Analysis

  • max time kernel
    93s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2024 19:28

General

  • Target

    09609a208b4f2b208d9cd3b86c9209e11b6ac836309f857c3e5d672ddd2a8772.exe

  • Size

    96KB

  • MD5

    7715d63e9f2dfe8926f48d81bd019fdc

  • SHA1

    a227fa00fd700cd76f6d137d182ea271b5ae10e5

  • SHA256

    09609a208b4f2b208d9cd3b86c9209e11b6ac836309f857c3e5d672ddd2a8772

  • SHA512

    3ba20bf1f64be8f9add3f879971e5ad8521a486ff9c2395fa03c5616e6affae49eeb165864eaf02e77037b4c6767359b83a33390c38f2d570e25ce73e6bd377d

  • SSDEEP

    1536:/XEq82JQ8zdLj6APuHX9HzT7Qd9OyPFC/DQ6d+//BOmwCMy0QiLiizHNQNdq:/t8EV6AP+XBTQtPF8u5OmwCMyELiAHOi

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 50 IoCs)
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE (25 IoCs)
  • Drops file in System32 directory (64 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 26 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\09609a208b4f2b208d9cd3b86c9209e11b6ac836309f857c3e5d672ddd2a8772.exe
    "C:\Users\Admin\AppData\Local\Temp\09609a208b4f2b208d9cd3b86c9209e11b6ac836309f857c3e5d672ddd2a8772.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\SysWOW64\Cjinkg32.exe
      C:\Windows\system32\Cjinkg32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3832
      • C:\Windows\SysWOW64\Cenahpha.exe
        C:\Windows\system32\Cenahpha.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1180
        • C:\Windows\SysWOW64\Chmndlge.exe
          C:\Windows\system32\Chmndlge.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2228
          • C:\Windows\SysWOW64\Cmiflbel.exe
            C:\Windows\system32\Cmiflbel.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1264
            • C:\Windows\SysWOW64\Cdcoim32.exe
              C:\Windows\system32\Cdcoim32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2324
              • C:\Windows\SysWOW64\Cfbkeh32.exe
                C:\Windows\system32\Cfbkeh32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4688
                • C:\Windows\SysWOW64\Cagobalc.exe
                  C:\Windows\system32\Cagobalc.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:4008
                  • C:\Windows\SysWOW64\Cdfkolkf.exe
                    C:\Windows\system32\Cdfkolkf.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:3124
                    • C:\Windows\SysWOW64\Cjpckf32.exe
                      C:\Windows\system32\Cjpckf32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:1548
                      • C:\Windows\SysWOW64\Cmnpgb32.exe
                        C:\Windows\system32\Cmnpgb32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:3076
                        • C:\Windows\SysWOW64\Ceehho32.exe
                          C:\Windows\system32\Ceehho32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:4548
                          • C:\Windows\SysWOW64\Cffdpghg.exe
                            C:\Windows\system32\Cffdpghg.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:4976
                            • C:\Windows\SysWOW64\Calhnpgn.exe
                              C:\Windows\system32\Calhnpgn.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:4144
                              • C:\Windows\SysWOW64\Dhfajjoj.exe
                                C:\Windows\system32\Dhfajjoj.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:4012
                                • C:\Windows\SysWOW64\Danecp32.exe
                                  C:\Windows\system32\Danecp32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:2260
                                  • C:\Windows\SysWOW64\Djgjlelk.exe
                                    C:\Windows\system32\Djgjlelk.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:1544
                                    • C:\Windows\SysWOW64\Delnin32.exe
                                      C:\Windows\system32\Delnin32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:2232
                                      • C:\Windows\SysWOW64\Dfnjafap.exe
                                        C:\Windows\system32\Dfnjafap.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:4036
                                        • C:\Windows\SysWOW64\Daconoae.exe
                                          C:\Windows\system32\Daconoae.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:1004
                                          • C:\Windows\SysWOW64\Dhmgki32.exe
                                            C:\Windows\system32\Dhmgki32.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:2396
                                            • C:\Windows\SysWOW64\Dkkcge32.exe
                                              C:\Windows\system32\Dkkcge32.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:2368
                                              • C:\Windows\SysWOW64\Daekdooc.exe
                                                C:\Windows\system32\Daekdooc.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry class
                                                PID:1000
                                                • C:\Windows\SysWOW64\Dddhpjof.exe
                                                  C:\Windows\system32\Dddhpjof.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  PID:4632
                                                  • C:\Windows\SysWOW64\Dknpmdfc.exe
                                                    C:\Windows\system32\Dknpmdfc.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:4580
                                                    • C:\Windows\SysWOW64\Dmllipeg.exe
                                                      C:\Windows\system32\Dmllipeg.exe
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      PID:4516
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 408
                                                        27⤵
                                                        • Program crash
                                                        PID:4068
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4516 -ip 4516
    1⤵
      PID:5068

