Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    • arch:x64
    • arch:x86
    • image:win10v2004-20241007-en
    • locale:en-us
    • os:windows10-2004-x64
    • system
  • submitted
    23-12-2024 21:32

General

  • Target

    562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499.exe

  • Size

    55KB

  • MD5

    64876dd17eeef3cc362598def1050351

  • SHA1

    ddb4e811626869ba40a0e3e0417700a71a6676a2

  • SHA256

    562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499

  • SHA512

    92d6bfa1ae16352e2b3bbcf2190fdcc270ade9dbc2fecd9dc3d8bbdea69a39942566e474ce735a20e2db186324a7d3a57a65f88ac7d537a33157d591873b604e

  • SSDEEP

    1536:BnMFtQWcGKf6kVxQP+2ydbc7YzNSoNSd0A3shxD6K:eEG6Exya7YzNXNW0A8hhz

Malware Config

Extracted

  • Family
    berbew
  • C2
    http://tat-neftbank.ru/kkq.php
    http://tat-neftbank.ru/wcmd.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE (64 IoCs)
  • Drops file in System32 directory (64 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499.exe
    "C:\Users\Admin\AppData\Local\Temp\562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Windows\SysWOW64\Ngdmod32.exe
      C:\Windows\system32\Ngdmod32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3244
      • C:\Windows\SysWOW64\Nnneknob.exe
        C:\Windows\system32\Nnneknob.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\SysWOW64\Ndhmhh32.exe
          C:\Windows\system32\Ndhmhh32.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3216
          • C:\Windows\SysWOW64\Nfjjppmm.exe
            C:\Windows\system32\Nfjjppmm.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4012
            • C:\Windows\SysWOW64\Olcbmj32.exe
              C:\Windows\system32\Olcbmj32.exe
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4540
              • C:\Windows\SysWOW64\Ocnjidkf.exe
                C:\Windows\system32\Ocnjidkf.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4388
                • C:\Windows\SysWOW64\Ojgbfocc.exe
                  C:\Windows\system32\Ojgbfocc.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2060
                  • C:\Windows\SysWOW64\Opakbi32.exe
                    C:\Windows\system32\Opakbi32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1708
                    • C:\Windows\SysWOW64\Ogkcpbam.exe
                      C:\Windows\system32\Ogkcpbam.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2092
                      • C:\Windows\SysWOW64\Oneklm32.exe
                        C:\Windows\system32\Oneklm32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2184
                        • C:\Windows\SysWOW64\Odocigqg.exe
                          C:\Windows\system32\Odocigqg.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:4588
                          • C:\Windows\SysWOW64\Ofqpqo32.exe
                            C:\Windows\system32\Ofqpqo32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:1780
                            • C:\Windows\SysWOW64\Olkhmi32.exe
                              C:\Windows\system32\Olkhmi32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:992
                              • C:\Windows\SysWOW64\Odapnf32.exe
                                C:\Windows\system32\Odapnf32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:4208
                                • C:\Windows\SysWOW64\Ofcmfodb.exe
                                  C:\Windows\system32\Ofcmfodb.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Suspicious use of WriteProcessMemory
                                  PID:4072
                                  • C:\Windows\SysWOW64\Onjegled.exe
                                    C:\Windows\system32\Onjegled.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:4140
                                    • C:\Windows\SysWOW64\Oqhacgdh.exe
                                      C:\Windows\system32\Oqhacgdh.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of WriteProcessMemory
                                      PID:800
                                      • C:\Windows\SysWOW64\Ofeilobp.exe
                                        C:\Windows\system32\Ofeilobp.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:3236
                                        • C:\Windows\SysWOW64\Pmoahijl.exe
                                          C:\Windows\system32\Pmoahijl.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:1704
                                          • C:\Windows\SysWOW64\Pcijeb32.exe
                                            C:\Windows\system32\Pcijeb32.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:1600
                                            • C:\Windows\SysWOW64\Pjcbbmif.exe
                                              C:\Windows\system32\Pjcbbmif.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:3408
                                              • C:\Windows\SysWOW64\Pfjcgn32.exe
                                                C:\Windows\system32\Pfjcgn32.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry class
                                                PID:1952
                                                • C:\Windows\SysWOW64\Pqpgdfnp.exe
                                                  C:\Windows\system32\Pqpgdfnp.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Modifies registry class
                                                  PID:1668
                                                  • C:\Windows\SysWOW64\Pgioqq32.exe
                                                    C:\Windows\system32\Pgioqq32.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • Modifies registry class
                                                    PID:2016
                                                    • C:\Windows\SysWOW64\Pncgmkmj.exe
                                                      C:\Windows\system32\Pncgmkmj.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:4020
                                                      • C:\Windows\SysWOW64\Pqbdjfln.exe
                                                        C:\Windows\system32\Pqbdjfln.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4032
                                                        • C:\Windows\SysWOW64\Pgllfp32.exe
                                                          C:\Windows\system32\Pgllfp32.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          PID:4036
                                                          • C:\Windows\SysWOW64\Pjjhbl32.exe
                                                            C:\Windows\system32\Pjjhbl32.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1936
                                                            • C:\Windows\SysWOW64\Pnfdcjkg.exe
                                                              C:\Windows\system32\Pnfdcjkg.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1212
                                                              • C:\Windows\SysWOW64\Pqdqof32.exe
                                                                C:\Windows\system32\Pqdqof32.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                PID:432
                                                                • C:\Windows\SysWOW64\Pdpmpdbd.exe
                                                                  C:\Windows\system32\Pdpmpdbd.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:228
                                                                  • C:\Windows\SysWOW64\Pcbmka32.exe
                                                                    C:\Windows\system32\Pcbmka32.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    PID:2708
                                                                    • C:\Windows\SysWOW64\Pfaigm32.exe
                                                                      C:\Windows\system32\Pfaigm32.exe
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Modifies registry class
                                                                      PID:4328
                                                                      • C:\Windows\SysWOW64\Qmkadgpo.exe
                                                                        C:\Windows\system32\Qmkadgpo.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Modifies registry class
                                                                        PID:464
                                                                        • C:\Windows\SysWOW64\Qdbiedpa.exe
                                                                          C:\Windows\system32\Qdbiedpa.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:448
                                                                          • C:\Windows\SysWOW64\Qceiaa32.exe
                                                                            C:\Windows\system32\Qceiaa32.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Modifies registry class
                                                                            PID:2012
                                                                            • C:\Windows\SysWOW64\Qfcfml32.exe
                                                                              C:\Windows\system32\Qfcfml32.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1168
                                                                              • C:\Windows\SysWOW64\Qnjnnj32.exe
                                                                                C:\Windows\system32\Qnjnnj32.exe
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                PID:3768
                                                                                • C:\Windows\SysWOW64\Qqijje32.exe
                                                                                  C:\Windows\system32\Qqijje32.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry class
                                                                                  PID:4684
                                                                                  • C:\Windows\SysWOW64\Qcgffqei.exe
                                                                                    C:\Windows\system32\Qcgffqei.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies registry class
                                                                                    PID:4560
                                                                                    • C:\Windows\SysWOW64\Ampkof32.exe
                                                                                      C:\Windows\system32\Ampkof32.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:1332
                                                                                      • C:\Windows\SysWOW64\Acjclpcf.exe
