Danecp32.exe
                                                                                                                                                              C:\Windows\system32\Danecp32.exe
                                                                                                                                                              78⤵
                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              • Modifies registry class
                                                                                                                                                              PID:1400
                                                                                                                                                              • C:\Windows\SysWOW64\Ddmaok32.exe
                                                                                                                                                                C:\Windows\system32\Ddmaok32.exe
                                                                                                                                                                79⤵
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:1892
                                                                                                                                                                • C:\Windows\SysWOW64\Dfknkg32.exe
                                                                                                                                                                  C:\Windows\system32\Dfknkg32.exe
                                                                                                                                                                  80⤵
                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                  PID:4092
                                                                                                                                                                  • C:\Windows\SysWOW64\Dmefhako.exe
                                                                                                                                                                    C:\Windows\system32\Dmefhako.exe
                                                                                                                                                                    81⤵
                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:5076
                                                                                                                                                                    • C:\Windows\SysWOW64\Delnin32.exe
                                                                                                                                                                      C:\Windows\system32\Delnin32.exe
                                                                                                                                                                      82⤵
                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                      PID:3284
                                                                                                                                                                      • C:\Windows\SysWOW64\Dfnjafap.exe
                                                                                                                                                                        C:\Windows\system32\Dfnjafap.exe
                                                                                                                                                                        83⤵
                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        PID:4592
                                                                                                                                                                        • C:\Windows\SysWOW64\Dmgbnq32.exe
                                                                                                                                                                          C:\Windows\system32\Dmgbnq32.exe
                                                                                                                                                                          84⤵
                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                          PID:2300
                                                                                                                                                                          • C:\Windows\SysWOW64\Deokon32.exe
                                                                                                                                                                            C:\Windows\system32\Deokon32.exe
                                                                                                                                                                            85⤵
                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                            PID:5040
                                                                                                                                                                            • C:\Windows\SysWOW64\Dfpgffpm.exe
                                                                                                                                                                              C:\Windows\system32\Dfpgffpm.exe
                                                                                                                                                                              86⤵
                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                              PID:5148
                                                                                                                                                                              • C:\Windows\SysWOW64\Dogogcpo.exe
                                                                                                                                                                                C:\Windows\system32\Dogogcpo.exe
                                                                                                                                                                                87⤵
                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                PID:5208
                                                                                                                                                                                • C:\Windows\SysWOW64\Daekdooc.exe
                                                                                                                                                                                  C:\Windows\system32\Daekdooc.exe
                                                                                                                                                                                  88⤵
                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                  PID:5268
                                                                                                                                                                                  • C:\Windows\SysWOW64\Dgbdlf32.exe
                                                                                                                                                                                    C:\Windows\system32\Dgbdlf32.exe
                                                                                                                                                                                    89⤵
                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                    PID:5312
                                                                                                                                                                                    • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                                                      C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                                                      90⤵
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:5356
                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 396
                                                                                                                                                                                        91⤵
                                                                                                                                                                                        • Program crash
                                                                                                                                                                                        PID:5444
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5356 -ip 5356
    1⤵
      PID:5420

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\Aclpap32.exe

      Filesize

      64KB

      MD5

      2f5aabc4746079f09153a26f48481c4b

      SHA1

      659316a32ecf89d1db5c3a145eb7a32b17804a82

      SHA256

      9003fb6e1d2cc9542a8e312c125c72be0f5cb397d7e6084e9133db2ffa54dbe2

      SHA512

      6686f9ef307fbffb715284370521adc1b90e7c7b969cdaa81ea1462c54c9d83ab98bb44bd0b6416b4679065380ffd4260acae2d1476418d06428892ea5d51a22

    • C:\Windows\SysWOW64\Adgbpc32.exe

      Filesize

      64KB

      MD5

      5407215802787dd4be952878ff9eaeaf

      SHA1

      68b611e66d8caf1b3425a6d1039001acd985d90d

      SHA256

      7b51d3a061be686c6bb4531c36df11bc05690aba71301c63f3cc5e2fdb4c945a

      SHA512

      5e5a22573ac4cf711484007be1d7a1874072c2823bef3b9a964e364b42d1056009437bb5da934ca7dd47adc00b47a057d9df6f72bb6bb712a371018ce9aa7dd9

