Analysis

  • max time kernel
    13s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    12/11/2024, 14:13

General

  • Target

    a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe

  • Size

    77KB

  • MD5

    91c90b31a33facace1c3e3e3cba01d7c

  • SHA1

    32eede210d1afa54a0bcd1cea9e3333fd458e7aa

  • SHA256

    a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08

  • SHA512

    93d8b3a2424d452102d59b06566408965348a4df58ae29513a4c23d8ba62131391fc23a8fb0e6a6985c43bd57a6323527671bda8ff5cd9af41cac4957347bac5

  • SSDEEP

    768:J10BO9/vDOvT/AE3ziWZxJV2q9W5yL2gq+0C6f2NJ2Ix8eLVixOBAv8Q5ae:/0OvDQvn+LmPLNJcFV

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 60 IoCs
  • Loads dropped DLL 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe
    "C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\SysWOW64\Jcdmbk32.exe
      C:\Windows\system32\Jcdmbk32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\Jcfjhj32.exe
        C:\Windows\system32\Jcfjhj32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\SysWOW64\Kkckblgq.exe
          C:\Windows\system32\Kkckblgq.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3004
          • C:\Windows\SysWOW64\Knddcg32.exe
            C:\Windows\system32\Knddcg32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1892
            • C:\Windows\SysWOW64\Kjkehhjf.exe
              C:\Windows\system32\Kjkehhjf.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2800
              • C:\Windows\SysWOW64\Kninog32.exe
                C:\Windows\system32\Kninog32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2796
                • C:\Windows\SysWOW64\Lfdbcing.exe
                  C:\Windows\system32\Lfdbcing.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2428
                  • C:\Windows\SysWOW64\Lffohikd.exe
                    C:\Windows\system32\Lffohikd.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:736
                    • C:\Windows\SysWOW64\Lkcgapjl.exe
                      C:\Windows\system32\Lkcgapjl.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2828
                      • C:\Windows\SysWOW64\Lkfdfo32.exe
                        C:\Windows\system32\Lkfdfo32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:2044
                        • C:\Windows\SysWOW64\Lijepc32.exe
                          C:\Windows\system32\Lijepc32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:2684
                          • C:\Windows\SysWOW64\Mgoaap32.exe
                            C:\Windows\system32\Mgoaap32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:2104
                            • C:\Windows\SysWOW64\Mcfbfaao.exe
                              C:\Windows\system32\Mcfbfaao.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:2960
                              • C:\Windows\SysWOW64\Mhckloge.exe
                                C:\Windows\system32\Mhckloge.exe
                                15⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of WriteProcessMemory
                                PID:1512
                                • C:\Windows\SysWOW64\Mfihml32.exe
                                  C:\Windows\system32\Mfihml32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:1960
                                  • C:\Windows\SysWOW64\Mmemoe32.exe
                                    C:\Windows\system32\Mmemoe32.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    PID:2496
                                    • C:\Windows\SysWOW64\Nmgjee32.exe
                                      C:\Windows\system32\Nmgjee32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      PID:2516
                                      • C:\Windows\SysWOW64\Nfpnnk32.exe
                                        C:\Windows\system32\Nfpnnk32.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        PID:1500
                                        • C:\Windows\SysWOW64\Nokcbm32.exe
                                          C:\Windows\system32\Nokcbm32.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          PID:2080
                                          • C:\Windows\SysWOW64\Ndjhpcoe.exe
                                            C:\Windows\system32\Ndjhpcoe.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            PID:2332
                                            • C:\Windows\SysWOW64\Noplmlok.exe
                                              C:\Windows\system32\Noplmlok.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              PID:1064
                                              • C:\Windows\SysWOW64\Nejdjf32.exe
                                                C:\Windows\system32\Nejdjf32.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • System Location Discovery: System Language Discovery
                                                PID:2352
                                                • C:\Windows\SysWOW64\Oaqeogll.exe
                                                  C:\Windows\system32\Oaqeogll.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  PID:2124
                                                  • C:\Windows\SysWOW64\Oacbdg32.exe
                                                    C:\Windows\system32\Oacbdg32.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:1712
                                                    • C:\Windows\SysWOW64\Ollcee32.exe
                                                      C:\Windows\system32\Ollcee32.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:872
                                                      • C:\Windows\SysWOW64\Olopjddf.exe
                                                        C:\Windows\system32\Olopjddf.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Loads dropped DLL
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        PID:2296
                                                        • C:\Windows\SysWOW64\Ogddhmdl.exe
                                                          C:\Windows\system32\Ogddhmdl.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          PID:832
                                                          • C:\Windows\SysWOW64\Panehkaj.exe
                                                            C:\Windows\system32\Panehkaj.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies registry class
                                                            PID:2116
                                                            • C:\Windows\SysWOW64\Pkfiaqgk.exe
                                                              C:\Windows\system32\Pkfiaqgk.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              • Modifies registry class
                                                              PID:3020
                                                              • C:\Windows\SysWOW64\Penjdien.exe
