Analysis

  • max time kernel: 94s
  • max time network: 147s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 23-12-2024 20:56

General

  • Target: 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe
  • Size: 96KB
  • MD5: 8a8dac66ee82f2a53d6ed181cd0fc9ba
  • SHA1: cd2423566fe2e0b8d7830b9e5d0d81e6094e9fd0
  • SHA256: 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684
  • SHA512: a78ade0cda2315f73c2a93d420db988e67d258401da1b2e2ce7ea8f01610f344d1b630801a302155d2e10ad5bf08a88c84f36d6e1bbed2c8a92b2fd6955d5464
  • SSDEEP: 1536:zjyesN0FugpMcHHpE2Ve5cxuLeWZnFto3STX7fjnLvz3b/DHrP7fjnLCWS+sOK2g:6esN0XpzE3XLeWZFKCTX7fjnLvz3b/Da

Malware Config

Extracted

  • Family: berbew
  • C2:
    http://f/wcmd.htm
    http://f/ppslog.php
    http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE (64 IoCs)
  • Drops file in System32 directory (64 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe
    "C:\Users\Admin\AppData\Local\Temp\3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Windows\SysWOW64\Pdpmpdbd.exe
      C:\Windows\system32\Pdpmpdbd.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\SysWOW64\Pfaigm32.exe
        C:\Windows\system32\Pfaigm32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3904
        • C:\Windows\SysWOW64\Qnhahj32.exe
          C:\Windows\system32\Qnhahj32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4896
          • C:\Windows\SysWOW64\Qmkadgpo.exe
            C:\Windows\system32\Qmkadgpo.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2032
            • C:\Windows\SysWOW64\Qdbiedpa.exe
              C:\Windows\system32\Qdbiedpa.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2292
              • C:\Windows\SysWOW64\Qceiaa32.exe
                C:\Windows\system32\Qceiaa32.exe
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4764
                • C:\Windows\SysWOW64\Qfcfml32.exe
                  C:\Windows\system32\Qfcfml32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1464
                  • C:\Windows\SysWOW64\Qmmnjfnl.exe
                    C:\Windows\system32\Qmmnjfnl.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of WriteProcessMemory
                    PID:3772
                    • C:\Windows\SysWOW64\Qcgffqei.exe
                      C:\Windows\system32\Qcgffqei.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3560
                      • C:\Windows\SysWOW64\Qgcbgo32.exe
                        C:\Windows\system32\Qgcbgo32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:4656
                        • C:\Windows\SysWOW64\Anmjcieo.exe
                          C:\Windows\system32\Anmjcieo.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Suspicious use of WriteProcessMemory
                          PID:208
                          • C:\Windows\SysWOW64\Ampkof32.exe
                            C:\Windows\system32\Ampkof32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:4056
                            • C:\Windows\SysWOW64\Acjclpcf.exe
                              C:\Windows\system32\Acjclpcf.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:3704
                              • C:\Windows\SysWOW64\Afhohlbj.exe
                                C:\Windows\system32\Afhohlbj.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:4812
                                • C:\Windows\SysWOW64\Anogiicl.exe
                                  C:\Windows\system32\Anogiicl.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:2240
                                  • C:\Windows\SysWOW64\Aqncedbp.exe
                                    C:\Windows\system32\Aqncedbp.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:4840
                                    • C:\Windows\SysWOW64\Aeiofcji.exe
                                      C:\Windows\system32\Aeiofcji.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:3748
                                      • C:\Windows\SysWOW64\Amddjegd.exe
                                        C:\Windows\system32\Amddjegd.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:5116
                                        • C:\Windows\SysWOW64\Agjhgngj.exe
                                          C:\Windows\system32\Agjhgngj.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:4804
                                          • C:\Windows\SysWOW64\Acqimo32.exe
                                            C:\Windows\system32\Acqimo32.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of WriteProcessMemory
                                            PID:3688
                                            • C:\Windows\SysWOW64\Ajkaii32.exe
                                              C:\Windows\system32\Ajkaii32.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:1564
                                              • C:\Windows\SysWOW64\Aminee32.exe
                                                C:\Windows\system32\Aminee32.exe
                                                23⤵
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                PID:3156
                                                • C:\Windows\SysWOW64\Accfbokl.exe
                                                  C:\Windows\system32\Accfbokl.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  PID:2488
                                                  • C:\Windows\SysWOW64\Bfabnjjp.exe
                                                    C:\Windows\system32\Bfabnjjp.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:4172
                                                    • C:\Windows\SysWOW64\Bmkjkd32.exe
                                                      C:\Windows\system32\Bmkjkd32.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2900
                                                      • C:\Windows\SysWOW64\Bcebhoii.exe
                                                        C:\Windows\system32\Bcebhoii.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        PID:652
                                                        • C:\Windows\SysWOW64\Bjokdipf.exe
                                                          C:\Windows\system32\Bjokdipf.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          PID:3040
                                                          • C:\Windows\SysWOW64\Bnkgeg32.exe
                                                            C:\Windows\system32\Bnkgeg32.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies registry class
                                                            PID:1496
                                                            • C:\Windows\SysWOW64\Bffkij32.exe
                                                              C:\Windows\system32\Bffkij32.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              • Modifies registry class
                                                              PID:3548
                                                              • C:\Windows\SysWOW64\Balpgb32.exe
                                                                C:\Windows\system32\Balpgb32.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                PID:2784
                                                                • C:\Windows\SysWOW64\Bcjlcn32.exe
                                                                  C:\Windows\system32\Bcjlcn32.exe
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Modifies registry class
                                                                  PID:2112
                                                                  • C:\Windows\SysWOW64\Bfhhoi32.exe
                                                                    C:\Windows\system32\Bfhhoi32.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Modifies registry class
                                                                    PID:2960
                                                                    • C:\Windows\SysWOW64\Bjddphlq.exe
                                                                      C:\Windows\system32\Bjddphlq.exe
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • Modifies registry class
                                                                      PID:1640
                                                                      • C:\Windows\SysWOW64\Bnpppgdj.exe
                                                                        C:\Windows\system32\Bnpppgdj.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:5088
                                                                        • C:\Windows\SysWOW64\Banllbdn.exe
                                                                          C:\Windows\system32\Banllbdn.exe
                                                                          36⤵
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          PID:4148
                                                                          • C:\Windows\SysWOW64\Bhhdil32.exe
                                                                            C:\Windows\system32\Bhhdil32.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Modifies registry class
                                                                            PID:3092
                                                                            • C:\Windows\SysWOW64\Bnbmefbg.exe
                                                                              C:\Windows\system32\Bnbmefbg.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              PID:1400
                                                                              • C:\Windows\SysWOW64\Bapiabak.exe
                                                                                C:\Windows\system32\Bapiabak.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • Modifies registry class
                                                                                PID:3756
                                                                                • C:\Windows\SysWOW64\Cfmajipb.exe
                                                                                  C:\Windows\system32\Cfmajipb.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  PID:3972
                                                                                  • C:\Windows\SysWOW64\Cndikf32.exe