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Cagobalc.exe
    Filesize: 96KB
    MD5: acc9817011b59594dd98db4b93d203d2
    SHA1: c489ac21cabf2adf4d0af13c59b6f80b15bfd87a
    SHA256: 4b8cfcde4b01b111ec743f7003000d315fcc2035136436b2d61d22a5c07d5a8a
    SHA512: f4516426cdf92b23703277eb6de90e5924f9c28365d0d1757fe7b2c176a6807475f50025db0f047546334092374618f776c495a8444d7cc1d4de1a14f7d5a1aa

  • C:\Windows\SysWOW64\Calhnpgn.exe
    Filesize: 96KB
    MD5: fc16ba432e8e586e484ac6fa73ca2a20
    SHA1: 91ac86dae300d095b203c1446b0dccc775dbb9e9
    SHA256: bafb1805d8b7bbf0182276f8743860c7450fc0b4272f693d6631d5eb44f7e3cd
    SHA512: 12457f4add308413dc1423c2412f4c9ccab855627694f826ba9289b9bdd0228cacf191494bd3a3f90527cfc46725781cfd1c1d3f3522e55b3e85f937407f3685

  • C:\Windows\SysWOW64\Cdcoim32.exe
    Filesize: 96KB
    MD5: 80f21db2012400e398233a05862f1adb
    SHA1: 92e89a2575b4c8d0fb89fdc4d6c554217e1e03ec
    SHA256: 6c10431c7758428571b3a45719747eb6561a7d3b2d67ffcfc23e192fe05facf0
    SHA512: 96b8445ae78e26071f1310e26008d5480c0ddd5341e326462f6b66afe21f5e70fbd19dfafc578c37a822a20d41a0102a1e0e883cc4f3738de736e6cfb9ed171c

  • C:\Windows\SysWOW64\Cdfkolkf.exe
    Filesize: 96KB
    MD5: 463a3da432239701995405bd62666bf2
    SHA1: 06b21fa010c6dc20897a61f8e43b3e0cda5ff465
    SHA256: 60c08bc5a6032c1ba958275f5e7a11a5e2b698f5a7ce072ff7bda162c564d2a2
    SHA512: 3e4bd6c3a0ef174c31c44dff57bf3708c23f3bcc41926e4f5b7e77f79c19f284c31500c21f4c8a8a5a99ed1f59d6663f90bfd1c8534ccd0319203822b5c8d613

  • C:\Windows\SysWOW64\Ceehho32.exe
    Filesize: 96KB
    MD5: 011ea5f3eed3eddae60e55d0980b21fb
    SHA1: 6e284c5c7fb373dc085d836629009ddec01cb008
    SHA256: d444b1afb23a7a3041ba0cfb039931d1247c59e94d678f4c7737f023a5bb6ec9
    SHA512: 908af9933f67affe36c1fc946f838ecc66cb5ebb93987ed461a1cf243e6337397a309ab0997432c833043ef8f17ed66146c32fcf6bc5cfac6b1ef3939ecbfe40

  • C:\Windows\SysWOW64\Cenahpha.exe
    Filesize: 96KB
    MD5: 985fe0579cfa8843864ccad6bc54b45e
    SHA1: 4d3ba36f7bf590c08b6a4025d17e99bc7e9b8647
    SHA256: fd48227dccd907b7842609c7bc69c4824e46a6a19bf7636cf8dbd92166dd29f4
    SHA512: 65f299a8228552d6b5335962e5388d0674d1c2164cf42d23a5bb6352b03787aba3fe41da5d44b991d9baa72e7359c71ab382474a01939ad3ad18a9f30b6dc38f