    • C:\Windows\SysWOW64\Aeiofcji.exe

      Filesize

      64KB

      MD5

      25eedbadc78752dc2e77031e85d9202e

      SHA1

      eb74b4db27c2dc8e85ddfb73790c3a419a88a77a

      SHA256

      ddeaf8a04fcb81125a3a6380b723ee8669c49dadf8b7f831ab8370b78ac4a95a

      SHA512

      47d02b5210afeb3ad3661035908c2d046f78ba5bc09b61c4c5de1cbbbff966657afe340bb5bcc473c94432ba0c0ec6c62a74d4041356fb42a32be62fa684c4be

    • C:\Windows\SysWOW64\Aeklkchg.exe

      Filesize

      64KB

      MD5

      425f97f8868d0d3191f41919e48faf96

      SHA1

      c9339794f7e050a0738fe6eb6d7725130f5020f3

      SHA256

      c8207c2dd9962e30c81ea390a62d0edbc8ea77353eb98906ffef304ba1b629dd

      SHA512

      bf21b612e1feb295ab28a21de5dbe41c2929c02478e32c72b1dda3711b90171e4165266e8740b5f265edf352ea864cdc13245dfa85f9512fd97da71d16c44652

    • C:\Windows\SysWOW64\Afhohlbj.exe

      Filesize

      64KB

      MD5

      bc0688cd4f9dc81ef6181c5010f72889

      SHA1

      d4efc9337651dfc8c9210f11efeb599c78cf0a22

      SHA256

      049f5a14751bc1eb12c62ec119dc08ea6ebba7917a5b21dbd03ce5f8ce1056a9

      SHA512

      4ff80726660caab03bb0cbb39a3f25c138b9f3b754c18623dc189db987dab608efc61a8b871cc954d4d78a842cef9ed9119570fa5e26138d4bafecb56a848ed5

    • C:\Windows\SysWOW64\Afjlnk32.exe

      Filesize

      64KB

      MD5

      2ec8d5ddf3297da08251bec4a49fd979

      SHA1

      c85c5ddbacad3187aefcd88317ade7e5238d578c

      SHA256

      83a8df65a8513409860e2fb05d42718b56ac63d97f29f23b083f2b95a3c6b677

      SHA512

      2b83bbb63404d73f1ee2e2b1b580f9ff85201bd6d57b8611edca8354db5f8fab6b282f73d53f3cb639e0fbb366fed550863d06c7011c034a398a7988a4d2f6f6

    • C:\Windows\SysWOW64\Agjhgngj.exe

      Filesize

      64KB

      MD5

      65308bcb1d5c203902340a725ce9b036

      SHA1

      ddafab111dd7462b56e5f5ef4a61ca78391ede17

      SHA256

      6321c10d17285bb38bb3cb8af30d16626008d3bf08d8eff1ecff27b978789063

      SHA512

      5a2b743c9179b59739b153e22f141dc71cbe260b406d989626e151e14fb165d2d13edb418004e8b253eb4dc61cdb1cdabd091e24b6df64aae0e014922ca416b1

    • C:\Windows\SysWOW64\Ajanck32.exe

      Filesize

      64KB

      MD5

      69746288599f52cb1a57e591d8d0abc4

      SHA1

      f8bdc2ea518d8a267b2382391b36c99c2464e32e

      SHA256

      020bfa35d4afc8c1794d4969435a4fed10f8850b86c7ec38648b75484743f9f5

      SHA512

      7cd79983855d7a4748d5b8967eacc4a9f5ebeacd5b5fd6edd47e3e4b63ae46f01086d2c633205ddb1960f7e751fe274c99ef18dcfd5a7da9e7f082a4b15714bd