                                                                                        C:\Windows\system32\Acjclpcf.exe
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:1480
                                                                                        • C:\Windows\SysWOW64\Afhohlbj.exe
                                                                                          C:\Windows\system32\Afhohlbj.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:2868
                                                                                          • C:\Windows\SysWOW64\Ambgef32.exe
                                                                                            C:\Windows\system32\Ambgef32.exe
                                                                                            45⤵
                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Modifies registry class
                                                                                            PID:4092
                                                                                            • C:\Windows\SysWOW64\Agglboim.exe
                                                                                              C:\Windows\system32\Agglboim.exe
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry class
                                                                                              PID:1588
                                                                                              • C:\Windows\SysWOW64\Afjlnk32.exe
                                                                                                C:\Windows\system32\Afjlnk32.exe
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:4056
                                                                                                • C:\Windows\SysWOW64\Amddjegd.exe
                                                                                                  C:\Windows\system32\Amddjegd.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Modifies registry class
                                                                                                  PID:3784
                                                                                                  • C:\Windows\SysWOW64\Aeklkchg.exe
                                                                                                    C:\Windows\system32\Aeklkchg.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:3300
                                                                                                    • C:\Windows\SysWOW64\Ajhddjfn.exe
                                                                                                      C:\Windows\system32\Ajhddjfn.exe
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Modifies registry class
                                                                                                      PID:2312
                                                                                                      • C:\Windows\SysWOW64\Aeniabfd.exe
                                                                                                        C:\Windows\system32\Aeniabfd.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:3948
                                                                                                        • C:\Windows\SysWOW64\Afoeiklb.exe
                                                                                                          C:\Windows\system32\Afoeiklb.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:2948
                                                                                                          • C:\Windows\SysWOW64\Aadifclh.exe
                                                                                                            C:\Windows\system32\Aadifclh.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Modifies registry class
                                                                                                            PID:4760
                                                                                                            • C:\Windows\SysWOW64\Bjmnoi32.exe
                                                                                                              C:\Windows\system32\Bjmnoi32.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • Modifies registry class
                                                                                                              PID:3604
                                                                                                              • C:\Windows\SysWOW64\Bagflcje.exe
                                                                                                                C:\Windows\system32\Bagflcje.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Modifies registry class
                                                                                                                PID:4592
                                                                                                                • C:\Windows\SysWOW64\Bcebhoii.exe
                                                                                                                  C:\Windows\system32\Bcebhoii.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:392
                                                                                                                  • C:\Windows\SysWOW64\Bjokdipf.exe
                                                                                                                    C:\Windows\system32\Bjokdipf.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • Modifies registry class
                                                                                                                    PID:4112
                                                                                                                    • C:\Windows\SysWOW64\Bgcknmop.exe
                                                                                                                      C:\Windows\system32\Bgcknmop.exe
                                                                                                                      58⤵
                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      PID:2128
                                                                                                                      • C:\Windows\SysWOW64\Balpgb32.exe
                                                                                                                        C:\Windows\system32\Balpgb32.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Modifies registry class
                                                                                                                        PID:4924
                                                                                                                        • C:\Windows\SysWOW64\Beglgani.exe
                                                                                                                          C:\Windows\system32\Beglgani.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Modifies registry class
                                                                                                                          PID:3148
                                                                                                                          • C:\Windows\SysWOW64\Bfhhoi32.exe
                                                                                                                            C:\Windows\system32\Bfhhoi32.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            • Modifies registry class
                                                                                                                            PID:3952
                                                                                                                            • C:\Windows\SysWOW64\Bmbplc32.exe
                                                                                                                              C:\Windows\system32\Bmbplc32.exe
                                                                                                                              62⤵
                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:804
                                                                                                                              • C:\Windows\SysWOW64\Bhhdil32.exe
                                                                                                                                C:\Windows\system32\Bhhdil32.exe
                                                                                                                                63⤵
                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                • Executes dropped EXE
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:944
                                                                                                                                • C:\Windows\SysWOW64\Bmemac32.exe
                                                                                                                                  C:\Windows\system32\Bmemac32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:1388
                                                                                                                                  • C:\Windows\SysWOW64\Belebq32.exe
                                                                                                                                    C:\Windows\system32\Belebq32.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:5072
                                                                                                                                    • C:\Windows\SysWOW64\Cfmajipb.exe
                                                                                                                                      C:\Windows\system32\Cfmajipb.exe
                                                                                                                                      66⤵
                                                                                                                                      • Modifies registry class
                                                                                                                                      PID:4632
                                                                                                                                      • C:\Windows\SysWOW64\Chmndlge.exe
