Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 12:28

General

  • Target

    08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe

  • Size

    768KB

  • MD5

    0c750354d7a0c87f4e707b4e2a40bb3b

  • SHA1

    293b2e47f79a82de23971d45ffbd4ea3eb3176dd

  • SHA256

    e8eaf9490dbbcc19dc3e90ea6bda091755ee82221b291fe70ed19d48594c9c31

  • SHA512

    80c6827144241e041f4b5480d9e033f93f018b9fe5d5a70601cdd6e31ced05c1b7152b9e88fccad959f9525b9e372ea127117c2d3657da943d0a606114c44f38

  • SSDEEP

    24576:31Lim0BmmvFimm0Xcr6VDsEqacjgqANXcolMZ5nNxvM0oL+:lLGiTWVDBzcjgBNXcolMZ5nNxvM0oL+

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE (64 IoCs)
  • Drops file in System32 directory (64 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe
    "C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3620
    • C:\Windows\SysWOW64\Likjcbkc.exe
      C:\Windows\system32\Likjcbkc.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Windows\SysWOW64\Lbdolh32.exe
        C:\Windows\system32\Lbdolh32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Windows\SysWOW64\Lmiciaaj.exe
          C:\Windows\system32\Lmiciaaj.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1696
          • C:\Windows\SysWOW64\Lphoelqn.exe
            C:\Windows\system32\Lphoelqn.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2656
            • C:\Windows\SysWOW64\Meiaib32.exe
              C:\Windows\system32\Meiaib32.exe
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:2012
              • C:\Windows\SysWOW64\Mgimcebb.exe
                C:\Windows\system32\Mgimcebb.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2600
                • C:\Windows\SysWOW64\Mmbfpp32.exe
                  C:\Windows\system32\Mmbfpp32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2232
                  • C:\Windows\SysWOW64\Mgkjhe32.exe
                    C:\Windows\system32\Mgkjhe32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:4784
                    • C:\Windows\SysWOW64\Mnebeogl.exe
                      C:\Windows\system32\Mnebeogl.exe
                      10⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:5024
                      • C:\Windows\SysWOW64\Ncdgcf32.exe
                        C:\Windows\system32\Ncdgcf32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1456
                        • C:\Windows\SysWOW64\Nlmllkja.exe
                          C:\Windows\system32\Nlmllkja.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:3400
                          • C:\Windows\SysWOW64\Neeqea32.exe
                            C:\Windows\system32\Neeqea32.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:1256
                            • C:\Windows\SysWOW64\Nloiakho.exe
                              C:\Windows\system32\Nloiakho.exe
                              14⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:2104
                              • C:\Windows\SysWOW64\Nggjdc32.exe
                                C:\Windows\system32\Nggjdc32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of WriteProcessMemory
                                PID:1972
                                • C:\Windows\SysWOW64\Nnqbanmo.exe
                                  C:\Windows\system32\Nnqbanmo.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:3024
                                  • C:\Windows\SysWOW64\Oncofm32.exe
                                    C:\Windows\system32\Oncofm32.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:4596
                                    • C:\Windows\SysWOW64\Odmgcgbi.exe
                                      C:\Windows\system32\Odmgcgbi.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:4616
                                      • C:\Windows\SysWOW64\Olhlhjpd.exe
                                        C:\Windows\system32\Olhlhjpd.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:4992
                                        • C:\Windows\SysWOW64\Odapnf32.exe
                                          C:\Windows\system32\Odapnf32.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:3004
                                          • C:\Windows\SysWOW64\Ogpmjb32.exe
                                            C:\Windows\system32\Ogpmjb32.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of WriteProcessMemory
                                            PID:4228
                                            • C:\Windows\SysWOW64\Onjegled.exe
                                              C:\Windows\system32\Onjegled.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:404
                                              • C:\Windows\SysWOW64\Pgefeajb.exe
                                                C:\Windows\system32\Pgefeajb.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry class
                                                PID:2776
                                                • C:\Windows\SysWOW64\Pnonbk32.exe
                                                  C:\Windows\system32\Pnonbk32.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:3740
                                                  • C:\Windows\SysWOW64\Pggbkagp.exe
                                                    C:\Windows\system32\Pggbkagp.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:3660
                                                    • C:\Windows\SysWOW64\Pmdkch32.exe
                                                      C:\Windows\system32\Pmdkch32.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      PID:3252
                                                      • C:\Windows\SysWOW64\Pqbdjfln.exe
                                                        C:\Windows\system32\Pqbdjfln.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        PID:2916
                                                        • C:\Windows\SysWOW64\Pfolbmje.exe
                                                          C:\Windows\system32\Pfolbmje.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          PID:876
                                                          • C:\Windows\SysWOW64\Pqdqof32.exe
                                                            C:\Windows\system32\Pqdqof32.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies registry class
                                                            PID:740
                                                            • C:\Windows\SysWOW64\Qfcfml32.exe
                                                              C:\Windows\system32\Qfcfml32.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2696
                                                              • C:\Windows\SysWOW64\Qqijje32.exe
                                                                C:\Windows\system32\Qqijje32.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                • Modifies registry class
                                                                PID:4416
                                                                • C:\Windows\SysWOW64\Ampkof32.exe
                                                                  C:\Windows\system32\Ampkof32.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Modifies registry class
                                                                  PID:1272
                                                                  • C:\Windows\SysWOW64\Afhohlbj.exe
                                                                    C:\Windows\system32\Afhohlbj.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Modifies registry class
                                                                    PID:2744
                                                                    • C:\Windows\SysWOW64\Amddjegd.exe
                                                                      C:\Windows\system32\Amddjegd.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:4836
                                                                      • C:\Windows\SysWOW64\Afmhck32.exe
                                                                        C:\Windows\system32\Afmhck32.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • Modifies registry class
                                                                        PID:2772
                                                                        • C:\Windows\SysWOW64\Aeniabfd.exe
                                                                          C:\Windows\system32\Aeniabfd.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:3344
                                                                          • C:\Windows\SysWOW64\Afoeiklb.exe
                                                                            C:\Windows\system32\Afoeiklb.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            PID:2284
                                                                            • C:\Windows\SysWOW64\Aminee32.exe
                                                                              C:\Windows\system32\Aminee32.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              PID:3456
                                                                              • C:\Windows\SysWOW64\Accfbokl.exe
                                                                                C:\Windows\system32\Accfbokl.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Modifies registry class
                                                                                PID:60
                                                                                • C:\Windows\SysWOW64\Bnhjohkb.exe
                                                                                  C:\Windows\system32\Bnhjohkb.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:4952
                                                                                  • C:\Windows\SysWOW64\Bjokdipf.exe
                                                                                    C:\Windows\system32\Bjokdipf.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies registry class
                                                                                    PID:1416
                                                                                    • C:\Windows\SysWOW64\Baicac32.exe
                                                                                      C:\Windows\system32\Baicac32.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:2688
                                                                                      • C:\Windows\SysWOW64\Bffkij32.exe
                                                                                        C:\Windows\system32\Bffkij32.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Modifies registry class
                                                                                        PID:2368
                                                                                        • C:\Windows\SysWOW64\Beglgani.exe
                                                                                          C:\Windows\system32\Beglgani.exe
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Modifies registry class
                                                                                          PID:4584
                                                                                          • C:\Windows\SysWOW64\Bfhhoi32.exe
                                                                                            C:\Windows\system32\Bfhhoi32.exe
                                                                                            45⤵
                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:3536
                                                                                            • C:\Windows\SysWOW64\Banllbdn.exe
                                                                                              C:\Windows\system32\Banllbdn.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              PID:2976
                                                                                              • C:\Windows\SysWOW64\Bfkedibe.exe
                                                                                                C:\Windows\system32\Bfkedibe.exe
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Modifies registry class
                                                                                                PID:1656
                                                                                                • C:\Windows\SysWOW64\Bnbmefbg.exe
                                                                                                  C:\Windows\system32\Bnbmefbg.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:1652
                                                                                                  • C:\Windows\SysWOW64\Chjaol32.exe
                                                                                                    C:\Windows\system32\Chjaol32.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Modifies registry class
                                                                                                    PID:3392
                                                                                                    • C:\Windows\SysWOW64\Cndikf32.exe
                                                                                                      C:\Windows\system32\Cndikf32.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Modifies registry class
                                                                                                      PID:3756
                                                                                                      • C:\Windows\SysWOW64\Cenahpha.exe
                                                                                                        C:\Windows\system32\Cenahpha.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Modifies registry class
                                                                                                        PID:1076
                                                                                                        • C:\Windows\SysWOW64\Cfpnph32.exe
                                                                                                          C:\Windows\system32\Cfpnph32.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Modifies registry class
                                                                                                          PID:4468
                                                                                                          • C:\Windows\SysWOW64\Cmiflbel.exe
                                                                                                            C:\Windows\system32\Cmiflbel.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Modifies registry class
                                                                                                            PID:3948
                                                                                                            • C:\Windows\SysWOW64\Chokikeb.exe
                                                                                                              C:\Windows\system32\Chokikeb.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Modifies registry class
                                                                                                              PID:4392
                                                                                                              • C:\Windows\SysWOW64\Cnicfe32.exe
                                                                                                                C:\Windows\system32\Cnicfe32.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                PID:3048
                                                                                                                • C:\Windows\SysWOW64\Ceckcp32.exe
                                                                                                                  C:\Windows\system32\Ceckcp32.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  • Modifies registry class
                                                                                                                  PID:3848
                                                                                                                  • C:\Windows\SysWOW64\Chagok32.exe
                                                                                                                    C:\Windows\system32\Chagok32.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • Modifies registry class
                                                                                                                    PID:3676
                                                                                                                    • C:\Windows\SysWOW64\Cnkplejl.exe
                                                                                                                      C:\Windows\system32\Cnkplejl.exe
                                                                                                                      58⤵
                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      • Modifies registry class
                                                                                                                      PID:2800
                                                                                                                      • C:\Windows\SysWOW64\Ceehho32.exe
                                                                                                                        C:\Windows\system32\Ceehho32.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Modifies registry class
                                                                                                                        PID:464
                                                                                                                        • C:\Windows\SysWOW64\Cffdpghg.exe
                                                                                                                          C:\Windows\system32\Cffdpghg.exe
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Modifies registry class
                                                                                                                          PID:2132
                                                                                                                          • C:\Windows\SysWOW64\Cnnlaehj.exe
                                                                                                                            C:\Windows\system32\Cnnlaehj.exe
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:3592
                                                                                                                            • C:\Windows\SysWOW64\Dfiafg32.exe
                                                                                                                              C:\Windows\system32\Dfiafg32.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:1916
                                                                                                                              • C:\Windows\SysWOW64\Dejacond.exe
                                                                                                                                C:\Windows\system32\Dejacond.exe
                                                                                                                                63⤵
                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                • Executes dropped EXE
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Modifies registry class
                                                                                                                                PID:4608
                                                                                                                                • C:\Windows\SysWOW64\Dmefhako.exe
                                                                                                                                  C:\Windows\system32\Dmefhako.exe
                                                                                                                                  64⤵
                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:1524
                                                                                                                                  • C:\Windows\SysWOW64\Ddonekbl.exe
                                                                                                                                    C:\Windows\system32\Ddonekbl.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:2964
                                                                                                                                    • C:\Windows\SysWOW64\Dodbbdbb.exe
                                                                                                                                      C:\Windows\system32\Dodbbdbb.exe
                                                                                                                                      66⤵
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      • Modifies registry class
                                                                                                                                      PID:2900
                                                                                                                                      • C:\Windows\SysWOW64\Deokon32.exe
                                                                                                                                        C:\Windows\system32\Deokon32.exe
                                                                                                                                        67⤵
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:4004
                                                                                                                                        • C:\Windows\SysWOW64\Dfpgffpm.exe
                                                                                                                                          C:\Windows\system32\Dfpgffpm.exe
                                                                                                                                          68⤵
                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Modifies registry class
                                                                                                                                          PID:2448
                                                                                                                                          • C:\Windows\SysWOW64\Dmjocp32.exe
                                                                                                                                            C:\Windows\system32\Dmjocp32.exe
                                                                                                                                            69⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            • Modifies registry class
                                                                                                                                            PID:4028
                                                                                                                                            • C:\Windows\SysWOW64\Dgbdlf32.exe
                                                                                                                                              C:\Windows\system32\Dgbdlf32.exe
                                                                                                                                              70⤵
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              • Modifies registry class
                                                                                                                                              PID:2608
                                                                                                                                              • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                71⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:3280
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 412
                                                                                                                                                  72⤵
                                                                                                                                                  • Program crash
                                                                                                                                                  PID:3564
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3280 -ip 3280
    1⤵
      PID:2060

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Windows\SysWOW64\Lmiciaaj.exe

            Filesize

            768KB

            MD5

            5ffa25370dbbb4d932a092ae43a0bfc0

            SHA1

            1a9ecf36bc6c3f80bda5a69ed524fb90e873678d

            SHA256

            251889203f9d03c10f1ddfe13cded4af3ffe11f87d357000597f1da8bb1f4e03

            SHA512

            8b35b736f89f0fd61949c266e55861f3ad199d65277e06d8e0fdf096edcc41a777796631b52b7e5a7d245eb7d499c5f4102829d0fb69e2f2f20366ad2a9f133e

          • C:\Windows\SysWOW64\Lphoelqn.exe

            Filesize

            768KB

            MD5

            79814ccd9d0c8c3f356c77ba097a708e

            SHA1

            9aea7ad4db6b9468358fd725147bb4af1230d6d9

            SHA256

            b74f2a6a5bcb3344b6365c6dc856e4451a00c05ffcd18e0bec0394c5672f5c83

            SHA512

            ce1adeb56f1ec9399f4f20a06b05e93999ff78c2795c6f2df81fcc6aa2c6aa5b5e7488e6bdf861ade472476f9b85a03a4891a7bc14af0ccbc10c45e70b56604b

          • C:\Windows\SysWOW64\Meiaib32.exe

            Filesize

            768KB

            MD5

            1efdbffb32f1af6a64ecdbac87f1875a

            SHA1

            dd172992a7f01c7ad45f415ba1af0f4dd0795317

            SHA256

            35152ac9cc1e6c587d93cf503864be5e4f47bdd9f2ad48369093ec691be5abe1

            SHA512

            969ba1e173bf64f0c6dad8065ed5b67eea0849825ae5a6a04cfaeb841c7629fcfcb1ada61b206e32eb78b2be86abbf32fa661d3a51cde79b83703ef09c80e5d0

          • C:\Windows\SysWOW64\Mgimcebb.exe

            Filesize

            768KB

            MD5

            22c408ec59f975e571a9716767b9b91a

            SHA1

            be3b0220fb79b4cf3230f4317364deab64b01382

            SHA256

            fd75c06a7480744f000b1a051edd4e06823cf56c5140afdde4789fa1eea6c93a

            SHA512

            b4cbe7f1f2658e2f50e9489dd3aab5a5294b06d4be1075dfaa8b0f5d1e3689183e7bdc139c37fe1e335ad3ad543b2cc31144bf6edd8e49788a81f7da56801776

          • C:\Windows\SysWOW64\Mgkjhe32.exe

            Filesize

            768KB

            MD5

            0c2d65b99eee76a5b0ff0b4adf9b6488

            SHA1

            1f1f0537821e30d6d2a41e0612b5e05bbb00c135

            SHA256

            6889dc4ed004634eeff3a32abed4fd05bf23e9c7c2f3227ed61092c646cb1806

            SHA512

            e4af3d223cdb6b4c01b50cedf06b8839f1951fa569825d14d290f28a5614156093c916897bf8e7f0aab539bb37a3911b4b5584d6ee08c689bc3f4a5f5b01672b

          • C:\Windows\SysWOW64\Mmbfpp32.exe

            Filesize

            768KB

            MD5

            f252b824646ad0bdd62e0b6543b5db21

            SHA1

            7843ea5a1468b2630afdba10110e12d89875d589

            SHA256

            cc575a85cc7a4f0f5e5a2ff7c994c91de16ae3a660472eccbc760b9f296b15a6

            SHA512

            ed00f34f5d7e7f0179dd93a6024cb3806c9ce593fa790818d7451d1282e3d95c5751447d592a735ea0f5ac1d78610b2cb4e4c391bec7a4a15f14bcaf8910cb80

          • C:\Windows\SysWOW64\Mnebeogl.exe

            Filesize

            768KB

            MD5

            42c915b1dc1ba5411848765d0dcc5994

            SHA1

            8fb5196a237675a6b0979979e59bb61ab4049839

            SHA256

            10655f16f08cdad455ec884c861c1d6415fdd30f91b2713479d901f3808210f0

            SHA512

            a9cfb68c39531800100ca4d01c4273baf694827ad4dbd65b88341a54016b73c0967c6deeebd226620955cedf281a49307e8bb905e43c597a234019d9e238f375

          • C:\Windows\SysWOW64\Ncdgcf32.exe

            Filesize

            768KB

            MD5

            aeba101a48e9bd851ece95c6a5ad5cac

            SHA1

            0f888b4c0553327d8d6be86a9527172c9c47b3bf

            SHA256

            4f222c7ea24d74bc0ca2d00dc2f66ca99d11b128b1cb743a24bf54bf90dd1253

            SHA512

            a256be53da068de27f5dc2acf682d0d00efed8f9006ee94ea2a990a5ab06faf65d411d9431395e3b4828d55bc142e31dbef07edec1deff5174638964f06e2e8a

          • C:\Windows\SysWOW64\Neeqea32.exe

            Filesize

            768KB

            MD5

            d63a2b0db64b202df0cee211fed3ad03

            SHA1

            4885317d384cbcde5d4fa4bad75b78382b6977d4

            SHA256

            884221634173640682ac58ff0caffe59e07896a97a1a828e9a2640de9ca949bc

            SHA512

            0e9eaadd658a1b6cf8eb29a197fca813e7c0dd19438eb118f8fd0aa676934ee421a2785dc4f0d378f823f99b7a992bf16be62e99be7bd013ce645a6cc2ba9562

          • C:\Windows\SysWOW64\Nggjdc32.exe

            Filesize

            768KB

            MD5

            684547473f82574c53e335a9a3f0cb33

            SHA1

            37e7484cacf45b7a1e7987beb27d5fdccff5c1bd

            SHA256

            48257ccfc7abfb6a9739ca904acf2f935b3d240a2cd74731b829cf3839174d0f

            SHA512

            124a5698144caa9ab709d73dd4da21bbd96585a2dd93351051712749fbe8889d60ca5569c769fd170391a4885bf061628f747dbca5f4c9b6e5e0792ebecae1a9

          • C:\Windows\SysWOW64\Nlmllkja.exe

            Filesize

            768KB

            MD5

            f9ef871c43dfde22ab3ea03abf7c28f9

            SHA1

            bde58f9dcd70878f08ee2d02c76b4c2af5d9c68d

            SHA256

            81a25da239b81ee0990c6989605becf2705701c2d1663854859ed77858b2d425

            SHA512

            14a76103159bc721928032cc273ef8a32e192f3caaf737c933555c39dd470ae10c8937732a0efa424c83482a94d3b0594686f1c134c8771f4e71e0d1a38e0679

          • C:\Windows\SysWOW64\Nloiakho.exe

            Filesize

            768KB

            MD5

            394f3567ef45693f86e1e80a0218906f

            SHA1

            82d8731a17e71b9f6579e4333f96124a843ae44b

            SHA256

            5a445659f486bbe7e9b95218e4cfc4c5651ab27679857a3ff2f0860f49b50e95

            SHA512

            48d4410447f85f44bdd7709ef388dcabceda9186824e545c1174f776d806e9afe8705c0bb33d461ac2feb2317f19e11dd3a9755be2e4f1c2fbb73c9738438a91

          • C:\Windows\SysWOW64\Nnqbanmo.exe

            Filesize

            768KB

            MD5

            906ee72e81725d60e30839d308031ed9

            SHA1

            4a60542cdaf67aee47a2b1455f7c2e8577a12a02

            SHA256

            11a5339b87ce904401c19960f202a3748ca79fa396f9d25b6b4c236230fa30e2

            SHA512

            1ad1d0bfdbdf24acdf09de6f8fb12e115482f27a9f038daa19efc1a9d6027fc47b187e7a32561c796cdfe65e437784e3e16c04bae511caee02e5b207a1fcfda7

          • C:\Windows\SysWOW64\Nodfmh32.dll

            Filesize

            7KB

            MD5

            8e8855859aa804a91ace2f51edf1e6e1

            SHA1

            e45955a19e25b249a9e3f92dbf3bf3f25ad4ff5e

            SHA256

            382bff50cf24603b1e43c00dd502f14f643739225758448d2c5cba75b2554571

            SHA512

            a13bdd9199919f1353eb36255a045609094b85d7514c61e715d20cce2d5f6140cef21ddd677c02066e24347ab7c9a4ddca5f013bbfb0dfa9feeeeaa9e69b215d

          • C:\Windows\SysWOW64\Odapnf32.exe

            Filesize

            768KB

            MD5

            00dd76973ae80772ac9cdccfb2dd8962

            SHA1

            f809ce92d23195f9703b190a42cde5a582c5845f

            SHA256

            97e973947898e140549a24f3993fbc498cccb679da11abe10b0ebe301591cffd

            SHA512

            f4b2365c2b81e7516085a8b59a5324dad1c8c6cf1b03ae6280e3e0133a773783d6d6cb193158d1d388eb1b2e0a94484bc593a356ae8e6d01bfb6b71ac37386a5

          • C:\Windows\SysWOW64\Odmgcgbi.exe

            Filesize

            768KB

            MD5

            fd39674ae4a45595608f0744fd990221

            SHA1

            c8230906101d9bcc601034499a0547bd3deb8a5e

            SHA256

            451bf4630b4c7010a9d6b26ec3b08af8d60806dc16e25d422b8b6eabe167d749

            SHA512

            70c75ed5e004afcc02a0a56dafdf331a3b70e7ad9c3c0f592787dd250d6cca4bf92973c3855098b1520cf392f9635d570cd1ea36f3316006210292ec6124b7cd

          • C:\Windows\SysWOW64\Ogpmjb32.exe

            Filesize

            768KB

            MD5

            bfac207f8470cd1796478927eacac477

            SHA1

            434d993c65d4fff8459b16da1b6662f46bf5b29b

            SHA256

            b83643d72887076039f5d85e982780a0cce28efb675b734ce7b5b4af3e773360

            SHA512

            3d4f4c9067c87cbce56fdd208ed49af9502d7bb7bfcd02274d504c2a990f90ec610a6e111c414ce86758182f8b969c90f0ec00cfb4fddb5064739175e017b742

          • C:\Windows\SysWOW64\Olhlhjpd.exe

            Filesize

            768KB

            MD5

            1203ec78a8499bacd41e77c9fad5ec09

            SHA1

            a67c7f133e602a7960b5c53413ecc6598c4b8aea

            SHA256

            2970bc6449add2bc082514f2c14821c7c8362c93184d69395051717b0c032321

            SHA512

            f23b5defe03396c5b9690c0d28b828965de1caddb083d81156b512b61ba8a6fcc8de0dbd3195ac82d343a78e7521a2eb706ca15ead0859d4662ab13c0004991d

          • C:\Windows\SysWOW64\Oncofm32.exe

            Filesize

            768KB

            MD5

            b5a4e2dbf80d6fd6e319d3c7b6737a6d

            SHA1

            6206c0975ec22f029ecdd33c29a0aba1c5d783fe

            SHA256

            f049607672553295f2bf32e5d65f4de0755ae854987f132976599647c18fea99

            SHA512

            0af84452117a36f8f05a7373164cf2a57d8377f14c2016c7a5720bd8435980b3fc1022ff78fa711701ed00b02c870945c3b0481684e0614069ce717b56ca6ec9

          • C:\Windows\SysWOW64\Onjegled.exe

            Filesize

            768KB

            MD5

            1230c43dc2dc474850de6e84bd7ee576

            SHA1

            cef13155a97b18c9f46c86da654322a1f03305c1

            SHA256

            3bb6be8f773a6c814e3f4be41ceb34e7f73f4a4132b3b76d34520f158adf5224

            SHA512

            4ce88d8fd8a9a579c289c071e8123027fc6dfe3d0af2326bc3871be93597ebfca243663aef8217065943199cdee227700c3389b1964e39d2df2b8a264c3eaea8

          • C:\Windows\SysWOW64\Pfolbmje.exe

            Filesize

            768KB

            MD5

            87f78d854a2ea869546dcfedcabca15a

            SHA1

            e3895fde49f965848a5ef3711c8030e48811e09d

            SHA256

            76b2e740c8c1deb2f600c0b42dac86127f224ecbeaf926f538330e818adfc8ce

            SHA512

            43092b991493d7b014feeaa9851e7a5db7b7d416fe15b11b1d66b015652d04df81aabb86ecaba17f720b9e7367efa4e97b171567e4e02118836e2362bbfafadc

          • C:\Windows\SysWOW64\Pgefeajb.exe

            Filesize

            768KB

            MD5

            93c90c57693127a9d138552d7f962876

            SHA1

            dbd730854fe111f566806c6c419215063a68f7cd

            SHA256

            4b383d9a77214a77e3df7f544bd7c05736767b822ccb2a17dc230d3e80db04dd

            SHA512

            9a6aa25224587ef05edcd156389db8b1d9a91a7d79ec59a3403f104971c7755f9791ce1c22f1b907c0b9267235db85611eeb1533d6e165328336c191c131afda

          • C:\Windows\SysWOW64\Pggbkagp.exe

            Filesize

            768KB

            MD5

            2b0bc438eb1a0f3b96770ecbbb716423

            SHA1

            f5d3aaf233500390f7fd164631b4a44a4c75922c

            SHA256

            26996b1226131e757c1faa3dac5a4f5fdd440215a6a125f6252547fca29a0c0c

            SHA512

            047690e619c4cfea54b1aa7fbf75d2708f33a85026fb90225f38db33ee81311d48802bb9569f55f45e9aee4fde4320e5e25141c03c1c82d2f83253d735db7724

          • C:\Windows\SysWOW64\Pmdkch32.exe

            Filesize

            768KB

            MD5

            3ad3e5869a9a0a0c99fd83b88db73980

            SHA1

            9eb51c975854765c028cdbf55422379b8c812902

            SHA256

            71336c8d2598ba82229736769d9e6978fa4f8bf9fa211b26d45bb06062fbe92d

            SHA512

            bb7f335b310e1681d51fb1c9a07dbbaf56e93625f8c4bf5ce4269cd6286bfb5ab71fe39ef769b0cb1da782fb65f60090daacb6c0c5fe3553e13e51eb66c7130d

          • C:\Windows\SysWOW64\Pnonbk32.exe

            Filesize

            768KB

            MD5

            bbe14ec246c429715644e6e0c14fa634

            SHA1

            1289e4d68c957abc3758db4a4fc62dc4db909b37

            SHA256

            5efb78504aae8c3baffe79b94d8202c18ab4221d69cc7a387b9182cccab9bcde

            SHA512

            5c4d4c993a3e5d13b9a0fd8a57484354f0d862951036d662e83163d9b71aceca0da6de3adb51d42b654593464e03155c679b52c695616ff764771eb1bef65d4d

          • C:\Windows\SysWOW64\Pqbdjfln.exe

            Filesize

            768KB

            MD5

            d9469ce833e07c20902a4f4a5b9bcc7c

            SHA1

            47feedab61550cff23499f127d2939c142cb5618

            SHA256

            110d1e3cb558e98fb213a61b2b5f7642365934ab82f708812993435872733e9e

            SHA512

            f282c2f1985f9ffa1af88f21e2be11f2d4503e3abd181cb4e395776c4215afb1d9e058723c00a559cfaf04b40b6565c48b1319e148b1016125a2c92e2c31c755

          • C:\Windows\SysWOW64\Pqdqof32.exe

            Filesize

            768KB

            MD5

            7a1b0c070aa205f69a056b2db719e083

            SHA1

            a36d0782a684aa205f25731421d68e95ed5017d3

            SHA256

            5eb56f22535df2782dea07dcc52f0669092242734dab3dbd989c48ed532eebf6

            SHA512

            081ee8709343305768fff01736ae73a4a41659ce420b8c5446db8f18e8953e4b3a0d23ffd7aa844615ef460dc2b4770c830743f2a9ba8f4af17f535ccb62bde9

          • C:\Windows\SysWOW64\Qfcfml32.exe

            Filesize

            768KB

            MD5

            0666cad29ca0440d23fd9f0bf6013f86

            SHA1

            2d5a71ddf9301c694b716e57c6c7c6de468edd07

            SHA256

            3f9487d31804ffad3efca9fa860b7dc240aa3314876c2594e2113be1f1c2e61c

            SHA512

            dc84a21e24bbc3882ad66ad3e6d5cfe9e852025f186deeae9280ecfd7a1e098c156c913c4e159d01f02d40ac6e3fd58ac33880a4223a36fb169576ab39a6dd66

          • C:\Windows\SysWOW64\Qqijje32.exe

            Filesize

            768KB

            MD5

            d0c3c3e24058a43e5ff89b0233998a19

            SHA1

            74b1870798085c18847faf5fabfb374063090c88

            SHA256

            9d909ff4c9d0714c4b1d6f06b0be206bfa1117e8d9547c12687f40111f9dae58

            SHA512

            9deb0d530833ab3f848ce758c1523c80499b6b99c8241440786212ca63341741a2135d0ee0651de738bbe1eda6ad86b83d091583de0e3346a329caa66deeb8ef

          • Memory dumps. Every dump below covers the same region, 0x0000000000400000-0x0000000000435000 (Filesize 212KB), and is named memory/<PID>-<dump index>-0x0000000000400000-0x0000000000435000-memory.dmp; only the PID and dump index differ.

            PID    Dump index
            60     292
            404    167
            464    412
            464    497
            740    224
            876    216
            956    16
            1076   505
            1076   364
            1256   96
            1272   247
            1416   304
            1456   79
            1524   492
            1524   442
            1652   508
            1652   346
            1656   340
            1656   509
            1696   29
            1744   7
            1916   494
            1916   430
            1972   112
            2012   39
            2104   103
            2132   418
            2132   496
            2232   56
            2284   280
            2368   316
            2448   488
            2448   466
            2600   47
            2608   478
            2608   486
            2656   31
            2688   310
            2696   231
            2744   255
            2772   272
            2776   175
            2800   406
            2800   498
            2900   490
            2900   454
            2916   207
            2964   491
            2964   448
            2976   334
            3004   156
            3024   120
            3048   501
            3048   388
            3252   199
            3280   485
            3280   484
            3344   274
            3392   507
            3392   352
            3400   87
            3456   286
            3536   328
            3592   424
            3592   495
            3620   0
            3660   191
            3676   499
            3676   400
            3740   183
            3756   358
            3756   506
            3848   500
            3848   394
            3948   503
            3948   376
            4004   460
            4004   489
            4028   487
            4028   472
            4228   160
            4392   382
            4392   502
            4416   240
            4468   504
            4468   370
            4584   322
            4596   128
            4608   436
            4608   493
            4616   137
            4784   64
            4836   262
            4952   298
            4992   143
            5024   72
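Two things in the listings above are worth acting on. Every dropped .exe is reported at 768KB, the same size as the submitted sample, yet each carries a different MD5/SHA1/SHA256/SHA512 set, so a blocklist of these exact hashes only catches this run; what stays constant across drops is the location (SysWOW64), the size, and the name shape (an eight-character capitalised stem, often ending in "32"). Separately, every memory dump, whichever PID produced it, covers 0x400000-0x435000, a 212KB image that is far smaller than the 768KB file on disk. The Python below is an added example and is not part of the sandbox report: it loads three of the report's SHA256 values, sweeps a directory while hashing only files whose size could possibly match a listed drop, reports unknown files that merely fit the drop pattern as weaker "shape" hits, and parses dump file names into PID, index and region. The name regex, the 1KB size tolerance (the report rounds sizes to whole KB) and the flat directory walk are this example's own assumptions.

```python
"""Sweep a directory for the drops listed in the report and parse its dump names.

Added example, not part of the sandbox report. The hashes and sizes are copied
from the report's dropped-file entries; the name heuristic, the KB tolerance and
the directory walk are assumptions made by this example.
"""
import hashlib
import os
import re
from typing import Dict, Iterable, List, Tuple

# Three entries copied from the report: file name -> SHA256.
# Every listed .exe is reported as 768KB; the single .dll is 7KB.
KNOWN_SHA256 = {
    "Ampkof32.exe": "ad9cef602eb338b8e6cca0e8481b8e1fa8999c1bb671b6cd0a5f60c0eb339447",
    "Banllbdn.exe": "de8d130897ffacb2edbb52ea5db9a7eddc439f5ead886a6e1256b4a090da20b7",
    "Nodfmh32.dll": "382bff50cf24603b1e43c00dd502f14f643739225758448d2c5cba75b2554571",
}
KNOWN_SIZES = {768 * 1024, 7 * 1024}
SIZE_TOL = 1024  # assumption: the report rounds file sizes to whole KB

# Shape shared by every dropped name on the page: capital + 7 lowercase letters,
# or capital + 5 lowercase + "32", with an .exe or .dll extension. Heuristic only.
NAME_RE = re.compile(r"^(?:[A-Z][a-z]{7}|[A-Z][a-z]{5}32)\.(?:exe|dll)$")

# memory/<pid>-<dump index>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256 of a buffer, the same fields the report lists per file."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for h in digests.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in digests.items()}


def size_plausible(size: int) -> bool:
    """A file whose size is not near any listed drop cannot hash-match one."""
    return any(abs(size - known) <= SIZE_TOL for known in KNOWN_SIZES)


def classify(name: str, size: int, sha256: str) -> str:
    """'hash' = exact IOC match, 'shape' = name and size fit the drop pattern, '' = no hit."""
    if sha256.lower() in KNOWN_SHA256.values():
        return "hash"
    if NAME_RE.match(name) and size_plausible(size):
        return "shape"
    return ""


def sweep(directory: str) -> List[Tuple[str, str]]:
    """Hash only size-plausible files in one directory; return (path, verdict) per hit."""
    hits: List[Tuple[str, str]] = []
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        size = entry.stat().st_size
        if not size_plausible(size):
            continue  # skip without reading: cannot match any listed drop
        with open(entry.path, "rb") as fh:
            sha256 = hash_bytes(fh.read())["sha256"]
        verdict = classify(entry.name, size, sha256)
        if verdict:
            hits.append((entry.path, verdict))
    return hits


def parse_dump_name(name: str) -> Dict[str, int]:
    """Split a report dump name into pid, dump index, image base and region size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return {"pid": int(m.group(1)), "index": int(m.group(2)),
            "base": start, "size": end - start}


def dumps_by_pid(names: Iterable[str]) -> Dict[int, List[int]]:
    """Group dump indices by PID so processes dumped more than once stand out."""
    grouped: Dict[int, List[int]] = {}
    for n in names:
        d = parse_dump_name(n)
        grouped.setdefault(d["pid"], []).append(d["index"])
    return grouped


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed decoy: right name shape and size, content unknown to the list.
        with open(os.path.join(tmp, "Zzzzzz32.exe"), "wb") as fh:
            fh.write(b"\x00" * (768 * 1024))
        print(sweep(tmp))
        print(dumps_by_pid([
            "memory/464-412-0x0000000000400000-0x0000000000435000-memory.dmp",
            "memory/464-497-0x0000000000400000-0x0000000000435000-memory.dmp",
        ]))
```

Run `sweep` against a live C:\Windows\SysWOW64 (as an administrator) or against that directory on a mounted image. A "hash" verdict is definitive for this run's drops; a "shape" verdict is only a triage lead, since the regex is derived from the names on this page and a fresh run will drop files with new names and new hashes. Extend KNOWN_SHA256 with the remaining entries above before use.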