                                                                C:\Windows\system32\Penjdien.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • Drops file in System32 directory
                                                                • System Location Discovery: System Language Discovery
                                                                • Modifies registry class
                                                                PID:2784
                                                                • C:\Windows\SysWOW64\Pkkblp32.exe
                                                                  C:\Windows\system32\Pkkblp32.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Modifies registry class
                                                                  PID:2804
                                                                  • C:\Windows\SysWOW64\Pdcgeejf.exe
                                                                    C:\Windows\system32\Pdcgeejf.exe
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • Loads dropped DLL
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Modifies registry class
                                                                    PID:2824
                                                                    • C:\Windows\SysWOW64\Paghojip.exe
                                                                      C:\Windows\system32\Paghojip.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Modifies registry class
                                                                      PID:2900
                                                                      • C:\Windows\SysWOW64\Qdhqpe32.exe
                                                                        C:\Windows\system32\Qdhqpe32.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2312
                                                                        • C:\Windows\SysWOW64\Qmcedg32.exe
                                                                          C:\Windows\system32\Qmcedg32.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:812
                                                                          • C:\Windows\SysWOW64\Amebjgai.exe
                                                                            C:\Windows\system32\Amebjgai.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Modifies registry class
                                                                            PID:616
                                                                            • C:\Windows\SysWOW64\Amhopfof.exe
                                                                              C:\Windows\system32\Amhopfof.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              PID:548
                                                                              • C:\Windows\SysWOW64\Aoihaa32.exe
                                                                                C:\Windows\system32\Aoihaa32.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Modifies registry class
                                                                                PID:3048
                                                                                • C:\Windows\SysWOW64\Aialjgbh.exe
                                                                                  C:\Windows\system32\Aialjgbh.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry class
                                                                                  PID:2140
                                                                                  • C:\Windows\SysWOW64\Bmhkojab.exe
                                                                                    C:\Windows\system32\Bmhkojab.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies registry class
                                                                                    PID:944
                                                                                    • C:\Windows\SysWOW64\Bgmolb32.exe
                                                                                      C:\Windows\system32\Bgmolb32.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:2112
                                                                                      • C:\Windows\SysWOW64\Bjnhnn32.exe
                                                                                        C:\Windows\system32\Bjnhnn32.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Modifies registry class
                                                                                        PID:924
                                                                                        • C:\Windows\SysWOW64\Biceoj32.exe
                                                                                          C:\Windows\system32\Biceoj32.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:1864
                                                                                          • C:\Windows\SysWOW64\Cfgehn32.exe
                                                                                            C:\Windows\system32\Cfgehn32.exe
                                                                                            45⤵
                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Modifies registry class
                                                                                            PID:1968
                                                                                            • C:\Windows\SysWOW64\Cbnfmo32.exe
                                                                                              C:\Windows\system32\Cbnfmo32.exe
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry class
                                                                                              PID:2848
                                                                                              • C:\Windows\SysWOW64\Chkoef32.exe
                                                                                                C:\Windows\system32\Chkoef32.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Modifies registry class
                                                                                                PID:2680
                                                                                                • C:\Windows\SysWOW64\Caccnllf.exe
                                                                                                  C:\Windows\system32\Caccnllf.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Modifies registry class
                                                                                                  PID:2136
                                                                                                  • C:\Windows\SysWOW64\Cligkdlm.exe