    • C:\Windows\SysWOW64\Ambgef32.exe

      Filesize

      64KB

      MD5

      9a5c251dfe76e547f8ed30414ea512c8

      SHA1

      aa36d7cc5ce32651bcde7a4c70017b0a9369fd9c

      SHA256

      c1f6d205e1223d521b055dc05f54bffb9c0caafc69c5182aea1934007c8dc8cf

      SHA512

      f10660044383cedbc1c13cf5145ee78fc2e6dd7e333fd5569b664569185cce996ec19994b6818042d12027e3943d10da95215201076d1a673804a52f7bfea18e

    • C:\Windows\SysWOW64\Amddjegd.exe

      Filesize

      64KB

      MD5

      ac717fe21f75ea6b7a835e14ae3026e1

      SHA1

      83645b5dc263250255f76f34072a49cba4e6b130

      SHA256

      33f9aa8c3be10f7f5e55c1a85a0ee605114b565b76d3d7d36f51561242bf629b

      SHA512

      f61ad8afa4264363484f12273ad48cf39ead40999fe69316843c3f3e8cdf47c68af33aac077fa03a390a8cd4281c6a69f4ed7b757d87bd0ec1b92b01b9808e7f

    • C:\Windows\SysWOW64\Anadoi32.exe

      Filesize

      64KB

      MD5

      b5aa7beb6d6f5335c7c8a05b67634a11

      SHA1

      22df0191e0cbce853e231ba89d3e2a3e3b96c148

      SHA256

      1827eac63baab9376a6ad1bb31ffd683b29066d231e991c96e57c8f19fb60950

      SHA512

      76586040e86c08350143bde34a735a33013f2626c978489f0b4f1f02a7b3ac8c0102cfc0aa2bffc45ef5ec8ebae1434692749382567569aa2a3801dbc043f771

    • C:\Windows\SysWOW64\Anmjcieo.exe

      Filesize

      64KB

      MD5

      89cb329857ed9edf954d179cb1a93f6f

      SHA1

      e417ea9b5488210a4c0fb93164fc8b62422267bc

      SHA256

      8efe3561076d10a38902efc5641631557cea38a3792b032936b453aef44f6c2f

      SHA512

      90b33e56e3a99417109f76c841388de4b7f77349149034d33051c2b319bdc7c10430b94b9cb581cdff86d037371b85a441a69efe597d73a96226c8bf0cf4ed64

    • C:\Windows\SysWOW64\Anogiicl.exe

      Filesize

      64KB

      MD5

      ee8b05cf3a977b3f99b6427c1c759933

      SHA1

      8ddee67d6cf216ea9b1a89c8c1460320aee165d0

      SHA256

      b274158758c8dab7b15a83b3370004dbde810fb950caed2d5e9fea74687487ec

      SHA512

      30908a3e129fc4fbd2f10cba4f168414c89a31e8fd6244b4c07b0f8fdba4cf3fe5c53d2f6480780b52fbe402e46b0b57fe39e4cbf587ce34e188a58c2604df5d

    • C:\Windows\SysWOW64\Aqkgpedc.exe

      Filesize

      64KB

      MD5

      c6ad820b3497ea12e6642781e788b396

      SHA1

      5184d50464a87f71d163fc7320d6fdb8694d176d

      SHA256

      8f09479d5218db97368406d6a32e59fbfb1c8cdf42c41ef63ee7fbcdba4cfb0a

      SHA512

      b7d219efec0876ab32964cd879c10eaa76f24e722b9e9930d3afde4516b5694d93a4d9ad3237e82b3cd6869102cba6c71adb2d4265764ff78847f3a12cc2a7a9

    • C:\Windows\SysWOW64\Dgbdlf32.exe

      Filesize

      64KB

      MD5

      e23949abaf3de6a66942259dfe520ac4

      SHA1

      9b16479760eca1542bbd6d98858f6ebce7ad6da0

      SHA256

      0340fff987fbc9f23627881404e0c4190923ff43469859dfe00a3c7c80920686

      SHA512

      cad417e631f4f6a2d06debf6a641c16fb04205659e57336842c5f58595f6b36643a556e9bdf22681a1e976ac318522c6e9a176590b626704a8c38fcd050ab048

