Analysis

  • max time kernel
    93s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-12-2024 04:07

General

  • Target

    e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe

  • Size

    90KB

  • MD5

    0f9eebf861111b8ef7cc0a03befc561b

  • SHA1

    9a9c5f93ef3f90cf9949625238005154181507ee

  • SHA256

    e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa

  • SHA512

    ad10f84f6f49899dc00bffc4e61587a5a0da11a6d4cac7384a473b4d6b028608c61ab4001138e43594ef541c3ba8fec93a136f83c3b1996882e5ca4caea31fa9

  • SSDEEP

    1536:j/0kkZnWGM4R/6oHUZmwKthSSNEgBx0sl9XL7XnYGlu/Ub0VkVNK:jnk1eop0gBx0SBYGlu/Ub0+NK

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe
    "C:\Users\Admin\AppData\Local\Temp\e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\Olkhmi32.exe
      C:\Windows\system32\Olkhmi32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4040
      • C:\Windows\SysWOW64\Ogpmjb32.exe
        C:\Windows\system32\Ogpmjb32.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3656
        • C:\Windows\SysWOW64\Onjegled.exe
          C:\Windows\system32\Onjegled.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2024
          • C:\Windows\SysWOW64\Oqhacgdh.exe
            C:\Windows\system32\Oqhacgdh.exe
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1968
            • C:\Windows\SysWOW64\Ocgmpccl.exe
              C:\Windows\system32\Ocgmpccl.exe
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2152
              • C:\Windows\SysWOW64\Ofeilobp.exe
                C:\Windows\system32\Ofeilobp.exe
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3944
                • C:\Windows\SysWOW64\Pdfjifjo.exe
                  C:\Windows\system32\Pdfjifjo.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4748
                  • C:\Windows\SysWOW64\Pfhfan32.exe
                    C:\Windows\system32\Pfhfan32.exe
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:5052
                    • C:\Windows\SysWOW64\Pnonbk32.exe
                      C:\Windows\system32\Pnonbk32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:2492
                      • C:\Windows\SysWOW64\Pqmjog32.exe
                        C:\Windows\system32\Pqmjog32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1004
                        • C:\Windows\SysWOW64\Pclgkb32.exe
                          C:\Windows\system32\Pclgkb32.exe
                          12⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:212
                          • C:\Windows\SysWOW64\Pfjcgn32.exe
                            C:\Windows\system32\Pfjcgn32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:1988
                            • C:\Windows\SysWOW64\Pmdkch32.exe
                              C:\Windows\system32\Pmdkch32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:208
                              • C:\Windows\SysWOW64\Pcncpbmd.exe
                                C:\Windows\system32\Pcncpbmd.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:3444
                                • C:\Windows\SysWOW64\Pncgmkmj.exe
                                  C:\Windows\system32\Pncgmkmj.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:4564
                                  • C:\Windows\SysWOW64\Pqbdjfln.exe
                                    C:\Windows\system32\Pqbdjfln.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:3260
                                    • C:\Windows\SysWOW64\Pcppfaka.exe
                                      C:\Windows\system32\Pcppfaka.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:4144
                                      • C:\Windows\SysWOW64\Pjjhbl32.exe
                                        C:\Windows\system32\Pjjhbl32.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:4336
                                        • C:\Windows\SysWOW64\Pdpmpdbd.exe
                                          C:\Windows\system32\Pdpmpdbd.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:4528
                                          • C:\Windows\SysWOW64\Pfaigm32.exe
                                            C:\Windows\system32\Pfaigm32.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • Suspicious use of WriteProcessMemory
                                            PID:3676
                                            • C:\Windows\SysWOW64\Qnhahj32.exe
                                              C:\Windows\system32\Qnhahj32.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Suspicious use of WriteProcessMemory
                                              PID:2720
                                              • C:\Windows\SysWOW64\Qqfmde32.exe
                                                C:\Windows\system32\Qqfmde32.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry class
                                                PID:644
                                                • C:\Windows\SysWOW64\Qceiaa32.exe
                                                  C:\Windows\system32\Qceiaa32.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:3964
                                                  • C:\Windows\SysWOW64\Ambgef32.exe
                                                    C:\Windows\system32\Ambgef32.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • Modifies registry class
                                                    PID:4448
                                                    • C:\Windows\SysWOW64\Aclpap32.exe
                                                      C:\Windows\system32\Aclpap32.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:5084
                                                      • C:\Windows\SysWOW64\Afjlnk32.exe
                                                        C:\Windows\system32\Afjlnk32.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        PID:4716
                                                        • C:\Windows\SysWOW64\Aeklkchg.exe
                                                          C:\Windows\system32\Aeklkchg.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          PID:4856
                                                          • C:\Windows\SysWOW64\Afmhck32.exe
                                                            C:\Windows\system32\Afmhck32.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1556
                                                            • C:\Windows\SysWOW64\Aabmqd32.exe
                                                              C:\Windows\system32\Aabmqd32.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              • Modifies registry class
                                                              PID:1408
                                                              • C:\Windows\SysWOW64\Acqimo32.exe
                                                                C:\Windows\system32\Acqimo32.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                • Modifies registry class
                                                                PID:4252
                                                                • C:\Windows\SysWOW64\Anfmjhmd.exe
                                                                  C:\Windows\system32\Anfmjhmd.exe
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Modifies registry class
                                                                  PID:2144
                                                                  • C:\Windows\SysWOW64\Accfbokl.exe
                                                                    C:\Windows\system32\Accfbokl.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:4412
                                                                    • C:\Windows\SysWOW64\Bjmnoi32.exe
                                                                      C:\Windows\system32\Bjmnoi32.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Modifies registry class
                                                                      PID:2784
                                                                      • C:\Windows\SysWOW64\Bagflcje.exe
                                                                        C:\Windows\system32\Bagflcje.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:3872
                                                                        • C:\Windows\SysWOW64\Bcebhoii.exe
                                                                          C:\Windows\system32\Bcebhoii.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          PID:2828
                                                                          • C:\Windows\SysWOW64\Bnkgeg32.exe
                                                                            C:\Windows\system32\Bnkgeg32.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:4100
                                                                            • C:\Windows\SysWOW64\Beeoaapl.exe
                                                                              C:\Windows\system32\Beeoaapl.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              PID:912
                                                                              • C:\Windows\SysWOW64\Bmpcfdmg.exe
                                                                                C:\Windows\system32\Bmpcfdmg.exe
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Modifies registry class
                                                                                PID:1912
                                                                                • C:\Windows\SysWOW64\Beglgani.exe
                                                                                  C:\Windows\system32\Beglgani.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:1680
                                                                                  • C:\Windows\SysWOW64\Bfhhoi32.exe
                                                                                    C:\Windows\system32\Bfhhoi32.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies registry class
                                                                                    PID:4900
                                                                                    • C:\Windows\SysWOW64\Banllbdn.exe
                                                                                      C:\Windows\system32\Banllbdn.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:4740
                                                                                      • C:\Windows\SysWOW64\Bfkedibe.exe
                                                                                        C:\Windows\system32\Bfkedibe.exe
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Modifies registry class
                                                                                        PID:4760
                                                                                        • C:\Windows\SysWOW64\Bjfaeh32.exe
                                                                                          C:\Windows\system32\Bjfaeh32.exe
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:440
                                                                                          • C:\Windows\SysWOW64\Belebq32.exe
                                                                                            C:\Windows\system32\Belebq32.exe
                                                                                            45⤵
                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:3140
                                                                                            • C:\Windows\SysWOW64\Cfmajipb.exe
                                                                                              C:\Windows\system32\Cfmajipb.exe
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry class
                                                                                              PID:1940
                                                                                              • C:\Windows\SysWOW64\Cndikf32.exe
                                                                                                C:\Windows\system32\Cndikf32.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:4512
                                                                                                • C:\Windows\SysWOW64\Cenahpha.exe
                                                                                                  C:\Windows\system32\Cenahpha.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:2052
                                                                                                  • C:\Windows\SysWOW64\Cfpnph32.exe
                                                                                                    C:\Windows\system32\Cfpnph32.exe
                                                                                                    49⤵
                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Modifies registry class
                                                                                                    PID:3156
                                                                                                    • C:\Windows\SysWOW64\Cmiflbel.exe
                                                                                                      C:\Windows\system32\Cmiflbel.exe
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Modifies registry class
                                                                                                      PID:2008
                                                                                                      • C:\Windows\SysWOW64\Ceqnmpfo.exe
                                                                                                        C:\Windows\system32\Ceqnmpfo.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Modifies registry class
                                                                                                        PID:2780
                                                                                                        • C:\Windows\SysWOW64\Chokikeb.exe
                                                                                                          C:\Windows\system32\Chokikeb.exe
                                                                                                          52⤵
                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                          • Executes dropped EXE
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Modifies registry class
                                                                                                          PID:3712
                                                                                                          • C:\Windows\SysWOW64\Cmlcbbcj.exe
                                                                                                            C:\Windows\system32\Cmlcbbcj.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Modifies registry class
                                                                                                            PID:4904
                                                                                                            • C:\Windows\SysWOW64\Cdfkolkf.exe
                                                                                                              C:\Windows\system32\Cdfkolkf.exe
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Modifies registry class
                                                                                                              PID:3652
                                                                                                              • C:\Windows\SysWOW64\Chagok32.exe
                                                                                                                C:\Windows\system32\Chagok32.exe
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Modifies registry class
                                                                                                                PID:3144
                                                                                                                • C:\Windows\SysWOW64\Cnkplejl.exe
                                                                                                                  C:\Windows\system32\Cnkplejl.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  • Modifies registry class
                                                                                                                  PID:2812
                                                                                                                  • C:\Windows\SysWOW64\Cajlhqjp.exe
                                                                                                                    C:\Windows\system32\Cajlhqjp.exe
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • Modifies registry class
                                                                                                                    PID:1040
                                                                                                                    • C:\Windows\SysWOW64\Ceehho32.exe
                                                                                                                      C:\Windows\system32\Ceehho32.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • Modifies registry class
                                                                                                                      PID:1652
                                                                                                                      • C:\Windows\SysWOW64\Cnnlaehj.exe
                                                                                                                        C:\Windows\system32\Cnnlaehj.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Modifies registry class
                                                                                                                        PID:4356
                                                                                                                        • C:\Windows\SysWOW64\Ddjejl32.exe
                                                                                                                          C:\Windows\system32\Ddjejl32.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Modifies registry class
                                                                                                                          PID:3496
                                                                                                                          • C:\Windows\SysWOW64\Dfiafg32.exe
                                                                                                                            C:\Windows\system32\Dfiafg32.exe
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            • Modifies registry class
                                                                                                                            PID:2124
                                                                                                                            • C:\Windows\SysWOW64\Dopigd32.exe
                                                                                                                              C:\Windows\system32\Dopigd32.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              PID:2532
                                                                                                                              • C:\Windows\SysWOW64\Danecp32.exe
                                                                                                                                C:\Windows\system32\Danecp32.exe
                                                                                                                                63⤵
                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                • Executes dropped EXE
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Modifies registry class
                                                                                                                                PID:3036
                                                                                                                                • C:\Windows\SysWOW64\Dfknkg32.exe
                                                                                                                                  C:\Windows\system32\Dfknkg32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  PID:2384
                                                                                                                                  • C:\Windows\SysWOW64\Dmefhako.exe
                                                                                                                                    C:\Windows\system32\Dmefhako.exe
                                                                                                                                    65⤵
                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:4124
                                                                                                                                    • C:\Windows\SysWOW64\Ddonekbl.exe
                                                                                                                                      C:\Windows\system32\Ddonekbl.exe
                                                                                                                                      66⤵
                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:3752
                                                                                                                                      • C:\Windows\SysWOW64\Dfnjafap.exe
                                                                                                                                        C:\Windows\system32\Dfnjafap.exe
                                                                                                                                        67⤵
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:4480
                                                                                                                                        • C:\Windows\SysWOW64\Dmgbnq32.exe
                                                                                                                                          C:\Windows\system32\Dmgbnq32.exe
                                                                                                                                          68⤵
                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Modifies registry class
                                                                                                                                          PID:1232
                                                                                                                                          • C:\Windows\SysWOW64\Dhmgki32.exe
                                                                                                                                            C:\Windows\system32\Dhmgki32.exe
                                                                                                                                            69⤵
                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            • Modifies registry class
                                                                                                                                            PID:716
                                                                                                                                            • C:\Windows\SysWOW64\Dogogcpo.exe
                                                                                                                                              C:\Windows\system32\Dogogcpo.exe
                                                                                                                                              70⤵
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              • Modifies registry class
                                                                                                                                              PID:408
                                                                                                                                              • C:\Windows\SysWOW64\Dmjocp32.exe
                                                                                                                                                C:\Windows\system32\Dmjocp32.exe
                                                                                                                                                71⤵
                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:2292
                                                                                                                                                • C:\Windows\SysWOW64\Dhocqigp.exe
                                                                                                                                                  C:\Windows\system32\Dhocqigp.exe
                                                                                                                                                  72⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:5068
                                                                                                                                                  • C:\Windows\SysWOW64\Dknpmdfc.exe
                                                                                                                                                    C:\Windows\system32\Dknpmdfc.exe
                                                                                                                                                    73⤵
                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    • Modifies registry class
                                                                                                                                                    PID:3464
                                                                                                                                                    • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                      C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                      74⤵
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:4736
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 408
                                                                                                                                                        75⤵
                                                                                                                                                        • Program crash
                                                                                                                                                        PID:2376
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4736 -ip 4736
    1⤵
      PID:4340

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\Aabmqd32.exe

      Filesize: 90KB
      MD5: cc548f0b617abbd8f7b08ba6babecc3b
      SHA1: 0da55986434190080e2cef647043664d74d59679
      SHA256: 2cdf96618a7608a7ed15727fbcd0627ea86288db6487e02e1da3cb43325edb9f
      SHA512: d30812dfc41c0dafb0319715a414ffed178c7605fec9973bc14e075070f5c817b7ae1864168f7c10c079f6eb961655d78ce85466a120ed87bfa034936aa7cd3d

    • C:\Windows\SysWOW64\Accfbokl.exe

      Filesize: 90KB
      MD5: ad33f1c63af4ee3f4cf21ce248d84dd1
      SHA1: 0f02c9e930222e9f694ffbc6c0981d92c14bef2b
      SHA256: cfb2fddf280a127c9ab545e225e1f38f1d6123a97e33a4390db764441a942585
      SHA512: dec1c1c278b24d9c7f2d1db5dee705bc22506ae867bfdb2d86762023532eb7411133838e23ad1d730827b31f7d8fcb8d5b7fe62abe02521a8b02ae904764cd1c

    • C:\Windows\SysWOW64\Aclpap32.exe

      Filesize: 90KB
      MD5: 53674b7df80d8201994fc825c389e0a8
      SHA1: 9153eaf54aeea3865f57a0fa77a304f5f2c72808
      SHA256: 3ce6e0ca4adccfef349be052fe1051787552f6716f41e3f0d45b2cd9fa967e53
      SHA512: 24a37170241e4eb91ee1e133c5ac4e30484a1faef939ae2a4ea599aadb230b2da551168a041f008dca2f83063f27cccb03ffdc544ab3504cb21e609f1f70da7f

    • C:\Windows\SysWOW64\Acqimo32.exe

      Filesize: 90KB
      MD5: 252f2a7a35791f29a940bc30dd98f662
      SHA1: bde301ccf1db4469b4c2df142ba4b612156117cd
      SHA256: 19c5fe8237a51ccb5b92c1d12ec3e6d24b9dc077baf9ea63f5b4d01653aa842e
      SHA512: f01a77ea1769afd9f658671bd869f0c00a4bdb66fd3c5552ae95ccb566b2f24ab12f11a477bbfb19ad44fafcd024d8cf2bb0808d7187b8ff1081614cb788a58a

    • C:\Windows\SysWOW64\Aeklkchg.exe

      Filesize: 90KB
      MD5: 6f2430d952ef0d6b54f4f4debfd51d83
      SHA1: a668d06db0f883984d66aecee41f8f81430f31d0
      SHA256: 51e11b5c6a24441744777b1363e2b431ff55c8b2d4706997140aaf03c702b57b
      SHA512: cdb81049874c70fe4b4ff808aefa47a719aabb70afdf64af66eeb1aabb2b72517ba1bac836d42a3948356bf06bfb4689ee1693275512db5e5b25ce224b1f9199

    • C:\Windows\SysWOW64\Afjlnk32.exe

      Filesize: 90KB
      MD5: 0fda709e91af155fcabaf54f7fc2db0d
      SHA1: d56bc171105dfaebf2b5f0bb77c409ad26455a5e
      SHA256: 1b11d15e5ae2f56ec2708d579ed0816d0d553de7623567d1d8e8d4c43d34f448
      SHA512: 42c12ad4e6e970a2bb02e73c0b77086c365c8f042d282e5a497f05cd88109ad67a8f70a8efd8dfa4949ce4e9d13d4f2a535a50936c9ee4b2c178b41b7c6dcc91

    • C:\Windows\SysWOW64\Afjlnk32.exe

      Filesize

      90KB

      MD5

      b40320f2e8d8ed99e6586b09f203286e

      SHA1

      7fa72c6bd66ddfbb17a32c30958c7639e1beea35

      SHA256

      1e7da1d31fcf9a0aed124f0c44e2df4dec8fa1159bf3416c6ae98fc9ed4448fb

      SHA512

      b78673d876ab6131d1eee327b8b90b255a8986d9dc580150c50f12ecdc073a1e968e3b5574864b2c9b9fdacbc6ad0f70098dca9cc418fc8ce6acbb7f929d555b

    • C:\Windows\SysWOW64\Afmhck32.exe

      Filesize

      90KB

      MD5

      45afd99bee27d466dea9c5a17b9a0f59

      SHA1

      3bf59dda626cb4bfd6eb165891067b1710efe0d9

      SHA256

      7b42470ab28fa61ddc68ab639badf1235261aa04ad6452d2fe3bfab4b2b14b21

      SHA512

      297bd0ff8af6656c8abda0337ee0034120b1c80cbdd4b436b12557a6402bbf290c021c3a6be71f8a2b1ea0203722ae8d07933d3970540ea1ce2821859498437e

    • C:\Windows\SysWOW64\Ambgef32.exe

      Filesize

      90KB

      MD5

      64477a119c17625879b8616be21041af

      SHA1

      66d2b188ed5fbb8e243300ca4f0c746b4b3f6da2

      SHA256

      862d0727b78f8eeedf89c7dc36f4d1ae70689b2348a6015921f7d2fa2e35a7b9

      SHA512

      be67ff1d9195761edbdddda6da9264cb77b6ef99b7b37c143cc397a7e6a3731d5ef6060abe011721be26a383eea54faf7f90b1f9b1bd943cf328f4f0a3e99c23

    • C:\Windows\SysWOW64\Anfmjhmd.exe

      Filesize

      90KB

      MD5

      72a88335c4e9b9e13909b282c778e4fb

      SHA1

      29cd56b7237b3830f8ba2a3a0b9e24fd5eff8c65

      SHA256

      b12f93b4da873b04195f015ff6c5d662c22c3bc75b02abb241bff1823b30afd8

      SHA512

      888e906915372a8214acd844a75d50f1fcb9d1be2382a56d78d30d41b5b1c622a4c8e81ceaa956c9babaf168635e09b58e9445a96ec40ba0bf265d8935173a4d

    • C:\Windows\SysWOW64\Banllbdn.exe

      Filesize

      90KB

      MD5

      7a6ecb83849bd80340b948b3a9ce4f33

      SHA1

      935ada14fc696976ab3e7b5f18a7204d832fb878

      SHA256

      c2f677f02673b545a74e781ccdd15cf41a958a7df2c2de1dff1207ceb15416a0

      SHA512

      b38224292a8e9523ac17c32f5a28d3bf27232d9e24f6fb90c48da3c675c709cde861a2fb69648ff78898490cdab0df9897be820529b99ba70cbf3b904ee4779d

    • C:\Windows\SysWOW64\Beeoaapl.exe

      Filesize

      90KB

      MD5

      71ec93533a2fd2ce7891b758b8eca459

      SHA1

      6abea3bc1601fd67a721b882dc3c0bbd074ab0da

      SHA256

      942bf3fae01022f67c9504a46b3ca3f9de3d8393250554eb6e12dc83929dff33

      SHA512

      dc20651e02ccbed83068eeccdf78357df590adb3c5e84002341260b3243762ba2836be34d0b8cc78bc3ee94e92435a62c1e9172d71c50b8b7d2c3247db0d59d0

    • C:\Windows\SysWOW64\Beglgani.exe

      Filesize

      90KB

      MD5

      ac21171ff9fb6f1792033d10cd54773c

      SHA1

      6a1283169053c8487f63ff3385e45389e81d7c03

      SHA256

      324eb716cba1f07a3636c3962ef810a9a260e4b894dd43f7be7817b0b42c78e4

      SHA512

      d689bf216f89214981c59f1d47d5727af70f87d071536fdaf73dd12f27da8277ff013786ac332f14d83f4f4c2c9891486b05882801fcb5cfb183d0d9d5f93c27

    • C:\Windows\SysWOW64\Bjfaeh32.exe

      Filesize

      90KB

      MD5

      f97d5334f487d9da40284254072de3e6

      SHA1

      77fdeda80d1dcd284d81fc7487c001ec7b64a2d3

      SHA256

      63cd9c1c1a9aa67d9d09c615cc7b11115481acecb355180750bddd763781f38f

      SHA512

      c53fad58f6c43999d5f0689db734c92ea27aff44d33d748ac5543d3d842ef2a36fc17da29ad02c906162b8b084aefee798372615e495d80f086d0d2a6df351d1

    • C:\Windows\SysWOW64\Cenahpha.exe

      Filesize

      90KB

      MD5

      bb9b2b72ea2ad87402b0273cff2a4f43

      SHA1

      98655f65c867a9d1b77290ea81ea2c602708b242

      SHA256

      53465415c500979b7a598e9a7887b4e4e7a95948c18cdb096b9c5899ba5382c4

      SHA512

      ef6b3c02f8fa4bed7749822831aaafa49d671efb39abf809d318d4832f34c515e33ceed97d1127faf47488b3b4a5456df292a18b48c24aa07c05e163364ef2f3

    • C:\Windows\SysWOW64\Cmlcbbcj.exe

      Filesize

      90KB

      MD5

      cbfac3bb69caf74b940235a93e28d93a

      SHA1

      7bb1534b0d683cc169380536d047b7e0a672fb0a

      SHA256

      55711595bb5a2614e7bd7210ab028fa335bdb9ed2ff1a15b92158955b98a0373

      SHA512

      38c5c2535373a67527926399386abf805989e87107cb71d161e4f9a3b5f9230b51e7c04560b519d085b355367d07418e15c131beaf3f49af9a4ad779933d7cf0

    • C:\Windows\SysWOW64\Cnkplejl.exe

      Filesize

      90KB

      MD5

      a83cfe854d09492caf8d75f8fb81f6aa

      SHA1

      f4faecc14ce096f4d8552c3985664cfa06375b78

      SHA256

      44e81d7baed14f072550200d611b9ba91df6ae6a61fb8145b38f5477c394171a

      SHA512

      88ace07a7a80c2cb723e7402f424c4453d2a982267e982454b4b3259bee0e85d1234a3d7d82e02d77c453872f0dd64520077b9e416c667fc3a3a7e05402237af

    • C:\Windows\SysWOW64\Cnnlaehj.exe

      Filesize

      90KB

      MD5

      27ef7ade232d77b9aec48a95c46c75b2

      SHA1

      fe3e39ffe9d013f771397814741d4f4326c44174

      SHA256

      5561b252f0d213f375e82713b5ec54d5684e3ad3921db22d39da3fa539b9f3b3

      SHA512

      a8e0f1d9935ee105b0e796fc96412ab5247b6f23c51da8d1584ca2db363f5c33d00f46bf97d17e2c120e0319c415ec518e837364c4659beabf13b966350b6d22

    • C:\Windows\SysWOW64\Dmefhako.exe

      Filesize

      90KB

      MD5

      0103a8f0e6147ea89230e5af110fad8d

      SHA1

      b65a0685f229a2da1788ab845d00eda2344bbebe

      SHA256

      844de11a40a067128703274cea6da05bef2561ec377cc866916913aac17bd1c9

      SHA512

      c9bf09464ed6803775216bf18ee7ba7909cae5c0dccaf34b0ab8e0b8f0f112c61e9e2f0615f00683784d2234e2a3a619bfe83d0136380df06927cbc9da0d4f08

    • C:\Windows\SysWOW64\Dmgbnq32.exe

      Filesize

      90KB

      MD5

      db003acb085e06d5c648cfa8602e41c8

      SHA1

      e562798bb31f793ce5e205ed68a2cc939bdea02f

      SHA256

      f2de9a1e5e10a67181b34129855937fcdaa877a5affed9032d6d955a7cdd78fc

      SHA512

      1f6b1a784536a68f2c79d3a38a1f100dfda0dab1b5105bacb471254c1aaf0e2de3146dc322f55331c0027ad217dcd63781b18b3a304671bd1f14a86653ced62c

    • C:\Windows\SysWOW64\Dmllipeg.exe

      Filesize

      90KB

      MD5

      402c3c874f74bede4457a0b61acf0f93

      SHA1

      1fe106e7997b74d38685c7b44880738e928633e6

      SHA256

      4dad05dd36c40a2eafbb0d050956ce6d55c71c632d4eebdadd67b5ed798a4dcb

      SHA512

      53751bc581b6546a52e086e97f23b817fbc3f327c56dbcba0e69a258e57fd748e1846b47dad544f81cf2b7fe1506b5f97267c7d65cb30cad2f11e2b6f09385d6

    • C:\Windows\SysWOW64\Dopigd32.exe

      Filesize

      90KB

      MD5

      67872aabc9c4a74d22fa29513b7d2f85

      SHA1

      2703f3c8314f40c1d7d1e3cb333d337e2525e9cd

      SHA256

      1f25d7082e1e4dadefdb4ea8b2afc5bfd44aa594f53b8ebbbe1e6a46f6f88789

      SHA512

      1fd39c06509f60218e841f649513b563bfe0c1c338e246cc96de80ea9d8c48f0cd299b1b4dfb0a70dc7cb02d375680158c5bef345c49c4cf7f3fb1a35c1a2362

    • C:\Windows\SysWOW64\Jfpbkoql.dll

      Filesize

      7KB

      MD5

      697259be4b5e7d2c50f4108b9ee45ff2

      SHA1

      6cab5af33316409e3188a4d1fdde573784a0aeee

      SHA256

      3e3bc98dd0f4ea64d663de9b1e622f3be6fd05942deeb704b686ebfe4601500a

      SHA512

      f7f9695dc73cb2fd1a67e8f02fa56fea2507aa82da7bf466fe702af5868ab0f3e172a6b134a559d059b1fc5c8e04699227ee6fe88a85274eb26ec0d81d7d2768

    • C:\Windows\SysWOW64\Ocgmpccl.exe

      Filesize

      90KB

      MD5

      c163079f67b5322d23d1ce97e351c393

      SHA1

      a218809b107325642ac43ede3fdb4dd10ea41b49

      SHA256

      5c49a3ac84bf9ddd3029eefe65e0d32559d11c013bb9c8b3d831a4a5be5f7fc3

      SHA512

      acd6a994e4808c01ffe4cceba20786d37db9fda81a2af2caa48360345513527af2b5522f4231f36d315ea6c5809ff2a74d660bbdc72b6e7d5207fd6301ef608e

    • C:\Windows\SysWOW64\Ofeilobp.exe

      Filesize

      90KB

      MD5

      af41732381a8a4be6c24ac2eb26e5062

      SHA1

      94f6c531f05b34d220315798327de3f0d57570a1

      SHA256

      1f0a31a5b35bf4e5babab38fa84510fa6cfa05076d5efcd30be8db64cd449b30

      SHA512

      41a751c5cdfa8e94534e5aef84f94ffa9fbdad99ad145c07088efa30835edce1aadb82341b080a879c1a1901d613fe8f69f8b1603f68bf0b970cfc557236a079

    • C:\Windows\SysWOW64\Ogpmjb32.exe

      Filesize

      90KB

      MD5

      949b50bfb4f3a4bbb4bf1de95217b91d

      SHA1

      ca2aec55aa10f0db905579faeb65dc8122da5cc2

      SHA256

      2323d6731ee8628ec8702cd6c9b558141af52f66b68d56ab3a187309a0820a2d

      SHA512

      09252f03b2961b0df5653400af7e1aa6b22b960e18e0d674a943e50638ffc63c11f4cb85389ccd572dabc528e1ea6406658191927d5f7750dc602165c00026bd

    • C:\Windows\SysWOW64\Olkhmi32.exe

      Filesize

      90KB

      MD5

      61df0f256c9fdbc980c4c968a3512536

      SHA1

      f5eeb4e6f5da3fc19eafeb792f61605712c354bb

      SHA256

      93a0cde1aada7b1346613fb3712d8d526711a600b96fa55cb408fee7cb68dc2a

      SHA512

      a03b7bf65c756c3191e294e54cbb237af5570c0a11b9aab10228a0556b44130488102b022f471c8af741b0c2dcc2ec33a38e108063377afc7e64913717191ec1

    • C:\Windows\SysWOW64\Onjegled.exe

      Filesize

      90KB

      MD5

      d4283dec154c52faed6736f9d1764b39

      SHA1

      bf906810837a6c4f78e4140307a23ac85a3683f6

      SHA256

      69512d524facf36a73d057042efa889d81e1e66a0b01a77fb86f17bf0c3a2117

      SHA512

      b2293eef08e7c364c8315878ceca16d5751c841f40ad71ca170874c9875f73ce3f0bc3c8f707afd11e592fe06d5f6bb410ad219eb0d985a05bc775a3d0945d1c

    • C:\Windows\SysWOW64\Oqhacgdh.exe

      Filesize

      90KB

      MD5

      0d87fae205677fe146b08fb14d48d78b

      SHA1

      6a4227a8cfc5727755904243310ac5a0093df7ce

      SHA256

      11bed7424bb2676e2d1da1e36b2b9cfa9dfd6ff8356eb7557a4f3f151e8da6eb

      SHA512

      dd3740f426f4a3ceb701616b6a4d44b4c50853fe2512ddc26fd0d430d1ea4ad5f6a640f5c73e36ddcc8e9171c61e5f4508f9ca3fe3a7499db93269aca6e91c38

    • C:\Windows\SysWOW64\Pclgkb32.exe

      Filesize

      90KB

      MD5

      a6754271c0df2ce4fc002ab93c9283d6

      SHA1

      a5c0eddf7dc3ddf1d03debdcc3da4f6f18c06cfe

      SHA256

      9f0d89bc4f15df704c8b95d83b3cb9c603ea968c0c7afa56cb7e0eb1d06dc0ed

      SHA512

      b4165a97a8bbf912a3fe3405ea1aa69df8d22cb95cbc55cd8a4a5c69d053bae1949baf09eb30de2f382fa52c820d4d3956b1ac02ef5382d7817e14be28d4c6a0

    • C:\Windows\SysWOW64\Pcncpbmd.exe

      Filesize

      90KB

      MD5

      634bc376c3234ab9d5b02a328564149e

      SHA1

      544c73b55450536a5dee9493a9fdc8011c694ee9

      SHA256

      beae4029b5b07a336259283a93f711d73aa6c35cbf5e7da4d34c3cdfb3c51694

      SHA512

      1bbcf46e2838ec336a804619e7e8fdad91e485ffa0ad6159c35a59c860b1e9f649a54574fc14c2f20d83e9e91a827116d02467f17ee2c1ed368dd4a36df4e2ee

    • C:\Windows\SysWOW64\Pcppfaka.exe

      Filesize

      90KB

      MD5

      8f601dd7e055d33bc9613dd2bcdbfe28

      SHA1

      2e56bd6b5bb2dce28cb73a4a36b73eb4e7404d4d

      SHA256

      ffa25d63a935e81b5cef12cbdeda1cd61619720b74a55858aaf18f104ef57cfa

      SHA512

      04bc5268ce73a123c3a0da174622f28d20fa135d46eff6452770a80f3c0a526807465acc906d320ca42bd2e3c00b7dd733fd6be43b19ffd1f88d70d13e71ffb4

    • C:\Windows\SysWOW64\Pdfjifjo.exe

      Filesize

      90KB

      MD5

      fed2880bd43579132b398413d992c38e

      SHA1

      087e326bfb86f395707b55bca48833afe3e15647

      SHA256

      4e6aca13f2c5fb2363f031838d70fa8431dfefdd40aa024c0a516a7dfdb1c7af

      SHA512

      93c6ab3fccda0d8ed621a9825705a2c1b45334a8a78648e2036ef3999bc95621e57df6850f8ca0e161dab8ba1d271b236e240d52a35b3510a87b85cbbe5778c7

    • C:\Windows\SysWOW64\Pdpmpdbd.exe

      Filesize

      90KB

      MD5

      92f61b912bf375f409bc7e98c383db2b

      SHA1

      72bfd48eac529afd960847e05325025434d4391d

      SHA256

      adb71e442c73a65eeaeb9415fbca585b7b4f3a77542db047c4674de4d3463e80

      SHA512

      4849d3adedce6974584d0d5a514fc450f565a3b24f5b8fe6635dcaec0017cc99493dc201f9c8fd468193fdfcb251e0dda6a10aba462aca902604f3ee99ab795f

    • C:\Windows\SysWOW64\Pfaigm32.exe

      Filesize

      90KB

      MD5

      33bb0509602b4586611a78edc17b9c3d

      SHA1

      c726cea2c25f1dc8dc995b95f2507bdaeaf6b971

      SHA256

      cb6a64d1627eabc678a4540708499810b7cbb04c6a35a179659e491a3acf28bc

      SHA512

      0245b9866bc9bf2445a949e84689fba7546af05d5e874bcf9b44a9a0d103eb09c6431bf29d66498f4f047093738d651bc5e73fb6669602eef8546088cbc6d9f3

    • C:\Windows\SysWOW64\Pfhfan32.exe

      Filesize

      90KB

      MD5

      73c18a5682179d6c18edc140299aa3e0

      SHA1

      7a9b8428100ab4df72e94ef6d72ea42f3a25f4a3

      SHA256

      cb946d387843f68bc2ad78ac65781f62bb77b8f2b7f0d3e4ef687582ebb5ad8f

      SHA512

      770f1040d64e6108d46805a4ebea6b3c4a3f10c50c6b2b8c4a77e43e0687115b716df7c1abf88295577059f5ca678e9fa9e9ab6a8813b1bf7f0357f4c92ea97f

    • C:\Windows\SysWOW64\Pfjcgn32.exe

      Filesize

      90KB

      MD5

      c3a643cf7e1c3e465580e3afa5058042

      SHA1

      51090f16172496873aac4287ac412f17614add5f

      SHA256

      53e5cf5e7853427845825f1e0e6cf36427f2d0ee6e77c13747eaaf6f33c151d7

      SHA512

      e46e6aa5ca7b7c7e86233917788f23579b518755d60208bc2603f5a30de588fb78496d03d14266b432aa4c548074d7171c179d4e01f8ed20475c2ff2eb455da4

    • C:\Windows\SysWOW64\Pjjhbl32.exe

      Filesize

      90KB

      MD5

      b45186ea717ee90f03d0ba44649f62be

      SHA1

      876895bd1ec3bdc4df983f7b8dab7dfa001880b5

      SHA256

      ac5aba45ff22bd74c523d57c955e8342b415a1df2cb16bc55e5442306e1aa02a

      SHA512

      3ead52af5970bd7791216bddc973242bbb0db144b776e6c495163d1945abc753d13cda93785becf01af955f9aaa2a5dfd9b01ba6814ede52c31e9cc6e428ebc0

    • C:\Windows\SysWOW64\Pmdkch32.exe

      Filesize

      90KB

      MD5

      2fcb3557906ccf5caa458082c60fd942

      SHA1

      917b4a3bfd5058b8135c2d712c8e0de72aeb3fd2

      SHA256

      4ea4c0e717caeaf2862e6691b5beef545985f6fc82ea0587e621a0facc882bca

      SHA512

      aaae019dd9ded9826f97438b57971437715b470af8dea4a0bd40520ffd7329d3a1822e448c7e88437da7bd505c35353ecc6e366f872a3877e3ed08dbe5029a2c

    • C:\Windows\SysWOW64\Pncgmkmj.exe

      Filesize

      90KB

      MD5

      7e9ccfae5f18297759f151a96d7c4f8b

      SHA1

      d2389f4e13ecd618266b3112289abf5a11c2d66c

      SHA256

      4f336fc52c69fca06a2dc442e0b57b6f4837caadccb60bc1d33a3e73f4318981

      SHA512

      9cc42996b6ae24e1064c81da13c5f63c61ce347f16f131cbd04dc927ea44163272798a0a97788a8909ff36b278a652dc51eec219f3dc7efd79bdae26ab067d4d

    • C:\Windows\SysWOW64\Pnonbk32.exe

      Filesize

      90KB

      MD5

      20aa1042dfd47cca3f21c3732fcff341

      SHA1

      23e027b1cc2442e2fde6b6ec1ac80aebe043c99f

      SHA256

      b893148004de9ce7afb3c3b361ddf64934875aeaac590ba7950659c61ad29f9d

      SHA512

      dc5239762df48c6b2c3d7ce8319cb5b227c70ed0ffe35a0212dbc26424225de034af6e6fb8a16638c3b2ed3efcb10a06ed849789b7cd7c2cff14cab455d812ac

    • C:\Windows\SysWOW64\Pqbdjfln.exe

      Filesize

      90KB

      MD5

      894a26839307f3219293abe1cceb4be9

      SHA1

      967313f02aa1d795a0ecc172e9fe3ebf6e52071d

      SHA256

      d35baaa2872b7aefb47d6a7e4a99929954bb39c1900ad9486a6bc1ee679df3b0

      SHA512

      3f1bcbcba450c0988ad0181c1dd0a4f8e960e2c97957f8edba82b06ae40e4d93528e49de920b47c17ff55fd91280fbfbf0813c425aff5dbd4231460cf34cb19c

    • C:\Windows\SysWOW64\Pqmjog32.exe

      Filesize

      90KB

      MD5

      cc3bcdf7ffb87ace0ca09e1153c3dcec

      SHA1

      29c6d0b6908ef667d9739570f1699befd986c208

      SHA256

      084ce93e0fa79b806437e173ee56fab4b0da27611801578b1eb5bb0754cbf379

      SHA512

      e46d0d3ca992ce39431c33d544d40d92187062bcbc7c58ffe97dceed301cf941cc83695727e89c0ed733aa2d90639d68975bab27324ab845c3f0665e73568bce

    • C:\Windows\SysWOW64\Qceiaa32.exe

      Filesize

      90KB

      MD5

      1a19721596ac3cace1bfc6599d2d61e6

      SHA1

      88f456313a422b2999dbe591576ecad7ea42d392

      SHA256

      4d3815a0dfa50d8c03488fcc2d14cd88719b5e3103879000fdf859c9a8e9f41f

      SHA512

      61c7bdcd135257e138f59de171bbaf3326e3e18f2544d8aa0932b4933c1f7c5ddcfd28668baa0739f134331bc24b62f267083f4c8e0cd3cd3c500739affdc53c

    • C:\Windows\SysWOW64\Qnhahj32.exe

      Filesize

      90KB

      MD5

      e75de4064b01a04527be04b72bc00dec

      SHA1

      2e70dfacfc0bb40791674e4e4f6b5de7fb736e87

      SHA256

      043ca813803f67d83232a0f83125d5611c9c80ff7b8bebea856dd83d287c9322

      SHA512

      18a1c8cbdbbaee9842d5e5d3b52dabb1c32779d08567cf57ba351fed6b0509c305f06b1d436f3a54e9fa6499dc0918a29782ba5d48164439354954ecd86f7068

    • C:\Windows\SysWOW64\Qqfmde32.exe

      Filesize

      90KB

      MD5

      e4dfe4293e6582a2d54b051d5633f934

      SHA1

      6858e50c62fd6c0dcdbff0d4643ead773f53457a

      SHA256

      c55c93effd522742e2f2b28a845641ee5a789a348ab9fc2c371bb88bea28ef6c

      SHA512

      331e1799b2ef748c926b7bf5cd0af41584bd3d3a202dc670d034fd6740cfaf84d4d3f9de8f549d2ea250c30f02f05cffc19d19be47bcd413419b3948d27f8b90

    • memory/208-103-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/212-88-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/408-482-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/440-322-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/644-176-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/716-472-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/716-507-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/912-286-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1004-80-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1040-400-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1232-508-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1232-466-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1408-231-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1556-223-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1652-514-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1652-406-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1680-298-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1912-292-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1940-334-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1968-36-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1988-96-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2000-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2008-521-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2008-358-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2024-23-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2052-346-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2052-523-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2124-511-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2124-424-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2144-247-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2152-39-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2292-484-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2292-506-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2384-442-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2492-71-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2532-430-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2532-510-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2720-172-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2780-520-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2780-364-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2784-262-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2812-394-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2812-515-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2828-274-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3036-436-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3036-509-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3140-328-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3144-516-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3144-388-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3156-522-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3156-352-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3260-127-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3444-111-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3464-504-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3464-496-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3496-418-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3496-512-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3652-386-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3652-517-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3656-15-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3676-159-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3712-370-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3712-519-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3752-458-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3872-268-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3944-47-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3964-183-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4040-7-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4100-280-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4124-448-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4144-135-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4252-239-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4336-143-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4356-513-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4356-412-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4412-256-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4448-191-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4480-460-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4512-340-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4512-524-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4528-151-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4564-119-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4716-207-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4736-502-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4736-503-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4740-310-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4748-55-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4760-316-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4856-216-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4900-304-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4904-518-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4904-376-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/5052-64-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/5068-494-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/5068-505-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/5084-199-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB
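Two things in the listing above are worth checking mechanically before the hashes go into a blocklist: every dropped .exe is 90KB yet no two share a digest (so hash matching alone will not catch the next copy), and C:\Windows\SysWOW64\Afjlnk32.exe is listed twice with different content, meaning the same path was written more than once during the run. The memory dumps all cover 0x400000-0x43D000, and that span should agree with the stated 244KB. The script below is an added example, not part of the report, that parses this "• path / label / value" layout, validates digest lengths, reports paths rewritten with different content, and cross-checks each dump's address range against its stated size. The sample input is a subset of the listing copied verbatim, with the SHA512 lines left out for brevity.

```python
import re
from collections import defaultdict
from typing import Dict, List

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SIZE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB)$")
MEMDUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_size(text: str) -> int:
    """'90KB' -> 92160.  The report rounds to whole units, so treat as approximate."""
    m = SIZE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * {"B": 1, "KB": 1024, "MB": 1024 ** 2}[m.group(2)])


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Turn the '• path / Filesize / 90KB / MD5 / ...' layout into one dict per entry."""
    entries: List[Dict[str, str]] = []
    cur, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            cur, key = {"path": line[2:].strip()}, None
            entries.append(cur)
        elif cur is not None and key is None:
            key = line                      # a label such as "SHA256"
        elif cur is not None:
            cur[key], key = line, None      # the value that follows the label
    return entries


def validate_hashes(entry: Dict[str, str]) -> List[str]:
    """Catch truncated or mangled digests before they go into a blocklist."""
    problems = []
    for algo, n in HASH_LEN.items():
        v = entry.get(algo)
        if v is not None and re.fullmatch(r"[0-9a-f]{%d}" % n, v) is None:
            problems.append(f"{entry['path']}: bad {algo} {v!r}")
    return problems


def rewritten_paths(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Paths that appear more than once with different content."""
    seen = defaultdict(set)
    for e in entries:
        if "SHA256" in e:
            seen[e["path"]].add(e["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def unique_sha256(entries: List[Dict[str, str]]) -> List[str]:
    return sorted({e["SHA256"] for e in entries if "SHA256" in e})


def memory_region_mismatches(entries: List[Dict[str, str]]) -> List[str]:
    """Dump names carry start/end addresses; the span must equal the stated size."""
    bad = []
    for e in entries:
        m = MEMDUMP.match(e["path"])
        if m and int(m.group(4), 16) - int(m.group(3), 16) != parse_size(e["Filesize"]):
            bad.append(e["path"])
    return bad


# Constructed input: a subset of the listing above, copied verbatim (SHA512 omitted).
SAMPLE_LISTING = r"""
• C:\Windows\SysWOW64\Afjlnk32.exe
  Filesize
  90KB
  MD5
  0fda709e91af155fcabaf54f7fc2db0d
  SHA1
  d56bc171105dfaebf2b5f0bb77c409ad26455a5e
  SHA256
  1b11d15e5ae2f56ec2708d579ed0816d0d553de7623567d1d8e8d4c43d34f448

• C:\Windows\SysWOW64\Afjlnk32.exe
  Filesize
  90KB
  MD5
  b40320f2e8d8ed99e6586b09f203286e
  SHA1
  7fa72c6bd66ddfbb17a32c30958c7639e1beea35
  SHA256
  1e7da1d31fcf9a0aed124f0c44e2df4dec8fa1159bf3416c6ae98fc9ed4448fb

• memory/4736-502-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize
  244KB
"""
```

Run it over the full listing pasted into `SAMPLE_LISTING` and `rewritten_paths` names the one overwritten path while `unique_sha256` gives the blocklist; the memory check passing (0x43D000 - 0x400000 = 0x3D000 = 244KB) confirms the dumps are whole images of the 90KB droppers mapped at their fixed 0x400000 base rather than partial regions.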