                                                                                                                                        C:\Windows\system32\Chmndlge.exe
                                                                                                                                        67⤵
                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        • Modifies registry class
                                                                                                                                        PID:4860
                                                                                                                                        • C:\Windows\SysWOW64\Ceqnmpfo.exe
                                                                                                                                          C:\Windows\system32\Ceqnmpfo.exe
                                                                                                                                          68⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Modifies registry class
                                                                                                                                          PID:3320
                                                                                                                                          • C:\Windows\SysWOW64\Cmlcbbcj.exe
                                                                                                                                            C:\Windows\system32\Cmlcbbcj.exe
                                                                                                                                            69⤵
                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:2164
                                                                                                                                            • C:\Windows\SysWOW64\Ceckcp32.exe
                                                                                                                                              C:\Windows\system32\Ceckcp32.exe
                                                                                                                                              70⤵
                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:2072
                                                                                                                                              • C:\Windows\SysWOW64\Ceehho32.exe
                                                                                                                                                C:\Windows\system32\Ceehho32.exe
                                                                                                                                                71⤵
                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:2512
                                                                                                                                                • C:\Windows\SysWOW64\Cjbpaf32.exe
                                                                                                                                                  C:\Windows\system32\Cjbpaf32.exe
                                                                                                                                                  72⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:1744
                                                                                                                                                  • C:\Windows\SysWOW64\Ddjejl32.exe
                                                                                                                                                    C:\Windows\system32\Ddjejl32.exe
                                                                                                                                                    73⤵
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:4908
                                                                                                                                                    • C:\Windows\SysWOW64\Dejacond.exe
                                                                                                                                                      C:\Windows\system32\Dejacond.exe
                                                                                                                                                      74⤵
                                                                                                                                                      • Modifies registry class
                                                                                                                                                      PID:4796
                                                                                                                                                      • C:\Windows\SysWOW64\Dobfld32.exe
                                                                                                                                                        C:\Windows\system32\Dobfld32.exe
                                                                                                                                                        75⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:1240
                                                                                                                                                        • C:\Windows\SysWOW64\Daqbip32.exe
                                                                                                                                                          C:\Windows\system32\Daqbip32.exe
                                                                                                                                                          76⤵
                                                                                                                                                          • Modifies registry class
                                                                                                                                                          PID:2788
                                                                                                                                                          • C:\Windows\SysWOW64\Dkifae32.exe
                                                                                                                                                            C:\Windows\system32\Dkifae32.exe
                                                                                                                                                            77⤵
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:960
                                                                                                                                                            • C:\Windows\SysWOW64\Daconoae.exe
                                                                                                                                                              C:\Windows\system32\Daconoae.exe
                                                                                                                                                              78⤵
                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:1500
                                                                                                                                                              • C:\Windows\SysWOW64\Dkkcge32.exe
                                                                                                                                                                C:\Windows\system32\Dkkcge32.exe
                                                                                                                                                                79⤵
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                • Modifies registry class
                                                                                                                                                                PID:5040
                                                                                                                                                                • C:\Windows\SysWOW64\Daekdooc.exe
                                                                                                                                                                  C:\Windows\system32\Daekdooc.exe
                                                                                                                                                                  80⤵
                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                  PID:1320
                                                                                                                                                                  • C:\Windows\SysWOW64\Deagdn32.exe
                                                                                                                                                                    C:\Windows\system32\Deagdn32.exe
                                                                                                                                                                    81⤵
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                    PID:1836
                                                                                                                                                                    • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                                      C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                                      82⤵
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:2112
                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 396
                                                                                                                                                                        83⤵
                                                                                                                                                                        • Program crash
                                                                                                                                                                        PID:3508
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2112 -ip 2112
    1⤵
      PID:3264