    • C:\Windows\SysWOW64\Dmllipeg.exe

      Filesize

      64KB

      MD5

      88e99c887defe2c0d05bd3ae59578777

      SHA1

      24c66489d61099bce31fba555fa1433b03d65fbd

      SHA256

      5b3c70c23a98d4e2e7778bac2aca91f11295461fa20783d804865bbae80cc697

      SHA512

      557d2a561a00190057776d1c28b932b9d93aa76742efe73f549195aaeab23c16c5f7812ac9f5435ba324e772bfaac3e039db99b3e59e379408763242af3aed8c

    • C:\Windows\SysWOW64\Dopigd32.exe

      Filesize

      64KB

      MD5

      e668a1134abab0024faee0aebdbf29a8

      SHA1

      aa6e1860903b18f79c74b64978ddc81c707f9270

      SHA256

      3a207455fd7ecb11320dc95a93b026dcb7d8d9c9d43912ad5429a46721776bbc

      SHA512

      2d98effaee19f339a7c62344cccd435cd582ee54c4053839c32b3b2af7f6556e65f9f5e150a350c6e939deb4af65fd050d925cf740df6a2e4b3f6a8b30b8c80b

    • C:\Windows\SysWOW64\Pcppfaka.exe

      Filesize

      64KB

      MD5

      f168e83ac9b5f70b256dfc8613d7adfe

      SHA1

      5db298a34a2336120923c6f3fd5c5c3f6d9b07dd

      SHA256

      281881ad40c6794b69a95c7c069c0c3876d8d3777e9757e7024998a8ceea2bae

      SHA512

      069501dc78f970e4e438142b5731c171705c1b828637495d0d7398065c5cc050e0e0f6034466a834d734a1028abd74ee230d5175189b92cacc5140cba9a398c1

    • C:\Windows\SysWOW64\Pdkcde32.exe

      Filesize

      64KB

      MD5

      c80ace299a68a3ea601f644367d8eac0

      SHA1

      c44799b9e58231ac6a4c783949f5e320036b909e

      SHA256

      426184365930097762dcacff044f32858aeac040f070cb8041d5e89da4621929

      SHA512

      6687bddbfd80d8f7d21c08ac89fddd5964ec48f10d813bc32e7a03f1931816fefbb9fbb849e4287467b796ecdbb0a5035d721dc09cc7d5aa7f085a2572515a22

    • C:\Windows\SysWOW64\Pdmpje32.exe

      Filesize

      64KB

      MD5

      f41b75f95e00bd65524f560225eec570

      SHA1

      cb88b7d176e94726eda979361b437e98f1c6ca17

      SHA256

      193b03fa69e97b6a08ebb7d2d43adb50cbb6216d8e0056a8aefa61719c972f58

      SHA512

      9fbf6775d7984d8f22863947e36c3a636099ed4bdf90e85530cebd0bae1cd456c35fa2623e526c8519ace8818fdb5cc23bc5f08843cf5c8144a4755eb63b3f71

    • C:\Windows\SysWOW64\Pdpmpdbd.exe

      Filesize

      64KB

      MD5

      6029a998b0bb044ba230e25e6b6fbdc4

      SHA1

      5c0b7e80615bdd0574ec00f294de32cc9d65c8c2

      SHA256

      3b37185798b59a91d6308b733966656de16a9bafc9beae783f719008860b7b35

      SHA512

      35abd7ace4220a73c646a682cc220d89195c757d076a237489a9f272acffcf35b865bdca8705c0640a76e8a68ea8c28eb628f8a65d7f10f5a615b4e9bad73a02

    • C:\Windows\SysWOW64\Pgioqq32.exe

      Filesize

      64KB

      MD5

      fe0b2fac52b61bf42fb3a0570c355dc5

      SHA1

      9825393ddbef9b826ef7cc11128958318a4bfe7b

      SHA256

      e03e63ef4c8e08a31b361cb26679faf02d6c40d0e4484932f751e805ecd2da58

      SHA512

      c67d8986e98512ce754419aaca13521bc5a6498eac77217eb562c32f63c129fec10d014d580f79a882fdbd3d921d6c65ab92e2c3d299c321dd5c59c5fb1ac312