                                                                                                    C:\Windows\system32\Cligkdlm.exe
                                                                                                    49⤵
                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:1516
                                                                                                    • C:\Windows\SysWOW64\Caepdk32.exe
                                                                                                      C:\Windows\system32\Caepdk32.exe
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:2728
                                                                                                      • C:\Windows\SysWOW64\Cfbhlb32.exe
                                                                                                        C:\Windows\system32\Cfbhlb32.exe
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:2464
                                                                                                        • C:\Windows\SysWOW64\Cahmik32.exe
                                                                                                          C:\Windows\system32\Cahmik32.exe
                                                                                                          52⤵
                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:2564
                                                                                                          • C:\Windows\SysWOW64\Dkpabqoa.exe
                                                                                                            C:\Windows\system32\Dkpabqoa.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Modifies registry class
                                                                                                            PID:3024
                                                                                                            • C:\Windows\SysWOW64\Dajiok32.exe
                                                                                                              C:\Windows\system32\Dajiok32.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Modifies registry class
                                                                                                              PID:3032
                                                                                                              • C:\Windows\SysWOW64\Dbkffc32.exe
                                                                                                                C:\Windows\system32\Dbkffc32.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Modifies registry class
                                                                                                                PID:2792
                                                                                                                • C:\Windows\SysWOW64\Dalfdjdl.exe
                                                                                                                  C:\Windows\system32\Dalfdjdl.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:2832
                                                                                                                  • C:\Windows\SysWOW64\Dkekmp32.exe
                                                                                                                    C:\Windows\system32\Dkekmp32.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • Modifies registry class
                                                                                                                    PID:1420
                                                                                                                    • C:\Windows\SysWOW64\Dlfgehqk.exe
                                                                                                                      C:\Windows\system32\Dlfgehqk.exe
                                                                                                                      58⤵
                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                      • Executes dropped EXE
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      • Modifies registry class
                                                                                                                      PID:2092
                                                                                                                      • C:\Windows\SysWOW64\Denknngk.exe
                                                                                                                        C:\Windows\system32\Denknngk.exe
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Modifies registry class
                                                                                                                        PID:2180
                                                                                                                        • C:\Windows\SysWOW64\Dpdpkfga.exe
                                                                                                                          C:\Windows\system32\Dpdpkfga.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Modifies registry class
                                                                                                                          PID:2876
                                                                                                                          • C:\Windows\SysWOW64\Dilddl32.exe
                                                                                                                            C:\Windows\system32\Dilddl32.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            • Modifies registry class
                                                                                                                            PID:2032
                                                                                                                            • C:\Windows\SysWOW64\Eceimadb.exe
                                                                                                                              C:\Windows\system32\Eceimadb.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:1956
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 140
                                                                                                                                63⤵
                                                                                                                                • Program crash
                                                                                                                                PID:2028