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\Afoeiklb.exe
      Filesize: 55KB
      MD5: 76b50aa18b4ccac6f004010f7510a9ef
      SHA1: d628085184706d6c6ed686d992eca5fd31de12b6
      SHA256: 87ed21893a321c02fea6394e433aeba00258b80f92f98a078a3b04ed8b0ed585
      SHA512: 584748f053fe42ebdb906c93385014927519819cf0f7c993cd0dae0b673840af2df530b197421321395ec3488ae71da2be2a7d0bd93d04ebb778c4b438b8eeb2

    • C:\Windows\SysWOW64\Ajhddjfn.exe
      Filesize: 55KB
      MD5: 6981e0f5225495e27747acd70ede2bee
      SHA1: d8e9921e2be24e0c456f9d9f712e7db8558d6429
      SHA256: 4844e436302de236159fdc1304a02ad30ca406b1bfcd0deacfe79941a274c470
      SHA512: bd0c35667f22203f5dfe59c24df4913022b18840af5adde511c8fb17beb21aeb228f7dbc4c042d1235f37cecf047d1cb32189fd4df85bc328fe58bd76bb0fe09

    • C:\Windows\SysWOW64\Amddjegd.exe
      Filesize: 55KB
      MD5: a8b38204464acfea637a5d0cf4f5bb15
      SHA1: dafd8b05763a5f0a00ad9b38a0d7afefc26d5b40
      SHA256: af8464d2253b2b9e0109c84ae98c549b481f225ee1015b1e1e8bf24db4e95033
      SHA512: d8887b1d62f9f6e6f9be22f583ee72bdfe64b02a4a9e2d2ff4e5da80e086251e31c678be3c35aeae6a3ea1921e07e9b1ea4f6885208cafeb1930063d4e94098e

    • C:\Windows\SysWOW64\Balpgb32.exe
      Filesize: 55KB
      MD5: 7b12a01e7da416961269fbd5d56eeef4
      SHA1: 6d109f3352beda1eabd15a430fae96b463df058c
      SHA256: 5f531d7292ec86c509b2b519a52f4485d3042b82426331cc85519e130a9270f5
      SHA512: 50ea5751cc92bdb7ac95291cf5bd22cc34c933c1376704d3577b9c95702ddb0a74119e493521b14deeed4cdadbe429c26cf2fcca29787b8fc35ea40f687d0f37

    • C:\Windows\SysWOW64\Bhhdil32.exe
      Filesize: 55KB
      MD5: 5cc0630480a0d19fc8f71a78e61fe0a6
      SHA1: 173b964fae46fc5e7d44d2f3ec11e03f22166810
      SHA256: 368414a8373569e9ac2508410770e498a4252a369e24d8340788e01377d668b5
      SHA512: 38ed69c4c9d0f540ee993a1260772666d50ef2193d4ee2b43c099b80cf1546900347685565d7b30d378391d3999525bb8fbb665336f8ac949eadc31e652072bb

    • C:\Windows\SysWOW64\Bjmnoi32.exe
      Filesize: 55KB
      MD5: ae1f2fe44ac0ee4989685865c803b85f
      SHA1: 69a21205e4df9560e1368a4db9d1eaaa5d36767e
      SHA256: 1c5eef2688522d11995185e082b337e0ae61dcaa0d395e1d83da70c8db16f743
      SHA512: 7233cd80fcb1674a919c70c2ae02f4e2e83bc98c49b5d2869f7c689cc15e9e02e3b54153ded93a039f22f2b889b61dbd955000d142291f56951399b873c0a147

    • C:\Windows\SysWOW64\Cfmajipb.exe
      Filesize: 55KB
      MD5: 2159adbb30b2d9763a4e1373909440a3
      SHA1: 8220afc7f40dd5130be4671f2553e56d05f74e16
      SHA256: bcf2482bc87629bb5276fe003f815f4e1581efa17ef9eff39bc67e7187d8160c
      SHA512: 3ac5c825d1524eb5c9cf47d6ede6d292f35474b5e0b5fd84c8c14af1bb630e484d9441173db2ff809a9fadc00fad65d6685e34c5ee986a3b470aff21f8841cef

    • C:\Windows\SysWOW64\Ndhmhh32.exe
      Filesize: 55KB
      MD5: 91588a7f76c6b632cb523c813aabaf02
      SHA1: 8eb072bbeac4dbe1826b9d444cea8dbc5b071593
      SHA256: f35996b1fdfc29979bce08228654477afbacb0be255fc1b7e3ee9ca8b8040e1d
      SHA512: db1a008e3fc42f1b448bcc4f82cbfbfe564e95ce4516362fa58027228e7003f45d4b03a8da8b80372e9ff0461a00e42d51463093c3c890cdf2871c76a3e21caf

