Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/11/2024, 08:28

General

  • Target

    a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe

  • Size

    608KB

  • MD5

    b9197b7ef5911ed4e525fc07f33a2bc0

  • SHA1

    27d405f93270678b7f5fea07014b1ac5544c2d04

  • SHA256

    a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3

  • SHA512

    3a53148862d3999cc9a7d02e40a796f5c79a52b42ee7265f15b2df295befc2bb11137967fd028df35dbf1b66079fc0bea75fa450f363294b6d9576f9d71650ec

  • SSDEEP

    12288:ITCJ4skY660fIaDZkY660f8jTK/XhdAwlt01t:8bsgsaDZgQjGkwlg

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 56 IoCs
  • Loads dropped DLL 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe
    "C:\Users\Admin\AppData\Local\Temp\a6d6fd54e517c895f47abbb8b3e1d2c4cbead48496e419e2ea325566abfe06d3.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\SysWOW64\Lcofio32.exe
      C:\Windows\system32\Lcofio32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\SysWOW64\Lfmbek32.exe
        C:\Windows\system32\Lfmbek32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\SysWOW64\Loefnpnn.exe
          C:\Windows\system32\Loefnpnn.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2828
          • C:\Windows\SysWOW64\Mgedmb32.exe
            C:\Windows\system32\Mgedmb32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2892
            • C:\Windows\SysWOW64\Mcnbhb32.exe
              C:\Windows\system32\Mcnbhb32.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2196
              • C:\Windows\SysWOW64\Mbcoio32.exe
                C:\Windows\system32\Mbcoio32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2500
                • C:\Windows\SysWOW64\Nedhjj32.exe
                  C:\Windows\system32\Nedhjj32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:3048
                  • C:\Windows\SysWOW64\Nefdpjkl.exe
                    C:\Windows\system32\Nefdpjkl.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1720
                    • C:\Windows\SysWOW64\Nhgnaehm.exe
                      C:\Windows\system32\Nhgnaehm.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:536
                      • C:\Windows\SysWOW64\Ncnngfna.exe
                        C:\Windows\system32\Ncnngfna.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1688
                        • C:\Windows\SysWOW64\Onfoin32.exe
                          C:\Windows\system32\Onfoin32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:1716
                          • C:\Windows\SysWOW64\Opglafab.exe
                            C:\Windows\system32\Opglafab.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:2776
                            • C:\Windows\SysWOW64\Oeindm32.exe
                              C:\Windows\system32\Oeindm32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:468
                              • C:\Windows\SysWOW64\Obmnna32.exe
                                C:\Windows\system32\Obmnna32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:1132
                                • C:\Windows\SysWOW64\Pbagipfi.exe
                                  C:\Windows\system32\Pbagipfi.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:376
                                  • C:\Windows\SysWOW64\Phnpagdp.exe
                                    C:\Windows\system32\Phnpagdp.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    PID:2540
                                    • C:\Windows\SysWOW64\Phcilf32.exe
                                      C:\Windows\system32\Phcilf32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      PID:344
                                      • C:\Windows\SysWOW64\Paknelgk.exe
                                        C:\Windows\system32\Paknelgk.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        PID:568
                                        • C:\Windows\SysWOW64\Pkcbnanl.exe
                                          C:\Windows\system32\Pkcbnanl.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          PID:3004
                                          • C:\Windows\SysWOW64\Pnbojmmp.exe
                                            C:\Windows\system32\Pnbojmmp.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            PID:2088
                                            • C:\Windows\SysWOW64\Qkfocaki.exe
                                              C:\Windows\system32\Qkfocaki.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              PID:2528
                                              • C:\Windows\SysWOW64\Qndkpmkm.exe
                                                C:\Windows\system32\Qndkpmkm.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry class
                                                PID:1924
                                                • C:\Windows\SysWOW64\Qdncmgbj.exe
                                                  C:\Windows\system32\Qdncmgbj.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • System Location Discovery: System Language Discovery
                                                  PID:884
                                                  • C:\Windows\SysWOW64\Qjklenpa.exe
                                                    C:\Windows\system32\Qjklenpa.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:796
                                                    • C:\Windows\SysWOW64\Ajmijmnn.exe
                                                      C:\Windows\system32\Ajmijmnn.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Loads dropped DLL
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2164
                                                      • C:\Windows\SysWOW64\Aojabdlf.exe
                                                        C:\Windows\system32\Aojabdlf.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • System Location Discovery: System Language Discovery
                                                        PID:2968
                                                        • C:\Windows\SysWOW64\Ajpepm32.exe
                                                          C:\Windows\system32\Ajpepm32.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • Drops file in System32 directory
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          PID:1332
                                                          • C:\Windows\SysWOW64\Alnalh32.exe
                                                            C:\Windows\system32\Alnalh32.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2740
                                                            • C:\Windows\SysWOW64\Akabgebj.exe
                                                              C:\Windows\system32\Akabgebj.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              • Modifies registry class
                                                              PID:2888
                                                              • C:\Windows\SysWOW64\Abmgjo32.exe
                                                                C:\Windows\system32\Abmgjo32.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • Drops file in System32 directory
                                                                • System Location Discovery: System Language Discovery
                                                                • Modifies registry class
                                                                PID:2632
                                                                • C:\Windows\SysWOW64\Agjobffl.exe
                                                                  C:\Windows\system32\Agjobffl.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Modifies registry class
                                                                  PID:2596
                                                                  • C:\Windows\SysWOW64\Akfkbd32.exe
                                                                    C:\Windows\system32\Akfkbd32.exe
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Modifies registry class
                                                                    PID:2444
                                                                    • C:\Windows\SysWOW64\Bgllgedi.exe
                                                                      C:\Windows\system32\Bgllgedi.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Modifies registry class
                                                                      PID:1812
                                                                      • C:\Windows\SysWOW64\Bjkhdacm.exe
                                                                        C:\Windows\system32\Bjkhdacm.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Modifies registry class
                                                                        PID:2412
                                                                        • C:\Windows\SysWOW64\Bbbpenco.exe
                                                                          C:\Windows\system32\Bbbpenco.exe
                                                                          36⤵
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2472
                                                                          • C:\Windows\SysWOW64\Bjmeiq32.exe
                                                                            C:\Windows\system32\Bjmeiq32.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Modifies registry class
                                                                            PID:108
                                                                            • C:\Windows\SysWOW64\Bnknoogp.exe
                                                                              C:\Windows\system32\Bnknoogp.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              PID:1684
                                                                              • C:\Windows\SysWOW64\Bqijljfd.exe
                                                                                C:\Windows\system32\Bqijljfd.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:616
                                                                                • C:\Windows\SysWOW64\Bjbndpmd.exe
                                                                                  C:\Windows\system32\Bjbndpmd.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry class
                                                                                  PID:2908
                                                                                  • C:\Windows\SysWOW64\Bqlfaj32.exe
                                                                                    C:\Windows\system32\Bqlfaj32.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:2564
                                                                                    • C:\Windows\SysWOW64\Bjdkjpkb.exe
                                                                                      C:\Windows\system32\Bjdkjpkb.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:1528
                                                                                      • C:\Windows\SysWOW64\Ccmpce32.exe
                                                                                        C:\Windows\system32\Ccmpce32.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Modifies registry class
                                                                                        PID:3008
                                                                                        • C:\Windows\SysWOW64\Cenljmgq.exe
                                                                                          C:\Windows\system32\Cenljmgq.exe
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Modifies registry class
                                                                                          PID:556
                                                                                          • C:\Windows\SysWOW64\Cmedlk32.exe
                                                                                            C:\Windows\system32\Cmedlk32.exe
                                                                                            45⤵
                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Modifies registry class
                                                                                            PID:496
                                                                                            • C:\Windows\SysWOW64\Cileqlmg.exe
                                                                                              C:\Windows\system32\Cileqlmg.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry class
                                                                                              PID:2504
                                                                                              • C:\Windows\SysWOW64\Ckjamgmk.exe
                                                                                                C:\Windows\system32\Ckjamgmk.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:1700
                                                                                                • C:\Windows\SysWOW64\Cnimiblo.exe
                                                                                                  C:\Windows\system32\Cnimiblo.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Modifies registry class
                                                                                                  PID:1652
                                                                                                  • C:\Windows\SysWOW64\Cebeem32.exe
                                                                                                    C:\Windows\system32\Cebeem32.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Modifies registry class
                                                                                                    PID:2280
                                                                                                    • C:\Windows\SysWOW64\Cjonncab.exe
                                                                                                      C:\Windows\system32\Cjonncab.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Modifies registry class
                                                                                                      PID:1596
                                                                                                      • C:\Windows\SysWOW64\Caifjn32.exe
                                                                                                        C:\Windows\system32\Caifjn32.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Modifies registry class
                                                                                                        PID:1492
                                                                                                        • C:\Windows\SysWOW64\Cgcnghpl.exe
                                                                                                          C:\Windows\system32\Cgcnghpl.exe
                                                                                                          52⤵
                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Modifies registry class
                                                                                                          PID:2876
                                                                                                          • C:\Windows\SysWOW64\Cjakccop.exe
                                                                                                            C:\Windows\system32\Cjakccop.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Modifies registry class
                                                                                                            PID:2884
                                                                                                            • C:\Windows\SysWOW64\Cegoqlof.exe
                                                                                                              C:\Windows\system32\Cegoqlof.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Modifies registry class
                                                                                                              PID:2852
                                                                                                              • C:\Windows\SysWOW64\Cgfkmgnj.exe
                                                                                                                C:\Windows\system32\Cgfkmgnj.exe
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Modifies registry class
                                                                                                                PID:3060
                                                                                                                • C:\Windows\SysWOW64\Dmbcen32.exe
                                                                                                                  C:\Windows\system32\Dmbcen32.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  • Modifies registry class
                                                                                                                  PID:1808
                                                                                                                  • C:\Windows\SysWOW64\Dpapaj32.exe
                                                                                                                    C:\Windows\system32\Dpapaj32.exe
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:1296
                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 144
                                                                                                                      58⤵
                                                                                                                      • Program crash
                                                                                                                      PID:2960

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\Abmgjo32.exe

          Filesize

          608KB

          MD5

          dd928ada094bbe527ce4871ccf444cae

          SHA1

          a6508940a791e373f88391a133545f47eab27bcd

          SHA256

          4dd526a1c81f53e751b6180135ac6599b62b168c60283145f3d208ddf97dda5c

          SHA512

          e9b7a95f7fb4eced7ff64ed4618c040b133fa6905af5df7e14138f3cb57d954ae150c363f8480a122be23fc63ebfbad0a11e762945ce3f1c0a07776a19ed9bdd

        • C:\Windows\SysWOW64\Agjobffl.exe

          Filesize

          608KB

          MD5

          5debc0b2872ac46db9ea016d8721cc8b

          SHA1

          07afbeb5bd59dd62b358ebefefb44d0ccc818256

          SHA256

          fd050ba7bdc60d68155d0ea3d4688b282485baead7cc27e89e85be25a5da0d2a

          SHA512

          e65577f492b950d91726999ed5e038f8231076c1758a30f34035de37ac9b8617645d9a5c3f5f7d428ae1a8a44cdc04ce9f01f6ecfdfee8754b7e5f7732883431

        • C:\Windows\SysWOW64\Ajmijmnn.exe

          Filesize

          608KB

          MD5

          b5d1e68a4b1724b7b03048b24640b01d

          SHA1

          d04a6fb10f675f87a951911e717fbaae684c1809

          SHA256

          d363eb487e482b34ca3b9ad2573fd2a5e073e730d6b93b5817c3650503eb8453

          SHA512

          8b83f95209176e8edd7a5ec87a9b142563d3826cf32f7a0cc7e8c8dceaa8e2484943fba804e210107adb0683f78b9d5ef33668613b2762ca3288484a3148d4d6

        • C:\Windows\SysWOW64\Ajpepm32.exe

          Filesize

          608KB

          MD5

          1f87c7492a72aab084a4fece279d43c1

          SHA1

          bf0c98bf0b604c5a270e8bac797d15895d0ed4b4

          SHA256

          e0c12180b1260eef77a7e88c333a007dcb57c0136002433ba312add7102a63a3

          SHA512

          1138cf54e2ac0d3a134304688613a76d9f269a673cb1b73017cbd2d08d31ee19f2ef5af4ea2c95e4e6cc942deb0240e383b6dead06e9082d06c7c08051ba9d8f

        • C:\Windows\SysWOW64\Akabgebj.exe

          Filesize

          608KB

          MD5

          237e8d7400ba1d523fe678e98c28d94a

          SHA1

          e2b21498e7349c85ca9d596be7b592862d54aad6

          SHA256

          e4fd6a6b3bd5d4b3146e23570d7c88c08d4b4980976f54ab16e5e76a6d195858

          SHA512

          d70415eafd708e838824929b316986ac6758e1676606fc037f6db42623039c43646d994547e32f95183824786a8a6aaee3860835555387a8af54146af4dc4531

        • C:\Windows\SysWOW64\Akfkbd32.exe

          Filesize

          608KB

          MD5

          a0428fe4359daa0f5d95be9475520a13

          SHA1

          a5cde4b64af545745264b144a3a899ae40909d15

          SHA256

          32897bf384fda2acadaab6131ca3615c9e902db76705f4ca7c0f08ae5041cc27

          SHA512

          98561e7082349755ebaa3a6f2b48ba994d96f2ec8872b3fac5df993afb666a8bb37af26d0b1051275b617000b6ae7eaa118a12c385141d853e4ddb8bba4b7223

        • C:\Windows\SysWOW64\Alnalh32.exe

          Filesize

          608KB

          MD5

          6a61c69ce688fd071c2b278eab6e88ce

          SHA1

          831fb52ec1efb8ec56926de96937b854ba0756bb

          SHA256

          d5183afd30e08d59765a872f7cd759a291ce58d255b3daca8fc62ee038410deb

          SHA512

          0a276cb9ba1509e96a11e18f9a296613a7614228e280d3dd301e083271d767014989b186b35e1c3c01711faef69aa1e0d1d92fe62acd149b5c2f16e76ee542dd

        • C:\Windows\SysWOW64\Aojabdlf.exe

          Filesize

          608KB

          MD5

          4fd4b64295727b847678b130a92d88b3

          SHA1

          1a4d6198ff31090d050e61d3e2f90f6d7870c361

          SHA256

          f42567ff6a97a58e1b12c5d29d3bc4b326d2c00a39abe8080becc1ec562c934a

          SHA512

          c5d1232ed82070a6d09a16c6654fb7ae919895a9987ce4b87ad6a2a06642c2120010a778861207d51405810e2b6f393511ccd1f915a28a23565073fe10ed0749

        • C:\Windows\SysWOW64\Bbbpenco.exe

          Filesize

          608KB

          MD5

          794080037bcaf128480e3d173e3231f4

          SHA1

          903a9406b4f214b25faa554b775084669bbef61e

          SHA256

          374d59888cea85b24a87938bb86d11a01b83e54bc4865d55781733ac320f038f

          SHA512

          d6a0f44929f32ceb8649a9b9043fbf20e75001306f83f12e161d3363be4330e87046b93ec3035d5645c6323cfc8f515449fedd2970f14b02783846190008abff

        • C:\Windows\SysWOW64\Bgllgedi.exe

          Filesize

          608KB

          MD5

          e20d31312917c90f8b90e5c07fed7e59

          SHA1

          e0ad6a51665689ae540bc81c019493ccc7823349

          SHA256

          740e85174a8ce0f275436ca0ab2344f8b306a45f04b1b05e99ca7cbbce7e6c73

          SHA512

          548c06aa82470a6a04f3360cdbb846edf619eb02d7c0a649fa8dc867114516ce0dcc98dc09e63b1bf14e33c259461fcb59208562de9dbe2c886d2c723a1cd0de

        • C:\Windows\SysWOW64\Bjbndpmd.exe

          Filesize

          608KB

          MD5

          2af6e77c8791aba644036fe1fda915be

          SHA1

          3bb9b93d8db286f7f0ecd3f6094e50b89de47711

          SHA256

          c19186fdff2528b5811b90712a1340053936b0d83fe37f4ad3232797779b828e

          SHA512

          cf3d053b77ee12bee74acd8932a2e1aa13c628d324951c41b8091f5d5dfce0f7003cc06ccd4bf99546655e0ff3535947a61aedb94fdfda27ac0baa4e15b3e958

        • C:\Windows\SysWOW64\Bjdkjpkb.exe

          Filesize

          608KB

          MD5

          dd234fbe8f8c941aab7707563538bdd7

          SHA1

          affa7957e48141a2e4ae1dad155971c170508a3b

          SHA256

          595d2a33808632d0a360e1d23409ababaf9f1706ab629686aa13da1358907423

          SHA512

          bdb942b4090e8685b8c1a195b348590753a995d6a67465d4be86ecc8dba43841bca435686401cceda46946f8ca45ebf23700374218b67f625afd20d111c04017

        • C:\Windows\SysWOW64\Bjkhdacm.exe

          Filesize

          608KB

          MD5

          8c83f8ad982e465cf0c4bde843000108

          SHA1

          e4a5a10f7ba190a3254ed0adcbede40953b2afe1

          SHA256

          97640232560b152b54bbf211bc18bffd5b421751d688b7817059307f3ca56312

          SHA512

          d43376ba144fe00f2a4cfca514f1650043a3ffe231b90b43b8b9ca44e4ab0f187697d73c88ca1c9903b71fb060d27eac52c411a818db0242317cdebf673cdb13

        • C:\Windows\SysWOW64\Bjmeiq32.exe

          Filesize

          608KB

          MD5

          309649fe5409232627efcdf620e067ad

          SHA1

          0aa5888fc928b1bde0a38f2f1ae84384403e0a67

          SHA256

          135dc6603d0f5c33b41f808cca03b7fc69960899eb7f0d2cca368fe72643d8b5

          SHA512

          539fde80139fc2c64153a6efdbcaebdd78cb02eed89764ce03b5e51e249087ebf0dba576899c61e7b64518119d8981220d24657fa5afcb65e8e844623918286a

        • C:\Windows\SysWOW64\Bnknoogp.exe

          Filesize

          608KB

          MD5

          00b0b959a8f3b0958aee534ab5171226

          SHA1

          c317f041189d0e235f97bb747bcd84f7a41c8cb3

          SHA256

          af12d264f2a3e35bbcadd28452d89c407a3a6b67ebb57befa87fdd1e2d6ca082

          SHA512

          748018b29e5d37e3253f6510b9ed1f08866371dcf8e7df82b9d1f18aa0643e8ce038893909124f4055fa7b62be7c2f25fdc7fcac0fb2da9a8b098ab5401b9d3e

        • C:\Windows\SysWOW64\Bqijljfd.exe

          Filesize

          608KB

          MD5

          3812e16918b1bbfa99179021fc6b3412

          SHA1

          d506c0247c6300aced4bc77b533b56075612c29f

          SHA256

          0ab853e6aa8cc0945dce76e510aeceea81f079339c9bf0412f85e1d8b5d50dd3

          SHA512

          12beadcfcf4905abea64d1279c7feb9063f41eb7a63f3884a2e0b1f468de140375b567b85224fe416bb03201056b5f3f18f9b693fa00e01413cf11029e289ad4

        • C:\Windows\SysWOW64\Bqlfaj32.exe

          Filesize

          608KB

          MD5

          b25f7bf0882970d89bfad058755d7705

          SHA1

          a008437cf84b819ea544defe8fd20b81e99cc90f

          SHA256

          1fe944b625018211cf37648c1a34eab6262ef24a79a8a2d9ec168ecb820be2ff

          SHA512

          9519b16b542bf15179cf1c8904726938d817734f23acb9fcb9f6dd415cdeb30a237a3c1b293d06b1b77b4c76c0ae29fd50c543e2f2dc85b3c0b7be0970af19b4

        • C:\Windows\SysWOW64\Caifjn32.exe

          Filesize

          608KB

          MD5

          3e23107fe357ee8c35077851ccc9df91

          SHA1

          6c9aef0d3743c9ca4fa39d012eb214bf2053430b

          SHA256

          b3e9228c94f6830b57228f6d8811c2c7d67bc41f097b2340bcae44c53a1ee4ee

          SHA512

          cefeec5254a6b073c7730302815b7f0aece23f210a3d7c7aca650d17e6923fa793cd6d6237031eb258701998d53202cc14737c4dd9fcc5683ec51e908e7eb344

        • C:\Windows\SysWOW64\Ccmpce32.exe

          Filesize

          608KB

          MD5

          d91be54f6e48b2d11008d4f2970d0c7a

          SHA1

          5351679fd47d7eabdc345b05b5ec934b8b2e3e81

          SHA256

          b45b183ac863cf0f36a2adfe68a6059ac02a9c3697bd36d491db1adb0735df56

          SHA512

          81f10af885e80da5f28509696e285fd029452fa6b89dd97623b26671caaddc9d766ff3e47dea5874532774baf21aef94087fe90c04dd5e0f4ec506b3f5fd35f8

        • C:\Windows\SysWOW64\Cebeem32.exe

          Filesize

          608KB

          MD5

          0885540efb107fb673d4a8cf034eb0dd

          SHA1

          bb9a16a11008d4113cb83023781f653b0f59825f

          SHA256

          d967ca84d1a5c6c6f3a1dfcde1632970689d3ec7d69114df2288edbe7512f589

          SHA512

          252f4a3574c6b9403334502694d49b9741206715279245f089f1642c6cc2c5804ed165e0ee206fde45cef5820258d4ba02fc7600c6f0bbb6e7a881097646177e

        • C:\Windows\SysWOW64\Cegoqlof.exe

          Filesize

          608KB

          MD5

          10a6f3564fb2be0ab03edb59a5e21589

          SHA1

          60bec0507006f985182158a2bd6dfcb9e57e832e

          SHA256

          825a43990e0b93f79b8396bcd3ee5b8b18e26a498ec060320ffc5c258684da90

          SHA512

          2f397934b2bdaf8d5a2e27619c23e8f7dbda10685c5e92fd3e739c5bed25bca89012a4e7e96e46641a19825a3d3be03a88130f5c114eaba22ef9cf096a828746

        • C:\Windows\SysWOW64\Cenljmgq.exe

          Filesize

          608KB

          MD5

          64efcf17e3b17749159f0ccaad07ce49

          SHA1

          eda952df51313e827ceead154aa6a75278983407

          SHA256

          870feef4d3ee9f01e8caeb472a040db9b8c189ef4890ced80352faba3c35b2c6

          SHA512

          293964c94d97984f5784a05d190712bde1e6288449e42c12b74f4fe61a642b25ad21462559c102d4c663b5d6b4d940ef7eb623a611746d8ff66f73d8af14a2ec

        • C:\Windows\SysWOW64\Cgcnghpl.exe

          Filesize

          608KB

          MD5

          839809f44da5f4dbe8c1350faa40d26e

          SHA1

          f22662b6cd3db37533449e4db2dd3cf48dd34867

          SHA256

          daa91db475df24a550f5b30ecfb8e0e8afcd6a6dc9ba12d65a6f4a38abac67f2

          SHA512

          33f8c7336c2911eacf336ec7d3f7d78dd6b768821b9f5ce48c50fe76f0db94421c778f84fdcdd7d3db58d4face9ce61aebff4601bb17b12bf598de25066394a6

        • C:\Windows\SysWOW64\Cgfkmgnj.exe

          Filesize

          608KB

          MD5

          3f1d19d4e63131f4f12167f3de07cbd3

          SHA1

          bf32155ddff6d8f75d9131a6c1304c84e9547d2a

          SHA256

          7c145407165989c48fee479e41872a35753693e1b308182941d902adfd6efbeb

          SHA512

          11a3cc234f088dbcf0bda9f314ae68d9732d5f87ca7d2023f085a3712d1d937d8def6a0b567aafcb45be2de85cb602a20c9d6a6770386380fbb8a534bc7eee06

        • C:\Windows\SysWOW64\Cileqlmg.exe

          Filesize

          608KB

          MD5

          049a7832972d4bd84b42cfbe47098649

          SHA1

          4569b9d3355cfdc42ac26ad11a90599af8906cb3

          SHA256

          4fc4984bcb0261124219e60dafb6a9002c18a4f6d8c82733a945cb285e067c41

          SHA512

          13121ae7a7d8d06992b6616f0f501c80c60609bf768cf396798e539ad0b5a5123aaccac6e01280463c4f1afd538dc7066361edacee16e4c7837e6243053f6205

        • C:\Windows\SysWOW64\Cjakccop.exe

          Filesize

          608KB

          MD5

          3cf922da08e96b9e924110b881525267

          SHA1

          5b96438f1874a15c9b0c9bb52f39c2c625a608ff

          SHA256

          747fb4138211d9fea5db0bd3f99c3337327e355f5db22cbf1d30027e2ef01d3e

          SHA512

          8c072a264a5b060c20a1004e3f0e1d2047b26967cbc916643001e1cf2b6bf4bbaea695c235f12523286b227226541e9b8dab811133077e30197315fe599b5d49

        • C:\Windows\SysWOW64\Cjonncab.exe

          Filesize

          608KB

          MD5

          1cab6b9605effb6d90f52b62c2a27720

          SHA1

          745f712203d8c6b05aed9d87734db3d4c96c63f1

          SHA256

          24b287887f6d948815da2738f767d57526950981501101a77d2e97a55bbb15f5

          SHA512

          189ecb418d1385ff01f9611a3d976b7b514ae5eae94a4dc15a9adeeb1da7d89e08ef55b90e52241a56bf74e881897f67212c812115e5129d8054ab4ceac8d08d

        • C:\Windows\SysWOW64\Ckjamgmk.exe

          Filesize

          608KB

          MD5

          02a0cec7dcb932579817167215697558

          SHA1

          1a4acb3ff6ae698152c862378d59b6e4db8c1756

          SHA256

          c256c604ab1e1d2ada9b1f84380fdaf5de3f81996e9f992e90751a5edee2202d

          SHA512

          735c07a2eedf85891f25b65558a197425a4a57bb4aae10199a092b59022c082569bdb4252f6cf37206cd925e14acf9f647d596a4b3fa522db975e6ea8d68d2d8

        • C:\Windows\SysWOW64\Cmedlk32.exe

          Filesize

          608KB

          MD5

          1f1a61d751af94c04c09bf80eb3867fa

          SHA1

          cc0fda71c81296ba4cc94fb844c90a43ad3c9cd5

          SHA256

          61969b663303e2140101e337fa2a8e02dfe6a4c4e3da60dd3321869d43a109fa

          SHA512

          c8503f9ad484fb6c020c3f3e5ca095925c2d13a4e8c04c7d75859f3a0e2ef2564d113814e363664e6f4c06134b2aa0acabf695a59ba6e8a21fb4da11c2edca5d

        • C:\Windows\SysWOW64\Cnimiblo.exe

          Filesize

          608KB

          MD5

          e15248b02118509d96a4903a272107e1

          SHA1

          bfb2b62a49808389aef889d1fac12a891737f5b5

          SHA256

          312823c76128976a31efab76f742b18f4305ee40244877ba968cf3390157761e

          SHA512

          095a919813841388ff688b8e11351c3bc5a004e0d721ab53be53c9db8490a90a283bf323ca30771ea246988e6486f998a52bc15b96fbb55af18988751553b34e

        • C:\Windows\SysWOW64\Dmbcen32.exe

          Filesize

          608KB

          MD5

          34dce908940c06cff062fdc95b584fb3

          SHA1

          b5d5c87e18d099e17767f503be889582498baeaa

          SHA256

          0098129d98572077f4b437ef74071a96623c126c7aad7ef6e2003a134bb2a783

          SHA512

          1bf167b11e43f06baa56054e08dd79b6197e9fab6893490b5d6cddb1f34e36fe23078e5d86957b8215b6c0ff4014ce6f382846654e2b0f4ab2070667d5422a15

        • C:\Windows\SysWOW64\Dpapaj32.exe

          Filesize

          608KB

          MD5

          16e0912b51ea7adfde3e40df63d827bb

          SHA1

          e60a1f58f0ea4956baa990afaac250603abfbc2c

          SHA256

          147a88c83646a2a5dbadbc620675b49eb7e884510634ce762389739e6948958f

          SHA512

          49a0a524ad2f721e35370cecf3bb9711667117455cc3f11d14f5ba64d0f95b9a3984418900699d12d40d4a29214cc85bfc6565786f239f52d2569b508c14312b

        • C:\Windows\SysWOW64\Kjkfeo32.dll

          Filesize

          7KB

          MD5

          d35df5bf85623ec120a1bb6d2f890c55

          SHA1

          8608bb6e3f8101e8a69b50fe8ab7995fcc4c4dc0

          SHA256

          3f1266ddabeeb241871b817849d623b638ba1073f99eaa59805e6d8c4e8ced59

          SHA512

          5c82a5a62b0a8d784c25860331a09c051e979080dfbab839f7405dcbf0ab7fa134f3776ae3598bdb0aa8937bf2febb5419099790b3b4075bd525b17f9d0d1b3b

        • C:\Windows\SysWOW64\Mbcoio32.exe

          Filesize

          608KB

          MD5

          28a65af0249dbe559dc02c4e733fd4d8

          SHA1

          543b125aa3b7cb3bcdcccd9cb4545a398655fca4

          SHA256

          2ec7b3b77d5b9f8d7ddbc4a13fa6378d07d8902420ac17d88a1a2939608764ee

          SHA512

          7c1ecb3631d3b18ccdb4f20bc30dbfe9a2658afac95054db2c8a31f32c444074af3046fbc41cb22d1dbd40ec2f5fa8a71cfe683b6ac2c59657d75a4f9359e177

        • C:\Windows\SysWOW64\Mgedmb32.exe

          Filesize

          608KB

          MD5

          8131356f19f134d37dfe4f3620eb2fb4

          SHA1

          454a2ec2a208d21dd959d0abc52ae5d80aeedb66

          SHA256

          2aa38a4d46c7fb40fcfe3679e69276da1c4ab2ce6c3477cbea5b420380db6eeb

          SHA512

          189aa1bcdc92c4cce90997ad17ac5332b797fd73b2b95a8f2e9acd1cc57f9fadd895f8b800b9f20eba80ca8b3d9d685304ba44afa84330474196b77087abdccb

        • C:\Windows\SysWOW64\Ncnngfna.exe

          Filesize

          608KB

          MD5

          8aaa78d52dd6f1ade93c153a169b4e37

          SHA1

          39a1a85901c1b4fdaf038b70c6fbed3bca77d6c8

          SHA256

          032aa641c09551d1aa217686a67ec870a7332f7a164a15f9b2cb61815b568255

          SHA512

          8e96c04b1f517c54800a1654ff3545cfc4d5b512e3f8388c5ce614c58058a09a803b875047cdc6189d0c0c3c29c285046e0358e848c2d191e1cedb832c4244b0

        • C:\Windows\SysWOW64\Nefdpjkl.exe

          Filesize

          608KB

          MD5

          a16bb286e5ad72e9db6e6af48d90708a

          SHA1

          7bcffc31d4e18c45874996f87486823dd40fdf19

          SHA256

          04f7d5bea8f2814f825b27df8c630591b31f38c1fc3ef03880ab863b22b511b6

          SHA512

          e61fa55b04789259c27c22521ea40da7db88a02bd4306c484813d0aac12a189284da5f6f5cde53896189c1768f2ebfbb7abc93ad6a09421c70950c1f86a3a410

        • C:\Windows\SysWOW64\Obmnna32.exe

          Filesize

          608KB

          MD5

          410635dac0bd15b7d3cf9e4e0f6ea098

          SHA1

          7c7e62df655ae5879273504335bb4f5501978987

          SHA256

          240455b7d34069bf1f8c97343a8e84d477fbe21dd0f0a17a6608e936aa7173d0

          SHA512

          80787fed7006ec94ccea00ef683d0e9707d245c252e1a51af408900ef4016fe1ef0605724a9c3dae8c0e73656e31e13667f53fd2ea797b635a2c491ae61e1e63

        • C:\Windows\SysWOW64\Opglafab.exe

          Filesize

          608KB

          MD5

          4a6249603e593571b33cc04963722e06

          SHA1

          449a912fa9cb96df440ed8258226a4b2ea8c0173

          SHA256

          3971c0478c1e297fa03c64d8fd2cf607db401516d5415f3ef77fa5e9e0861827

          SHA512

          b6f5b7a4e5016bb4291e1b7a1c924379cff542dd41eaa74276ee388e438285ccf6e8bf7d7f5b792b115a964f982128df2f4e9e64d28b203fa59fc5e3ed003388

        • C:\Windows\SysWOW64\Paknelgk.exe

          Filesize

          608KB

          MD5

          9e1a8cfa4e633ef7c3bc0299e376b001

          SHA1

          690d80e052f6b91b897261e1bf499065672167a5

          SHA256

          e98892960ff419f25c7bebca4cd8984d4a29fae9eec8f23a325c9fed032aa568

          SHA512

          34a04a7ddfb1fe16d1ed7074c32502520d67d735fe103f5535512ea199c8217243c39282136cdc997672f5f7f51a3a546137c7ba56f6879d36f29d70669b2c3c

        • C:\Windows\SysWOW64\Phcilf32.exe

          Filesize

          608KB

          MD5

          79bfa43a343a58016fb34b1a4f5a1b27

          SHA1

          e9e13547daacdbdf471c5091cfa60b5365c0e19a

          SHA256

          83729d7a0819eea767c48f6ad404917b75ba415245cb45ff76f3b9f115c32e06

          SHA512

          fe10554746c22215ee6c4b19d79dce5a9f8dc107a95fca811aeda7ba6515486052c93ed4c69090bb068a7848d5bee88838ff8bbbda4dd351c6008bb27a95de19

        • C:\Windows\SysWOW64\Pkcbnanl.exe

          Filesize

          608KB

          MD5

          8fd5818972e2b6aa9132b90931411a14

          SHA1

          17961e291d2a21de6793392c971b1c5e701febb4

          SHA256

          6b7576069af400056625704be9efe854a762b4d5ce416bebb0d8399b63f7ae22

          SHA512

          652dd463f4efdcbf376596d369552cd56b0dc4713508bcaa27c04cba82aa6e937262cfbe14072c541a8ad33a7f230ef3f83e95acf1a6f7208c4df68ff0b4e854

        • C:\Windows\SysWOW64\Pnbojmmp.exe

          Filesize

          608KB

          MD5

          829b76689f7100cab8592b9e8171f9f6

          SHA1

          d31d692517aecf86728a6509c66018b922d1dcbc

          SHA256

          757d8104f6a3f28db633760092878eb63aec1e362c3bcdf35a89afec418bd0bb

          SHA512

          3a4c59cd41d5f2c9807dd58cdf8632d9464223f842cdfc54101d5980d38be862e3f0071b0eea0e7c9d8fb9a674330573ba9e899ba1e08581d287261abcf4548d

        • C:\Windows\SysWOW64\Qdncmgbj.exe

          Filesize

          608KB

          MD5

          cb4074950483522063c083481fb35c52

          SHA1

          70f17c55feb609f953b39f26d0537c74d3572c7e

          SHA256

          f2b069491e58278ed4a833021c5925f46c7b8f576845d41ebacd5525ff04a630

          SHA512

          b6bf42a6cc9ad67b662540bf03014298f2cea15390feedad3e46fcfc2a7fee37833984e43b6459351b4527d18901a61556fd2503f55965d3992bf88d53fcc3a2

        • C:\Windows\SysWOW64\Qjklenpa.exe

          Filesize

          608KB

          MD5

          9d7542f3c06c1b43e3e14c1beccd8bdb

          SHA1

          e7e90fd8d4354834e1ae0707e43bb72c3b46f2e6

          SHA256

          f42d6ceb959d95f5a0d6d4630028ab12fe00285562ad943421c459e651278fdb

          SHA512

          03bdaeab2156cace07c34ec3b1b7265f8dd768b5da71ee8e442bc96f17ca429016d60f81acea660c4a253603d9a492f20d41653d07c6bdf60b278e9349d07d44

        • C:\Windows\SysWOW64\Qkfocaki.exe

          Filesize

          608KB

          MD5

          e28b52cd88c0d778cc58e4e9c11739f5

          SHA1

          38ca58171eb4de11de58aa487e283df322278545

          SHA256

          eec81eac5df19dfa174fcc61ea95799039ced0653bc3668fb561cdfc3159ee30

          SHA512

          95b53de7332a34f9097e0a8edfd39900168fb3191179ece9821b9de2afd1ffdb43edd2176c4023010c0eb63b804688451fc8c147ad09e947bd4a385b3f90f58f

        • C:\Windows\SysWOW64\Qndkpmkm.exe

          Filesize

          608KB

          MD5

          ec09d5f23b4fdbad20e0814ee1661af2

          SHA1

          61c029188ac6a3285fae625f12d7f720c4dbb4e9

          SHA256

          0b6c456063fe5ebf5ddf1743f2ae706d07396b1ff1ab1d30560e582e6e99b7bd

          SHA512

          f79e0e3d6f220d6a252ede6961be1db328579afecd6dfe6fdae180feb9666c70c1bb648c58ee7cf035d829198fab52c08340d51ffc0231b2f71c33aff73cb7a0

        • \Windows\SysWOW64\Lcofio32.exe

          Filesize

          608KB

          MD5

          b8219f98f29a812018bf18ec80cdd2b7

          SHA1

          3eb19a4317626f7dcef75fa3a3f075a2b160ab80

          SHA256

          5a7762a351d404d076705136d4d1733a3ed5077a3f56db26ba2b22d14baf4f91

          SHA512

          75911fb1dceb198bd3d8a1215060fdf6fc2c993d1aa5d68d878630261e03ca29988e5a2366d7f5e5225860dcf6275756842c6765bec50e8f3cd212b7c442d071

        • \Windows\SysWOW64\Lfmbek32.exe

          Filesize

          608KB

          MD5

          8d7202d9ea4d9a71b9b9138f60fdd7d4

          SHA1

          d614a860656c26983a2492c478d794d0dbf6083e

          SHA256

          681ac23945e30b511785fff882b299d6d8b70c3559256195c62b1658b546499e

          SHA512

          745cfb7d1ea736b6052d04330c13dce7bafeffb92aa8dc3ad6159f01e922b24fd1403adf9fc5f89f5e714f61ba1b3d515d5bae540b93292ea45dfce68a9a930a

        • \Windows\SysWOW64\Loefnpnn.exe

          Filesize

          608KB

          MD5

          bac153bd503ba32f8d1d3c324f3fe450

          SHA1

          6db949a250d0110dbdd7b9d57f69036979a530a7

          SHA256

          183c47e31d5b18d1c2d3d4c47b4bdc2a9b334cc75837346d5934a6bcb04b1f83

          SHA512

          f27bf0260dbb6b85863d624a495d96f54f8fb653c6c94f1810982e643a84d88efebbcede8f8f0e5155585bc90ac74d65f6bfedba33d7c4974f0eda99f150f529

        • \Windows\SysWOW64\Mcnbhb32.exe

          Filesize

          608KB

          MD5

          b54e77323e545bca0695fa4b36abea5b

          SHA1

          a54f58cd2b7ca7aa2b6f28028ee3463411c15e31

          SHA256

          f27518a8d19d8ac47e21841c84b588384e27af8dab80b7ca00bcb94315861692

          SHA512

          733fe625c1c27f75be3df060f30a0e626e22492b8ebb763471e4b35ab587995dbe7afa9e77406551bbf369ec984024696f72614de1b24b24d05fc7d951ebc64b

        • \Windows\SysWOW64\Nedhjj32.exe

          Filesize

          608KB

          MD5

          b55a25e0732494dcfba199eeb567a7f4

          SHA1

          9f1208329b0848c9289597f11158c8f13d935b08

          SHA256

          31b0f735250d34fbd274b9e9b6a26ccc7f95001593e57efbd38cf7f2415d5032

          SHA512

          d53db36de34d344a3bd0b557e19513ace56ab41af4038cc797966aee86cabd772e61f96350b047c67da084f8e964362b32fb3f2ca4a05e32993b3c9718966199

        • \Windows\SysWOW64\Nhgnaehm.exe

          Filesize

          608KB

          MD5

          9d9f07e2ae79f6af7e32cd43ccb34721

          SHA1

          ba6b64849d21811942ba9d63ab7af9ab0efdad35

          SHA256

          e3f84ba79706ab3768cd97903a353283b5a8377de83a46d5182110d8146ca615

          SHA512

          bff389e97eb1f7cf7b1fea77a6088bf8ac55dc3d562cdb0271b9cd8e6cfbbe23ff4b8e01b5f59b5a49d17197f012b772964737cb6f76bc55b2ccbe3611865875

        • \Windows\SysWOW64\Oeindm32.exe

          Filesize

          608KB

          MD5

          cabbedfd2aacaf668a76c049eb7785e1

          SHA1

          626c8ec1c44bd262205fa9c81a7a669820ad497b

          SHA256

          d30ad4cf366b3dd4288a71669a1540077cdddae15a93860569d0942ab424167f

          SHA512

          9bdca921de29462beb67e9f4afb4e6da514d3cb63394917b29446e131fbd84d370c8065b2223af093132e05fdd407ccd242d61fba1e2f609c81fc0a60ae4025a

        • \Windows\SysWOW64\Onfoin32.exe

          Filesize

          608KB

          MD5

          36968992311943dca3aaf92460602258

          SHA1

          6cd275db90cf932414567ba190920c1aa8c83c1d

          SHA256

          3c4f01e849c2a733f542732ea9a1379de5903a87bafab22c2fddfa153c8b90ec

          SHA512

          9a312700eb5624b060b76b01eafbafb7160a385d2524292548b725fe179e3a05a0b6d41fbca29252e1ba52b6e0a42c5c8168de6ca6b436c4fdb4eef20486c0f2

        • \Windows\SysWOW64\Pbagipfi.exe

          Filesize

          608KB

          MD5

          10255faf630476bad330cc92d212ec5d

          SHA1

          3f56a1a37b9f542c5a0cbee1dfa9412c9e275b08

          SHA256

          a429a7d5039f5508fa8234b299069ed0c53e9f21114f3a714df4d722706e69d6

          SHA512

          5fa72785d6d117286f5970eb1bf81e5d99c8a783cb84d71a397ad2ebc0e37368750233333a20f35aba48e11bd633d560b2589c833d17b0a4c868fec3971ae68d

        • \Windows\SysWOW64\Phnpagdp.exe

          Filesize

          608KB

          MD5

          bf9f4678d81592fb6567ff339084ff35

          SHA1

          a878463c5166f6c12876542b103c110076c1733b

          SHA256

          2fe1f65abcb2be973fded036fe091fe1207def3af66da76764c0441188d99974

          SHA512

          32995c5fa87521486a35be297558ebbe01f6667507eea7659a55ac8abd3e300c93ae32e91dd88993148751d4ad477c813d698cc0f97f21279091b042d58b38df

        • memory/108-429-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/108-438-0x00000000002D0000-0x0000000000304000-memory.dmp

          Filesize

          208KB

        • memory/344-229-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/376-206-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/376-505-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/468-190-0x00000000002A0000-0x00000000002D4000-memory.dmp

          Filesize

          208KB

        • memory/468-183-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/496-510-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/536-127-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/536-439-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/556-509-0x0000000000260000-0x0000000000294000-memory.dmp

          Filesize

          208KB

        • memory/556-504-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/568-238-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/568-244-0x0000000000440000-0x0000000000474000-memory.dmp

          Filesize

          208KB

        • memory/616-449-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/796-308-0x0000000000330000-0x0000000000364000-memory.dmp

          Filesize

          208KB

        • memory/796-298-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/796-304-0x0000000000330000-0x0000000000364000-memory.dmp

          Filesize

          208KB

        • memory/884-297-0x0000000000250000-0x0000000000284000-memory.dmp

          Filesize

          208KB

        • memory/884-291-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/884-296-0x0000000000250000-0x0000000000284000-memory.dmp

          Filesize

          208KB

        • memory/1132-493-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/1132-192-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/1132-498-0x0000000000260000-0x0000000000294000-memory.dmp

          Filesize

          208KB

        • memory/1332-341-0x00000000002D0000-0x0000000000304000-memory.dmp

          Filesize

          208KB

        • memory/1332-331-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/1528-479-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/1684-445-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/1688-136-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/1688-149-0x00000000002F0000-0x0000000000324000-memory.dmp

          Filesize

          208KB

        • memory/1688-148-0x00000000002F0000-0x0000000000324000-memory.dmp

          Filesize

          208KB

        • memory/1688-458-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/1716-156-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/1720-116-0x0000000000440000-0x0000000000474000-memory.dmp

          Filesize

          208KB

        • memory/1720-109-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/1720-428-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/1812-399-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/1924-286-0x0000000000290000-0x00000000002C4000-memory.dmp

          Filesize

          208KB

        • memory/1924-277-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2088-258-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2088-264-0x00000000002D0000-0x0000000000304000-memory.dmp

          Filesize

          208KB

        • memory/2164-318-0x0000000000250000-0x0000000000284000-memory.dmp

          Filesize

          208KB

        • memory/2164-319-0x0000000000250000-0x0000000000284000-memory.dmp

          Filesize

          208KB

        • memory/2164-309-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2196-390-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2196-395-0x00000000002E0000-0x0000000000314000-memory.dmp

          Filesize

          208KB

        • memory/2196-69-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2196-81-0x00000000002E0000-0x0000000000314000-memory.dmp

          Filesize

          208KB

        • memory/2376-0-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2376-12-0x0000000000440000-0x0000000000474000-memory.dmp

          Filesize

          208KB

        • memory/2376-13-0x0000000000440000-0x0000000000474000-memory.dmp

          Filesize

          208KB

        • memory/2376-340-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2412-416-0x0000000000300000-0x0000000000334000-memory.dmp

          Filesize

          208KB

        • memory/2412-406-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2444-385-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2472-427-0x0000000000300000-0x0000000000334000-memory.dmp

          Filesize

          208KB

        • memory/2472-426-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2500-83-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2500-405-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2500-415-0x0000000000250000-0x0000000000284000-memory.dmp

          Filesize

          208KB

        • memory/2500-90-0x0000000000250000-0x0000000000284000-memory.dmp

          Filesize

          208KB

        • memory/2520-14-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2520-343-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2528-276-0x00000000002F0000-0x0000000000324000-memory.dmp

          Filesize

          208KB

        • memory/2540-218-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2540-225-0x0000000000250000-0x0000000000284000-memory.dmp

          Filesize

          208KB

        • memory/2540-515-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2564-469-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2596-384-0x0000000000250000-0x0000000000284000-memory.dmp

          Filesize

          208KB

        • memory/2596-374-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2632-364-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2632-373-0x0000000000260000-0x0000000000294000-memory.dmp

          Filesize

          208KB

        • memory/2740-352-0x00000000002D0000-0x0000000000304000-memory.dmp

          Filesize

          208KB

        • memory/2740-342-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2776-171-0x00000000002D0000-0x0000000000304000-memory.dmp

          Filesize

          208KB

        • memory/2776-474-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2776-164-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2828-46-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2888-354-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2888-363-0x0000000000290000-0x00000000002C4000-memory.dmp

          Filesize

          208KB

        • memory/2892-62-0x0000000000260000-0x0000000000294000-memory.dmp

          Filesize

          208KB

        • memory/2892-383-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2892-65-0x0000000000260000-0x0000000000294000-memory.dmp

          Filesize

          208KB

        • memory/2892-54-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2908-463-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2908-468-0x0000000000280000-0x00000000002B4000-memory.dmp

          Filesize

          208KB

        • memory/2964-27-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2964-353-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2964-34-0x0000000000280000-0x00000000002B4000-memory.dmp

          Filesize

          208KB

        • memory/2968-330-0x0000000000290000-0x00000000002C4000-memory.dmp

          Filesize

          208KB

        • memory/2968-320-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2968-329-0x0000000000290000-0x00000000002C4000-memory.dmp

          Filesize

          208KB

        • memory/3004-248-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/3004-257-0x00000000002E0000-0x0000000000314000-memory.dmp

          Filesize

          208KB

        • memory/3008-488-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/3048-417-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB
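The two listings above are raw data: every dropped executable is exactly 608KB yet carries a different MD5/SHA1/SHA256, the names all share one eight-character shape, and several PIDs show a second 208KB region beside the image mapped at 0x400000. As an added example that is not part of this report and not the sandbox's own tooling, the following script turns the page's bullet/key/value layout into records and runs those three checks over a constructed excerpt copied from the listing. `NAME_RE` is a pattern read off the file names on this page, not a documented family signature, and `secondary_image_copies` only flags regions that match the image size; whether such a region really holds a copy of the image has to be confirmed by comparing the dumps.

```python
import re
from collections import defaultdict

# Constructed excerpt: two "dropped file" and four "memory" entries copied
# from this page's listing, in the bullet layout the report page uses.
REPORT_EXCERPT = r"""
• C:\Windows\SysWOW64\Dpapaj32.exe
  Filesize
  608KB
  MD5
  16e0912b51ea7adfde3e40df63d827bb
  SHA1
  e60a1f58f0ea4956baa990afaac250603abfbc2c
  SHA256
  147a88c83646a2a5dbadbc620675b49eb7e884510634ce762389739e6948958f
  SHA512
  49a0a524ad2f721e35370cecf3bb9711667117455cc3f11d14f5ba64d0f95b9a3984418900699d12d40d4a29214cc85bfc6565786f239f52d2569b508c14312b
• C:\Windows\SysWOW64\Ncnngfna.exe
  Filesize
  608KB
  MD5
  8aaa78d52dd6f1ade93c153a169b4e37
  SHA1
  39a1a85901c1b4fdaf038b70c6fbed3bca77d6c8
  SHA256
  032aa641c09551d1aa217686a67ec870a7332f7a164a15f9b2cb61815b568255
  SHA512
  8e96c04b1f517c54800a1654ff3545cfc4d5b512e3f8388c5ce614c58058a09a803b875047cdc6189d0c0c3c29c285046e0358e848c2d191e1cedb832c4244b0
• memory/108-429-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize
  208KB
• memory/108-438-0x00000000002D0000-0x0000000000304000-memory.dmp
  Filesize
  208KB
• memory/2376-0-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize
  208KB
• memory/2376-12-0x0000000000440000-0x0000000000474000-memory.dmp
  Filesize
  208KB
"""

MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Name shape shared by every dropped binary on this page (Dpapaj32.exe,
# Ncnngfna.exe, Kjkfeo32.dll ...): one capital, then seven lowercase letters
# or five lowercase letters plus "32". Derived from the listing, not a
# documented family signature; treat it as a weak hunting heuristic.
NAME_RE = re.compile(r"^[A-Z](?:[a-z]{7}|[a-z]{5}32)\.(?:exe|dll)$")


def parse_report(text):
    """Turn the page's bullet/key/value layout into file and memory records."""
    files, regions, entry, key = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            name, key = line[1:].strip(), None
            m = MEM_RE.match(name)
            if m:
                entry = {"pid": int(m[1]), "start": int(m[2], 16), "end": int(m[3], 16)}
                regions.append(entry)
            else:
                entry = {"path": name, "name": name.rsplit("\\", 1)[-1]}
                files.append(entry)
        elif key is None:
            key = line.lower()           # "Filesize", "MD5", "SHA256", ...
        else:
            entry[key] = int(line[:-2]) if key == "filesize" else line  # "608KB" -> 608
            key = None
    return files, regions


def same_size_distinct_hashes(files, ext=".exe"):
    """Dropped files that share one size yet all differ by SHA256: the shape
    of a sample that rewrites each copy of itself, so hash IOCs never match."""
    by_size = defaultdict(list)
    for f in files:
        if f["name"].lower().endswith(ext):
            by_size[f["filesize"]].append(f)
    hits = []
    for group in by_size.values():
        if len(group) > 1 and len({f["sha256"] for f in group}) == len(group):
            hits += [f["path"] for f in group]
    return hits


def suspicious_names(files):
    return [f["name"] for f in files if NAME_RE.match(f["name"])]


def secondary_image_copies(regions, image_base=0x400000):
    """Per PID, start addresses of regions exactly as large as the mapped image
    (0x34000 bytes here) but at another base. Consistent with the process
    holding a second copy of its own image; confirm by diffing the dumps."""
    by_pid = defaultdict(list)
    for r in regions:
        by_pid[r["pid"]].append(r)
    found = {}
    for pid, regs in by_pid.items():
        image = next((r for r in regs if r["start"] == image_base), None)
        if image is None:
            continue
        size = image["end"] - image["start"]
        extra = sorted({r["start"] for r in regs
                        if r["start"] != image_base and r["end"] - r["start"] == size})
        if extra:
            found[pid] = extra
    return found
```

Run against the full listing, `same_size_distinct_hashes` returns every 608KB executable, which is why per-file hashes from this report are poor blocking IOCs and the drop location plus name shape (`NAME_RE`) is the more durable hunt; `secondary_image_copies` narrows the 0x34000-byte regions to the PIDs worth pulling dumps for.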