  • C:\Windows\SysWOW64\Cfbkeh32.exe
    Filesize: 96KB
    MD5: 49bf3c3b47524f834f6a97dce382b608
    SHA1: 0f4820a2f4f94f3ed04a7fc0e94b0c4bb3b802ea
    SHA256: f9201961cef73cd66d784ca09d633822f51787d06500421ad8310a702d75324e
    SHA512: 7572c118cba81acc59ea5688b363e399d3035110466134128b733f47c492f608cb4823c46aaceacf67d6d3620d8dfa23e75c85b8a9f8329fbaeb5d968ecaf9b8

  • C:\Windows\SysWOW64\Cffdpghg.exe
    Filesize: 96KB
    MD5: 2cfbe3565f4557f4283c5ce2e6e6b10a
    SHA1: 73772cefd6fd753684794795643186127841d7fb
    SHA256: 35f6209c37e54f33d0a0cb4716985a259e09e2c793f42501d63ea7719715da3d
    SHA512: 103be7d0a1faad1554da7dc71065f592bf83c515c3a73d6dd9cffb30e9160efe076dcde968160e7a38fcf67aae92f70e9b7f64ed4b79c221782ffe979489866d

  • C:\Windows\SysWOW64\Chmndlge.exe
    Filesize: 96KB
    MD5: eb0833a6c8fc9db9e289e27b6eec8f72
    SHA1: a76a4e8c5967988f96a5f06dc4cdc6baf5707426
    SHA256: 57cfc8b310ad3fa5d7f39205363426ccbf2ec014af7799fe3ca20bbcbadb1b02
    SHA512: ffbf27e662bf5f78a021c960d8085b68b6ae3f1adddeca08ef5ea5c28228e2fb27324b28595c9e52d278156eedddc7d5a48f3c962e93990f62a67645666e8bba

  • C:\Windows\SysWOW64\Cjinkg32.exe
    Filesize: 96KB
    MD5: 980935bfcdd05233f87259ac3f5857b0
    SHA1: 5a8078d9ae5075d7611d71617283fb4a871e0cab
    SHA256: ff64c2d37fa62706b29128114676fb5e5dcb4943758e522c250b2ae8fc7f62f5
    SHA512: d7ca62a44af705df8596704691a955db56a451f4b6d61c3ed140ea627328b537c776770ee8e4d5d71a0dada93b7b5c6d975f1fe965b9897428da6630f6398b0b

  • C:\Windows\SysWOW64\Cjpckf32.exe
    Filesize: 96KB
    MD5: 13ab8a805ff13da33e433fe6cbf9387d
    SHA1: c13e0d8af64bd55ff361d145c0de4079e00c86f9
    SHA256: 589a47530a84387753f0c447cbb7b3cb0075314980214f945957a993e73ea542
    SHA512: 1c07d6a7e9c08a413b968a2604e9c80f7088cc0c9b66e9c8eba0e99030f817a8472f20b4e7eda9832722c8d1a56cfcf59538f4912d301bb162c50ca9193b9452

  • C:\Windows\SysWOW64\Cmiflbel.exe
    Filesize: 96KB
    MD5: 14c6ac79c0a01e1016af4971c7eb9104
    SHA1: 2c324769ac130ac979f5a34f80c91a935f79c62a
    SHA256: b9ecf75430f226e564629a7d3bb4c96861b62fb8211a6e57752f1b949d031d8e
    SHA512: 78d0177ac397a588154ff11653b22353b983acf3c95621f345af054d309bf93add686b2b898b6fa85523d0ee70c5a0ab39000ef4670f16e2cd6e2f04ef39d6d2

  • C:\Windows\SysWOW64\Cmnpgb32.exe
    Filesize: 96KB
    MD5: 85d109ed25ed6235c4ac5ffa213df4e6
    SHA1: b3d59d0d5e09362c835a1b47a241c4d228cf8d05
    SHA256: a5c41caf433d07355cdcfe56a5c9f2a9c6f6bc7d2b71df0196aae6654bcb5ab1
    SHA512: b094b9ca516898634079f0be2af461b8a1ec7e1d6b48859a22a37dcc5890072a08485712bbce44da49d0c0610b6d9d1a6ec012bdd81a731a326e6d36d54ffdc4