    • C:\Windows\SysWOW64\Nfjjppmm.exe
      Filesize: 55KB
      MD5: fa92a7b37839f404cc7dc019da74857d
      SHA1: fe1c707cd6633db8ceb5ca4111ef4346514030e0
      SHA256: 10d9b2fc875e64c15515bcce94706184fe36bbb41498bf20916c40181d7ac500
      SHA512: f685c56c412a6ce1612b3ae61d5be97ae956908d6f7cac501f9743aa2f772ad080e93b5d7bbdf9de732c0cbbc2d5ec2aafcb1db0c00574ba2a9dc65f96aeacd9

    • C:\Windows\SysWOW64\Ngdmod32.exe
      Filesize: 55KB
      MD5: 16278eae22fdbc06a80375505c1b0997
      SHA1: d2ffa3ec764a08b1a16b71b54922f5070951348d
      SHA256: 223d7489a32508705ee44762ee232819e0c31ad2bdc599cc6b983e9d359f7702
      SHA512: 93753bb3829d47a3bb19243fdfb4da2eabfec455a29c44ad210ee69b3d8d157e5ed1d5dc5b5e736beec32c648dd8553dc4aea785ff77a256ace225d593aee844

    • C:\Windows\SysWOW64\Nnneknob.exe
      Filesize: 55KB
      MD5: f583f9e7b90fb10548196e8d6424ee30
      SHA1: 47fbf9008045069ac988c98db78f91428252bce0
      SHA256: 6ea0dc89657151149bdae5b53b75f8d36304675820f392dcae62a3414d3743d0
      SHA512: e192daf3a969bd762854be33e666805b5e7d4454501bb231806e5f69e003c7bd99b789a2a5caf9219ec009aecf11bc71f78a881d8227514d9b1032452b5b81f6

    • C:\Windows\SysWOW64\Ocnjidkf.exe
      Filesize: 55KB
      MD5: 69a574886e3c75700bae688b8bd4516f
      SHA1: 95c2ca6aff2d19c0e9bad5242152e97f654e5a53
      SHA256: 31b536f05f6a0a55993f757c9c1501aff888085b5ff8891f31394c7d5eb11985
      SHA512: 3b81c1e39b3b414fb77ff1e2c8c422ebbb335944f60fdc555346c6fa4c15f7eb0141f4bc179a34ab4d04ba2030a9e96be33543aa89097f96185e0004fb69e7ef

    • C:\Windows\SysWOW64\Odapnf32.exe
      Filesize: 55KB
      MD5: fd1520260c59934daca1aad737da13df
      SHA1: 69881cf1c10c94b50aabb76f36b3dc2cb92c82cb
      SHA256: 8d422c417b975d32519d39cbd96605b8e51a2fb70bda1813fa307d58a0c37870
      SHA512: 45b8802fc4279a2dd39013b04cb242cfa3f0d3c3a25926362003ace9347eef995f1e85df6308e9c63bf63e8031e0a41002e8efd19465cb226fa0f5441767d40f

    • C:\Windows\SysWOW64\Odocigqg.exe
      Filesize: 55KB
      MD5: 6106283d2b7ff6f6ffcea1bdafd13afd
      SHA1: ee8ed428f4b7aef089d7d9d72fb469af72387a97
      SHA256: 25c417dde458a967df3137c0bca5a084a81fe35f9a1db93d61525ee9883aabeb
      SHA512: 9c42cbdd5ebed0e81a694b55b2e91c037d8cf1782c1caafce0ae4d31503228b455b0068dd0e1971a1efc03e5962a40548ee70e0147f98d22adcd90cf4cc6879e

    • C:\Windows\SysWOW64\Ofcmfodb.exe
      Filesize: 55KB
      MD5: de1b9e30b33c41ae1d3a36656c117955
      SHA1: 33105eeaac250db56d70b0cc285c123b3a473508
      SHA256: e1350f09403fc4b35c0d8c0ca9e6c8bd7b12bbd1d508a1f4794475edb0d52328
      SHA512: a7d568c3649469d2d6201d292f8ee62f10e2f1e4311a308b73ca58bf1865d8055234b184ea7573a83fd490bb0861379cc7ad53896f939b85dc6905889e3ba9e3

    • C:\Windows\SysWOW64\Ofeilobp.exe
      Filesize: 55KB
      MD5: 39eca305b8e9ab6bc12b848e96d440c6
      SHA1: 62439f398b23cf933bac63c17b24927398f543c3
      SHA256: 94f187855e5be5f86a35bb60ed1fea6fa69742ad241dde8a0ed2880b2129ff3d
      SHA512: f5a605c978cfb8814b32c77917183542ffa1f9e217c9a96f4969f0d7a3621dbeb8ace2fe7929beed8c9aa660ee0e7536252530dfd3991ce03a9b6ec18b5d727c