Network

        MITRE ATT&CK Enterprise v15

        Downloads


          SHA256

          147eb54c3550adaca603abbf212eb6b2bdcc1b8e040d9df803612fb1a0e8fcbf

          SHA512

          7584e9d584e5b18302f1de27a06311d7b3ce6eebddbc3774e7eaebc2d0beeb845ba0c06b3708585e26f78a10fdc05d3471a5ac3bb3481ec8c3c24df8e09eb7de

        • C:\Windows\SysWOW64\Ndjhpcoe.exe

          Filesize

          77KB

          MD5

          4a94b0a919a0c897ed5cdfb20a7855ee

          SHA1

          8dada736e7bb4060c5b556a896560859c42802ad

          SHA256

          f6f7a1cd40e24b30eb3450b89b62f85d9a45fbda3dcccec025c9c1d3ad40602b

          SHA512

          e913f7f0b34f7b47b155978de223d23b79b86262f62a1501b385faab58da141f41407591848283fee417c7223dfc61ad39bff0c3f57527bc82b69309d2b59309

        • C:\Windows\SysWOW64\Nejdjf32.exe

          Filesize

          77KB

          MD5

          0c1a2eb185d0c7ecec7a89663a00ade6

          SHA1

          08f5258a43e4dc4811ee4eace73ec62d8a85d227

          SHA256

          082e850a022aab74083b0aae3530f391399df20fda109b800e976ac09de260fd

          SHA512

          14cb82aa444c8416e065e2687ea9e7e8ac76fd01ac106592f6bc49f2b3dc7b54bf1c31bbc15bc60d1eee20e9f6b9550701d97732181d4933349d8e894c75a693

        • C:\Windows\SysWOW64\Nfpnnk32.exe

          Filesize

          77KB

          MD5

          466870559ffa13df273fa4ff3c022f98

          SHA1

          4d0155e3f1199972183ac358dbe67f2cc7cc516c

          SHA256

          8a1dd49060bb63a0a8f4537dd576ca1813d0a5dffca0f64bf4db39e1111fa160

          SHA512

          f76ac97960667223fc6df4ddc51e868c7219ba3ca32eb7749c76367568b4bce23fd7c31ba10ada42921e9d92223bb391b31bbf8bc9f09614826b42e38117dab2

        • C:\Windows\SysWOW64\Nmgjee32.exe

          Filesize

          77KB

          MD5

          2a930a67147b97dbf6d875bf9bd193c1

          SHA1

          7566c205e6071886fc2a914936da64e158bb2256

          SHA256

          bdcf34e6800d618e26ff2108dde695d289e93dc7d77e8d697e0f1a2ab2f0bcc6

          SHA512

          213ab00a26b87e083ebb193ee5ab9c49c461ce68226c2a752e8c7b52233fa91403b1214c6b0d5f209b24487a5f8bd70a8c8e6ebedd2342f2dfe461fa0048a6a2

        • C:\Windows\SysWOW64\Nokcbm32.exe

          Filesize

          77KB

          MD5

          364286305b618cb3c5357d59cf4d7fc7

          SHA1

          64c7b69060190eacb68922ad05ce958f55341b10

          SHA256

          a673d2aceb9b061df0b284ef792bab82ae35c7536668dcca37b32285a094326e

          SHA512

          ce4d30690c06ebc903418b01847f8e1913325492baa9711e04138dcae100c63cbfcb1627aa2ce4a06b0e8439f88aa56ae7ffdf06568dfad4a38f1657389d9b1e

        • C:\Windows\SysWOW64\Noplmlok.exe

          Filesize

          77KB

          MD5

          37f4118059993e4566e58d423a257bd9

          SHA1

          f47314168b7b2e31674b16da9b03103b58ff8c2a

          SHA256

          6f64c6ca2f3d93d9c59e2d822a88a790cf762049b8b2d7051cc2db1f21b628eb

          SHA512

          6ffe61613f9c3799455c0de32d7d08ce3adf2189c719863e873773a2cdbd1ebf20736ec4396c5c6243de49dd3173dbe2c56cc5f6606f0104c9b0087200392a6f

        • C:\Windows\SysWOW64\Oacbdg32.exe

          Filesize

          77KB

          MD5

          2794527f307e4c4b4c5796653e49c4fd

          SHA1

          e984385719ba086109add72382153d10d30cce74

          SHA256

          87bbb96ae8a93ce2a02b6cb503c46a4091e816fef6473e3d97f0b2b8724eb6e3

          SHA512

          b8bf7d6a7b430137275f7cd83a4aca11f5706eacb6626c6a0ebec9d43f8660d7c0f89e788ad740635eaa1bfcde8f8e913da42a32bac57024d7ffd7a198ed16b2