                                                                                    C:\Windows\system32\Cndikf32.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:3732
                                                                                    • C:\Windows\SysWOW64\Cabfga32.exe
                                                                                      C:\Windows\system32\Cabfga32.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:2512
                                                                                      • C:\Windows\SysWOW64\Cdabcm32.exe
                                                                                        C:\Windows\system32\Cdabcm32.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Modifies registry class
                                                                                        PID:4128
                                                                                        • C:\Windows\SysWOW64\Cfpnph32.exe
                                                                                          C:\Windows\system32\Cfpnph32.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:4072
                                                                                          • C:\Windows\SysWOW64\Cnffqf32.exe
                                                                                            C:\Windows\system32\Cnffqf32.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:3044
                                                                                            • C:\Windows\SysWOW64\Caebma32.exe
                                                                                              C:\Windows\system32\Caebma32.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry class
                                                                                              PID:2128
                                                                                              • C:\Windows\SysWOW64\Cdcoim32.exe
                                                                                                C:\Windows\system32\Cdcoim32.exe
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • Modifies registry class
                                                                                                PID:2172
                                                                                                • C:\Windows\SysWOW64\Chokikeb.exe
                                                                                                  C:\Windows\system32\Chokikeb.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • Modifies registry class
                                                                                                  PID:2460
                                                                                                  • C:\Windows\SysWOW64\Cjmgfgdf.exe
                                                                                                    C:\Windows\system32\Cjmgfgdf.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:2884
                                                                                                    • C:\Windows\SysWOW64\Cdfkolkf.exe
                                                                                                      C:\Windows\system32\Cdfkolkf.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:2092
                                                                                                      • C:\Windows\SysWOW64\Cjpckf32.exe
                                                                                                        C:\Windows\system32\Cjpckf32.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:2204
                                                                                                        • C:\Windows\SysWOW64\Cajlhqjp.exe
                                                                                                          C:\Windows\system32\Cajlhqjp.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Modifies registry class
                                                                                                          PID:4280
                                                                                                          • C:\Windows\SysWOW64\Ceehho32.exe
                                                                                                            C:\Windows\system32\Ceehho32.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Modifies registry class
                                                                                                            PID:1692
                                                                                                            • C:\Windows\SysWOW64\Cffdpghg.exe
                                                                                                              C:\Windows\system32\Cffdpghg.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:3680
                                                                                                              • C:\Windows\SysWOW64\Cnnlaehj.exe
                                                                                                                C:\Windows\system32\Cnnlaehj.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:3760
                                                                                                                • C:\Windows\SysWOW64\Calhnpgn.exe
                                                                                                                  C:\Windows\system32\Calhnpgn.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  • Modifies registry class
                                                                                                                  PID:5084
                                                                                                                  • C:\Windows\SysWOW64\Ddjejl32.exe
                                                                                                                    C:\Windows\system32\Ddjejl32.exe
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Modifies registry class
                                                                                                                    PID:220
                                                                                                                    • C:\Windows\SysWOW64\Dhfajjoj.exe
                                                                                                                      C:\Windows\system32\Dhfajjoj.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      • Modifies registry class
                                                                                                                      PID:3180
                                                                                                                      • C:\Windows\SysWOW64\Djdmffnn.exe
                                                                                                                        C:\Windows\system32\Djdmffnn.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Modifies registry class
                                                                                                                        PID:2824
                                                                                                                        • C:\Windows\SysWOW64\Dopigd32.exe
                                                                                                                          C:\Windows\system32\Dopigd32.exe
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          PID:4424
                                                                                                                          • C:\Windows\SysWOW64\Danecp32.exe
                                                                                                                            C:\Windows\system32\Danecp32.exe
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            • Modifies registry class
                                                                                                                            PID:3500
                                                                                                                            • C:\Windows\SysWOW64\Dejacond.exe
                                                                                                                              C:\Windows\system32\Dejacond.exe
                                                                                                                              62⤵
                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Modifies registry class
                                                                                                                              PID:4788
                                                                                                                              • C:\Windows\SysWOW64\Djgjlelk.exe
                                                                                                                                C:\Windows\system32\Djgjlelk.exe
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Modifies registry class
                                                                                                                                PID:2020
                                                                                                                                • C:\Windows\SysWOW64\Dmefhako.exe
                                                                                                                                  C:\Windows\system32\Dmefhako.exe
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:4868
                                                                                                                                  • C:\Windows\SysWOW64\Delnin32.exe
                                                                                                                                    C:\Windows\system32\Delnin32.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:936
                                                                                                                                    • C:\Windows\SysWOW64\Ddonekbl.exe