    • C:\Windows\SysWOW64\Ofqpqo32.exe
      Filesize: 55KB
      MD5: 1d7897488d9f61722e047acb4974d6e0
      SHA1: d837d5796c5ee936623fd4c56dfe2910be7fd6d8
      SHA256: 17f6b4006aff99fef249caa101c87a236bc0dc9594b2b60a177e0332416d51c8
      SHA512: 66cd90781d6a35c482768ca9a64d6bd5c313b277772360379fbb7a359e4a62e85b26a6dd1b39ad8d9575207f08f34e2c9d258db5bfab896bff08cd8716be7a55

    • C:\Windows\SysWOW64\Ogkcpbam.exe
      Filesize: 55KB
      MD5: 1ee28e447f19d3eb1224386e7d5920a9
      SHA1: 4a304729771598a5e18c6071f02ed2a4866aae2a
      SHA256: a5599252313331b0267cc2d4d5f03f0b27299b1d5bda86c09437eba644d49716
      SHA512: 07d5a8b90f708b7ee3daf5bd41261ec3a1cda8b07d074478cb6c0f63f7222d5946879535490cbfd55ff31231e23268c74fbfd1f109227130e234466304ab6ae9

    • C:\Windows\SysWOW64\Ojgbfocc.exe
      Filesize: 55KB
      MD5: 1d96e6d211b925f923ed27027f6d038c
      SHA1: e312de66ceb97a44b871682a0358afa1adb8f4ea
      SHA256: 8cd677ad9c92a2e69ea6e0f1bd008f21fdc50cb6c79fa625508a4e80bb04c10b
      SHA512: e3c8839ad6357b8236e9e8b3f36c1bd721913ebd7ef793fcf44f5fc7ab752598a0a891e79b0a45bdff6c6870b61485aa250dde12d550318c0ac8b8d66ab15aeb

    • C:\Windows\SysWOW64\Olcbmj32.exe
      Filesize: 55KB
      MD5: 7430db3531f1535434a360d22eed8845
      SHA1: a6cae609a25d567a57d0b066740f5e8e3eb23e64
      SHA256: a7a88ea434f0a7296e39abb62ea9ca7ce737b5cacde30c7ddaf43ff32a259475
      SHA512: 5253b591576f906a0140e4a7d704183e7f65fa2e98cf0e698a4e7960c05575116e194274b62c47e0ad6ff5337f27b00839fadcf6de3db8d224d3016637452d6a

    • C:\Windows\SysWOW64\Olkhmi32.exe
      Filesize: 55KB
      MD5: c74a3c1d261035a52aa7544d63f4462d
      SHA1: 88a450aef6a55ef96fa36013d3a2e1234da6239c
      SHA256: 48447518697b7b92643b4a4e2d530692a2d3be48b9511465f21908aba415f227
      SHA512: 3ad4f66b239695a66dac79fb7bd26f5743fcc1cbd20a384acddbe55f87f10bd6e429f4ee2f223f0e1ba8f98adb0b5d7218b4059bd3d06e3a6f1305cfc5d77456

    • C:\Windows\SysWOW64\Oneklm32.exe
      Filesize: 55KB
      MD5: a0398a3eda3aa7d36999a723fedacfcc
      SHA1: 8f00bcecde3895b8701091e37787f4d43eb8a455
      SHA256: 878d19e4e58b86f383e659bb0e405287b1433aa32ede19e6813e2749b7677783
      SHA512: dfa44d7c36b5b235a4354fa6e8fafc0b3a50f0495371475161cf6e78c1a11fd58d83deb8fee2a7d24be06f9574ee878fc68d919ecd5397feff95827248a140d4

    • C:\Windows\SysWOW64\Onjegled.exe
      Filesize: 55KB
      MD5: 88b5d558fe8ca14e26208dd2ec5f1a54
      SHA1: 66717de81bb06990f9d9ea22efe26d373e020989
      SHA256: cbe33441309ddc732b45b6b81b635c9294cfd7efa604a41ae61cd314ae41d077
      SHA512: 290b782bb805466a2f05c4390b86feb054adc8240c423dba6487e8502757e1c44108976bf4e9f53dfc64ce3116e73b933786a3d6ce9f4185688ce34e0338eb5f

    • C:\Windows\SysWOW64\Opakbi32.exe
      Filesize: 55KB
      MD5: f220381fb27684446a7a5678892f29dd
      SHA1: 86b7ed3c32c4487e64f62d8da8875e6f3a43aa26
      SHA256: d7cb56336cc748676fc17ea6e0bec927c0b5512835211777183056e2a7800825
      SHA512: 12d48f3d7a6842f95841e0248675994e0ba724d4ff5b51ecac7ad8232f85ffd852589a6abc29265f70347c3c8410c7e5d74a2b5f1b75d556c881caef43f73c33

    • C:\Windows\SysWOW64\Oqhacgdh.exe
      Filesize: 55KB
      MD5: f799c9ffb29bb0998e0a9211fce1c817
      SHA1: e236a74cc8f191296dd41a5781ac0a92cf17187a
      SHA256: 37366dab8506b398c545fbdd311d2fcf6befaafcf250249e062143a3dc2a6fca
      SHA512: 1345a997d1acedf647945de504452a477babdfb41c146ffaab849f3c128ef0b2ae2d4c592b66a0134c66fddda6f3d7de6381e8a3fcceae64320ff7c13e7dbbc3