        • C:\Windows\SysWOW64\Oaqeogll.exe

          Filesize

          77KB

          MD5

          6957e1f4030e6e9e4fa7e66d6346b012

          SHA1

          108ac9610e7da470cb71ec4a11ec1ce8ffe594cd

          SHA256

          d341a66d89f72a4be5af286f81f93accae560690119fad3b337eeba123587bd5

          SHA512

          162c19b149d6a744b8f716fc4c193cc8ab94abfee92d4e7af09742c0fa809206c8347c394aacf9b324d598f13b8b8489f014eda441daafb0111c36e5fd96ca0a

        • C:\Windows\SysWOW64\Ogddhmdl.exe

          Filesize

          77KB

          MD5

          53b835946399bce1b5f215d12e6774a3

          SHA1

          1dbf15616e4338f79d56bdcf798a1999ab34bf0a

          SHA256

          3b25e32d418f458d87d3b5f3d8e0bcad51dc192fb5cc86ff94f3dda719b16599

          SHA512

          23bd81c20778f1d2766835f0babaf2147297a214873068997c680df9992e7489dcd32f3b9771030dcfa2f1643ebbe9eccc43324c4309164b4ac6eabf7cb7354c

        • C:\Windows\SysWOW64\Ollcee32.exe

          Filesize

          77KB

          MD5

          9c45b5cc9c052b6318290af10092f0ff

          SHA1

          d206ce0a260c3ca11e320e34ae64c983261b3333

          SHA256

          1fd037dc8c5cab1793421618e53454a4c4da875d4c67947429c22d9a52285157

          SHA512

          b3195327e811254e3e8ded55b7ad86b8176236ea2ada00957714cd5e0f3cf11c50116087ec28999525b3b1c1fa15de9d1484735ece149389ab830a0d2891be7d

        • C:\Windows\SysWOW64\Paghojip.exe

          Filesize

          77KB

          MD5

          44455e2fd8130b1163c0e137b6c5e9ce

          SHA1

          10928c6222869e81369d2581f58faca5d9b8b2c9

          SHA256

          ef1cdaef4c03d33c23c75403f9bf484c5566d70f02d2fa13e6e1c84cba3f318a

          SHA512

          3cffd2f6141992eae2ae054f651fe5f7c91fdcc0d705c3829ecab6eb41cc0dcd1aac09146268a0550b2a5b43c668cdf0560c01b7de8aea0fcfc0e9b1affa53d9

        • C:\Windows\SysWOW64\Panehkaj.exe

          Filesize

          77KB

          MD5

          dc6d62249447b3a9acb289941e300a6d

          SHA1

          90c43fbffa4634a4ee1f4d207ac57a7f9b0d9200

          SHA256

          b5fc3d3209765425e941f040243b025a9ffe66c856feb542d2838c797bc310cf

          SHA512

          cff2b4937b9217b4071ae62687ee61400671b8da79be4b4d315e289dd986fb88864d33f566039cb2ae7a5d836b3bacfb13176077e2b8e01200aec8f8c1b6c877

        • C:\Windows\SysWOW64\Pdcgeejf.exe

          Filesize

          77KB

          MD5

          62aaf9dbc1b6eac903b92d54b04831f2

          SHA1

          458891583126a6cbea5ffea12ff30db62823cb59

          SHA256

          23a4c8e8cd219146fd34ef2581eee354c2ac72905c505ad5da9d2073eba61dd6

          SHA512

          f8388be0e96b83afc41795b04527c0637cbef60e45c07dca78f5527aba3ef13f6d6163c96015c80146f9ba31ab60601fb1dd3bf862473dc2121dc7357c7dcf6c