  • C:\Windows\SysWOW64\Daconoae.exe
    Filesize: 96KB
    MD5: 302771000152c87fb693a433a844b1f8
    SHA1: 35f4011a9120c4c328cfba711743366841e51c46
    SHA256: 1af288102e225a0a372d8960a8f49093309dd54da82437c45349d29f1f44f0ea
    SHA512: 4d424f5299e23b7bbbb91721e09e5262be139cf1e821ba8e0f1a4d234c7e88bf4921a568a21f1e10641da5fc3cb84b69a115f3a6b1d10a800b89eacacd201b04

  • C:\Windows\SysWOW64\Daekdooc.exe
    Filesize: 96KB
    MD5: 8ad7344d20722749e5c1cb9c78d1788c
    SHA1: 8df79602f5d6986da582d320e084673a1225df39
    SHA256: 4f6712e36016d76ede0ce25964b69cdd9c4532173050bd9b77354a0bd0ac2fb7
    SHA512: 27dbedbe18e9126c68b446540b45f4312f556ae6e32defe3d074598ce1469183a71c6afd2a6d9f2bc400b9bde36b22f9e8fc89258c17b98fb5737bd170cb36aa

  • C:\Windows\SysWOW64\Danecp32.exe
    Filesize: 96KB
    MD5: b230a243dba20855ef89eb380327812c
    SHA1: 2b6628426e202a89986f2e0bf671a0a9b3a6478b
    SHA256: df71c8083e2310d1db9227c7379ff13271e5f84e9405863b2ca697715090399b
    SHA512: 54fad79aa8f453ddcb2508b7ffc069bf4ac0658f4fbd7753bd2ab4f7cb6f806cb9bc8bc1b6991ed1e79ffe78e7532e2c00a7c411ecba66af0a4a11af5c7dec47

  • C:\Windows\SysWOW64\Dddhpjof.exe
    Filesize: 96KB
    MD5: 11751c85e90e97df7727fa38c0202498
    SHA1: 8dda29139d3767dea65d288208e47b160b78d663
    SHA256: 59f23225c8948b667e2f3a52550dfb340a2ac06e74056727249aa4121ab566b2
    SHA512: b25587662299cfca497e2198d36c81cc2b853a282edfc97f3d6b40a4c22852c3f74da3722483d29bea408e1cb4dd711f3814159b01de06b70148d958aeacdfe9

  • C:\Windows\SysWOW64\Delnin32.exe
    Filesize: 96KB
    MD5: 9f8981f0136fa3707c9418486eac98ab
    SHA1: aa6ac894b7b6105c44680b2304cff856484a362d
    SHA256: 1dff1c5a5689306251786ff444d81541db40981bcd09bfed06dd9dba5452b1a0
    SHA512: 068899b35bc0ecc539e77850b0bee8b630e268d9fd0b794cc36d7d97f4c2e1f90c452c9c71da1a33e3aa92e881582ae5a3f58fc90745d02a3104738f4735031d

  • C:\Windows\SysWOW64\Dfnjafap.exe
    Filesize: 96KB
    MD5: 258ea2f21be219ee16ad51bb32f12034
    SHA1: 9d64994d1386443e6777aed3ba13f9362fe2895c
    SHA256: f8394ce057e76fd18d54fcdf16a70667bf3a3705a2fc01f13ca376446cc4144a
    SHA512: 3aa814ebd3dafe427022f3676f195b06aab668f4c932170c27d14f2c8b4668ef2f5455c0f33bdcc3965b8ef6381b564ca1a24f39d1c932f595e1fb5012051026

  • C:\Windows\SysWOW64\Dhfajjoj.exe
    Filesize: 96KB
    MD5: c82afcd50509d7aab8b89d9b3e8e8da2
    SHA1: 27a186b291696830b081679cdc1a21325a5735aa
    SHA256: 7a921bca8d1895392e99879506e4a8697b3b89c8f35a2a4c6b0383b7984dffd7
    SHA512: f15e2d32d014425ecbb2ffadb0422c49a741d9aed85f55a087fa1b749315fc2d35132a0ceb0aa7cddf2cbfac74c5b4cb3b30a6070a9bf27d584cb2f927fb2059

