Analysis

  • max time kernel
    93s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/09/2024, 16:06

General

  • Target

    Backdoor.Win32.Berbew.exe

  • Size

    96KB

  • MD5

    dd1cf4a97dc28aa96864ca47ac08f9e0

  • SHA1

    246073b31553097c71dcb7df878791894065134b

  • SHA256

    65ec09fa8c2ad3c079cb20c86d09f313002057156d3135c8789538917dc63352

  • SHA512

    08ad1158d5bbfc68495caf032e5c57cfd91096d9593f59f8db825a88ef1a5af86ce5b4e043a7cc406ac1bc484d0b2842f0c7438d459eb36432da349de9307bd3

  • SSDEEP

    1536:t2YQ6c20lH/e5KijzBmue9MbinV39+ChnSdFFn7Elz45zFV3zMetM:0oOiFAMbqV39ThSdn7Elz45P34

Malware Config

Extracted

Family

berbew

C2

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe
    "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Windows\SysWOW64\Lgokmgjm.exe
      C:\Windows\system32\Lgokmgjm.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\SysWOW64\Lmiciaaj.exe
        C:\Windows\system32\Lmiciaaj.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4764
        • C:\Windows\SysWOW64\Lllcen32.exe
          C:\Windows\system32\Lllcen32.exe
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3992
          • C:\Windows\SysWOW64\Mbfkbhpa.exe
            C:\Windows\system32\Mbfkbhpa.exe
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2900
            • C:\Windows\SysWOW64\Medgncoe.exe
              C:\Windows\system32\Medgncoe.exe
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:2268
              • C:\Windows\SysWOW64\Mlopkm32.exe
                C:\Windows\system32\Mlopkm32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3496
                • C:\Windows\SysWOW64\Mchhggno.exe
                  C:\Windows\system32\Mchhggno.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1376
                  • C:\Windows\SysWOW64\Megdccmb.exe
                    C:\Windows\system32\Megdccmb.exe
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of WriteProcessMemory
                    PID:3756
                    • C:\Windows\SysWOW64\Mmnldp32.exe
                      C:\Windows\system32\Mmnldp32.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:3660
                      • C:\Windows\SysWOW64\Mckemg32.exe
                        C:\Windows\system32\Mckemg32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:4760
                        • C:\Windows\SysWOW64\Meiaib32.exe
                          C:\Windows\system32\Meiaib32.exe
                          12⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:4772
                          • C:\Windows\SysWOW64\Mmpijp32.exe
                            C:\Windows\system32\Mmpijp32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:3416
                            • C:\Windows\SysWOW64\Mpoefk32.exe
                              C:\Windows\system32\Mpoefk32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:2848
                              • C:\Windows\SysWOW64\Mcmabg32.exe
                                C:\Windows\system32\Mcmabg32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of WriteProcessMemory
                                PID:1652
                                • C:\Windows\SysWOW64\Migjoaaf.exe
                                  C:\Windows\system32\Migjoaaf.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:512
                                  • C:\Windows\SysWOW64\Mdmnlj32.exe
                                    C:\Windows\system32\Mdmnlj32.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:3200
                                    • C:\Windows\SysWOW64\Menjdbgj.exe
                                      C:\Windows\system32\Menjdbgj.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Suspicious use of WriteProcessMemory
                                      PID:3848
                                      • C:\Windows\SysWOW64\Mlhbal32.exe
                                        C:\Windows\system32\Mlhbal32.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:4432
                                        • C:\Windows\SysWOW64\Npcoakfp.exe
                                          C:\Windows\system32\Npcoakfp.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:2388
                                          • C:\Windows\SysWOW64\Ngmgne32.exe
                                            C:\Windows\system32\Ngmgne32.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:2764
                                            • C:\Windows\SysWOW64\Nilcjp32.exe
                                              C:\Windows\system32\Nilcjp32.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Suspicious use of WriteProcessMemory
                                              PID:1644
                                              • C:\Windows\SysWOW64\Nngokoej.exe
                                                C:\Windows\system32\Nngokoej.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                PID:4484
                                                • C:\Windows\SysWOW64\Ncdgcf32.exe
                                                  C:\Windows\system32\Ncdgcf32.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  PID:1948
                                                  • C:\Windows\SysWOW64\Nebdoa32.exe
                                                    C:\Windows\system32\Nebdoa32.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    PID:1388
                                                    • C:\Windows\SysWOW64\Nlmllkja.exe
                                                      C:\Windows\system32\Nlmllkja.exe
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • Modifies registry class
                                                      PID:2312
                                                      • C:\Windows\SysWOW64\Nphhmj32.exe
                                                        C:\Windows\system32\Nphhmj32.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        PID:2856
                                                        • C:\Windows\SysWOW64\Ngbpidjh.exe
                                                          C:\Windows\system32\Ngbpidjh.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          PID:2364
                                                          • C:\Windows\SysWOW64\Njqmepik.exe
                                                            C:\Windows\system32\Njqmepik.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3148
                                                            • C:\Windows\SysWOW64\Nloiakho.exe
                                                              C:\Windows\system32\Nloiakho.exe
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              PID:3452
                                                              • C:\Windows\SysWOW64\Nfgmjqop.exe
                                                                C:\Windows\system32\Nfgmjqop.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                PID:4452
                                                                • C:\Windows\SysWOW64\Njefqo32.exe
                                                                  C:\Windows\system32\Njefqo32.exe
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  PID:2184
                                                                  • C:\Windows\SysWOW64\Ogifjcdp.exe
                                                                    C:\Windows\system32\Ogifjcdp.exe
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    PID:4956
                                                                    • C:\Windows\SysWOW64\Opakbi32.exe
                                                                      C:\Windows\system32\Opakbi32.exe
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      PID:4008
                                                                      • C:\Windows\SysWOW64\Ocpgod32.exe
                                                                        C:\Windows\system32\Ocpgod32.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        PID:4192
                                                                        • C:\Windows\SysWOW64\Ojjolnaq.exe
                                                                          C:\Windows\system32\Ojjolnaq.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          PID:3996
                                                                          • C:\Windows\SysWOW64\Olhlhjpd.exe
                                                                            C:\Windows\system32\Olhlhjpd.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Modifies registry class
                                                                            PID:2908
                                                                            • C:\Windows\SysWOW64\Ocbddc32.exe
                                                                              C:\Windows\system32\Ocbddc32.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:4372
                                                                              • C:\Windows\SysWOW64\Ofqpqo32.exe
                                                                                C:\Windows\system32\Ofqpqo32.exe
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Modifies registry class
                                                                                PID:2328
                                                                                • C:\Windows\SysWOW64\Olkhmi32.exe
                                                                                  C:\Windows\system32\Olkhmi32.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:4240
                                                                                  • C:\Windows\SysWOW64\Ocdqjceo.exe
                                                                                    C:\Windows\system32\Ocdqjceo.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    PID:692
                                                                                    • C:\Windows\SysWOW64\Ofcmfodb.exe
                                                                                      C:\Windows\system32\Ofcmfodb.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:5096
                                                                                      • C:\Windows\SysWOW64\Olmeci32.exe
                                                                                        C:\Windows\system32\Olmeci32.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        PID:900
                                                                                        • C:\Windows\SysWOW64\Ocgmpccl.exe
                                                                                          C:\Windows\system32\Ocgmpccl.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          PID:4808
                                                                                          • C:\Windows\SysWOW64\Ojaelm32.exe
                                                                                            C:\Windows\system32\Ojaelm32.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Modifies registry class
                                                                                            PID:184
                                                                                            • C:\Windows\SysWOW64\Pmoahijl.exe
                                                                                              C:\Windows\system32\Pmoahijl.exe
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              PID:3696
                                                                                              • C:\Windows\SysWOW64\Pcijeb32.exe
                                                                                                C:\Windows\system32\Pcijeb32.exe
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:3152
                                                                                                • C:\Windows\SysWOW64\Pjcbbmif.exe
                                                                                                  C:\Windows\system32\Pjcbbmif.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  PID:2928
                                                                                                  • C:\Windows\SysWOW64\Pqmjog32.exe
                                                                                                    C:\Windows\system32\Pqmjog32.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Modifies registry class
                                                                                                    PID:2068
                                                                                                    • C:\Windows\SysWOW64\Pggbkagp.exe
                                                                                                      C:\Windows\system32\Pggbkagp.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:5036
                                                                                                      • C:\Windows\SysWOW64\Pnakhkol.exe
                                                                                                        C:\Windows\system32\Pnakhkol.exe
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        • Modifies registry class
                                                                                                        PID:3628
                                                                                                        • C:\Windows\SysWOW64\Pqpgdfnp.exe
                                                                                                          C:\Windows\system32\Pqpgdfnp.exe
                                                                                                          52⤵
                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Modifies registry class
                                                                                                          PID:4244
                                                                                                          • C:\Windows\SysWOW64\Pcncpbmd.exe
                                                                                                            C:\Windows\system32\Pcncpbmd.exe
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            PID:3548
                                                                                                            • C:\Windows\SysWOW64\Pflplnlg.exe
                                                                                                              C:\Windows\system32\Pflplnlg.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:4640
                                                                                                              • C:\Windows\SysWOW64\Pmfhig32.exe
                                                                                                                C:\Windows\system32\Pmfhig32.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • Modifies registry class
                                                                                                                PID:2704
                                                                                                                • C:\Windows\SysWOW64\Pfolbmje.exe
                                                                                                                  C:\Windows\system32\Pfolbmje.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:4524
                                                                                                                  • C:\Windows\SysWOW64\Pmidog32.exe
                                                                                                                    C:\Windows\system32\Pmidog32.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:1272
                                                                                                                    • C:\Windows\SysWOW64\Pcbmka32.exe
                                                                                                                      C:\Windows\system32\Pcbmka32.exe
                                                                                                                      58⤵
                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Modifies registry class
                                                                                                                      PID:4980
                                                                                                                      • C:\Windows\SysWOW64\Pfaigm32.exe
                                                                                                                        C:\Windows\system32\Pfaigm32.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Modifies registry class
                                                                                                                        PID:1084
                                                                                                                        • C:\Windows\SysWOW64\Qmkadgpo.exe
                                                                                                                          C:\Windows\system32\Qmkadgpo.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          PID:4712
                                                                                                                          • C:\Windows\SysWOW64\Qdbiedpa.exe
                                                                                                                            C:\Windows\system32\Qdbiedpa.exe
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • Modifies registry class
                                                                                                                            PID:832
                                                                                                                            • C:\Windows\SysWOW64\Qfcfml32.exe
                                                                                                                              C:\Windows\system32\Qfcfml32.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:4312
                                                                                                                              • C:\Windows\SysWOW64\Qmmnjfnl.exe
                                                                                                                                C:\Windows\system32\Qmmnjfnl.exe
                                                                                                                                63⤵
                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                • Executes dropped EXE
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Modifies registry class
                                                                                                                                PID:2972
                                                                                                                                • C:\Windows\SysWOW64\Qddfkd32.exe
                                                                                                                                  C:\Windows\system32\Qddfkd32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  • Modifies registry class
                                                                                                                                  PID:4612
                                                                                                                                  • C:\Windows\SysWOW64\Qgcbgo32.exe
                                                                                                                                    C:\Windows\system32\Qgcbgo32.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:748
                                                                                                                                    • C:\Windows\SysWOW64\Ajanck32.exe
                                                                                                                                      C:\Windows\system32\Ajanck32.exe
                                                                                                                                      66⤵
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:4356
                                                                                                                                      • C:\Windows\SysWOW64\Ampkof32.exe
                                                                                                                                        C:\Windows\system32\Ampkof32.exe
                                                                                                                                        67⤵
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:4932
                                                                                                                                        • C:\Windows\SysWOW64\Acjclpcf.exe
                                                                                                                                          C:\Windows\system32\Acjclpcf.exe
                                                                                                                                          68⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:208
                                                                                                                                          • C:\Windows\SysWOW64\Afhohlbj.exe
                                                                                                                                            C:\Windows\system32\Afhohlbj.exe
                                                                                                                                            69⤵
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:3464
                                                                                                                                            • C:\Windows\SysWOW64\Ambgef32.exe
                                                                                                                                              C:\Windows\system32\Ambgef32.exe
                                                                                                                                              70⤵
                                                                                                                                                              PID:4792
                                                                                                                                                • C:\Windows\SysWOW64\Aclpap32.exe
                                                                                                                                                  C:\Windows\system32\Aclpap32.exe
                                                                                                                                                  71⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  PID:1236
                                                                                                                                                  • C:\Windows\SysWOW64\Agglboim.exe
                                                                                                                                                    C:\Windows\system32\Agglboim.exe
                                                                                                                                                    72⤵
                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:1072
                                                                                                                                                    • C:\Windows\SysWOW64\Ajfhnjhq.exe
                                                                                                                                                      C:\Windows\system32\Ajfhnjhq.exe
                                                                                                                                                      73⤵
                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                      PID:3956
                                                                                                                                                      • C:\Windows\SysWOW64\Amddjegd.exe
                                                                                                                                                        C:\Windows\system32\Amddjegd.exe
                                                                                                                                                        74⤵
                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:3216
                                                                                                                                                        • C:\Windows\SysWOW64\Aeklkchg.exe
                                                                                                                                                          C:\Windows\system32\Aeklkchg.exe
                                                                                                                                                          75⤵
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          • Modifies registry class
                                                                                                                                                          PID:2796
                                                                                                                                                          • C:\Windows\SysWOW64\Afmhck32.exe
                                                                                                                                                            C:\Windows\system32\Afmhck32.exe
                                                                                                                                                            76⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:1456
                                                                                                                                                            • C:\Windows\SysWOW64\Amgapeea.exe
                                                                                                                                                              C:\Windows\system32\Amgapeea.exe
                                                                                                                                                              77⤵
                                                                                                                                                                            PID:2320
                                                                                                                                                                • C:\Windows\SysWOW64\Aabmqd32.exe
                                                                                                                                                                  C:\Windows\system32\Aabmqd32.exe
                                                                                                                                                                  78⤵
                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                  PID:2136
                                                                                                                                                                  • C:\Windows\SysWOW64\Aglemn32.exe
                                                                                                                                                                    C:\Windows\system32\Aglemn32.exe
                                                                                                                                                                    79⤵
                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                    PID:1604
                                                                                                                                                                    • C:\Windows\SysWOW64\Ajkaii32.exe
                                                                                                                                                                      C:\Windows\system32\Ajkaii32.exe
                                                                                                                                                                      80⤵
                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                      PID:2892
                                                                                                                                                                      • C:\Windows\SysWOW64\Aepefb32.exe
                                                                                                                                                                        C:\Windows\system32\Aepefb32.exe
                                                                                                                                                                        81⤵
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        PID:4512
                                                                                                                                                                        • C:\Windows\SysWOW64\Bfabnjjp.exe
                                                                                                                                                                          C:\Windows\system32\Bfabnjjp.exe
82⤵
• Drops file in System32 directory
• System Location Discovery: System Language Discovery
PID:4908

• C:\Windows\SysWOW64\Bmkjkd32.exe
  C:\Windows\system32\Bmkjkd32.exe
  83⤵
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:244

• C:\Windows\SysWOW64\Bebblb32.exe
  C:\Windows\system32\Bebblb32.exe
  84⤵
  PID:4384

• C:\Windows\SysWOW64\Bganhm32.exe
  C:\Windows\system32\Bganhm32.exe
  85⤵
  PID:4656

• C:\Windows\SysWOW64\Baicac32.exe
  C:\Windows\system32\Baicac32.exe
  86⤵
  • System Location Discovery: System Language Discovery
  PID:3032

• C:\Windows\SysWOW64\Bgcknmop.exe
  C:\Windows\system32\Bgcknmop.exe
  87⤵
  • Drops file in System32 directory
  • Modifies registry class
  PID:2540

• C:\Windows\SysWOW64\Bnmcjg32.exe
  C:\Windows\system32\Bnmcjg32.exe
  88⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  PID:3356

• C:\Windows\SysWOW64\Bmpcfdmg.exe
  C:\Windows\system32\Bmpcfdmg.exe
  89⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Drops file in System32 directory
  • Modifies registry class
  PID:4700

• C:\Windows\SysWOW64\Beglgani.exe
  C:\Windows\system32\Beglgani.exe
  90⤵
  • Drops file in System32 directory
  • Modifies registry class
  PID:2728

• C:\Windows\SysWOW64\Bfhhoi32.exe
  C:\Windows\system32\Bfhhoi32.exe
  91⤵
  • Modifies registry class
  PID:4784

• C:\Windows\SysWOW64\Bnpppgdj.exe
  C:\Windows\system32\Bnpppgdj.exe
  92⤵
  PID:4948

• C:\Windows\SysWOW64\Banllbdn.exe
  C:\Windows\system32\Banllbdn.exe
  93⤵
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:3436

• C:\Windows\SysWOW64\Bclhhnca.exe
  C:\Windows\system32\Bclhhnca.exe
  94⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  PID:3636

• C:\Windows\SysWOW64\Bhhdil32.exe
  C:\Windows\system32\Bhhdil32.exe
  95⤵
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:552

• C:\Windows\SysWOW64\Bnbmefbg.exe
  C:\Windows\system32\Bnbmefbg.exe
  96⤵
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:3316

• C:\Windows\SysWOW64\Belebq32.exe
  C:\Windows\system32\Belebq32.exe
  97⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  PID:2420

• C:\Windows\SysWOW64\Chjaol32.exe
  C:\Windows\system32\Chjaol32.exe
  98⤵
  PID:3172

• C:\Windows\SysWOW64\Cjinkg32.exe
  C:\Windows\system32\Cjinkg32.exe
  99⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:2200

• C:\Windows\SysWOW64\Cmgjgcgo.exe
  C:\Windows\system32\Cmgjgcgo.exe
  100⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Modifies registry class
  PID:4080

• C:\Windows\SysWOW64\Cenahpha.exe
  C:\Windows\system32\Cenahpha.exe
  101⤵
  PID:1984

• C:\Windows\SysWOW64\Cfpnph32.exe
  C:\Windows\system32\Cfpnph32.exe
  102⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Drops file in System32 directory
  PID:1900

• C:\Windows\SysWOW64\Cjkjpgfi.exe
  C:\Windows\system32\Cjkjpgfi.exe
  103⤵
  • Drops file in System32 directory
  PID:1260

• C:\Windows\SysWOW64\Caebma32.exe
  C:\Windows\system32\Caebma32.exe
  104⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:680

• C:\Windows\SysWOW64\Cdcoim32.exe
  C:\Windows\system32\Cdcoim32.exe
  105⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • System Location Discovery: System Language Discovery
  • Modifies registry class
  PID:4536

• C:\Windows\SysWOW64\Cjmgfgdf.exe
  C:\Windows\system32\Cjmgfgdf.exe
  106⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  PID:4184

• C:\Windows\SysWOW64\Cnicfe32.exe
  C:\Windows\system32\Cnicfe32.exe
  107⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  • Drops file in System32 directory
  PID:4260

• C:\Windows\SysWOW64\Cmlcbbcj.exe
  C:\Windows\system32\Cmlcbbcj.exe
  108⤵
  PID:2084

• C:\Windows\SysWOW64\Ceckcp32.exe
  C:\Windows\system32\Ceckcp32.exe
                                                                                                                                                                                                                                            109⤵
                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                            PID:3880
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Cfdhkhjj.exe
                                                                                                                                                                                                                                              C:\Windows\system32\Cfdhkhjj.exe
                                                                                                                                                                                                                                              110⤵
                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                              PID:1916
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Cmnpgb32.exe
                                                                                                                                                                                                                                                C:\Windows\system32\Cmnpgb32.exe
                                                                                                                                                                                                                                                111⤵
                                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                PID:5164
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Cajlhqjp.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\Cajlhqjp.exe
                                                                                                                                                                                                                                                  112⤵
                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                  PID:5208
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Chcddk32.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\Chcddk32.exe
                                                                                                                                                                                                                                                    113⤵
                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                    PID:5252
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cjbpaf32.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\Cjbpaf32.exe
                                                                                                                                                                                                                                                      114⤵
                                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                      PID:5296
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Cmqmma32.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\Cmqmma32.exe
                                                                                                                                                                                                                                                        115⤵
                                                                                                                                                                                                                                                          PID:5340
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Calhnpgn.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\Calhnpgn.exe
                                                                                                                                                                                                                                                            116⤵
                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                            PID:5384
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Ddjejl32.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\Ddjejl32.exe
                                                                                                                                                                                                                                                              117⤵
                                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                              PID:5428
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Djdmffnn.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\Djdmffnn.exe
                                                                                                                                                                                                                                                                118⤵
                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                PID:5472
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Dmcibama.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\Dmcibama.exe
                                                                                                                                                                                                                                                                  119⤵
                                                                                                                                                                                                                                                                    PID:5516
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Ddmaok32.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\Ddmaok32.exe
                                                                                                                                                                                                                                                                      120⤵
                                                                                                                                                                                                                                                                        PID:5560
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Djgjlelk.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\Djgjlelk.exe
                                                                                                                                                                                                                                                                          121⤵
                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                          PID:5604
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Dmefhako.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\Dmefhako.exe
                                                                                                                                                                                                                                                                            122⤵
                                                                                                                                                                                                                                                                              PID:5648
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Ddonekbl.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\Ddonekbl.exe
                                                                                                                                                                                                                                                                                123⤵
                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                PID:5692
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Deokon32.exe
                                                                                                                                                                                                                                                                                  C:\Windows\system32\Deokon32.exe
                                                                                                                                                                                                                                                                                  124⤵
                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                  PID:5736
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Dhmgki32.exe
                                                                                                                                                                                                                                                                                    C:\Windows\system32\Dhmgki32.exe
                                                                                                                                                                                                                                                                                    125⤵
                                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                    PID:5788
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Dkkcge32.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\Dkkcge32.exe
                                                                                                                                                                                                                                                                                      126⤵
                                                                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                      PID:5832
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Dmjocp32.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\Dmjocp32.exe
                                                                                                                                                                                                                                                                                        127⤵
                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                        PID:5876
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Dddhpjof.exe
                                                                                                                                                                                                                                                                                          C:\Windows\system32\Dddhpjof.exe
                                                                                                                                                                                                                                                                                          128⤵
                                                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                          PID:5920
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Dgbdlf32.exe
                                                                                                                                                                                                                                                                                            C:\Windows\system32\Dgbdlf32.exe
                                                                                                                                                                                                                                                                                            129⤵
                                                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                            PID:5964
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                                                                                                                                                              C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                                                                                                                                                              130⤵
                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                              PID:6008
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 6008 -s 216
                                                                                                                                                                                                                                                                                                131⤵
                                                                                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                                                                                PID:6092
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6008 -ip 6008
                            1⤵
                              PID:6068


                            Downloads

                            • C:\Windows\SysWOW64\Aepefb32.exe

                              Filesize

                              96KB

                              MD5

                              ed8b77c3d8274986f58cf0868195059b

                              SHA1

                              4392f979ba031591b7cb58bb8d458fb155928c91

                              SHA256

                              55d6d3eb5624423f8ecff6795e65075b2c412705a82b86ca54e8d694bda046d1

                              SHA512

                              f832a65f8556879f1ada379a9b4c3120af444db209c07354760105ba0d39f6af413e215dd343e6d8a751f0ec506e47d597d24daf458fc251bb38d383659c84cd

                            • C:\Windows\SysWOW64\Afhohlbj.exe

                              Filesize

                              96KB

                              MD5

                              4b075d50113c5deddd4f4fcb3df8dddf

                              SHA1

                              4838183108570dffae6a5fa92eec0ca044ce4432

                              SHA256

                              65adc7d370042225921666f5b18a3c2263ad7ccc8ec1a4c3a7720b5749dd34d6

                              SHA512

                              a1978f1a99449917aab2ed914d3923e3785d2cef019344189eb74faf80de6743915d16d51d31eaaf2796a4a58b67ab644e79e96d312a1febd334657c8c217831

                            • C:\Windows\SysWOW64\Afmhck32.exe

                              Filesize

                              96KB

                              MD5

                              ccd6bcd762b032e58b31603846e091f9

                              SHA1

                              88c8758ac4a57513c2ad93fc5dd6e4c390220385

                              SHA256

                              3a1703b6f923a86b8f46908dec0aa1d13fb9876074c3ff743fa8f7a0e9ee2ca5

                              SHA512

                              0f27ceb5c243ba62b2ec9a9677a67cfd737ed777d827ee3c74cfb628a7c70b563537ebf4a8332b439ea85944638587c25a1b421b709d6f46131ecf75f6edc910

                            • C:\Windows\SysWOW64\Aglemn32.exe

                              Filesize

                              96KB

                              MD5

                              6cad6d4ef71ec45ba5f3630c304c27be

                              SHA1

                              9ec1e6bcfd1d2fe636b8371afbb39791fc3fd611

                              SHA256

                              ff452249881f6e502485894f79dcc5e89aa3b5d537cb1efde5a3906c4f2b700d

                              SHA512

                              60a0d37c06beb6c7862f83d622414ac7b8e396519eecf96bdcb94e094a4e6d9433d759bc9cea47f2debb641630eff7b3cd7b0557f41fdfa408a2eaa758569472

                            • C:\Windows\SysWOW64\Baicac32.exe

                              Filesize

                              96KB

                              MD5

                              6825d66d15afe17b02f118d4870ced13

                              SHA1

                              b3c9f4aa8c259a88eac7d47f3ad9bcaadc0b049f

                              SHA256

                              b80758bbc698647040d00549edd770f46dce61c14ca2e6688f601a21e9aeb021

                              SHA512

                              a0554eb931962719e1eba28014ebf97e577582f4660c16d95cee758d83588a7404cb46ea018c61ab90b03bba90c31e241aafdf7a8aa3290518e84f7af3e0511e

                            • C:\Windows\SysWOW64\Bmkjkd32.exe

                              Filesize

                              96KB

                              MD5

                              b7e823b7606515732cf90bd7bae1fb90

                              SHA1

                              09f5c4c2654ca175bb6afb09a2feccc48bf91891

                              SHA256

                              ab9f11ec55a64b80bf52c61afa13a665f3692540c69e78dd80cebeafdc5b14a6

                              SHA512

                              0b144d3ed4e6285da1cb76be4c4e1f9fcffd8f48636c61ff21ffd7d87915066bdbbe0c083ab6d1703a0ceb83117de9123b2f8a4f648fc77e2ec7dcc8b1584dbd

                            • C:\Windows\SysWOW64\Bnbmefbg.exe

                              Filesize

                              96KB

                              MD5

                              abc71b02e9d3bfaca874173ceb4396f3

                              SHA1

                              2cbe269f67f84bcf84f9706ae8ea5d1e6564ca7e

                              SHA256

                              ca70db092450022b8e56806ae3e9953940adf3ff8de21546b19491948b5d60aa

                              SHA512

                              3cd48fcd4c95c7235af904eb9c6f3d9813c732940483cae2091fc279b5ad8b153ca71d28d175dd7ece4ffca99bf69ea68c30695d0d684442de5588f346b116d3

                            • C:\Windows\SysWOW64\Bnpppgdj.exe

                              Filesize

                              96KB

                              MD5

                              8d8ea2af952f3dfc615fe52c91850059

                              SHA1

                              25d2f09b86d638dbd80f13bec272a02466405675

                              SHA256

                              d27747477a3d66aefc07741c24ccbd9f061fd1dc4125043511e1f4b7950fca2d

                              SHA512

                              646e7a5c0aa977e27179f8c1de03840e3d20187fb56adadb878fbf9b7fc9cc080a7574c584894b00dab15a5dd8454e5a5c878f5bf6a144ca1a6abd5df1d24bf9

                            • C:\Windows\SysWOW64\Cdcoim32.exe

                              Filesize

                              96KB

                              MD5

                              9fbd968171efeb5210eff77b00bed55f

                              SHA1

                              c185bd4a312bf17eac75831dbf78af53ff728672

                              SHA256

                              ad4f34624b6f66826725c52f8ad022ff389c62ae5886e5579b877e1b96968c70

                              SHA512

                              a80902fa2d700794f5f4027dd770e9c820faa3797ffbc8b6c6ef8f829152dc3ae679226d6534e5d2adc9c7d37a83194b3415a950cfa6449be04f2d110f611ff5

                            • C:\Windows\SysWOW64\Ceckcp32.exe

                              Filesize

                              96KB

                              MD5

                              b07972989f152f7ad2b42a2002b46d3c

                              SHA1

                              d66d8275d81705b49e29bd20186078ad97a93300

                              SHA256

                              80b94119b1b2bf21d9e8c1028b84594c4ed2696236d858889b6bcb7badd6c1ad

                              SHA512

                              5434219311da2fa516bdf1201b369edd9141c50d956158fd874449843be070a3d5e50c0ac7309b58532918ba8ba70ca86a32d5e5c4561ffa52ab140113497a5a

                            • C:\Windows\SysWOW64\Cmgjgcgo.exe

                              Filesize

                              96KB

                              MD5

                              d86e282b65472469b433b2214cc05c21

                              SHA1

                              0b8d1e1f2568644380dd08f3579921e469e276f6

                              SHA256

                              79ae1b5f349594b15bad149206c31b6b95b51f9084a7a19d423f5eb3a0d8c255

                              SHA512

                              e9b9bf5733f1889592ce21342e59144658c2ba4c82d26dafb5aa7d0eda81b05c02af7b8428c6e7efbfcaa540a6af63b3e2b33c7dce5f8de775e545e3ab0b3c5a

                            • C:\Windows\SysWOW64\Dddhpjof.exe

                              Filesize

                              96KB

                              MD5

                              eb483aaf1f4e041e5448590b59c1817c

                              SHA1

                              3d95e636e384c5d809830367e39f36b16362080d

                              SHA256

                              cb3e9e65e541352dd54242cb67cc26bf6cde167f67c0c15adb8f58070724c69e

                              SHA512

                              04b89b82ca88566eeaf8f4dc1411a65fddcfb1546f6da0aadb25cde01a53220622bdc4e83293dc9ff4b153d280b08fcf9bf7d83d9c7514d0a874e82f65b671db

                            • C:\Windows\SysWOW64\Ddjejl32.exe

                              Filesize

                              96KB

                              MD5

                              52180bd7c1e8a4ee87bb00ee90cbea03

                              SHA1

                              dab4a713f3360a13a2f0984a3cebe2a964579a76

                              SHA256

                              c237e9413fa9014fd48b619ef5f507220f1319db22c2e99589ef5d3490523f01

                              SHA512

                              25c6d4824ecd4a1f4f72e835a5580046890d04d9a4264f379c1dcd7fc3934c7043c0719da006a8a760360fe95837937dbbdb77fb6544a03122774ca96b339faa

                            • C:\Windows\SysWOW64\Ddmaok32.exe

                              Filesize

                              96KB

                              MD5

                              7a203c40c67186b0f805821e77d54040

                              SHA1

                              91848e0b94a5e090f8e435cc8b9d773a06ff63cd

                              SHA256

                              a1cdc2c7b2072b1a430a72985b4970a935b26f6916aca6e816e2006eb857e4b7

                              SHA512

                              0a03081ea80952c98c2edfe3593d7868b852e142f3c0aa9db508b6db179a8d751f132b0719641164751ccc7eb6d377e8133369a0f10d474fa10859ec9c929d58

                            • C:\Windows\SysWOW64\Ddonekbl.exe

                              Filesize

                              96KB

                              MD5

                              94c9814e1409a382824bd9eba8b03027

                              SHA1

                              36c76efd055ad9bdc8d6e8e007eadc640a41ae50

                              SHA256

                              3217d943c24acc8e7dddff6fbf9f7800e147953897523beae88b3bbab35e7ee3

                              SHA512

                              f981b0c4b7b3b4e6601e11a269acfc8aac0c37aa521efde56bc72393f476eb7d8a52b9c7162584faf76a4eaf9518fafaf2bdd962b9abb7c990e79bd65b9306b6

                            • C:\Windows\SysWOW64\Dmcibama.exe

                              Filesize

                              96KB

                              MD5

                              58ad49ad6fb8d0885ceaae1a4a894408

                              SHA1

                              6544f9bc8d6a23c9c105c614ebe4879afb002075

                              SHA256

                              3ae43bc61d0a23213b53615fad1713ebe47e45e09ada729f93bb0dc3ee1e5356

                              SHA512

                              55ef9d78dcd485571ae46711f90cc042de38b83454087009164142ebdef43d502bc0c68470939297490890119d31736d1ec7de91878128280f39573e634642e8

                            • C:\Windows\SysWOW64\Lgokmgjm.exe

                              Filesize

                              96KB

                              MD5

                              5c3171eccce98201c78670f4626c8c7b

                              SHA1

                              dc2ea310f35c71d8c491da4e665d6135340f8e13

                              SHA256

                              191edd1334af784bf5821a52878b562b0a0253ada6f556df80e1c6f0a6d4feea

                              SHA512

                              9a663964a032c11c4cf7dad8b2339170c997e002c9c246845e5e384138f2bb97f3cc1dd7e6807f3d25de7182003c7683af26340f2d82ec35dc10db6e68a3ab81

                            • C:\Windows\SysWOW64\Lllcen32.exe

                              Filesize

                              96KB

                              MD5

                              988168685c367f7069b48cf81ff71a7c

                              SHA1

                              ac8151b708047280ed43fe8d88bb20547c128d7e

                              SHA256

                              49626b9a47f6895b03a658bb496efa2273f464e46f6bed8926ab20c24449af5a

                              SHA512

                              2aab886784193b6f96407fd196bbbd2ede8ba7e6d1822d6bc9e804322b71e565537e46548e1bd414c04730bfdf3c3608e6bc6fbe31ddd828ef7ae1786fc76e0c

                            • C:\Windows\SysWOW64\Lmiciaaj.exe

                              Filesize

                              96KB

                              MD5

                              e93a6a5ca52d98738b895fbd1a0731fd

                              SHA1

                              54693813f9a7da360ab99b11af2371c4fa5b4545

                              SHA256

                              5d6e14f498f0ffd3787d6dcfb1d3b497313aaba39df728e214fab26acf9ca145

                              SHA512

                              ff17ea15f02ed1f96f457e06da827ec2438be4f7f4423439d443e02b7642cf579e4de45870a05ee28336facfa0fa62051a6ff683c0a9f09f4fd7bbc75690012e

                            • C:\Windows\SysWOW64\Mbfkbhpa.exe

                              Filesize

                              96KB

                              MD5

                              95acd99c8e649d835a04592407e81a85

                              SHA1

                              efee074768774a1305e0a977d3a226027f342644

                              SHA256

                              d547b333a7c1f64286433d6b4e6068c3bdb3ab40829485829f78a2317f195963

                              SHA512

                              5fee801c89f01d357116b06052c1de710a7145403c48cb3da0c644e5160cc28ffc79f0f74cb43b8a7cc9a5627305fd188137c424b0a79d50817bdce6366b28d5

                            • C:\Windows\SysWOW64\Mchhggno.exe

                              Filesize

                              96KB

                              MD5

                              e1249e43fbef0714ddf084f71fa7bd9e

                              SHA1

                              0dacb5783affdac7d0b53005b11d3dcdb0cb67fa

                              SHA256

                              7b6ad91312cd4fc01b910bfcaebdf95ab10bfc0da0b98f41026fe6736b58b713

                              SHA512

                              3a35812ece2c52d2b16a3e97b84c6153113ce91008c786bbaf74b09ba54a6a7cbf6563b755964d47d0f2b3eb91e25ccdccbe64ba029696f36e143abe8f9c6e30

                            • C:\Windows\SysWOW64\Mckemg32.exe

                              Filesize

                              96KB

                              MD5

                              dff7b848ccf0a8c53e7ccdbd726d0b42

                              SHA1

                              e65c2b7ba49f21d21b69c3fe5e02755674f2f8df

                              SHA256

                              5f76088a48413185d27c2c3da92b7eefb044cf5baa939d9fb95bcbd6ef667cdc

                              SHA512

                              ca42f0d3f759970cd226e3ce5a3557e0d298ef5b3280fd5e72449dc32a5e0364021d4b1847c026cf89e6a30cf037bac576fce42f785678e909b4411468e5f18f

                            • C:\Windows\SysWOW64\Mcmabg32.exe

                              Filesize

                              96KB

                              MD5

                              05adf2c331bfdaecc55b8523cced378e

                              SHA1

                              7eecbc389b19d538139bea6b54ffa5910cbbc5f6

                              SHA256

                              e6668a5dbfedb454be11ba0c8e0f5cd6b68c813f5a537f8470ee277ab3b27a63

                              SHA512

                              1e2bd41e67cf6781c088e695cb4907c306129254ab640d12202732e336a29236359d088460a17719271fe1f15055ccaa4d423c82d377faffd5d0d2ff3031fd5a

                            • C:\Windows\SysWOW64\Mdmnlj32.exe

                              Filesize

                              96KB

                              MD5

                              afca76b09a656d3f26acd6f4da29b804

                              SHA1

                              c6b68d1b88a5535a51ba1d77dfa6ec1cabd2572c

                              SHA256

                              4d3217ff6e9ed5215e16cecc92df233705deee174a94a482ead22dd235e4f6dc

                              SHA512

                              7a89a6a2649ed18233f38261070b1c00fff1279cdcc3aefa90faa293f4b8d6bd5cae000ac8fa23f70f7d7585d5ec33989305ea6435ae6fe43d14d3756ccffa5b

                            • C:\Windows\SysWOW64\Medgncoe.exe

                              Filesize

                              96KB

                              MD5

                              9bbf2f05d50196fe421cf4ceec8e8b3d

                              SHA1

                              5ba0a648193a924edb75b7ce8676b74b8af91926

                              SHA256

                              21f5fafed700278445afb433e699e3934fb5333fd8efc68ecbe2a9338236b233

                              SHA512

                              d2f260b2c24cffef3409e2ae4c069c7c11ae4f18436a584b82e5aa2bbbfa25dc93409af6e056b20b8879d6a6a46ddea5f44dda0def68ee98e5c6aa951109c298

                            • C:\Windows\SysWOW64\Megdccmb.exe

                              Filesize

                              96KB

                              MD5

                              33c7fc73bdff3c1a1a8924b45f95eeaf

                              SHA1

                              63f4f3e6f1435c48feb742f6d1dd5adcf7624510

                              SHA256

                              4413bb8786c21aa0e100d608c6a0aad9e84eb77f3dc3e6cc5cc30f9e8deb154b

                              SHA512

                              5003013ba1754c3756cf7ed6b744c38e3494e8b8af9aa4f5cc709c83b3fee0bbcf8fbb0933628885f36b1da7509b5319c0f8ad6cc46a9c56bb863a6868e2a0e6

                            • C:\Windows\SysWOW64\Meiaib32.exe

                              Filesize

                              96KB

                              MD5

                              d36d87e186c36a96e1c349777288d786

                              SHA1

                              3a9c74220a97e819fc0e5cc92ae3472ba2742f87

                              SHA256

                              7d786a7431601fa38b4d836f8f7d326354c29d75d02610afd434a1c039d5c37a

                              SHA512

                              2ce2cf2973718699c771747c48e6c638568a57c6be0fcbc8025d25e8dc2ebf59c2caf3b1af3953f146a8e896bce76036c8c1fba4452c6814202f5beb2536eab8

                            • C:\Windows\SysWOW64\Menjdbgj.exe

                              Filesize

                              96KB

                              MD5

                              a1c9ed13a612cd58f5c10153370ee988

                              SHA1

                              5e2c4b138fd59fc0407b1282bfaa23fa741e5b53

                              SHA256

                              8ccdbb1334a78be2fd3e308d66491edbb49fb02849cb250381fa630620f62a9d

                              SHA512

                              dd347d61ff738c314b7028a77cfa6105df25bcd663f852aacb2b86f95ab896a3674429725e970154040b8e8213a478222e180d453c856d8755527e832afbca27

                            • C:\Windows\SysWOW64\Migjoaaf.exe

                              Filesize

                              96KB

                              MD5

                              9b885a3c09fa1949651341e6791ba6a1

                              SHA1

                              f5f50904df8be4829ae06d2345f568aefcdb7f1f

                              SHA256

                              2a8dc9b3aa0200648ce41c247393751945d8347ae763de0516eedfd4550551f6

                              SHA512

                              b2fbe0f02e5ee3405139427b9dacbbcfa7e62ea9e7dc46b5bf5ef4e553ed60539b9018520d0717b36fb8c90623fb457873d2628d3df26c53eec8f871c4fff02c

                            • C:\Windows\SysWOW64\Mlopkm32.exe

                              Filesize

                              64KB

                              MD5

                              bcecaaebcaab99f3f34d54253ffa7089

                              SHA1

                              1fdfbd889f9b7e9c60a10e9bffb8fb9c4d70c6f6

                              SHA256

                              33cf2787a27cc84042b686a75e5053749e500c6601f335e63755b73bef3c068e

                              SHA512

                              27e3f48b72e70162560eef28a88fc50dd3a68938224d017328294e9c87aa13b4dcc30e398cd31cdc8a62ab52ab96223acec8e25a7e66c588d6ba7752e8cd28ec

                            • C:\Windows\SysWOW64\Mlopkm32.exe

                              Filesize

                              96KB

                              MD5

                              6cd0cf6c21dba07c209ec1f60f076a0d

                              SHA1

                              03d698d91c38d3a34ab210795fb628d84a60c7c4

                              SHA256

                              1246e63f2926bf1ae9feb6c1fe9757071160eece745148af84017b7a535109fe

                              SHA512

                              6d8dd4e7f169110e3dc0cadf264019f54079774814346f2d405e0bef72586a10e7771c544df53ebd2766785700ddfe477597ac050e2db4c8a353d1661ef2fee5

                            • C:\Windows\SysWOW64\Mmnldp32.exe

                              Filesize

                              96KB

                              MD5

                              64190a677a042b8a372c4bed3ee2a1ce

                              SHA1

                              f2774d3d990741fba01fbb53f5ffd5f5e6343284

                              SHA256

                              a7f6579f92131f15cec301951fccb6507a199baa3d3f7b36bd1fe959b4456473

                              SHA512

                              ab75b4402a71dd6f4ecd5c655258eb5b949c5e588e8158aac2bee1c104b2ca052d3e90408c9009117b5e30156e03a6db60a5266551c91abc4ddeb0333f741244

                            • C:\Windows\SysWOW64\Mmpijp32.exe

                              Filesize

                              96KB

                              MD5

                              56b672824452b586a118c53248095b96

                              SHA1

                              f2d9e535da5a9037e27f88b8a035dd81891600f0

                              SHA256

                              b63b99f342ba1c7bad8381ea68ca0140cc75d3fee387aabc3593419c7b09e3aa

                              SHA512

                              5645ed61d174248e576867f4c9af4bd1de4aa46f9223e55ea5e28ef8ad595232f4ab98cc5ed9120baedd9fbeb4d7f96bc6b98795c9de29f2ae502a22851baaae

                            • C:\Windows\SysWOW64\Mpoefk32.exe

                              Filesize

                              96KB

                              MD5

                              460df5b57ff1da1d1db91ad58a1b1e38

                              SHA1

                              864e1cead8f5c43a4d8a1add956437b0191b057f

                              SHA256

                              4ccea6506bf5c697b9e5e49589c85592b91a51e4080b68d09cf9811930d1d442

                              SHA512

                              bbe37fb25636dfc92c016cb4ab52e00745b04faa054c7040f75ecbdc982f156f3c66531fa47b1f4f7d65a2db1fb39331eff03b472722c01aaf3ac47da307b7f4

                            • C:\Windows\SysWOW64\Ncdgcf32.exe

                              Filesize

                              96KB

                              MD5

                              80f15e648e2e4383819cb903c6dc028b

                              SHA1

                              f2b1e8d951fd0403114f46d21a7ff3690118cd00

                              SHA256

                              cf4b7e53ba85d0132aadd3a08420141eb95af4a481956b9ecfb6595aa9dd912b

                              SHA512

                              af56bb70d4eb0a8be17145a5cf1228cb15c88d2323f8f96d6e5ff41e306d8a3452963f137d3ab25fc94127f442bb83191f2327e992ad8e6210063d5ae65ff200

                            • C:\Windows\SysWOW64\Nebdoa32.exe
                              Filesize: 96KB
                              MD5: 072d10850bda412153d214728914c687
                              SHA1: 356f0aaf984fb656eb04d6eca93921724318dd67
                              SHA256: 25aab746b29146c1603d8ef4eb473d56dddf0f07bbcd6d68de476fd3d2c7cbb3
                              SHA512: 65ecc2bc8431f1d66444feee9da61f6a140e52a9b3115e4ef9946b7dcee833564f50fb7c3772aededb4819d1b897ed14a1d3c4776a53bc1111bbb1f4a3d9da53

                            • C:\Windows\SysWOW64\Nfgmjqop.exe
                              Filesize: 96KB
                              MD5: e5905f00f228d67802933a5b28b459dd
                              SHA1: 93cf662f6f5e185c2fed8ebec26dd1b99a780f93
                              SHA256: 540872d904b9680742a6ad8ad0baa9236ff8cc2ce432d8de26f640397987ff45
                              SHA512: ccf9ee3854d44b0dffc0e3f61d1762987d74d2b5e61ac994d6937621e18db4612e0ba80406c75875da5336a63df410489079cee02a0d56fc84597ebc8740499a

                            • C:\Windows\SysWOW64\Ngbpidjh.exe
                              Filesize: 96KB
                              MD5: f3c75f3a616628f0c77204ecebc44791
                              SHA1: c5ea8fb913635175d4ff6b5ec293bf1b23290c86
                              SHA256: 0adfe9969dcb140937b757246bd8bab15b785241fbe08509745a9e4242cddf6f
                              SHA512: da010d0fdbb1635b01a53ab64360416db6b551026afe044d15e516f9727c10df33defa474b7ad13bb36bdf1750ace5e321b4dd8aab04a610d864d1d4052c599a

                            • C:\Windows\SysWOW64\Ngmgne32.exe
                              Filesize: 96KB
                              MD5: e49d7fde67450e0bd64ebc69e489a8e6
                              SHA1: 08e0082e250831a5733139a3d4341b4ae2ccdf69
                              SHA256: 8753b327de8858c1ad2d4a169c557eaea09a0bebf7f194291ea73d233045611a
                              SHA512: d46bf41d82eadcdefd69046d69db4d7ddadc6b7895255a31aeb89682a1968e97ff59e98586c319e19506fa062ace949f0377af37efb3e5a559ec2974d9295c3f

                            • C:\Windows\SysWOW64\Nilcjp32.exe
                              Filesize: 96KB
                              MD5: 734154f24ccc78962d43fb9bf092fe81
                              SHA1: 89d3b6fc59107e9d323c0f44baa219897b1f84e4
                              SHA256: 839922ae7472e03c83bf9f1a87c78019cf367d1525e1375908f453256ccfd66b
                              SHA512: 2bb8f66e4f497f6e33dc65cd3f6964fb667ffeba9801d249a57b1e9c2254de6653165be7df087a2f5ba8b7c8fa450889285847a484ca679e5519a363e4b1b249

                            • C:\Windows\SysWOW64\Njefqo32.exe
                              Filesize: 96KB
                              MD5: 01b57e924cc0f8668a7fd67c88df064e
                              SHA1: f79dee3461f263c310d0505d0864837a42b23bf5
                              SHA256: 3150bffcdfb4c78d564445a86b31c9b188c83435fa1c5b4090779d67a59c614b
                              SHA512: 5eb2fc431a376bceb4642dfe809fa9e5091f70ffa50b7f0bb2fde4b6095b2b3465dbb99d50aa99176cb1c9469cffd3ece3f7df3c39fbb68f5ede72f79746ede9

                            • C:\Windows\SysWOW64\Njqmepik.exe
                              Filesize: 96KB
                              MD5: cae7436beb9868f663245e67015429aa
                              SHA1: 7a91c3bd479d58af6d4bde4551c36d9847d03764
                              SHA256: 53e6c64fbe3d36d5aaa5a18ead3493c62fa3ccd54fd16c3d6838546542064274
                              SHA512: 6c2ca71a1aac43ab4809439772624863f39719ca1873a6e8d287a20d377419fed5702dae3a28ab786aeed1ba4a6006b5cc72f15213e69a6199efae2b76d47680

                            • C:\Windows\SysWOW64\Nlmllkja.exe
                              Filesize: 96KB
                              MD5: b8c906857c0f6b51fe0a860b5c497975
                              SHA1: 44dcc694065975e59d5340df4b38ef51ad543f56
                              SHA256: 1e32d37d5e08bda236c93eb67a4f08604a090e2bb06a287aa696e736405bb372
                              SHA512: 500da844f84422049005d5caded41c7edd4d70eebcb6b0e69de7ab3cb7a66c1937ef7286ac99c928cf1a14f3c94910233095415839f256cd722ccc698ba15fea

                            • C:\Windows\SysWOW64\Nloiakho.exe
                              Filesize: 96KB
                              MD5: 2e63ba062a56b626312ebf8d37c05a79
                              SHA1: b69318c1f4012634fa7013472e15ef80b536d045
                              SHA256: 6695a10dc047ab6d2511c898f91f844e9e29e0b8fc328eb4621d5920161479a1
                              SHA512: 6124db69ca61374cea286cd63c1afc61a1519f2e381c185833aaca10c4563fa7e1fa4df5a538b51b7654a9611194134d3d29d74549fab8f66efbcba379cd6249

                            • C:\Windows\SysWOW64\Nngokoej.exe
                              Filesize: 96KB
                              MD5: 48e3e9a6142d10035bfa2f70c20c4589
                              SHA1: 4f31556a546d7f1e682972a9b2bfa472cfb7ca1b
                              SHA256: a24b0f016b3c822b6216fc6e10c180a1a794e5195356e71eeb33fecaf6fae25e
                              SHA512: 582f7e94c97c0ebf495f5be073611eacc041f2a8e6576f5d366c64900f5a0a61ba35fb701e097943f5982a9279c9d6171646865ff4405397245c5c201dd6fc79

                            • C:\Windows\SysWOW64\Npcoakfp.exe
                              Filesize: 96KB
                              MD5: 5f273c799afcf6abe51340738b9ee49d
                              SHA1: 034b5d30928296745c941b3bde2080895d22a57f
                              SHA256: 24c8eed054fbc770e101bcaa60e47099d3df04f6ce099f98e1751678b450e4f2
                              SHA512: d5b64ae11240a745b469b8b4ceadc20e8aa825e0eb381260c160517e644015600488301a749bfa8c5b5c417788489b2f668ee02e6ffd19d152bb6deac4ad5e2f

                            • C:\Windows\SysWOW64\Npcoakfp.exe
                              Filesize: 96KB
                              MD5: abf60bc4e286d140501ca45870fc9583
                              SHA1: 902050f6702316f0114ebe49bad68db9c4564502
                              SHA256: c1eaa8ab49fc62c9ec6f68385020362dcab7eb22c58aed1368a85643ba89c6a2
                              SHA512: 02449ad0427fd6ee40b2a92dc4748775e1efbeba26755604246e4407422f012e244f25352949a975b9467ec2c925b9715d09481a686c11f6c6310d5211e87064

                            • C:\Windows\SysWOW64\Nphhmj32.exe
                              Filesize: 96KB
                              MD5: f6bb55fccbcfdde377a7205942affac9
                              SHA1: 36fa7246411012977cd1b6dd19839511883f6fc3
                              SHA256: d628526393ad3d26d0a40b0f5643887b234a365586a23eef0127bd72efba8b5c
                              SHA512: ce59b5d817c5f9fa761963821d29f205ff2c5714aac8ab5a18ef01527da5a20e158a0d9676faae66c37c6c48e4a82f5aace448dd078d264b44ab1b92a2a7cc9d

                            • C:\Windows\SysWOW64\Ocpgod32.exe
                              Filesize: 96KB
                              MD5: 43b7c027ccc9f4df58364a6630d1ea84
                              SHA1: 31ab719fb94715237c9f3eb595f4389e7e3afd9a
                              SHA256: ff303240613ac4cd9d0fdc04e8e9a9d40f4906fb7399cd783556e363f7ed79f7
                              SHA512: 3545de2e4a56b2fbff9f1d962e037a7b9f964ef03878024406d4ca31f465ab13245be3546eda3879f3dfd8b36c8e66f30da0a418d30cd92cae8b086099345544

                            • C:\Windows\SysWOW64\Ofqpqo32.exe
                              Filesize: 96KB
                              MD5: 913345d0d558e0887e0cba17ba71e976
                              SHA1: 9bf4b7c1cf8f127c6bfe0f96b1611743a6bc3d0a
                              SHA256: 0c0bfd4f8b5f2ede355fbce9fd54be9ab163c600279cb7a9defff4e7b0d1f613
                              SHA512: 0cdc65d14df57adc449a13b582f8a5c8edb43707b88e9ec32867c545e08d81cde3825a77cc67489a671656fafae965a821f80c94c83f68af1aaa8be7b38d74ab

                            • C:\Windows\SysWOW64\Ogifjcdp.exe
                              Filesize: 96KB
                              MD5: aacd3b5bdd3d50135a8b81d29a519c3d
                              SHA1: 68743fd1c151723af037c5dbfa7c3f518ac1d98a
                              SHA256: a19a7e70ae182f5469319d8d2d6f4ae439fc731471b60565b766e0befec4c5a8
                              SHA512: 9a27153b245bc072192fbc04e4ad25359b685c88fe33f4987c0f7e7e3e9ddeea2874e525993611d7a7b9bc12c5ceb5991009710cf9977c344f917b360af1abbd

                            • C:\Windows\SysWOW64\Olhlhjpd.exe
                              Filesize: 96KB
                              MD5: 63352b2f638d6d8eaf8b44eebe0e01a0
                              SHA1: 96d0760cdaa160d83a40f014fb594396c50caa7a
                              SHA256: d098736415f94df5b2b210700cf7c7a7eb52bc9a0682448d2189620ec3fb849c
                              SHA512: a90b687394269a65cefdc4a1f434d9a6747192701488b0d0a144c34ae4c73b1d203ed7c78ed8a66f3a6e6537263e3c0e401cac4faa6491cbc87b48d5e8aa6ad6

                            • C:\Windows\SysWOW64\Pcijeb32.exe
                              Filesize: 96KB
                              MD5: a1b08ae2c29ab9e0ba106144b417bb51
                              SHA1: ea286642117690140234198560cf3551c922f3bd
                              SHA256: e16aff792aff6458c4628e5560e3c74e9c8fce49b258828d3e1a232a828602f2
                              SHA512: fa2801419f8f2dc013643a4b53f540ce7037da74a41b1158481d0277480f5fa42dc2df43a49251956a8fc779e8275d3ee8943d380f4dacb9652f86836af47bdd

                            • C:\Windows\SysWOW64\Qddfkd32.exe
                              Filesize: 96KB
                              MD5: 5e5797d47dcf6e0e3e4e2731d726043c
                              SHA1: 7939aa887225973c36b1435e343397e1a376cd13
                              SHA256: 9033e801e7c0726f9049c7b821304d61424d4216f5f455710e810ae2e9102655
                              SHA512: f577a60ff73563961ed5e53152b1630af36c125cb836e3cb0a281a00be1f810175931ec5e91f30f46bb01ddf918e8eb356bc2f56f0eb3a8d0a5a9f413ae55d75

                            • memory/184-328-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/208-466-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/244-559-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/512-120-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/692-304-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/748-452-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/832-424-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/900-316-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/1072-494-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/1084-412-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/1236-484-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/1272-400-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/1376-593-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/1376-55-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/1388-196-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/1456-514-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/1604-532-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/1644-168-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/1652-111-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/1948-184-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2068-352-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2100-8-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2100-551-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2136-526-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2184-247-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2268-39-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2268-579-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2312-204-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2320-520-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2328-292-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2364-220-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2388-151-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2540-587-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2704-388-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2764-159-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2796-508-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2848-103-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2856-207-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2892-538-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2900-31-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2900-572-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2908-280-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2928-346-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/2972-436-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3032-580-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3148-224-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3152-340-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3200-128-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB

                            • memory/3216-502-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3356-594-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3416-95-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3452-232-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3464-472-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3496-586-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3496-47-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3548-376-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3628-364-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3660-71-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3696-334-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3756-63-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3848-135-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3956-496-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3992-23-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3992-565-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/3996-274-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4008-262-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4072-0-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4072-544-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4192-268-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4240-298-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4244-370-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4312-430-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4356-454-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4372-286-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4384-566-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4432-144-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4452-240-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4484-176-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4512-545-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4524-394-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4612-442-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4640-382-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4656-573-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4712-418-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4760-79-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4764-16-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4764-558-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4772-87-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4792-478-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4808-322-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4908-552-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4932-460-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4956-256-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/4980-406-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/5036-358-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
                            • memory/5096-310-0x0000000000400000-0x0000000000434000-memory.dmp
                              Filesize: 208KB
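The dropped-file and memory-dump listings above are only useful once they are machine-readable. The script below is an added example, not part of the Triage report or of tria.ge's own tooling: it parses the listing layout as this page renders it (a "•" bullet per artefact followed by labelled values, either on their own lines or as "Label: value"), builds a digest index for triaging suspect files, and decodes each memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp name to check that the listed Filesize equals the length of the address range. The embedded excerpt is a constructed sample input that copies two dropped-file entries and two memory-dump entries from this report; everything else is assumed for illustration.

```python
import hashlib
import re

# Constructed sample input: two dropped-file entries and two memory-dump entries
# copied from this report, in both layouts the page uses.
REPORT_EXCERPT = r"""
• C:\Windows\SysWOW64\Nebdoa32.exe
  Filesize
  96KB
  MD5
  072d10850bda412153d214728914c687
  SHA1
  356f0aaf984fb656eb04d6eca93921724318dd67
  SHA256
  25aab746b29146c1603d8ef4eb473d56dddf0f07bbcd6d68de476fd3d2c7cbb3
  SHA512
  65ecc2bc8431f1d66444feee9da61f6a140e52a9b3115e4ef9946b7dcee833564f50fb7c3772aededb4819d1b897ed14a1d3c4776a53bc1111bbb1f4a3d9da53
• C:\Windows\SysWOW64\Nfgmjqop.exe
  Filesize: 96KB
  MD5: e5905f00f228d67802933a5b28b459dd
  SHA1: 93cf662f6f5e185c2fed8ebec26dd1b99a780f93
  SHA256: 540872d904b9680742a6ad8ad0baa9236ff8cc2ce432d8de26f640397987ff45
  SHA512: ccf9ee3854d44b0dffc0e3f61d1762987d74d2b5e61ac994d6937621e18db4612e0ba80406c75875da5336a63df410489079cee02a0d56fc84597ebc8740499a
• memory/184-328-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize
  208KB
• memory/4072-0-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize: 208KB
"""

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HASH_KEYS = ("md5", "sha1", "sha256", "sha512")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_size(text):
    """'96KB' -> 98304 bytes (the report uses binary units)."""
    m = re.fullmatch(r"(\d+)\s*([KM]?B)", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).upper()]


def parse_listing(text):
    """One dict per bullet: the path plus whichever labelled values follow it."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):            # a new artefact entry
            records.append({"path": line[1:].strip()})
            pending = None
        elif not records:                   # values before the first bullet: entry not visible
            continue
        elif line in LABELS:                # vertical layout: the value is on the next line
            pending = line.lower()
        else:
            label, sep, value = line.partition(":")
            if sep and label.strip() in LABELS:   # compact "Label: value" layout
                pending, line = label.strip().lower(), value.strip()
            if pending:
                records[-1][pending] = line if pending == "filesize" else line.lower()
                pending = None
    return records


def build_hash_index(records):
    """Map every listed digest, whatever the algorithm, to the path it was dropped at."""
    return {rec[k]: rec["path"] for rec in records for k in HASH_KEYS if k in rec}


def lookup_hash(index, digest):
    return index.get(digest.strip().lower())


def match_bytes(index, data):
    """Hash candidate file contents with each algorithm the report lists; return
    the matching dropped-file path, or None when nothing in the report matches."""
    for algo in HASH_KEYS:
        hit = lookup_hash(index, hashlib.new(algo, data).hexdigest())
        if hit:
            return hit
    return None


def parse_memory_dump(record):
    """Decode memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp and verify that the
    listed Filesize equals end - start."""
    m = MEM_RE.match(record["path"])
    if not m:
        return None
    pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "index": idx, "start": start, "end": end,
            "length": end - start,
            "size_matches": parse_size(record["filesize"]) == end - start}


def dropped_files(records):
    return [r for r in records if not r["path"].startswith("memory/")]


def memory_dumps(records):
    return [parse_memory_dump(r) for r in records if r["path"].startswith("memory/")]
```

Two things the parsed data makes visible that the raw listing does not. Every 208KB dump is exactly 0x34000 bytes starting at 0x400000, the default image base of a 32-bit PE, so each process was dumped as one mapped image rather than as injected or heap memory; the on-disk copies are 96KB, and the in-memory image being larger than the file is what section alignment normally produces. And every dropped copy in this report carries a different digest even though all are 96KB, so `match_bytes` only catches these exact copies: treat the hashes as indicators of this run, not as a detection for the Berbew family.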