        • C:\Windows\SysWOW64\Penjdien.exe

          Filesize

          77KB

          MD5

          bc1d11ca9e622d7cb8f412fceffadc9d

          SHA1

          d3ce029c13b81851e165738f70248779c5f8cfce

          SHA256

          7311feb025899558180027a7643064a3b75b197588dbcaf42cd7c83f328d2827

          SHA512

          23b2b40756f58cc3b14538331256ead9ae49f0efffa08b2e9f409bbd756869583afa6afa6c02901066a726225328d2b25b3a48dba418f36f45ea53dc57016153

        • C:\Windows\SysWOW64\Pkfiaqgk.exe

          Filesize

          77KB

          MD5

          039410b3149bffce7215a2dbd139b6ed

          SHA1

          52927e91ddfbc9e58fec167abaf8d3245c084a16

          SHA256

          2baa390c0e44a38e4441f5beef7764aab44901c84e50a81c59804159fe42bcf5

          SHA512

          b4fe2d22e5d7adb6677dc23167b889023ca8e06794c349efc40f0d1996a3d9fbf01487436e155fea9e0e9875a1041844a195d10b4c5091972f7ff35640bf4a85

        • C:\Windows\SysWOW64\Pkkblp32.exe

          Filesize

          77KB

          MD5

          94586d0d9cdf626bc77938568f022e44

          SHA1

          abbb4991e97ad67d79c1e6ba63f7ed606b042b37

          SHA256

          2cec28de7587d60c03a78035170fd5c5db9eae737a75a1ef2b552a7fea6a1490

          SHA512

          267955039f536d7f26553a3ccd16a1449b39862d6447ce194a6c389508371c37a8df942cdd0aea83043ba69a96862410233c545d1b967f437cdb30c1f94a517e

        • C:\Windows\SysWOW64\Qdhqpe32.exe

          Filesize

          77KB

          MD5

          747497df4b70d2ce6485ec0e8dd74645

          SHA1

          781fc5581989d3b4ffe8c96d6ad5d5f21784749e

          SHA256

          5fa27676f361c62ea519ef0bd83732f10beb801f5c646ba25836bd648189e85f

          SHA512

          22bc791d36d8da9b69925306c2ae0589faebc7304abecf4d21f89519712c318961f4fa2edfc0cc2878773c3a16d3e74d9100463f6329e11492e105f678078bf7

        • C:\Windows\SysWOW64\Qmcedg32.exe

          Filesize

          77KB

          MD5

          8e0554f396e53a53c5d87d77ebaf33ca

          SHA1

          1ca50f85c2645a3a3f4fc0cfae37cb70e623554c

          SHA256

          1de3f5ee116421ce1e19214403b248e0ec857786d49a9d4cbc131a44b5dae150

          SHA512

          03d138866e1f684c681a889d0c4168430e58fbd8a45c24e1609006390b7baf6d7976fb1466d42a62c61c0200b35702223538fc34331e0d6290d5561f40541009

        • \Windows\SysWOW64\Jcdmbk32.exe

          Filesize

          77KB

          MD5

          8ecc63efc012f9d0e8e15b966fb7053c

          SHA1

          ea0082d8b8c5fa63c8f1e142e1cf49020047248e

          SHA256

          5a73bd6071e54aab5cdc5fc11a0af50c0c884d631295712c664ab3a01f6b9b2f

          SHA512

          dd54ef4a89e6727ee8fb8080febedffb3ea58f71a626dd96b28f5c1236061a56026ca51969f70d6343d9eeed0752d9b9c745bb46f5330c33e1e9dfb8fb440e04

        • \Windows\SysWOW64\Jcfjhj32.exe

          Filesize

          77KB

          MD5

          95b214bd445e062cfee165bc3499e9c3

          SHA1

          4d2f396d3af295ae59d092f041b5489ddce91f02

          SHA256

          89971e5776060de2e9dbaa7f7df67ff34fb8d9f5a0737d0dfbc6b0b9177a085e

          SHA512

          9beff3f9f717fca990776eef352f9192aabfab54dd33c12b080ee7fb050cf04bf77d30195788e8f7a95d58215964b7552a8dd332573b2f19d57fa589c8c3c7a1