    • C:\Windows\SysWOW64\Pcbmka32.exe
      Filesize: 55KB
      MD5: 304c7272d897c80f1c03d3e62a2f338a
      SHA1: 191ad5b16b49c0e5826399d87473a924c204b4f0
      SHA256: 8ebb23a45598a3293ae7dc3834b8070db6616a9f40c994e5b57d024fd03f4c41
      SHA512: 1980a4e47f9a1bb3ee2ae57dbbaf9aa8231545307e55040664e5c89819de59c8671514793b6cdc3d3cbfe3dfb5b64d7925bba895d1815db80458f126ca672ac8

    • C:\Windows\SysWOW64\Pcijeb32.exe
      Filesize: 55KB
      MD5: 1cafc98f58f3fae6e6aadcf57cb7cfe9
      SHA1: 7581ad50d714704255d3477501e54efb9dbceff0
      SHA256: 6304ddd2160349bc45012e58ca245947569deafd47df0f87bd3fcb12f13b5ca6
      SHA512: bbdce3d828168d34e15ee3bf0fa21a4eb5992aec6cfe4a868c0a2f7dc302cafe38c39b00aac9d65194b37b360782be71805ac039cdac7d2dc66f9dae28e71d8d

    • C:\Windows\SysWOW64\Pdpmpdbd.exe
      Filesize: 55KB
      MD5: c2dfc373f25f93fb9a452e1eb085145c
      SHA1: 0569abd287ba57db08aece92c7e28269b7770f43
      SHA256: 2fb5eba91fef62440520ffaf34b6e06cbbf79f30e68819348d1296e17369a1f1
      SHA512: 633e1315fe65bc00cfe41f7b22a49e7cf563a492c3736f1a6bf973b3a1bfd7ad18c2605ef5459dc8806d18ed109f2ab77221f0cf0bbd5ad5b198f8f8eb3499a2

    • C:\Windows\SysWOW64\Pfjcgn32.exe
      Filesize: 55KB
      MD5: 1daed21f321b347ba107286ea584a071
      SHA1: a3640970d89d000913a8eb89d3b4ec72b5752ad9
      SHA256: 172f592b41061e92a683e2d8d6a4afb0f123817da5c64bf517edb87b8f78eeaf
      SHA512: 2f27fa6fdf61cc6aeee7bc5a2d184cd2d601c7e25505796a912226a2f413b33ef5820238fe5632dd5fd2ac34dec82fab50419a157ac2b5e11b0d36e674490c67

    • C:\Windows\SysWOW64\Pgioqq32.exe
      Filesize: 55KB
      MD5: 703694c537b0668ffecbcb603c60d104
      SHA1: da06e5a3cf44e23b3c4c3aa4a82688f757b13f5f
      SHA256: 115c39538cc58beb5a59a53817d6eec8c3ab8dcf219ad7bc12afcf543715d83e
      SHA512: 3b26e5407f3e3f69d650fde5c3f4821c6ee48e2a8d13f32d452de327d47bb241c7cab51815155ca83f2eecaf43eeb3336d0a2165400896c831353344864c84fb

    • C:\Windows\SysWOW64\Pgllfp32.exe
      Filesize: 55KB
      MD5: cdee68ecf832a70ae98273136c5db2fe
      SHA1: e134b320344b862acb5589eda1424c660b6633b7
      SHA256: 6473d39a08ad90d1a216b07f9a3a888f08cf365322e7b5928a77210ef8bda2ba
      SHA512: 9f119fe8b12c9d512e4867d556a48eb1d1ccf022972b0e32910888e0ef0030fd17cfd73fa89aa9dc2c80d8cb00c9e32ccf7903ad62a98aaaa1091c498ddd046f

    • C:\Windows\SysWOW64\Pjcbbmif.exe
      Filesize: 55KB
      MD5: 8f4f1c3f113619694759557266dbde58
      SHA1: 08de8b43362aa6c8a7d03b69c066076ac2df7e4d
      SHA256: 3edaad27fb416d9417b29a300b6a5cf6becffb1235994fbc886bc6362002043d
      SHA512: 8df973eeb852590602181b4cd60c7971473f20b401ffa207d8b74e83037f74f96a2631132e2876deb7e50e9dfbda6bd8b9a1683a392f433367aa532e44a2edb2

    • C:\Windows\SysWOW64\Pjjhbl32.exe
      Filesize: 55KB
      MD5: a1187aea8704eac8a0a8156dabdb7e70
      SHA1: 0ac4264a46ec578c4e71db3a44a24679a73e7bc0
      SHA256: edb08f21b6c506e81d154c1087274f17dd3281e693f4eda9fd93bc10e8050e3d
      SHA512: a812628a0aaf61a746b41a9ff4e2348972499ad551bf7b9c07b395fc2e3b6a2e8c2f8cca6d6e81f45f3f8f132323633a29885ee3c50ea4d6dcb1a857ebc788cf