  • C:\Windows\SysWOW64\Dhmgki32.exe
    Filesize: 96KB
    MD5: 76455e8ad9ebe3710f2b8281c518b384
    SHA1: 893b80ed18db3e2f4df35a035a510b12d6c8fc02
    SHA256: 3943199d9f0681e4cf13c7a96663bd7657a150c6e2a29b6745b1f66fc21270cb
    SHA512: 09cbd53a291d95e6c812dd2de5faf87e90c756fcf35358ab38fe4dabfeda485eeaed59d012e938240d9d1a94619f062eef5a068ff47946fde9d8a3186670aaf5

  • C:\Windows\SysWOW64\Djgjlelk.exe
    Filesize: 96KB
    MD5: b49ad5003032a05f6b5b7aa685de1997
    SHA1: 10b34fe90f5288749d324c00b571b6d794598d97
    SHA256: c5d6487003a006db95cea87ff53d8ab7dc3b3779a6349fe0db25090f38c20f08
    SHA512: e26a53404349006f2ef24af254e98e3e27bd3d3c652275bd70e9ce3dc68fd17526ec5a2c81190ebd6a2c913bb16ea5abddbba07495175bca4d84dcc9624bb0ee

  • C:\Windows\SysWOW64\Dkkcge32.exe
    Filesize: 96KB
    MD5: f7e7350061471f205e6c41a3fd4a2728
    SHA1: 4c1711be609cd8c1c200e4735bce49bf646595ae
    SHA256: 5653b6df7f41ad75f470da43e3c8b9b8a8c67f4fa918e21d9a04de4dee04a99d
    SHA512: b89d24b4d1704de35fc76e481831fa06e2a48abeb9000512187d077ccf77c63ac26f64a643f8363bfb0d8808c9399a15f0074a4ae9a0d6eadd049e3bd96e5ff5

  • C:\Windows\SysWOW64\Dknpmdfc.exe
    Filesize: 96KB
    MD5: bc5399ac3ce4ac2c5a728b068de4219f
    SHA1: ed6f31babb397d3bc728300df3b50a83e21797f1
    SHA256: c0eb5c7c7c1e0359a03dcbd389f2ffef0c90b99a0b89639bad713d27535d9ce1
    SHA512: 5786f921737a1e5fa01c7a00e5c7c5fcab005f43ac9be20250466bfc080ddae35e660dc3e604b535e616e3309caca1f2db4976332b8d732a87705611849e174d

  • C:\Windows\SysWOW64\Dmllipeg.exe
    Filesize: 96KB
    MD5: 876606dc936cbbfbbfc02e436616b0a4
    SHA1: d2ec459ad3b27a3f12e9b9984f3f175abe85dd67
    SHA256: cf7cbb297694c61ea2e5c9bd14a1d36a2ab02c7b804987babf21677ac70d14b5
    SHA512: fc1eefa377cdd0a7226a2a71b83872f7555f3a63df8039ea0090de20f1c3a4b000fd1d7427879f74d79129afecd446bfc4b5900dbe2ba29d4e52fa49b7d01026

  • C:\Windows\SysWOW64\Nedmmlba.dll
    Filesize: 7KB
    MD5: af1da632033bd44b7626581019df4b25
    SHA1: 249c432b9f06b792a1f914f2bb6b39086ddec5c5
    SHA256: 95226d5e16e5b6fef77c3695b3847bd29dde17c10b1a0b6074be3d6a1bf86e76
    SHA512: 31ba7a47beea8f048c9920e2c9d7b065f2d1451043424fd621a3b7616c1c168be4bfa5cd0dffaa3e7411ce9245acc7b78de7e2f20b979de890dd3b71936bbe63

  • memory/1000-188-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1000-220-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1004-161-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1004-223-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1100-79-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1100-0-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1180-97-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1180-15-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1264-31-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1264-115-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1544-134-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1544-217-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1548-71-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1548-160-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/2228-106-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/2228-23-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/2232-143-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/2232-225-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/2260-215-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/2260-125-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/2324-40-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/2324-124-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/2368-179-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/2368-221-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/2396-222-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/2396-170-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/3076-169-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/3076-81-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/3124-64-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/3124-151-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/3832-8-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/3832-88-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4008-142-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4008-55-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4012-116-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4012-205-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4036-224-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4036-152-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4144-197-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4144-107-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4516-216-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4548-90-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4548-178-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4580-206-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4580-218-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4632-219-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4632-198-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4688-133-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4688-47-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4976-187-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4976-99-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)