        • \Windows\SysWOW64\Kjkehhjf.exe

          Filesize

          77KB

          MD5

          88dd34788e8081d6b491c6a3951aa381

          SHA1

          2c8bfc0c0021f64e92cc403b1c7a480144362537

          SHA256

          c888ed4d7bbc4c86350fab5c55445b560800b77f0858885c98ddbbcd4d24ec39

          SHA512

          5697fc6210d1048ba6d0bfac1d975c1aa5dd87e858c03d6260c4d4fbbf6605f825b0f795eb51d934a440471c482d58a7f0230d0cc100d7680c7d45d01889fb38

        • \Windows\SysWOW64\Kkckblgq.exe

          Filesize

          77KB

          MD5

          2778618c8f00c7480e37779cf39540c9

          SHA1

          bfca288471a395f4d40515adf7182d00126f2382

          SHA256

          2f6c5903f4b5621c1491ee13993e621fcb32ff41dda72f77483b1a2c5e0cf096

          SHA512

          fc49e0f11f75b947cec216bc2f946ec7f248678895e572c3acbc3329c6aa0136b6af41243978b774a3bba6c56bae2221e8b0891522ad05d12d6ffaa229707a21

        • \Windows\SysWOW64\Knddcg32.exe

          Filesize

          77KB

          MD5

          8697856f1fba22b8c1ac58fc846adb10

          SHA1

          21b591f92dd7d5c6b63cbb005deb7a4ef2649d5d

          SHA256

          db19fcd558c848f1378eed2220b6d2f5aee7002649c6202734be0b36157f0271

          SHA512

          51207f732fd5911fd50dbfbc5af40d8d9cda2b4e0cb848dc866ffb22890b338ec66de5dc6e97139247a9e8890487e6afe3fb2ef7f5c0f47e55b68d90a6213a5a

        • \Windows\SysWOW64\Kninog32.exe

          Filesize

          77KB

          MD5

          fe985ebcdc4af1a20e6367952c8e0518

          SHA1

          1d6bdcb83e6a4fff3776a48c8205002ce7945a7b

          SHA256

          2a9ff1f7e2e1b7b12a5f9462b949d721bd8349ec15f489c10adb2ed844c33bcf

          SHA512

          b361bb25e92bbbac6ff4a360fa2d7f4abcad61ee81cbe4074e4d4fb86f5f49be7867df46726b1015e4add07ec76ebf061d0f42041bece37b262b5ac2e255d3f1

        • \Windows\SysWOW64\Lfdbcing.exe

          Filesize

          77KB

          MD5

          f48c80cbc50bf741b370e89328549bdf

          SHA1

          6da98e62670b3342a43981384146ee4c18a124b9

          SHA256

          c1754a9f610de3ac249b02f216592ffde6cc223b1780b39844369df7bc15011b

          SHA512

          9c7c2baec95d873c4a14399b415a1f1ccfb33beec7e235a90553cf713341501fa1f647c505b0bbcc8fcc647e58335d1c5d0c52a6373c50fed846065f99028f37

        • \Windows\SysWOW64\Lffohikd.exe

          Filesize

          77KB

          MD5

          3d330db4dff8f320f2e37fc64edae9f0

          SHA1

          349ebc2f081f9516a897805d59d752cb8b46ad92

          SHA256

          aab8fcff39042ab22eb45b0e985d3ca04c487d98e2942b636465c4d88f372a74

          SHA512

          4023f6945355b856ce30919e87671804d943175f75660a0610c9defc05169673e421069aaa862132bb2a882065ce090a7d3c813cdc297252981923d68871a4a0

        • \Windows\SysWOW64\Lijepc32.exe

          Filesize

          77KB

          MD5

          5d65009501992f2343d0b5530f7dbe69

          SHA1

          c2ca11cede6aaeea44c4993304b6fff44a89cea9

          SHA256

          d36a1345f58eb72692f49cc86b90c23ac8e06a428a5da62fb38ebde3f48f2808

          SHA512

          d695ce7d0b73707fa875e71716fddbcef5eea2fa0c595999f1f01ab19e7aaa244877d7538484b3bd100f4eb719090a9474d2bd26c06b337e9cbadba2606ba4d6