    • C:\Windows\SysWOW64\Pgnilpah.exe

      Filesize

      64KB

      MD5

      c6e1186f52769c21bc81ef1a44c1036a

      SHA1

      be8369a4a10ec093919ab56fd185062b8e60cde8

      SHA256

      f3a5bfc2622469d483aebcc35e7eb447929a64f491f3c1941d98d1a24504312e

      SHA512

      35d5789a2c7f11fef007361aaf822e33b948319ae431f1631b16cf6760294def9267f84e446cc3c87761567600f3d9ae9461a4ed34d0fbe12f9a84f63d9987d4

    • C:\Windows\SysWOW64\Pjjhbl32.exe

      Filesize

      64KB

      MD5

      bfa3a2fd0f4e0b53c4afdcef867bdf38

      SHA1

      592c268fd9eab5b2887930133105ae2786650f0a

      SHA256

      481440bbb34dd40f64d8d6796ec2ee6a4930dcca8f14b15db9f7471648ff742c

      SHA512

      319feb5a936b0c89ebb545eb163d948eeddfd97a0489ee212586bbd4dc58c60154246e5c217efec4a637934b99193829589ddf7cfdd60d2f3603f945bf75a9f6

    • C:\Windows\SysWOW64\Pjmehkqk.exe

      Filesize

      64KB

      MD5

      48bc41868572ff2fa2248431546aee16

      SHA1

      1f4f35c14899f4a4f69981a1567b3c889d71cccd

      SHA256

      8d7010be5394ff52f42f56af3f5223c5b32a2db9fe8267a67ba2f90d9e701a4f

      SHA512

      28841e963a7b5a9084047ca23dd2701490482c7a657b29859ce7b179cd759fcede6485f8354492e07f50fff203157d26ef62b0dec05db683961e6d7a2ea9cf15

    • C:\Windows\SysWOW64\Pmidog32.exe

      Filesize

      64KB

      MD5

      3f4f4d681be6ae56987303405a3bd365

      SHA1

      138a2d4bdd9164f129e975abe4bfa6f11db82573

      SHA256

      a90d07459ea1a4fba51324cbb82dccc5844ae334c9a4b7e1fa8e3844bfb0043a

      SHA512

      dfc7478966cef38688ea83e859b2dda5097a4eec363462acb65f09d2f9c70e91036ac24c5a4ef03bb3435090d53ee797a8f7809feb6abdec9745405983618fee

    • C:\Windows\SysWOW64\Pnakhkol.exe

      Filesize

      64KB

      MD5

      bc115e4c5b66b43ff16d547a9036626d

      SHA1

      eb4702a1c8be292c2f653872cfe5124317cb1ead

      SHA256

      a4f33a7c273df1a47bd53b7585ba0c5a8b9d6f7e2ce6ee215a4cc1dd56c5994f

      SHA512

      ae8ef67c237ecfa59399d648b60bf22162cd5511503e19f82c82796b04c5169bfd2c437633fa96fe5e3d54ad2b6fa7543b29fa4f1d4fdd291fdecd87621e8b7c

    • C:\Windows\SysWOW64\Pncgmkmj.exe

      Filesize

      64KB

      MD5

      0d46b3700ef6d9871767d443c441041d

      SHA1

      12123d79694bdfd25150db1a412d465c59c05db6

      SHA256

      56f2658e9b9728d3dc3e85a01b291bad764a1739ef98976593de43a47ad3f3a5

      SHA512

      d49a2c244fd4779878e3764690050297a2ef2aebb006f82218625d9411c46410aa7426b2be3323097fabb37e24b92e87383dae40d23819d5a0f5bcf75f08366b

    • C:\Windows\SysWOW64\Pqpgdfnp.exe

      Filesize

      64KB
