Analysis

  • max time kernel
    114s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/09/2024, 16:01

General

  • Target

    Backdoor.Win32.Berbew.AA.exe

  • Size

    77KB

  • MD5

    83f3054629691b5ae7a3282996cb1f50

  • SHA1

    8a3dc8c4c92514e2946d3f48ce44166116eb2374

  • SHA256

    2fcc4ee085f6f7629e950c9548917c0fbb58cd89adf60834154df7172b4745df

  • SHA512

    036f3f80fbfaa4fe5aea12901ed1b64f686126210de2380c372f02709e6b0f4172f7076b3ab289721f023661b756dedf711bae0aae9bdaa1fffa0a5d8f737071

  • SSDEEP

    1536:9XPV0ANuX4IWarUUCS0Ej/DGyP2LtpLwfi+TjRC/:RP6ANuX4FarUtEzDGrTwf1TjY

Malware Config

Extracted

  • Family
    berbew
  • C2
    • http://crutop.nu/index.php
    • http://crutop.ru/index.php
    • http://mazafaka.ru/index.php
    • http://color-bank.ru/index.php
    • http://asechka.ru/index.php
    • http://trojan.ru/index.php
    • http://fuck.ru/index.php
    • http://goldensand.ru/index.php
    • http://filesearch.ru/index.php
    • http://devx.nm.ru/index.php
    • http://ros-neftbank.ru/index.php
    • http://lovingod.host.sk/index.php
    • http://www.redline.ru/index.php
    • http://cvv.ru/index.php
    • http://hackers.lv/index.php
    • http://fethard.biz/index.php
    • http://ldark.nm.ru/index.htm
    • http://gaz-prom.ru/index.htm
    • http://promo.ru/index.htm
    • http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe
    "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\SysWOW64\Jdopjh32.exe
      C:\Windows\system32\Jdopjh32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Windows\SysWOW64\Jnedgq32.exe
        C:\Windows\system32\Jnedgq32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Windows\SysWOW64\Jdalog32.exe
          C:\Windows\system32\Jdalog32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Windows\SysWOW64\Jhmhpfmi.exe
            C:\Windows\system32\Jhmhpfmi.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:440
            • C:\Windows\SysWOW64\Jbbmmo32.exe
              C:\Windows\system32\Jbbmmo32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2440
              • C:\Windows\SysWOW64\Jlkafdco.exe
                C:\Windows\system32\Jlkafdco.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4540
                • C:\Windows\SysWOW64\Kbeibo32.exe
                  C:\Windows\system32\Kbeibo32.exe
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2364
                  • C:\Windows\SysWOW64\Khabke32.exe
                    C:\Windows\system32\Khabke32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2912
                    • C:\Windows\SysWOW64\Kkpnga32.exe
                      C:\Windows\system32\Kkpnga32.exe
                      10⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:2296
                      • C:\Windows\SysWOW64\Kdhbpf32.exe
                        C:\Windows\system32\Kdhbpf32.exe
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:4396
                        • C:\Windows\SysWOW64\Kkbkmqed.exe
                          C:\Windows\system32\Kkbkmqed.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Suspicious use of WriteProcessMemory
                          PID:2500
                          • C:\Windows\SysWOW64\Kalcik32.exe
                            C:\Windows\system32\Kalcik32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:1644
                            • C:\Windows\SysWOW64\Kdkoef32.exe
                              C:\Windows\system32\Kdkoef32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:3728
                              • C:\Windows\SysWOW64\Kaopoj32.exe
                                C:\Windows\system32\Kaopoj32.exe
                                15⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:1520
                                • C:\Windows\SysWOW64\Khihld32.exe
                                  C:\Windows\system32\Khihld32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:1716
                                  • C:\Windows\SysWOW64\Kocphojh.exe
                                    C:\Windows\system32\Kocphojh.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:4804
                                    • C:\Windows\SysWOW64\Kemhei32.exe
                                      C:\Windows\system32\Kemhei32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of WriteProcessMemory
                                      PID:1836
                                      • C:\Windows\SysWOW64\Lkiamp32.exe
                                        C:\Windows\system32\Lkiamp32.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of WriteProcessMemory
                                        PID:4440
                                        • C:\Windows\SysWOW64\Lacijjgi.exe
                                          C:\Windows\system32\Lacijjgi.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:5052
                                          • C:\Windows\SysWOW64\Lhmafcnf.exe
                                            C:\Windows\system32\Lhmafcnf.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:4244
                                            • C:\Windows\SysWOW64\Lbcedmnl.exe
                                              C:\Windows\system32\Lbcedmnl.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of WriteProcessMemory
                                              PID:3592
                                              • C:\Windows\SysWOW64\Leabphmp.exe
                                                C:\Windows\system32\Leabphmp.exe
                                                23⤵
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                PID:3052
                                                • C:\Windows\SysWOW64\Lhpnlclc.exe
                                                  C:\Windows\system32\Lhpnlclc.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1400
                                                  • C:\Windows\SysWOW64\Lojfin32.exe
                                                    C:\Windows\system32\Lojfin32.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:3468
                                                    • C:\Windows\SysWOW64\Ldfoad32.exe
                                                      C:\Windows\system32\Ldfoad32.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:3252
                                                      • C:\Windows\SysWOW64\Llngbabj.exe
                                                        C:\Windows\system32\Llngbabj.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        PID:3772
                                                        • C:\Windows\SysWOW64\Lajokiaa.exe
                                                          C:\Windows\system32\Lajokiaa.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          • System Location Discovery: System Language Discovery
                                                          PID:3216
                                                          • C:\Windows\SysWOW64\Lhdggb32.exe
                                                            C:\Windows\system32\Lhdggb32.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies registry class
                                                            PID:3040
                                                            • C:\Windows\SysWOW64\Loopdmpk.exe
                                                              C:\Windows\system32\Loopdmpk.exe
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              • Modifies registry class
                                                              PID:1764
                                                              • C:\Windows\SysWOW64\Mkepineo.exe
                                                                C:\Windows\system32\Mkepineo.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                PID:3344
                                                                • C:\Windows\SysWOW64\Mdnebc32.exe
                                                                  C:\Windows\system32\Mdnebc32.exe
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3792
                                                                  • C:\Windows\SysWOW64\Mkgmoncl.exe
                                                                    C:\Windows\system32\Mkgmoncl.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    PID:2592
                                                                    • C:\Windows\SysWOW64\Mhknhabf.exe
                                                                      C:\Windows\system32\Mhknhabf.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Modifies registry class
                                                                      PID:3112
                                                                      • C:\Windows\SysWOW64\Madbagif.exe
                                                                        C:\Windows\system32\Madbagif.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Modifies registry class
                                                                        PID:216
                                                                        • C:\Windows\SysWOW64\Mlifnphl.exe
                                                                          C:\Windows\system32\Mlifnphl.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • Modifies registry class
                                                                          PID:752
                                                                          • C:\Windows\SysWOW64\Mddkbbfg.exe
                                                                            C:\Windows\system32\Mddkbbfg.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Modifies registry class
                                                                            PID:2016
                                                                            • C:\Windows\SysWOW64\Mahklf32.exe
                                                                              C:\Windows\system32\Mahklf32.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              PID:5060
                                                                              • C:\Windows\SysWOW64\Mdghhb32.exe
                                                                                C:\Windows\system32\Mdghhb32.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Modifies registry class
                                                                                PID:3524
                                                                                • C:\Windows\SysWOW64\Nkapelka.exe
                                                                                  C:\Windows\system32\Nkapelka.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:5076
                                                                                  • C:\Windows\SysWOW64\Nefdbekh.exe
                                                                                    C:\Windows\system32\Nefdbekh.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies registry class
                                                                                    PID:3180
                                                                                    • C:\Windows\SysWOW64\Nlqloo32.exe
                                                                                      C:\Windows\system32\Nlqloo32.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:2052
                                                                                      • C:\Windows\SysWOW64\Nhgmcp32.exe
                                                                                        C:\Windows\system32\Nhgmcp32.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        PID:5020
                                                                                        • C:\Windows\SysWOW64\Nkhfek32.exe
                                                                                          C:\Windows\system32\Nkhfek32.exe
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:4088
                                                                                          • C:\Windows\SysWOW64\Nbbnbemf.exe
                                                                                            C:\Windows\system32\Nbbnbemf.exe
                                                                                            45⤵
                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
• Executes dropped EXE
• Modifies registry class
PID:3340
• C:\Windows\SysWOW64\Nfpghccm.exe
  C:\Windows\system32\Nfpghccm.exe
  46⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Executes dropped EXE
  • Drops file in System32 directory
  • Modifies registry class
  PID:2420
• C:\Windows\SysWOW64\Ohncdobq.exe
  C:\Windows\system32\Ohncdobq.exe
  47⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Executes dropped EXE
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:5036
• C:\Windows\SysWOW64\Okmpqjad.exe
  C:\Windows\system32\Okmpqjad.exe
  48⤵
  • Executes dropped EXE
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:976
• C:\Windows\SysWOW64\Odedipge.exe
  C:\Windows\system32\Odedipge.exe
  49⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Executes dropped EXE
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  PID:4844
• C:\Windows\SysWOW64\Ollljmhg.exe
  C:\Windows\system32\Ollljmhg.exe
  50⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Executes dropped EXE
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:3488
• C:\Windows\SysWOW64\Obidcdfo.exe
  C:\Windows\system32\Obidcdfo.exe
  51⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Executes dropped EXE
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:2324
• C:\Windows\SysWOW64\Odgqopeb.exe
  C:\Windows\system32\Odgqopeb.exe
  52⤵
  • Executes dropped EXE
  • System Location Discovery: System Language Discovery
  PID:2904
• C:\Windows\SysWOW64\Oomelheh.exe
  C:\Windows\system32\Oomelheh.exe
  53⤵
  • Executes dropped EXE
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:3320
• C:\Windows\SysWOW64\Odjmdocp.exe
  C:\Windows\system32\Odjmdocp.exe
  54⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Executes dropped EXE
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:4792
• C:\Windows\SysWOW64\Ocknbglo.exe
  C:\Windows\system32\Ocknbglo.exe
  55⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Executes dropped EXE
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:3628
• C:\Windows\SysWOW64\Ohhfknjf.exe
  C:\Windows\system32\Ohhfknjf.exe
  56⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Executes dropped EXE
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:4636
• C:\Windows\SysWOW64\Ocmjhfjl.exe
  C:\Windows\system32\Ocmjhfjl.exe
  57⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Executes dropped EXE
  • System Location Discovery: System Language Discovery
  PID:3192
• C:\Windows\SysWOW64\Obpkcc32.exe
  C:\Windows\system32\Obpkcc32.exe
  58⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Executes dropped EXE
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  PID:1128
• C:\Windows\SysWOW64\Pcpgmf32.exe
  C:\Windows\system32\Pcpgmf32.exe
  59⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Executes dropped EXE
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:1944
• C:\Windows\SysWOW64\Pkklbh32.exe
  C:\Windows\system32\Pkklbh32.exe
  60⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Executes dropped EXE
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  PID:1676
• C:\Windows\SysWOW64\Pofhbgmn.exe
  C:\Windows\system32\Pofhbgmn.exe
  61⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Executes dropped EXE
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:4596
• C:\Windows\SysWOW64\Pmjhlklg.exe
  C:\Windows\system32\Pmjhlklg.exe
  62⤵
  • Executes dropped EXE
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:4976
• C:\Windows\SysWOW64\Peempn32.exe
  C:\Windows\system32\Peempn32.exe
  63⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Executes dropped EXE
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:2220
• C:\Windows\SysWOW64\Pfeijqqe.exe
  C:\Windows\system32\Pfeijqqe.exe
  64⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Executes dropped EXE
  • Modifies registry class
  PID:32
• C:\Windows\SysWOW64\Pcijce32.exe
  C:\Windows\system32\Pcijce32.exe
  65⤵
  • Executes dropped EXE
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:3188
• C:\Windows\SysWOW64\Qfgfpp32.exe
  C:\Windows\system32\Qfgfpp32.exe
  66⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:2548
• C:\Windows\SysWOW64\Qifbll32.exe
  C:\Windows\system32\Qifbll32.exe
  67⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  PID:4740
• C:\Windows\SysWOW64\Qbngeadf.exe
  C:\Windows\system32\Qbngeadf.exe
  68⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:428
• C:\Windows\SysWOW64\Qihoak32.exe
  C:\Windows\system32\Qihoak32.exe
  69⤵
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  PID:3232
• C:\Windows\SysWOW64\Qkfkng32.exe
  C:\Windows\system32\Qkfkng32.exe
  70⤵
  • Drops file in System32 directory
  • Modifies registry class
  PID:1540
• C:\Windows\SysWOW64\Abpcja32.exe
  C:\Windows\system32\Abpcja32.exe
  71⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Drops file in System32 directory
  • Modifies registry class
  PID:64
• C:\Windows\SysWOW64\Aijlgkjq.exe
  C:\Windows\system32\Aijlgkjq.exe
  72⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:3612
• C:\Windows\SysWOW64\Amfhgj32.exe
  C:\Windows\system32\Amfhgj32.exe
  73⤵
  • Drops file in System32 directory
  PID:1584
• C:\Windows\SysWOW64\Apddce32.exe
  C:\Windows\system32\Apddce32.exe
  74⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  PID:4940
• C:\Windows\SysWOW64\Abcppq32.exe
  C:\Windows\system32\Abcppq32.exe
  75⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:4904
• C:\Windows\SysWOW64\Aealll32.exe
  C:\Windows\system32\Aealll32.exe
  76⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:3404
• C:\Windows\SysWOW64\Amhdmi32.exe
                                                                                                                                                            C:\Windows\system32\Amhdmi32.exe
                                                                                                                                                            77⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:5176
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8
    1⤵
      PID:5000
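
The tree above ends at nesting depth 77 (the `74⤵` through `77⤵` markers are depth levels): every stage is a freshly dropped executable in SysWOW64 that launches the next one, and each appears under both `C:\Windows\system32\` (the path the 32-bit process asked for) and `C:\Windows\SysWOW64\` (where WoW64 file-system redirection actually placed it). The detection logic below is an added example, not part of the tria.ge report: it walks process-creation records parent to child and reports chains of System32/SysWOW64 executables whose names fit the pattern seen on every stage in this run. The records are constructed; the stage image names and PIDs of stages 74 to 77 are taken from the tree, while the root process, the parent PIDs and the record layout are assumed.

```python
"""Added example (not part of the tria.ge report): find dropper chains of the kind shown
in the process tree from process-creation records. SAMPLE_EVENTS is constructed; only the
stage image names and PIDs of stages 74-77 come from the report."""
import re
from dataclasses import dataclass

# Naming pattern seen on every dropped binary in this run: 8-character basename, one
# capital followed by lowercase letters, optionally ending in "32". An observation from
# this report, not a published family signature.
RANDOM_NAME = re.compile(r"^[A-Z][a-z]{7}\.exe$|^[A-Z][a-z]{5}32\.exe$")

# A 32-bit process writing to System32 is redirected to SysWOW64 by WoW64, so telemetry
# may record either spelling of the same file; accept both.
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str


def is_suspect_image(image: str) -> bool:
    """True for an executable directly in System32/SysWOW64 whose name fits the pattern."""
    directory = image.lower().rpartition("\\")[0] + "\\"
    basename = image.rpartition("\\")[2]
    return directory in SYSTEM_DIRS and bool(RANDOM_NAME.match(basename))


def find_chains(events, min_depth=3):
    """Return every root-to-leaf path of suspect processes, each parent spawning the
    next, that is at least min_depth processes long."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    def walk(node, path, out):
        nxt = [c for c in children.get(node.pid, []) if is_suspect_image(c.image)]
        if not nxt:
            out.append(path)
            return
        for child in nxt:
            walk(child, path + [child.image], out)

    chains = []
    for e in events:
        if not is_suspect_image(e.image):
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and is_suspect_image(parent.image):
            continue  # not a chain root; reached from its ancestor
        found = []
        walk(e, [e.image], found)
        chains.extend(p for p in found if len(p) >= min_depth)
    return chains


# Constructed records modelled on the tree above; the root process and the parent links
# are assumed (in the real run stage 74's parent is stage 73, which is not shown here).
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Users\Admin\AppData\Local\Temp\sample.exe"),  # assumed root
    ProcEvent(4940, 1000, r"C:\Windows\SysWOW64\Apddce32.exe"),             # stage 74
    ProcEvent(4904, 4940, r"C:\Windows\SysWOW64\Abcppq32.exe"),             # stage 75
    ProcEvent(3404, 4904, r"C:\Windows\SysWOW64\Aealll32.exe"),             # stage 76
    ProcEvent(5176, 3404, r"C:\Windows\SysWOW64\Amhdmi32.exe"),             # stage 77
    ProcEvent(5000, 800, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
]

if __name__ == "__main__":
    for chain in find_chains(SAMPLE_EVENTS):
        print(f"{len(chain)}-stage chain:")
        for image in chain:
            print("   ", image)
```

A chain three or more deep of randomly named executables in a system directory is a far stronger signal than any single file hash here, because every stage carries a different digest (see the Downloads list). Match both directory spellings: a rule keyed only on `SysWOW64` misses telemetry that logs the requested `system32` path, and the reverse.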

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\Jbbmmo32.exe
      Filesize: 77KB
      MD5: 4b1b1289dd0b32a94cb763ddaaf458ff
      SHA1: 4e56060e5a30a744858dbeff3c3dc0ae5bc7aa7e
      SHA256: 5acfc1a7d3e39fa2c2ff52f4a248b2345cf4c97d62007a066222d499aef2f96e
      SHA512: e5c4533d0ad987ce62c2e6e75cf2cb8f033f7447ce986ad3c352cfa1c741d4211f19233e4e6d0aa879ce793c15868ad3a4794e02a8a376685e5bcbe6d13aa01b

    • C:\Windows\SysWOW64\Jdalog32.exe
      Filesize: 77KB
      MD5: 434cb52b562aa826fd90b5152483e9ed
      SHA1: 3521c29e9c222b3ef16eabd95ee97ec0a63c0ad7
      SHA256: fd52d9db91dc5fd9db8082f185fac15ff2d4c67df98b52d6f3c7db21461e5dae
      SHA512: 1dedb44ad01658b9f79e1a22efda90e7e6b108c9ab818f8915398fda820effbca9b406406964ceff4bc97afb2b6733b4f8de7a0da5df84a29e414b04ee49b929

    • C:\Windows\SysWOW64\Jdopjh32.exe
      Filesize: 77KB
      MD5: d1b45ad560a5a7dbe691eb284ca8409c
      SHA1: d4c2185552994f2282f38f8f5f8e78902f5101cd
      SHA256: 4147f1ef87b0a672a2ae39de0fb703344f0df73f76001748e5589cb7924a3218
      SHA512: db829726151fcff4106d8019efc77d911b5e698df48e5cbad5cb9b9edb560fb1d621477f113f4add55adee953a7da2caf9a45cfbb7a9ec5474d2643fae40e4b2

    • C:\Windows\SysWOW64\Jhmhpfmi.exe
      Filesize: 77KB
      MD5: 3d0dd2cf8985e6312a6fd90a6c6347f4
      SHA1: 0cd184d149f12d648e322794ea4df7393be7dc4b
      SHA256: be57f8beeeb2001f5ffd149a99120337cd2cf4b168d23747c299f1002d31e079
      SHA512: e56f99f76713db2a917bd9011652c8275d59e0e40107b185ab7e28ff248879653be138f90d3613135ce8a646ee7864a428cee078f57f246af8310aa5a29e2b9d

    • C:\Windows\SysWOW64\Jlkafdco.exe
      Filesize: 77KB
      MD5: 72aaf034dfddae1a1648db2c28c497ea
      SHA1: 10643780b6446b111a68843d1ea7c95b4617aced
      SHA256: e02619cdf02ba17f913f95fc1c2dfe0048af52515ca819d610f32a53640146e1
      SHA512: c33050823c1aef5cd3e353865b366cb3d39a909b25033afe3ec74bf4999ec2cbc8863c1648afed3940c7deffcaae3ab429a7fa88047f02be9dada071bbc12d6c

    • C:\Windows\SysWOW64\Jnedgq32.exe
      Filesize: 77KB
      MD5: f39f99503d78696f89b4e575464f8c8e
      SHA1: 8c91df56a71bd7f6ef0ec17dc71d72c300c3cb9d
      SHA256: f33a553883bb844685c306497bc514139ba77946c647a7e9ba698173cf10ebe9
      SHA512: 2672de63dccb6dfbfb7825826df6f7ff2b4ea02053def9ae5f523520aad3feb465de372201942e71594e9918c90e9a9778ff1f167483610305eeb235936ac11c

    • C:\Windows\SysWOW64\Kalcik32.exe
      Filesize: 77KB
      MD5: d6378eff5ad9be4ea84d04c204ec7a31
      SHA1: e3077eabdac7ed3eae70ec5b9d635a4f626dece1
      SHA256: d6027240d44d88f4c2fd25b9abbfd387ef6d4f2dc552a76e29e5670af2a60f2a
      SHA512: 7dd9bc27de2a2325e592d09da4c86dfc4cb1a45e99fdf5a1df36ceb273e3649b81627a77090e1613a71b68d0c697bd25e370039aaa4da67c02826e355b0799a7

    • C:\Windows\SysWOW64\Kaopoj32.exe
      Filesize: 77KB
      MD5: 78cac752684b6fb01e0775fbd9dd6eb2
      SHA1: aafe6f51aa465b20a238384cd586f4cd76d45d93
      SHA256: 6e90bc94ca837e1fa508584bbd5e8393559cf4f111d9ea5d277157bc577425de
      SHA512: 5211028e2fef929b071742805dc518719cfe7ed0c10d7800610ed5551f3474151a77ee095c96bfb8b6f1ddfd3f792ee963052ce5d1318d150854a661b1137e7f

    • C:\Windows\SysWOW64\Kbeibo32.exe
      Filesize: 77KB
      MD5: f23e33b1cb7bff1d4ae24372a67c53a5
      SHA1: a8284d798eef2e1f323981c4d39bae307ffb4164
      SHA256: 232c496912a3894a09a8b0bbbf577c275b93bb3969712414273aa6cc41ce1b93
      SHA512: f74cfd02747e4881f6da95b18ca2e2ee596f65f465d4eb948f3daf04269da514ed57db59ac3b9bbd6a3a87785ad21e38dd6a867a9bfdde05a9d949a3bce4430c

    • C:\Windows\SysWOW64\Kdhbpf32.exe
      Filesize: 77KB
      MD5: cee54423b3ce31110362a7a7864e00f7
      SHA1: 0011335828ac256970d3a3fb98fee78aad2bb01f
      SHA256: 6f5722aa940e99e2a1c042a9eed30d62575be9c71ec54da39b8329587633b557
      SHA512: 002cdad523b95749b29969227c5a16be767a7633b6f517bfc01ed6b279aed0f345a53a5a034697b4732e5796fc96d7d7b68232c3e29f58cfe8d5648efea744c8

    • C:\Windows\SysWOW64\Kdkoef32.exe
      Filesize: 77KB
      MD5: 7959c5c6b080ea88b012cca818e03fbd
      SHA1: ab6b3663e611f2d5b7f5c2bebbdd001ded8b04cf
      SHA256: baa7016b9ce79ccdf89f53a53e3c031c2b58f4c1a9a123880a4199c5ef22f67c
      SHA512: eeaf9f4d88ad25d76a4731386aff3e6590325e790edfec47685f567402d2a19c44a1ed89a52ce5c6d9ebebadb016c0379e0a136d0c6bd9ccb6598d69eb0542f8

    • C:\Windows\SysWOW64\Kemhei32.exe
      Filesize: 77KB
      MD5: bbec303e7d02f00e92250292c85229db
      SHA1: 0bff2290a155e3dcc9034486d397e2f8c6013a36
      SHA256: e78d158a3c193e968529a911ef3fa33b97cb813754e00fa05dba9c5b9727474b
      SHA512: 7fbb2445c6290f570edd52c5701e701ee30328fc691fc4ac77f7dcb7644afa761d2ef08d52d9de10fcf998fb6cdb9eeaaca5257fb2975114cecd643419f25680

    • C:\Windows\SysWOW64\Khabke32.exe
      Filesize: 77KB
      MD5: bd753e4f1551704b90a7071b69710d5b
      SHA1: 96229f7672fe363fb3ca6b60dcedc9b211f12783
      SHA256: 75646a9bb7911bc42a1902961b5a07dbee5ddcd55e266a098ab9e10a8448079d
      SHA512: 0fb1d45a98f7166676d04c3f704a7e9df805de59a2b0ef729ea0999ddedce9518317f1fbaf7ec680b099bac0eddeb23511562b2035b508726f0de83501d1d2d2

    • C:\Windows\SysWOW64\Khihld32.exe
      Filesize: 77KB
      MD5: 3565118d635919261aa279c3c5463ef6
      SHA1: d9821dc612e2f81592eb84d05e4710dadd90567e
      SHA256: f20b8c57958754f732b7ab82d01f23e4e07eec82e42a2d4dfb2865282a9e054b
      SHA512: dec75ee80c69f9ae8fb522caddceb8e62001a7d5b6df7890d4fe3df243b77ea0634d5214dd1316fe9ee351a5109eb516bbcce99102671e501437e1a2daa961a2

    • C:\Windows\SysWOW64\Kkbkmqed.exe
      Filesize: 77KB
      MD5: aac9641bd3473bba23d52aed2320c152
      SHA1: 4286150802982892286eb4fd58f134ce548731a1
      SHA256: 8be0ad9a969df8a2d33958f9c2b62ec3953263f73c445635f20a9ae5e336bab0
      SHA512: e2a7b3a4de40693526cd1819413bed133b213cc085a2d8438c7b26ca602f0cd822fe049d34aca6a599c37d0757a990baa932251623986682477deccc3ec9a46b

    • C:\Windows\SysWOW64\Kkpnga32.exe
      Filesize: 77KB
      MD5: c747ce80715d10b11d452d5dc6e90537
      SHA1: 600a93c2ab9f90570b1cecab30bdc3f2a0fdab61
      SHA256: ace6ddfcad370caa057b5ad4be18e64d746681e89677487b8f518496d69a3e93
      SHA512: 26683a4b245868fdf937512268fb5443358c1a64ba252693bfd5ba112ca056ee87805104ee612bb09f84011b0880af122fb4521934cce795bc076d03120e1ac9

    • C:\Windows\SysWOW64\Kocphojh.exe
      Filesize: 77KB
      MD5: 4badd4ff65bb855a96b9b03dcc3c0d14
      SHA1: 5b498184fa2eabc0d28783de1b676e8428f9a5f0
      SHA256: a67ed592c39fe6f6dc59b7a0fcd3245fa9cb14a7531dc496988dc5596994f7d0
      SHA512: 2cb01bc90730e02a6c7faaf7711a0e1c367eeb632f775dc4622db05c98842704a72c607fd5bedc24fed34c4712a44462eea9504497901d0a93c4f02921d53283

    • C:\Windows\SysWOW64\Lacijjgi.exe
      Filesize: 77KB
      MD5: 30b64045d503ecfde3dcaf89d021791f
      SHA1: 3c21616b72ce77d5d4421f1a1f3e5cc8df618f30
      SHA256: c6220994935cc7974cef136ba40d09230d9376f8e7c6f9a70dfebec598e7b806
      SHA512: e2ed93db8ef2724a32eb9a6f01d02a0ac871a741929dffdc1280ffee71b5ea2b97208ca452c88fa50e7ebaaaf241e2fe94ed1e3079603b67e56706c11c48a512

    • C:\Windows\SysWOW64\Lajokiaa.exe
      Filesize: 77KB
      MD5: be8e873fa7356398d13f0ec13674e4bf
      SHA1: 9592ddba21575fac6ab9c5ad2b2c677e549cc7ac
      SHA256: 59a04ed871c6059ac9c89bd9ca935d03edcb88b6a6a9708cc210e73de60b22c9
      SHA512: e2996c58d7b20c8fc4a9e380bfa9d8d73552c28ca4baf39abe0381c5a6ef6a2276299d117291326af8dc968ea5759f36ffe743cb304b56353a736a1478eafc80

    • C:\Windows\SysWOW64\Lbcedmnl.exe
      Filesize: 77KB
      MD5: 1a65015ec18d0f32a05e8f046eb03b72
      SHA1: e78019f2838ee07493aa10f0109fa8d7219ca29b
      SHA256: cf4d947b4640535205179a86215ed371c9839838f971902d26c732c95d4396af
      SHA512: bc14fe532d4219282abc8a45122ab65568cabfb6fbd053bbce62f3f6ee5b66a4bf4fb5d21f8fd6923af5e9a29629bee61a649a049d33e1a5c2bc5a15c7f3a09e

    • C:\Windows\SysWOW64\Ldfoad32.exe
      Filesize: 77KB
      MD5: e0e45451d290148cba5c279c4e863879
      SHA1: c66e0b379410d7a43dc87dc125b8b242451d27a9
      SHA256: 93e08cf0fe5bc9a317a8e93a3a4dd3b82ca07a17554f85d673da7bc61034e1b1
      SHA512: a59b6a46daf2d85ad2c8db0f48c87359c374771e4b972d4162206b6f4b211c7e108aec7d1e9942c22715d32176c25dd7868037acfd656277c3d2e58d60d52ebf

    • C:\Windows\SysWOW64\Leabphmp.exe
      Filesize: 77KB
      MD5: e172e800eb8688155ae16e726e6977ee
      SHA1: 97e488549e7d07b185db09c35d0166887f0a4d66
      SHA256: 1209ea10dca045ff791f516d7a89f7b16aef9a1f5d03b06196fea2c7e7734cd1
      SHA512: b03d84c658746c35e73d6646321f8c17f1e1fdd2410664db3d8d3f1ac991a42cd22d5f0c9e7caaac037860fc0d95c03a77ad717471cbd28841b750d7ffeb240b

    • C:\Windows\SysWOW64\Lhdggb32.exe
      Filesize: 77KB
      MD5: d969a1ebe2749f72f86eb4b259595db8
      SHA1: 7685bbeaee3cee841461d4f78e89a0cabec31247
      SHA256: 10b8900ce73cc01766f1fde14f446ffac29262581027fbcd73383ce5e46b0646
      SHA512: 257bdc617d42f0c5b98a4c6805ba40d873379c982699cdcfa18318343bb8a5bb4ad03c56444436a940feab204ecf121006b801e8288f93519b94dc85ceede0f9

    • C:\Windows\SysWOW64\Lhmafcnf.exe
      Filesize: 77KB
      MD5: 7c73e0d3670eb0f7471ef707b19d9be6
      SHA1: f4d3c296f85c19e8051d0d2c150c8b4fede786fa
      SHA256: cfb4ddae48358908ff3ef2e1440cc2dee18b197fa1227b301fff10d14f9f80a1
      SHA512: 82bda9feb3dbd92325d11572e796d3feda902ae9b21005f9058fb411e8039cb87fc7bfc271b67182e0b8fa4bce44a43be20976fc009462464d6a4f72f7dfa3e9

    • C:\Windows\SysWOW64\Lhpnlclc.exe
      Filesize: 77KB
      MD5: 5929cd82604229b18dfe430d495347dd
      SHA1: 1ab425a24a7fb27aed098d81a26d6c3cd32fbba3
      SHA256: 217c7c5f3806b0ab2124369bf2d9b293f453e68e889c9a11a84c52fce3ed7274
      SHA512: 07dabd8a7cd983efa9d41cbfe628290a629097b44adc1e41f50c8a48ac145f0490a04a8c8d91a6fc4bbec791f4e71207cfd392c4414e21c6c33a24fc70d6c4fd

    • C:\Windows\SysWOW64\Lkiamp32.exe
      Filesize: 77KB
      MD5: 65c779a659cbf6c9dcad19f3d3e642f4
      SHA1: da53e84172c4157344ee74328ae59948c8661d49
      SHA256: 9a1c49f168012c0ff17b7066032fb4bb82250df0714d0ea23c239cc8d1921492
      SHA512: 5f52e223985ce081151e18ea7e847f51b78695f9f5d8be4f3d1fac9d6d8391d6dcc3fcdb20d62b4e7799f61262df4894aaee561d7ee7bac9d40856371aedfc46

    • C:\Windows\SysWOW64\Llngbabj.exe
      Filesize: 77KB
      MD5: 1de575b47f58af35d08ad9b39f0cd1f6
      SHA1: 3f58911fbf546f1f35b32f8b197dc31f95383acb
      SHA256: b55b708db018558be878d5b54a5de3cea3954b15b64dbaf10fa952aeac8b2e09
      SHA512: 361acb4bbeb47ced9df32966d43ab4c09892884dc0dcc825e1fbd3eb12c82a227e79f55e9c4df68bd0ab38b4dc21d32942f763373aa14266607de6ce3fb95b5b

    • C:\Windows\SysWOW64\Lojfin32.exe
      Filesize: 77KB
      MD5: d3617a1828a274ac25611ce0748130f2
      SHA1: 379a9a30b0f4c16eedd98a48ea42c35ebf3fa7ab
      SHA256: dbc2084679b20b56619bddcff447ef756591500e270694eeda5dc238f41c81af
      SHA512: cd6544c2b77cabda6f983a92f1549e0a4ba652e26753d9c0ee9fb2def6ea01cf519210407eb1c6a363560a293a51dcfcdc3de7346848097a615023a3111b442b

    • C:\Windows\SysWOW64\Loopdmpk.exe
      Filesize: 77KB
      MD5: 32d7a07ed509e14ec63bd7db4a5fe719
      SHA1: 5b2c485e8c2a38b15a23428704947f7fb73c0d9c
      SHA256: a89763c1935e2ad48ffc98a11c67bf19a8c9e41d9c4898d96263b083d78ac53d
      SHA512: 876bfffc0d382380cc0b223e3c57dedf848e819872d0242acd7caf25b24c5fe7cc52212930bc08b054f6c3bc92bd413667fad56c09aa9168d1be6a69fef906ec

    • C:\Windows\SysWOW64\Mdnebc32.exe
      Filesize: 77KB
      MD5: 400a043a6ea25a55af2fb05f342b0251
      SHA1: e4f4057ca10afde05c2afe842f3669cb34b68350
      SHA256: 00a3ada544a012d38cfdf467683b4385801057baf0a519273daf75446819d9f4
      SHA512: fc4922d95fe9ba1fc507ac443f2ebf4bf15d383e7bf8a78195ef3267be86b81668c94460796c6a1ab6bd826fcac4cf04d9ead52e299639e88db28c90aef58a83

    • C:\Windows\SysWOW64\Mkepineo.exe
      Filesize: 77KB
      MD5: 7a608197217df00c02e14f4f4de834e8
      SHA1: d4bf17b59ac7887c3ba231a94bf17d7e5bdec98d
      SHA256: 1f16372b6631dbed36463bba66858405ca4de1084445841a91cdb956d6077528
      SHA512: 14222efac726c7a36754a48a1e46fcbdee5eb1cbaae99856e23a4886d7527fdfcd446e6faa7d10b3ad27877e62f84778909a3fbe7e58d104c90e55e097662191

    • C:\Windows\SysWOW64\Mkgmoncl.exe
      Filesize: 77KB
      MD5: 31efff666bc70ec4f510f7a7545e79fd
      SHA1: 068e281b8801e94a98d2ea49d01ae7531ec81473
      SHA256: 74a4818e8b467564c740450147d3f3052f1c366e586bca30ff52a769022e56ff
      SHA512: 551a7d3f9f96c6ea10a3d998381b8c01ee28f595fa97885e43f869f7c6632d407d95f8fe2bd7cd8a00b52a69345f6d9660a9878c01de61e8cf79abe2e2a3af54

    • C:\Windows\SysWOW64\Ohhfknjf.exe
      Filesize: 77KB
      MD5: 41af1faa0f7c926ea31f5b57f77c2e83
      SHA1: 448fdc37a4ac31ff9323ee6d147459e3519831db
      SHA256: 090b754c6cc86ad15b49a4e690023984308ab34d254c48f64821af5f4f87e7bc
      SHA512: 26f7132a3a780df199086d5da19f15a40b96e8c3ed507e8a9c5798923342403d94c7cad4afb38331f4d7c046062ca43303562ed089411660ec0c9a2e93f65f34

    • C:\Windows\SysWOW64\Pcpgmf32.exe
      Filesize: 77KB
      MD5: 186ebdffb9a24ce3e63f069a7d92a7ec
      SHA1: e999b73c251ccc70daad9e19207d9a26cb1ca293
      SHA256: c966f3d51681261ad83c6d881141c90b7ab25a6ddf8c12b6a3dc0fd221de5769
      SHA512: 928f65c47f0844f95485434ac4e48bd5d8390d14f0aefd0431f9e3878fc41a972af8aa2a533e31c975e400fe8668d60af7b2a7ad3dbfc076da5c59663d93e08a

    • C:\Windows\SysWOW64\Qbngeadf.exe
      Filesize: 77KB
      MD5: 5ea337a2f7057850dbd4579146f2e196
      SHA1: d72e3ecc90ddcec1d1f754ab090b08f30243274a
      SHA256: fa11b7edffdf0976928e7ea6b2c8ecb0e95abf5d951791d63de56c714dfad65f
      SHA512: cbf8b3a262103c0cfe6b6330911c111f3884391f9c4c7aa9433602d720898971aa950836e5975c0592a0b88b8d1657bd9aa0b2fb920d30f1fb9a17d4aacba7cd

    • C:\Windows\SysWOW64\Qfgfpp32.exe
      Filesize: 77KB
      MD5: b8246ec23abada02a0f681a8e4528635
      SHA1: ebfab14f46dd58bd80bb1d62578844074836ec4b
      SHA256: 7e167bb6568c74d11a2e9c479c39aacadbfe620428740afa739987202d0dc4ce
      SHA512: 84df7eb97988945866f000c2481ec454e07e4d2134d1bc7746c44501797ff3c1b77993cac306ce97eb7ab908770d7ff2e4477766770acc6230d1ff8a5f4e54ee

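Every one of the 36 dropped stages in the list above is 77KB, yet no two share a digest: these hashes document this detonation rather than predict the next one, and their practical use is confirming a suspected host against exactly this run. The script below is an added example, not part of the tria.ge report. It parses Downloads entries (both the compact `Label: value` layout and the raw one-label-per-line export layout) into records, rejects digests of the wrong length, summarises sizes against distinct hashes, and matches files under a directory by SHA-256. The two entries in `REPORT_EXCERPT` and the one in `RAW_LAYOUT_EXCERPT` are copied from the list above; the file written by `demo_scan()` and its digest are constructed.

```python
"""Added example (not part of the tria.ge report): turn Downloads entries into an IoC set
and match files against it. REPORT_EXCERPT and RAW_LAYOUT_EXCERPT are copied from the
Downloads list above; the file hashed by demo_scan() is constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# First two Downloads entries, compact "Label: value" layout.
REPORT_EXCERPT = r"""
• C:\Windows\SysWOW64\Jbbmmo32.exe
  Filesize: 77KB
  MD5: 4b1b1289dd0b32a94cb763ddaaf458ff
  SHA1: 4e56060e5a30a744858dbeff3c3dc0ae5bc7aa7e
  SHA256: 5acfc1a7d3e39fa2c2ff52f4a248b2345cf4c97d62007a066222d499aef2f96e
  SHA512: e5c4533d0ad987ce62c2e6e75cf2cb8f033f7447ce986ad3c352cfa1c741d4211f19233e4e6d0aa879ce793c15868ad3a4794e02a8a376685e5bcbe6d13aa01b
• C:\Windows\SysWOW64\Jdalog32.exe
  Filesize: 77KB
  MD5: 434cb52b562aa826fd90b5152483e9ed
  SHA1: 3521c29e9c222b3ef16eabd95ee97ec0a63c0ad7
  SHA256: fd52d9db91dc5fd9db8082f185fac15ff2d4c67df98b52d6f3c7db21461e5dae
  SHA512: 1dedb44ad01658b9f79e1a22efda90e7e6b108c9ab818f8915398fda820effbca9b406406964ceff4bc97afb2b6733b4f8de7a0da5df84a29e414b04ee49b929
"""
# Fourth entry in the raw export layout: label on one line, value on the next.
RAW_LAYOUT_EXCERPT = r"""
• C:\Windows\SysWOW64\Jhmhpfmi.exe
  Filesize
  77KB
  SHA256
  be57f8beeeb2001f5ffd149a99120337cd2cf4b168d23747c299f1002d31e079
"""


def _fields(lines):
    # Yield (label, value) from "Label: value" lines or "Label" / "value" line pairs.
    i = 0
    while i < len(lines):
        label, sep, rest = lines[i].partition(":")
        label = label.strip()
        if label not in LABELS:
            raise ValueError(f"unexpected line {lines[i]!r}")
        if sep:
            yield label, rest.strip()
            i += 1
        elif i + 1 < len(lines):
            yield label, lines[i + 1].strip()
            i += 2
        else:
            raise ValueError(f"missing value for {label}")


def parse_downloads(text):
    """Parse bullet entries into dicts; each digest is checked for the right hex length."""
    records = []
    for chunk in re.split(r"^\s*•\s*", text, flags=re.M):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        rec = {"path": lines[0]}
        for label, value in _fields(lines[1:]):
            if label in HEX_LEN:
                value = value.lower()
                if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[label], value):
                    raise ValueError(f"{rec['path']}: malformed {label} {value!r}")
            rec[label.lower()] = value
        records.append(rec)
    return records


def hash_file(path, algo="sha256"):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def scan(directory, records, algo="sha256"):
    """Return {file: record} for every file under directory whose digest is in records."""
    wanted = {r[algo]: r for r in records if algo in r}
    hits = {}
    for p in Path(directory).rglob("*"):
        if p.is_file():
            digest = hash_file(p, algo)
            if digest in wanted:
                hits[str(p)] = wanted[digest]
    return hits


def summarize(records):
    # Same size for every stage, a different digest for each: hashes describe this run only.
    return {"count": len(records),
            "sizes": sorted({r["filesize"] for r in records if "filesize" in r}),
            "distinct_sha256": len({r["sha256"] for r in records if "sha256" in r})}


def demo_scan(records):
    """Write one constructed file, add its digest as an extra IoC, and return
    (names matched with the extra IoC, hits without it)."""
    payload = b"constructed sample bytes, not malware"
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "Xxxxxx32.exe"  # constructed name
        target.write_bytes(payload)
        extra = {"path": str(target), "sha256": hashlib.sha256(payload).hexdigest()}
        with_extra = sorted(Path(p).name for p in scan(tmp, records + [extra]))
        without = scan(tmp, records)
    return with_extra, without
```

Feed the whole Downloads section to `parse_downloads()` and `scan(r"C:\Windows\SysWOW64", records)` on a suspect host to confirm this exact detonation; `summarize()` on the full list returns 36 records, one size and 36 distinct digests, which is the argument for keying detection on the dropper chain and its autorun persistence rather than on this hash set.
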
    • memory/32-443-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/64-485-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/216-269-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/428-467-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/440-525-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/440-32-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/752-275-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/976-347-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1128-407-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1400-185-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1520-112-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1520-535-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1540-479-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1584-497-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1592-523-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1592-8-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1644-97-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1644-533-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1676-419-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1716-121-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1716-536-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1764-232-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1836-538-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1836-136-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/1944-413-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2016-281-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2052-311-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2124-522-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2124-1-0x0000000000431000-0x0000000000432000-memory.dmp
      Filesize: 4KB

    • memory/2124-0-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2220-437-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2296-530-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2296-72-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2324-370-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2364-528-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2364-56-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2420-335-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2440-40-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2440-526-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2500-532-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2500-88-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2548-455-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2592-256-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2776-29-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2904-371-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2912-64-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/2912-529-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3040-224-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3052-176-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3112-263-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3180-305-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3188-449-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3192-405-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3216-222-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3232-478-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3252-201-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3320-377-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3340-329-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3344-240-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3404-515-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3468-192-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3476-524-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3476-16-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3488-359-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3524-293-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3592-173-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3612-491-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3628-389-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3728-105-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3728-534-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3772-208-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/3792-248-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4088-323-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4244-160-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4396-531-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4396-80-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4440-144-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4440-539-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4540-48-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4540-527-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4596-425-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4636-395-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4740-461-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4792-383-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4804-128-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4804-537-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4844-353-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4904-514-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4940-508-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/4976-431-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/5020-317-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/5036-341-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/5052-152-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/5060-287-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/5076-299-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB

    • memory/5176-521-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize: 256KB