        • \Windows\SysWOW64\Lkfdfo32.exe

          Filesize

          77KB

          MD5

          8ca0a62414d7fae798d8b3b3e8bc9ce7

          SHA1

          3cd3d8b581289425abff616e0204effe3d18c668

          SHA256

          f9146b3ef514433c5c74a53fdb050ad66a9a2caba4aed77eb6aa459cd29f0fbf

          SHA512

          75fd928a00fea2c107fc18c7f6f33e94c683a3b8b0693398aab85e3cdcad2a7e501e3f2026c59427397a69eab93e562e8c3dd8cba154d2ddfde6c325763093f1

        • \Windows\SysWOW64\Mcfbfaao.exe

          Filesize

          77KB

          MD5

          c7ccbf772596480784e84d80a437b511

          SHA1

          45987a7b2c41f9de23a489f80a6751d5b230f458

          SHA256

          919c10ec785d3ca51e2845ee068fd8f4224fbc87adc8c76527f004f2e29f475b

          SHA512

          8259422bcf1f6eacdcaeda3c1f21d75e6a17a05880f2df9873ed327462198f4e73a6d0fa9af028198f9183ed5828a86796d0ff5f35a92360954d8d390f6b6dd0

        • \Windows\SysWOW64\Mfihml32.exe

          Filesize

          77KB

          MD5

          98c0d304a420f0cbcc58e265d63d6ef8

          SHA1

          6a2a6580456fca98eb1c8fdf03c705d6a1d7f535

          SHA256

          ee3ef13ebb2dcc6497bc7af412b2b76f2f48a452e9cd78fa8a44a26d78908891

          SHA512

          ba63224c5faffb8d0270bd8f98f90bc1651f3fcee5ef343e92d09b898fc1ffdadee1050028b75211438dd33b64660975cda80bf207463d37bb5a0d42b9df2172

        • \Windows\SysWOW64\Mgoaap32.exe

          Filesize

          77KB

          MD5

          ebd41d0aa4eca9cf297e9ea4331da2ee

          SHA1

          832fd87e7da80373d92acfb3817dbcc3d220c868

          SHA256

          043768bbc37cef60f21e8bf0ee5124dfb1e6106549d6eac8e59307a8b43b6728

          SHA512

          34380fc57d2d575e6e56b47701d8c51b511f35e649b51b5ae09c906509b335fe6a6cee59151a9f29282a84b19c2840e04590077c34bdc60d3b5c57c6f5a6bb00

        • \Windows\SysWOW64\Mhckloge.exe

          Filesize

          77KB

          MD5

          5a578e0d1d31fea083f2d475936066a4

          SHA1

          9241bad84ad2864167cfaff859bcc5f63ccd3756

          SHA256

          72d9eebe3f6e4467e0612393b9d31f77bce53811d8548c2b74e8365ae1e73345

          SHA512

          69f39a0b2e98de0f947c16eb8d7187e606dfe140c22d50b37f049a8c1c013b1dc960e5c5466fb84ae0cfc22dedb6e892b92d2dec9a23bb641f68b571d19a12ac

        • \Windows\SysWOW64\Mmemoe32.exe

          Filesize

          77KB

          MD5

          968eb2e0149e96aa3b068d39602cc48f

          SHA1

          8d0b7d6de9756177d8341fb765b4ad72b35d22c9

          SHA256

          500a8a1f70b58b18514748f479bea438f37a776aacba643b2f2c1bae59f7d683

          SHA512

          cb6127d8c829bd713887e276d75a89f0b1625a8e753827ed1f555aa263ac237f2efe3acabd21acbdf7a1bee2638c8c0b818705449d3cfec1a4760a6cca340425