    • C:\Windows\SysWOW64\Pmoahijl.exe
      Filesize: 55KB
      MD5: 8e0ecccab1ea12f2d2b44a32265a1700
      SHA1: 6b55574b24fbb663aa8c4053d81ae97a4d0533b7
      SHA256: 6cefdb61ca1d19d6310fe1c476a3c52a1c1e55ffbcba2095703c517f4e2813ec
      SHA512: 1341023b8bc655e43350b2211e56e0c721fb427fba1907e252105d4c8f32d7afd007226f453cdf26c440e1be65873cd7cca29661866809f3caf9473df7c85eec

    • C:\Windows\SysWOW64\Pncgmkmj.exe
      Filesize: 55KB
      MD5: 454b973984b124174a8982ba716411e3
      SHA1: 19362d14a105873afc9f4cc23268bc321ef0e059
      SHA256: 2cd16c672c65d4fbd5f8390f660768b7f94f365079028c724c48ef67b61cafc3
      SHA512: 0e8594b87291b32da2827353113e9d29037623ead045f63d30d39d5fba63d7c3842dc50b15b862a10b6f06f711e4ae5864fd4bb3f7576c6c1fa3fe383905e2fd

    • C:\Windows\SysWOW64\Pnfdcjkg.exe
      Filesize: 55KB
      MD5: 4b9ace2f7323798cf1ca6787ec3a9a3f
      SHA1: 5a483365a31438f5caaa555b4f8fb131240ab918
      SHA256: 1f77c4eef5bd9cf114cf1c69a35a91bf1bae273b98a9acd0b3556227bbf6387e
      SHA512: c3d7a59c5f972e497e15c6d0c6cc46d9bfaedc11b3b30ddccc4bc0363c622102769be42526e30e534e47588603e10cdb53c63e1dbd9acd2ad7720268a9bf224c

    • C:\Windows\SysWOW64\Pqbdjfln.exe
      Filesize: 55KB
      MD5: e50c961394f8ec7e2dd7661c7dda520d
      SHA1: c55bdcd8e9b0f665595ca45b6c75d1043650b49f
      SHA256: 440a18109c37d57b528f257e78598b49a10b48136a65c4457ca7efa844258f0e
      SHA512: c4756343467f02f195c6faf8024ce17c46e53f1a11d77f2cf4f76a19a4f3ccac38d3ab8f1ab3bf8c8e023c23fe803c067349a037d62c66d7bc7c702929da4dfa

    • C:\Windows\SysWOW64\Pqdqof32.exe
      Filesize: 55KB
      MD5: ebc41c73792c16f87d7871fe38db2161
      SHA1: c70d0c130e56334d492c4f463a1896944fcd111e
      SHA256: aa1858dbae789bf0bc0df46f97fb146bc7dbcd303a2500ec415cb7de25dac7af
      SHA512: ae1c32113d55e4662f9951ee460d1b8e98e2ca24aec9a85fc424eb37d334ed25ed403e8560968d1c06c0849728bfb40ef33eee3fffce829f9e11cd94005e8d0c

    • C:\Windows\SysWOW64\Pqpgdfnp.exe
      Filesize: 55KB
      MD5: 74a84aba929cee1c0dd2d475e989b4d4
      SHA1: d7c9389bc498b6c0e61a787599066e85ed574c30
      SHA256: ac74c103c0766c77655c809ad12246fb5a15384c13e9ad864780b21879ca1d65
      SHA512: 69fcf16020ab1a4a311c445a00fe54095515945c79b36d51c6a5bdecff1e9944533b9e84e743e6b115f0e46d52ae5a0bb629fc4a718b1c545e6324658f97d0f3

    • memory/228-252-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/392-394-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/432-244-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/448-278-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/464-268-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/800-135-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/804-430-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/944-436-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/960-564-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/960-520-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/992-103-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1168-286-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1212-232-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1240-568-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1240-508-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1320-558-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1320-538-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1332-310-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1388-442-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1480-316-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1500-526-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1500-563-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1588-334-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1600-159-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1668-183-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1704-151-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1708-63-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1732-15-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1732-553-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1744-490-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1744-573-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1780-96-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1836-556-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1836-545-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1936-223-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1936-653-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/1952-175-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2012-283-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2016-660-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2016-191-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2060-55-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2072-577-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2072-478-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2092-72-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2112-552-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2112-554-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2128-406-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2164-472-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2184-79-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2312-358-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2512-575-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2512-484-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2708-261-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2788-514-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2788-566-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2868-322-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/2948-370-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/3148-418-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/3216-23-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/3236-143-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/3244-8-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/3244-551-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/3300-352-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/3320-466-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/3408-167-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/3604-382-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/3768-296-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/3784-346-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/3948-364-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/3952-424-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4012-31-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4020-199-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4032-207-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4032-657-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4036-216-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4056-340-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4072-120-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4092-328-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4112-400-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4140-132-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4208-112-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4296-0-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4296-544-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4328-262-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4388-47-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4540-40-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4560-304-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4588-87-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4592-388-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4632-454-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4684-298-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4760-376-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4796-570-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4796-502-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4860-460-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4908-496-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/4924-412-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/5040-560-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/5040-532-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
    • memory/5072-448-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)