                                                                                                                                      C:\Windows\system32\Ddonekbl.exe
                                                                                                                                      66⤵
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      • Modifies registry class
                                                                                                                                      PID:1860
                                                                                                                                      • C:\Windows\SysWOW64\Dfnjafap.exe
                                                                                                                                        C:\Windows\system32\Dfnjafap.exe
                                                                                                                                        67⤵
                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        • Modifies registry class
                                                                                                                                        PID:4920
                                                                                                                                        • C:\Windows\SysWOW64\Dkifae32.exe
                                                                                                                                          C:\Windows\system32\Dkifae32.exe
                                                                                                                                          68⤵
                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Modifies registry class
                                                                                                                                          PID:4440
                                                                                                                                          • C:\Windows\SysWOW64\Dmgbnq32.exe
                                                                                                                                            C:\Windows\system32\Dmgbnq32.exe
                                                                                                                                            69⤵
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:3088
                                                                                                                                            • C:\Windows\SysWOW64\Daconoae.exe
                                                                                                                                              C:\Windows\system32\Daconoae.exe
                                                                                                                                              70⤵
                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:1008
                                                                                                                                              • C:\Windows\SysWOW64\Ddakjkqi.exe
                                                                                                                                                C:\Windows\system32\Ddakjkqi.exe
                                                                                                                                                71⤵
                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:1840
                                                                                                                                                • C:\Windows\SysWOW64\Dfpgffpm.exe
                                                                                                                                                  C:\Windows\system32\Dfpgffpm.exe
                                                                                                                                                  72⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:3992
                                                                                                                                                  • C:\Windows\SysWOW64\Dogogcpo.exe
                                                                                                                                                    C:\Windows\system32\Dogogcpo.exe
                                                                                                                                                    73⤵
                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                    • Modifies registry class
                                                                                                                                                    PID:2388
                                                                                                                                                    • C:\Windows\SysWOW64\Daekdooc.exe
                                                                                                                                                      C:\Windows\system32\Daekdooc.exe
                                                                                                                                                      74⤵
                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:2432
                                                                                                                                                      • C:\Windows\SysWOW64\Deagdn32.exe
                                                                                                                                                        C:\Windows\system32\Deagdn32.exe
                                                                                                                                                        75⤵
                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        PID:1908
                                                                                                                                                        • C:\Windows\SysWOW64\Dddhpjof.exe
                                                                                                                                                          C:\Windows\system32\Dddhpjof.exe
                                                                                                                                                          76⤵
                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          • Modifies registry class
                                                                                                                                                          PID:2340
                                                                                                                                                          • C:\Windows\SysWOW64\Dhocqigp.exe
                                                                                                                                                            C:\Windows\system32\Dhocqigp.exe
                                                                                                                                                            77⤵
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            • Modifies registry class
                                                                                                                                                            PID:5056
                                                                                                                                                            • C:\Windows\SysWOW64\Dknpmdfc.exe
                                                                                                                                                              C:\Windows\system32\Dknpmdfc.exe
                                                                                                                                                              78⤵
                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:4000
                                                                                                                                                              • C:\Windows\SysWOW64\Doilmc32.exe
                                                                                                                                                                C:\Windows\system32\Doilmc32.exe
                                                                                                                                                                79⤵
                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                • Modifies registry class
                                                                                                                                                                PID:3872
                                                                                                                                                                • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                                  C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                                  80⤵
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:2760
                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 416
                                                                                                                                                                    81⤵
                                                                                                                                                                    • Program crash
                                                                                                                                                                    PID:1584
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2760 -ip 2760
    1⤵
      PID:932

    Downloads
